Security Enhancements in Android 4.2.2
Android 4.2 Jelly Bean has been refreshed with additional features to enhance security of applications. It includes a feature with which your users will be able to verify applications prior to installation thereby preventing harmful apps from entering the mobile device. It also has an ability to block installation if the app is bad.
If your app attempts to send SMS to a premium service short code that might incur additional charge, then Android will provide a notification and you can select whether to allow the application to send the message or block it.
The latest release enables you to configure VPN in such a way that it will not have access to the network until a VPN connection is established. Moreover, libcore SSL implementation provides support for certificate pinning and permissions have been organized into groups. It also provides detailed information about the permission upon clicking on it by users.
In Android 4.2.2, applications which target API level 17 will have export set to false by default for each ContentProvider which ultimately reduces default attack surface for applications.
The update reduces potential attack surface for root privilege escalation as the installd daemon does not run as the root user.
Moreover, the init scripts now apply O_NOFOLLOW semantics to prevent symlink related attacks. It also implements FORTIFY_SOURCE which is used by system libraries and applications to prevent memory corruption.
Android 4.2.2 has been modified to make use of OpenSSL for the default implementations of SecureRandom and Cipher.RSA. The release also adds SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1 and also reduces default attack surface for applications. It also includes security fixes for WebKit, libpng, OpenSSL and LibXML open source libraries.
"A recommended approach is to generate a truly random AES key upon first launch and store that key in internal storage," says Fred Chung, Android Developer Relations team.
Android 4.2.2 introduces secure USB debugging which when enabled ensures only host computers authorized by the user can access the internals of a USB connected device using the ADB tool included with the Android SDK.
John Krewson, Steve Ropa and Matt Badgley Nov 24, 2014