Security Enhancements in Android 4.2.2

by Anand Narayanaswamy on Feb 18, 2013

Android 4.2 Jelly Bean has been refreshed with additional features that enhance application security. Users can now verify applications prior to installation, which helps prevent harmful apps from entering the mobile device, and Android can block the installation if the app is bad.

If an app attempts to send an SMS to a premium service short code that might incur additional charges, Android displays a notification and the user can choose whether to allow the application to send the message or block it.

The latest release lets you configure a VPN so that applications have no access to the network until a VPN connection is established. Moreover, the libcore SSL implementation supports certificate pinning, and permissions have been organized into groups. Users can also click on a permission to see detailed information about it.

In Android 4.2.2, applications that target API level 17 have the exported attribute (android:exported) set to false by default for each ContentProvider, which reduces the default attack surface for applications.
The update also reduces the potential attack surface for root privilege escalation, as the installd daemon does not run as the root user.
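
One way to check how the ContentProvider default affects a given app, as an added example that is not from the article or the Android project: a Python script that reads a decoded (plain-text) AndroidManifest.xml and reports each provider's effective exported state. The package name, provider names and sample manifest are constructed, and the script assumes the default is decided by targetSdkVersion, as the article states.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
GUARDS = ("permission", "readPermission", "writePermission")

def target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    min_sdk = sdk.get(ANDROID + "minSdkVersion", "1")
    return int(sdk.get(ANDROID + "targetSdkVersion", min_sdk))  # numeric levels only

def audit_providers(manifest_xml):
    """Return one dict per <provider> with its effective exported state."""
    root = ET.fromstring(manifest_xml)
    default_exported = target_sdk(root) < 17  # default flips to false at API level 17
    report = []
    for prov in root.iter("provider"):
        raw = prov.get(ANDROID + "exported")
        if raw is None:
            exported, source = default_exported, "default"
        elif raw in ("true", "false"):
            exported, source = raw == "true", "explicit"
        else:  # e.g. a @bool/ resource reference; needs manual review
            exported, source = None, "unresolved"
        report.append({"name": prov.get(ANDROID + "name"), "exported": exported,
                       "source": source,
                       "guarded": any(prov.get(ANDROID + g) for g in GUARDS)})
    return report

def needs_review(manifest_xml):
    """Names of providers that are (or may be) exported without any permission."""
    return [p["name"] for p in audit_providers(manifest_xml)
            if p["exported"] is not False and not p["guarded"]]

# Constructed sample manifest (not from the article); only the target level varies.
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="10" android:targetSdkVersion="{target}"/>
  <application>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
    <provider android:name=".ShareProvider" android:authorities="com.example.share"
              android:exported="true" android:readPermission="com.example.READ"/>
    <provider android:name=".LogProvider" android:authorities="com.example.log"
              android:exported="true"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for target in (16, 17):
        print(target, needs_review(TEMPLATE.format(target=target)))
```

With the same manifest, raising the target from 16 to 17 removes the implicitly exported provider from the review list, while the provider that sets exported to true without a permission stays on it at either level.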

Moreover, the init scripts now apply O_NOFOLLOW semantics to prevent symlink-related attacks. The release also implements FORTIFY_SOURCE, which system libraries and applications use to prevent memory corruption.

Android 4.2.2 now uses OpenSSL for the default implementations of SecureRandom and Cipher.RSA. The release also adds SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1 and reduces the default attack surface for applications. It also includes security fixes for the WebKit, libpng, OpenSSL and LibXML open source libraries.

"A recommended approach is to generate a truly random AES key upon first launch and store that key in internal storage," says Fred Chung of the Android Developer Relations team.

Android 4.2.2 introduces secure USB debugging, which, when enabled, ensures that only host computers authorized by the user can access the internals of a USB-connected device using the ADB tool included with the Android SDK.
