
Security Enhancements in Android 4.2.2

by Anand Narayanaswamy on Feb 18, 2013. Estimated reading time: 1 minute

Android 4.2 Jelly Bean has been refreshed with additional features that enhance application security. Users can now verify applications prior to installation, which helps prevent harmful apps from reaching the mobile device, and Android can block the installation if the app is bad.

If an app attempts to send an SMS to a premium-service short code that might incur additional charges, Android displays a notification, and the user can choose whether to allow the application to send the message or to block it.

The latest release lets you configure a VPN so that the device has no access to the network until a VPN connection is established. Moreover, the libcore SSL implementation supports certificate pinning, and permissions have been organized into groups. Users can also get detailed information about a permission by clicking on it.

In Android 4.2.2, applications that target API level 17 have the exported attribute set to false by default for each ContentProvider, which reduces the default attack surface for applications.
The update also reduces the potential attack surface for root privilege escalation, because the installd daemon no longer runs as the root user.

Moreover, the init scripts now apply O_NOFOLLOW semantics to prevent symlink-related attacks. The release also implements FORTIFY_SOURCE, which system libraries and applications use to prevent memory corruption.
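What O_NOFOLLOW semantics mean at the `open(2)` level on Linux, as an added example that is not Android's init code: the same symlink opens normally without the flag and is refused with `ELOOP` when the flag is set. The function names and the `/tmp` paths are hypothetical and the files are constructed by the program itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open path for writing; return 0 on success, otherwise the errno. */
static int try_open(const char *path, int extra_flags)
{
    int fd = open(path, O_WRONLY | extra_flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Constructed scenario: "target" stands in for a sensitive file, "lnk" for a
 * symlink planted at a path a privileged process is about to open.
 * which: 0 = symlink, no flag; 1 = symlink, O_NOFOLLOW; 2 = regular file,
 * O_NOFOLLOW. Returns try_open()'s result, or -1 if setup failed. */
int symlink_open_result(int which)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    char target[64], lnk[64];
    int rc = -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    int fd = open(target, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd >= 0 && symlink(target, lnk) == 0)
        rc = which == 0 ? try_open(lnk, 0)
           : which == 1 ? try_open(lnk, O_NOFOLLOW)
                        : try_open(target, O_NOFOLLOW);
    if (fd >= 0)
        close(fd);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("follow=%d nofollow=%d regular=%d (ELOOP=%d)\n", symlink_open_result(0),
           symlink_open_result(1), symlink_open_result(2), ELOOP);
    return 0;
}
```

O_NOFOLLOW only checks the final path component, so a symlink in an intermediate directory is still followed.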

Android 4.2.2 now uses OpenSSL for the default implementations of SecureRandom and Cipher.RSA. The release also adds SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1 and reduces the default attack surface for applications. It also includes security fixes for the WebKit, libpng, OpenSSL and LibXML open source libraries.

"A recommended approach is to generate a truly random AES key upon first launch and store that key in internal storage," says Fred Chung, Android Developer Relations team.

Android 4.2.2 introduces secure USB debugging which, when enabled, ensures that only host computers authorized by the user can access the internals of a USB-connected device using the ADB tool included with the Android SDK.
