OFFICIAL SECURITY BLOG
July 25, 2013 | BY Joshua Cannell
Yesterday, Google unveiled the latest version of it’s renowned Android Operating System at an event in San Francisco.
Labeled as a “sweeter version of Jelly Bean”, Android 4.3 comes with a myriad of new features (including security updates), and is available as an upgrade now on Google Nexus devices. The updated version of Android will also be included on the 2nd generation Nexus 7 tablet that’s available on the 30th.
Of the improvements to security, the most notable is the implementation of SELinux, a Mandatory Access Control (MAC) system which grants users greater access control.
According to the wiki, “Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.”
Ok so maybe that isn’t clear enough for everyone. Basically, you can add access control policies.
This is great news since SELinux will add another layer of security to Android and can potentially reduce the effect that Android malware has on a device. SELinux is also compatible with the existing applications you have installed, so you don’t have to worry about losing any apps in the process.
But that’s not all that’s included with the 4.3 update.
Several vulnerabilities have been patched with the latest Android release, including the master key vulnerability that’s garnered lots of media attention as of late. Al Sutton, founder of Funky Android, confirmed this on Twitter earlier this morning.
Well that all sounds great, so what’s the bad news?
Unfortunately for users without a Nexus device, there is no guarantee that you’ll be getting this update anytime soon, if not at all.
As we’ve mentioned earlier, Android’s fragmented update model continues to prevent users from getting the latest version of the popular mobile OS. While it seems obvious that receiving updates would be slower when using a Google OS on a non-Google device, most Android users with older devices will never receive security updates, unless they do so manually.
Android clearly needs a more unified update model to ensure the protection of all its users. Perhaps something like Windows-style updates would suffice, as suggested by ZDNet contributor Steven J. Vaughan-Nichols.
To read more about everything that’s coming with the 4.3 update, click here.
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell