According to elite and respected Android developer Pulser_G2, the new Android 4.4 KitKat comes with overall security improvements that is also aimed to reduce the risks of rootkits on the platform.
Let’s go through the security changes on Android 4.4 KitKat
SELinux in Enforce Mode
SELinux was first introduced in Android 4.3, where it is a ‘mandatory’ access control system built into the Linux kernel, to help enforce the existing access control rights.
In Android 4.4, SELinux has moved from running in permissive mode (which simply logs failures), into enforcing mode.
Elliptic Curve Cryptography Support
Signing keys in AndroidKeyStore
The integrated Android keystore provider now supports Eliptic Curve signing keys.
It is a viable form of public key cryptography that can provide a good alternative to RSA and other similar algorithms.
SSL CA Certificate Warnings
SSL monitoring adds Certificate Authority (CA) to your computer and browser to permit the corporate web filtering software to carry out a “man in the middle” attack on your HTTPS sessions for security and monitoring purposes by adding an additional CA key to the device.
Automated Buffer Overflow Detection
Android 4.4 now compiles with FORTIFY_SOURCE running at level 2, and ensures all C code is compiled with this protection. Code compiled with clang is also covered by this. FORTIFY_SOURCE is a security feature of the compiler, which attempts to identify some buffer overflow opportunities (which can be exploited by malicious software or users to gain arbitrary code execution on a device).
Google Certificate Pinning
Android 4.4 KitKat has added more protection against certificate substitution for Google certificates. Without certificate pinning, your device would accept this valid SSL certificate (as SSL allows any trusted CA to issue any certificate).
With certificate pinning, only the hard-coded valid certificate will be accepted by your phone, protecting you from a man-in-the-middle attack.
But what Pulser_G2 talked about the most was about the inclusion of dm-verity, which can be a big problem for people with locked bootloaders who likes rooting and modifying their devices. you can read more about it here.
Google has definitely added some much needed security enhancements with Android 4.4 KitKat but how will these changes (especially the dm-verity part) affect users who likes tinkering with their devices? Pulser_G2 said it’s hard to tell what it would mean for now, at least until we see other OEMs shipping devices with Android 4.4. But there could be a noticeable impact on casual users wishing to make small changes to their devices.
1,496 total views, 2 views today