Summary: Android 4.3 added significant new security features, and Google has also added two other new security features to older versions of Android. Now, if only the carriers and OEMs would patch the Bluebox security hole every Android user would be happier. By Steven J. Vaughan-Nichols for Linux and Open Source |August 2, 2013 -- 20:51 GMT (13:51 PDT) Google's latest version of Android, Jelly Bean 4.3, has many good features. Under the surface, though, Google added five significant security features. On top of that, Google has added two other new features that work with almost all currently used versions of Android. Android, and not just the latest version, has gotten a lot more secure in recent weeks. The new 4.3 features are, besides adding restricted profiles: Android sandbox reinforced with SELinux: Android 4.3 now includes SELinux, a mandatory access control (MAC) system in the Linux kernel to augment the Unique Identification Number (UID) based application sandbox. This makes almost all apps with the Android sandbox much more secure. Some users are wary of SELinux, since the NSA had a large hand in creating it. Since SELinux, just like all of Linux, is open source that seems foolish to me. After all, the code is right in plain sight for anyone to look for security holes. KeyChain enhancements: If you're still worried about the NSA snooping on your messages you'll be happy to see Google's new KeyChain API provides a method that enables applications to confirm that system-wide keys are bound to a hardware root of trust. This means that carrier and OEM developers can add private keys that cannot be copied off the device, even if it's otherwise completely compromised. This won't stop the NSA -- or most major Internet companies -- from using big data, metadata, and traffic analysis to keep an eye on you, but it will eventually help to keep the contents of your messages and apps secure. Android Keystore Provider: At the same time, Android 4.3 also introduces a keystore provider and APIs that allow applications to create exclusive-use keys. What that means is that apps can create or store private keys that no other app can see or use. Restrict Setuid from Android Apps: Your device's /system partition is now mounted "nosuid" for Zygote-spawned processes. This helps prevent Android applications from executing setuid programs. In turn, this reduces root attack surface and likelihood of potential security vulnerabilities. In English, this means malicious apps will have a much harder time trying to take over your device's superuser/root privileges. It sounds good, and it is good. Unfortunately, it's also already obsolete. Chainfire, creator of SuperSU, an Android rooting program, has found a way to root Android 4.3 "by using an "su daemon," which is started from init [A vital Android boot-up program] and not from a Zygote process." Wi-Fi support for WPA2-Enterprise networks: New application programming interfaces (API)s can now be used configure the Wi-Fi credentials needed for connections to access points using WPA2 enterprise with Extensible Authentication Protocol (EAP) and Encapsulated EAP (Phase 2). With this, developers will be able to create apps that can join business Access Points (APs) that use EAP and Phase 2 authentication methods. Beyond Android 4.3: Google has also been adding improved security features for older versions of Android as well. First, Verify Apps, a security feature introduced in Android 4.2, is no longer part of the operating system. Instead, it's been incorporated into Google Play Services, which is incorporated on Android 2.3 and higher. This service is client-side process that scans apps for malware as you install them. This works even if you're side-loading your new apps as Android application package files (APKs) from a third-party Android app store and not Google's Play Store. Second, and boy have we waited a long time for this one, Google has finally added a lost phone finder to Android. Like Verify Apps you don't need a new smartphone to use it. This service will also be available to anyone using an Android device using Android 2.2 or above. With it you can make your little lost phone ring at maximum volume, signal you from a map, or, if worse comes to worse and it's been stolen, you can erase all your data from it remotely. So much for the good news. The bad news is that OEMs are still being slow as an old dog on a hot day about rolling out Google's Bluebox Security patch. Adding insult to injury, the first malware-infected apps using this security hole have started appearing. Even with this Android security has been improving this summer. Now, if only Google started forcing vendors and carriers to push security updates to users, I'd be a lot happier and you'd be a lot safer.