Sunday, August 18, 2013

New Security features of Android 4.3

The new version of Android rolled out, 4.3 Jelly Bean, also brings new security features.

By most count, it seems there are 7 security features rolled out.

1.  First off, we have Restricted Profiles.  This is a feature ONLY for tablets, as these are devices that are often shared among people, especially family members.  This allows for different profiles to be setup, some with restrictions, for, say, children.   More on this HERE.

2.  Next there is strengthening of encryption.  This includes tools to make sure neither hackers or other malicious entities can access the keys.  There are a new set of APIs for this, known as the Keychain/Keystore system API.

3.  There is a Nousid command that makes sure no program can obtain root privileges by setting the setuid bit.  The /system partition is also better secured as part of this.

4.  The new Find My Phone app (Android Device Manager) can be used to find/locate a lost or stolen device.  And the user can use this to remotely manage, lock, or wipe clean the device.  This I find interesting, as this is a service that many obtain thru MDM systems.  For a corporate user, this is usually part of such a corporate MDM system, run by their company admins.  For the individual user, one can obtain their own such service from third parties.  So I would think this would compete against that more so then the corporate MDM.  But could this be a competition for the corporate MDM systems?  Here is more info on this feature.

5.  Again, something that is not actually in Android, there is the Verify Apps feature that is part of Google Play.  I already blogged about this in a previous posting.  This should extend the protection of Bouncer, but we've already see Bouncer failing (see my previous postings).  So while Google seems to feel that such things (Bouncer and probably Verify Apps) negates the need for anti-malware apps on Android, I am a bit skeptical of this.

6.  They have activited within Android SELinux.  Now, many may not realize that Android is actually built on Linux.  SELinux is "Security Enhanced Linux", which adds mandatory access controls (MAC) to the Linux kernal.  For more on SELinux, go to the project page HERE.

7.  Finally, there is new WPA2 Wi-Fi security capabilities.  This isn't something the end user can use, but only programmers.  It allows for the use of the new WPA2 (Wi-Fi Protected Access 2) features of Wi-Fi.

These are pretty nice set of additions.  I would like to see how the security of Android 4.3 compares to the latest versions of iOS and Windows Phone.  Not seen a side-by-side comparison.  If any know of one, I'd like to know.

On a related note, I came across THIS article at the Official Google blog on securing your Android phone. They basically give 3 tips:  1) screen lock, 2) be secure on apps you install, but Bouncer & Verify Apps will protect you, and 3) used Find My Phone to be able to find and/or wipe your phone.

I used this article for the source of this posting: HERE  Another good resource I found is HERE.

Friday, August 16, 2013

Security in the "Internet of Things"

During the recent round of IT Security/Hacker conferences in Las Vegas (Defcon, Black Hat, BSides), a variety of interesting security issues have been revealed in various "non-computer" devices that are networks.

Here is a high level overview of several:

  • Hacking of the "Smart Home":  HERE  and HERE   and HERE
  • Hacking of the "Smart Car":   HERE   and longer commentary on the issue HERE
  • Hacking of the "Smart Toilet":   HERE  and HERE
  • Hacking of a baby monitor:   HERE  and HERE  (Updated)
  • Hacking of networked lightbulbs:  HERE