Skip to main content

Report claims Jelly Bean is most secure Android version to date

Android 4.1 'Jelly Bean' is the most secure version of the mobile operating system Google has ever released, according to a report from security researcher Jon Oberheide which has been making the rounds.

Jelly Bean, which Google began rolling out this month as the successor to Android 4.0 'Ice Cream Sandwich,' is the first Android OS to properly implement address space layout randomisation (ASLR) security, Oberheide said.

ASLR makes it tough for hackers and malware merchants to exploit memory corruption vulnerabilities because they can only guess at where their malicious payloads will load due to the fact that memory mapping for OS processes are randomised. Combined with the data execution prevention technologies Google has also built into Jelly Bean, fully implemented ASLR provides the most robust security the world's most popular smartphone OS has ever had, the Duo Bulletin researcher said.

Although Ice Cream Sandwich was actually the first version of Android to implement ASLR, it wasn't done very well and didn't mitigate enough real-world attacks, according to Oberheide. But Jelly Bean should be a different story.

"[T]he executable mapping in the process address space was not randomised in Ice Cream Sandwich, making ROP-style attacks possible using the whole executable as a source of gadgets. In Jelly Bean, most binaries are now compiled/linked with the PIE flag (commits for the linker, ARM and x86), which means the executable mapping will be properly randomised when executed," he wrote in a Duo Bulletin blog post published Monday.

Oberheide said two other randomisation pieces of the ASLR puzzle that weren't well implemented in Ice Cream Sandwich have been fully built into Jelly Bean, "giving it full stack, heap/brk, lib/mmap, linker, and executable ASLR."

The researcher said Google's latest version of Android also implements better defences against malicious code execution and information leakage.

However, Oberheide also pointed to some weaknesses in the 32-bit ASLR Google is using in Jelly Bean. And he said Apple's integration of an even more secure form of the technology called in-kernel ASLR in its next-gen iOS 6 operating system, released this week in beta and due out this fall, is likely to become the new security gold standard for mobile OSes.

"One could claim that iOS is being proactive with such techniques, but in reality, they're simply being reactive to the type of exploits that typically target the iOS platform," the researcher said.

"However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such as NX, ASLR, and mandatory code signing. Thankfully, Android is getting there, and Jelly Bean is a major step towards that goal."