Android Security Enhancement List

This page catalogues how Android security has evolved across Android versions. We aim to record which version introduced or changed a specific security feature, as well as which version fixed a specific flaw.

| Android Version | Security Enhancement | Details | Reference / Bypass (if applicable) |
|---|---|---|---|
| 5.0 | WebView decoupled from core, OTA-based upgrade | WebView can now be updated independently of the framework and without a system OTA. This allows a faster response to potential security issues in WebView. | Chrome developers G+ post; WebView for Android |
| 5.0 | Fixed: SQL injection vulnerability in WAPPushManager | In Android <5.0, a SQL injection vulnerability exists in the optional module WAPPushManager; an attacker can remotely send a malformed WAPPush message to launch any activity or service on the victim's phone (need permission check). | Fixed commit; POC: CVE-2014-8507 |
| 5.0 | Fixed: Privilege escalation using ObjectInputStream | In Android <5.0, ObjectInputStream did not check whether the object being deserialized is actually serializable. | Fixed commit; POC: CVE-2014-7911 |
| 5.0 | Fixed: SMS resend vulnerability | Applications could send SMS without the required privilege, leading to undesired cost to the user or use for data exfiltration. | Fixed commit; POC for CVE-2014-8610 |
| 5.0 | FORTIFY_SOURCE improvements | Protection against memory-corruption vulnerabilities involving the stpcpy(), stpncpy(), read(), recvfrom(), FD_CLR(), FD_SET(), and FD_ISSET() libc functions. | |
| 5.0 | Non-PIE linker support removed | Enhances Address Space Layout Randomization (ASLR) by requiring all dynamically linked executables to support PIE (Position-Independent Executables). | |
| 5.0 | Cryptography: SSL/TLS | TLSv1.1 and TLSv1.2 are enabled, Forward Secrecy is preferred, and weak cipher suites (MD5, 3DES) are disabled. | SSLSocket reference: Android Developer Site |
| 5.0 | Guest mode and multiple profile support | Guest mode and support for multiple user profiles; makes it easier to provide temporary access to the device. | |
| 5.0 | Security Enhanced Linux (SELinux) | SELinux enforcing mode is required for all applications on the device. | |
| 5.0 | Full disk encryption by default | Devices shipped with Lollipop have full disk encryption at first boot, using a unique key. This feature can be turned off by vendors. | |
| 5.0 | Smart Lock (screen lock) | Unlock the phone using Bluetooth pairing, NFC, a geofence (GPS location) or simply a smile (face unlock improvements). | |
| 4.4.4 | Block access to java.lang.Object.getClass in injected Java objects | Throws a java.lang.SecurityException on the Browser UI thread when an attempt is made to execute java.lang.Object.getClass from JavaScript code via an injected Java object. | Refer: Chromium BugTrack entry; Chromium issue entry |
| 4.4.4 | Fix for OpenSSL man-in-the-middle | CVE ID: CVE-2014-0224 | Refer: CVE-2014-0224 entry |
| 4.4.3 | Chrome vulnerability fix | 1. Timing-based security attack in Chrome; 2. Fix for CVE-2014-1710 | Chromium Bug Tracker entry; Refer: CVE-2014-1710 |
| 4.4.3 | Lock screen credential set vulnerability fix | As per changelog, Bug 9858403: lock screen credential reset without previous credentials. The test asks the user to first set a lock screen password and then launch an intent to change it, using an EXTRA that was not being properly validated before the vulnerability was fixed. | Reference: AOSP code commit entry |
| 4.4.2 | Removal of the "App Ops" application permissions control system | The App Ops permission system, available since 4.3, was removed completely from the GUI in this release. | Bypass: functionality (launcher etc.) can be restored by an Xposed framework module |
| 4.4 | dm-verity | Transparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that can hold onto root privileges and compromise devices. | |
| 4.4 | SELinux => enforcing mode | All root domain binaries run in enforcing mode; the remaining domains still run in permissive mode. | SELinux details |
| 4.4 | FORTIFY_SOURCE Level 2 | Full source code compiled with FORTIFY_SOURCE; clang support added. | |
| 4.4 | SSL CA certificate warnings | Warns when any certificate is added to the device certificate store. | Bypass available already |
| 4.4 | WRITE_EXTERNAL_STORAGE permission to write to SD card | This permission is required by applications in order to write to external storage, i.e. the SD card. | Android external storage write permission; also read: Storing app data on SD cards |
| 4.3 | Restrict setuid from Android apps | No Zygote-spawned process is allowed to execute setuid programs; /system is mounted nosuid. | Bypassed by Chainfire |
| 4.3 | FORTIFY_SOURCE | Added for Android x86 and MIPS; fortified strchr(), strrchr(), strlen(), and umask() calls. | |
| 4.3 | SELinux => permissive | Allows logging but doesn't restrict actions. | |
| 4.3 | Trusted Platform Module (TPM) support | Hardware-backed storage for KeyChain, making keys unavailable for extraction. | |
| 4.2.2 | ADB authentication | Prevents unauthorised use of ADB by using an RSA keypair for authentication. | Android 4.3 security enhancement announcement |
| 4.2 | FORTIFY_SOURCE Level 1 | Used by system libraries and applications to prevent memory corruption. | |
| 4.2 | Application verification | The user can opt in to a client-side Bouncer instance so that Google can check applications for malicious behaviour before installation. | |
| 4.2 | Certificate pinning | If the certificate chain doesn't match, an error message is shown. | |
| 4.2 | installd config | installd runs as non-root from start. | |
| 4.2 | ContentProvider security | By default, ContentProviders are set to exported=false for API <=17. | |
| 4.2 | init config | O_NOFOLLOW added to init to avoid symbolic link attacks. | |
| 4.2 | Premium SMS notification | SMS to premium numbers now display a notification and are only sent when explicitly accepted. | |
| 4.2 | SecureRandom implementation | SecureRandom implementation based on OpenSSL; the Bouncy Castle implementation was removed. | Details here |
| 4.2 | JavascriptInterface annotation | Methods exposed to WebView JavaScript must be annotated with @JavascriptInterface; a WebView exploit is possible on <4.2 devices and in applications using API < 17. | Reference: Metasploit module; Test page: identifies if the browser or WebView is vulnerable; Additional details |
| 4.2 | Cryptography | SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1. | |
| 4.1 | PIE (Position Independent Executable) support | Support for binaries compiled with GCC's -pie -fPIE flags (executables are position independent). | |
| 4.1 | Read-only relocations / immediate binding | -Wl,-z,relro -Wl,-z,now | |
| 4.1 | Kernel address leakage prevention | dmesg_restrict and kptr_restrict enabled. | kptr_restrict mitigates the Levitator exploit |
| 4.1 | ELF hardening | RELRO / BIND_NOW flags by default. This hardens binaries against attacks that attempt to overwrite the GOT and other sensitive ELF structures, by making them read-only at startup. | Breaks the Gingerbreak exploit; more details on RELRO here |
| 4.1 | ASLR support | Full ASLR support. | |
| 4.0.3 | Randomize heap/brk mapping | kernel.randomize_va_space is set to 2. | |
| 4.0 | ASLR support | ASLR support started appearing, although not fully. Multiple flaws were present: the dynamic linker didn't have ASLR, and many more are outlined in the reference link. | ASLR support review by Duo Security |
| 3.0 | Full filesystem encryption | Full disk encryption added. | Details on this archive link |
| 2.3 | Format string vulnerability protection | Added -Wformat-security -Werror=format-security. | |
| 2.3 | Code execution prevention on stack and heap | Hardware-based No eXecute (NX). | |
| 2.3 | Null pointer dereference protection | mmap_min_addr | |
| 2.2 | Device administration | Android Device Administration API added. | Device Administration Guide |
| 1.5 | Stack / buffer overrun protection | ProPolice to prevent stack buffer overruns (-fstack-protector). | Memory management enhancement: old archive link |
| 1.5 | Integer overflow protection | safe_iop | |
| 1.5 | Integer overflow in memory allocation | OpenBSD calloc | |
| 1.5 | Chunk consolidation attack | Extensions to OpenBSD dlmalloc() to prevent double free(). | |

This page is an ongoing effort and we will try to keep it up to date to the best of our abilities.

Credits :

This list is aggregated by Anant Shrivastava and Prashant Mahajan. References, wherever applicable, are properly placed in the reference section.

Thanks to the following folks for helping us with additional inputs.

Feel free to suggest corrections / additions to the list via either comments or an email to AndroidSecurityEnhancement at androidTamer dot com