Hacking Android just got trickier

Android 4.1, Jelly Bean, has just been given the once-over by security researcher Jon Oberheide, who claims it is a lot harder to hack.

According to Ars Technica, he said that the latest release of Android has been properly fortified with an industry-standard defence, which should help protect users against hack attacks that install malware on their handsets.

In his analysis, Oberheide noted that 4.1 was the first version of Android to properly implement a protection known as address space layout randomisation.

Known as ASLR, it randomises the memory locations of the libraries, stack, heap, and most other OS data structures, which makes life hard for hackers who exploit memory corruption bugs because they cannot predict where those structures will sit. When used with data execution prevention, ASLR can effectively neutralise such attacks.

Android 4.0 did have ASLR but it was rubbish at mitigating real-world attacks because Android’s executable region, heap, libraries, and linker were loaded at the same locations each time.
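A check for the weakness described above, as an added example that is not from the article or from Oberheide's analysis: it compares two Linux-style `/proc/<pid>/maps` snapshots of the same process and counts the regions whose base address did not move between launches. The snapshots, addresses, region list and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed maps snapshots from two launches (illustrative addresses); only the stack moves. */
static const char RUN_A[] =
    "00008000-0000a000 r-xp 00000000 b3:02 101 /system/bin/app_process\n"
    "0000b000-0002c000 rw-p 00000000 00:00 0 [heap]\n"
    "afd00000-afd41000 r-xp 00000000 b3:02 202 /system/lib/libc.so\n"
    "b0001000-b000c000 r-xp 00000000 b3:02 303 /system/bin/linker\n"
    "be8a1000-be8c2000 rw-p 00000000 00:00 0 [stack]\n";
static const char RUN_B[] =
    "00008000-0000a000 r-xp 00000000 b3:02 101 /system/bin/app_process\n"
    "0000b000-0002c000 rw-p 00000000 00:00 0 [heap]\n"
    "afd00000-afd41000 r-xp 00000000 b3:02 202 /system/lib/libc.so\n"
    "b0001000-b000c000 r-xp 00000000 b3:02 303 /system/bin/linker\n"
    "bef3d000-bef5e000 rw-p 00000000 00:00 0 [stack]\n";
static const char *REGIONS[] = {"app_process", "[heap]", "libc.so", "linker", "[stack]"};

/* Start address of the first (lowest) mapping whose path contains name; 0 if none. */
unsigned long region_base(const char *maps, const char *name) {
    char line[256], path[256];
    unsigned long start;
    for (const char *p = maps; *p; ) {
        size_t len = strcspn(p, "\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, n); line[n] = '\0';
        /* Fields: start-end perms offset dev inode [path]; anonymous maps have no path. */
        if (sscanf(line, "%lx-%*lx %*s %*s %*s %*s %255s", &start, path) == 2 &&
            strstr(path, name))
            return start;
        p += len + (p[len] == '\n');
    }
    return 0;
}

/* Number of listed regions whose base is identical in both launches. */
int count_static_regions(const char *a, const char *b) {
    int fixed = 0;
    for (size_t i = 0; i < sizeof REGIONS / sizeof *REGIONS; i++) {
        unsigned long x = region_base(a, REGIONS[i]), y = region_base(b, REGIONS[i]);
        if (x && x == y) { fixed++; printf("%-12s fixed at %08lx\n", REGIONS[i], x); }
    }
    return fixed;
}

int main(void) {
    printf("%d of 5 regions not randomised\n", count_static_regions(RUN_A, RUN_B));
    return 0;
}
```

On a properly randomised system the count should be zero across repeated launches; any region reported as fixed gives an attacker a stable address to build on.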

Charlie Miller, a veteran smartphone hacker and principal research consultant at security firm Accuvant, who has made a living hacking phones, said that it is going to be difficult to write exploits for 4.1.

There are still weaknesses in Android, the report notes. The operating system has yet to introduce code signing, which would stop unauthorised apps from running on the device by requiring code loaded into memory to carry a valid digital signature before it can be executed.