It’s never easy being No. 1, as Windows XP discovered in the first decade of the 20th century. Mischief-makers attacked Windows XP because 80 percent of the world’s population used it, giving Windows a nagging reputation — which is somewhat unfair — of being significantly less secure than Mac. Mobile malware makers target Android for the same reason that others targeted Windows XP. Since most people who have mobile devices use the Android operating system, attackers who compromise Android get more bang for their effort.
In its 5.0 release, Android has taken some cues from iOS and added some new security features. Because the threat landscape is always shifting, it’s still prudent to install Android security software on any Android phone or tablet. However, people who have gravitated toward iOS for security reasons might find that Lollipop gives them a reason to switch to Android.
Better Access Management
One of the simplest updates Android 5.0 includes is improved access management. It accomplishes this through two main features: Smart Lock and multiple user roles.
Using Near-Field Communication (NFC) or Bluetooth, Android users can unlock their phones simply by tapping them on an NFC tag or putting them near a paired device. When they’re not near any of these devices, the password, pattern, or PIN lock is re-enabled.
Multiple User Roles
Jelly Bean allowed Android tablet users to set up multiple user roles, and now Lollipop extends this functionality to Android phones. Device owners can create roles for other family members who use the device, deciding which apps they can access and enabling specified settings. Lollipop also features a guest mode, which gives someone quick access to an Android phone without giving access to data or apps.
Android 5.0 features several improved encryption features that prevent data theft from lost or stolen phones as well as improve browser and application security.
Instead of requiring users to enable encryption on Android phones, Lollipop encrypts phones by default, which keeps thieves from accessing data without the password. Also, where past versions kept the device encryption and lock secret on the phone, Lollipop also binds the key to the hardware keystore and provides added protection against brute force passcode attacks.
Lollipop has disabled weak cipher suites such as 3DES, export, and MD5. Also, Android 5.0 establishes a preference for Forward Secrecy to protect session keys if the long-term key is compromised later, and it adds AES-GCM for encryption that doesn’t compromise performance.
Now, WebView is updatable from Google Play, which means that every application in the phone will use the same updated version of WebView, and users won’t have to download an OS update to keep WebView current. From a security standpoint, this allows for fast response to WebView security issues without an OS update.
Buffer Overflow Protection
Android security products don’t always prevent buffer overflow attacks, but new features in Lollipop can keep those attacks at bay.
Certain OS commands, like strcpy, execute without an awareness of buffer length. Several OS functions now utilize Fortify_Source protection in Android 5.0, which stops them from executing code that generates buffer overflows.
Position-Independent Executables (PIE)
Position-independent code keeps attackers from accessing existing executable code within memory to execute remote commands. PIEs are simply executable binaries made from position-independent code, and Android 5.0 no longer allows non-PIE linker support for dynamically executable code.
In addition to adding security features, Android 5.0 has significantly improved both design and usability compared to previous versions. Unfortunately, its popularity is its Achilles heel. Because Android remains the top mobile OS, it will remain a popular attack target, like Windows XP before it.
Lollipop is rolling out to Nexus devices and Google Play Edition devices. HTC, LG, Samsung, and Sony have all announced that they’ll get the update, just not when they’ll get it.