<html devsite>
<head>
<title>Security Enhancements in Android 4.4</title>
<meta name="project_path" value="/_project.yaml" />
<meta name="book_path" value="/_book.yaml" />
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>
Every Android release includes dozens of security enhancements to protect
users. The following are some of the security enhancements available
in Android 4.4:
</p>

<ul>
<li><strong>Android sandbox reinforced with SELinux.</strong>
Android now uses SELinux in enforcing mode. SELinux is a mandatory
access control (MAC) system in the Linux kernel used to augment the
existing discretionary access control (DAC) based security model.
This provides additional protection against potential security
vulnerabilities.</li>

<li><strong>Per User VPN.</strong>
On multi-user devices, VPNs are now applied per user.
This can allow a user to route all network traffic through a VPN
without affecting other users on the device.</li>

<li><strong>ECDSA Provider support in AndroidKeyStore.</strong>
Android now has a keystore provider that allows use of ECDSA and
DSA algorithms.</li>

<li><strong>Device Monitoring Warnings.</strong>
Android provides users with a warning if any certificate has been
added to the device certificate store that could allow monitoring of
encrypted network traffic.</li>

<li><strong>FORTIFY_SOURCE.</strong>
Android now supports FORTIFY_SOURCE level 2, and all code is compiled
with these protections. FORTIFY_SOURCE has been enhanced to work with
clang.</li>

<li><strong>Certificate Pinning.</strong>
Android 4.4 detects and prevents the use of fraudulent Google
certificates used in secure SSL/TLS communications.</li>

<li><strong>Security Fixes.</strong>
Android 4.4 also includes fixes for Android-specific vulnerabilities.
Information about these vulnerabilities has been provided to Open
Handset Alliance members, and fixes are available in the Android Open
Source Project. To improve security, some devices with earlier versions of
Android may also include these fixes.</li>

</ul>

</body>
</html>