The newly released Android 4.4 features a tasty new codename (KitKat), some design improvements, revamped Contacts and Hangouts apps, and, of course, several security-related changes. So, how much more secure is Android 4.4?
From a security standpoint, major improvements in 4.4 fall into one of two categories – certificate handling and OS hardening.
Improved handling of digital certificates
Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates are accepted for connections to certain Google domains.
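A simplified model of how these two checks interact, added here as an example and not taken from the article or from Android's own code: a CA added to the device is enough to intercept an ordinary domain, but not a pinned one. The keys, the domain pinned.example and all function names are constructed for illustration, and signature validation of the chain is assumed to have been done already.

```python
import hashlib

def spki_pin(public_key_bytes: bytes) -> str:
    """A pin is the SHA-256 hash of a certificate's public key."""
    return hashlib.sha256(public_key_bytes).hexdigest()

# Constructed stand-ins for DER-encoded public keys (not real keys).
PINNED_CA_KEY = b"constructed-key: CA that really issues for the pinned domain"
OTHER_CA_KEY = b"constructed-key: unrelated CA shipped in the system store"
USER_CA_KEY = b"constructed-key: CA added to the device by a user or proxy"

SYSTEM_STORE = {spki_pin(PINNED_CA_KEY), spki_pin(OTHER_CA_KEY)}
USER_STORE = {spki_pin(USER_CA_KEY)}

# Hypothetical pin list: domain suffix -> pins that must appear in the chain.
PINS = {"pinned.example": {spki_pin(PINNED_CA_KEY)}}

def pins_for(host):
    """Return the pin set covering host, or None if the host is not pinned."""
    for suffix, pins in PINS.items():
        if host == suffix or host.endswith("." + suffix):
            return pins
    return None

def check_connection(host, chain_keys):
    """chain_keys: public keys ordered leaf to root. Returns (accepted, reason)."""
    chain = [spki_pin(k) for k in chain_keys]
    root = chain[-1]
    # Step 1: ordinary trust decision, the root must be in some trust store.
    if root not in SYSTEM_STORE | USER_STORE:
        return False, "untrusted root"
    # Step 2: for pinned hosts, a trusted root alone is not sufficient.
    pins = pins_for(host)
    if pins is not None and not pins.intersection(chain):
        return False, "pin mismatch"
    # Unpinned hosts are accepted, which is why the added-CA warning matters.
    if root in USER_STORE:
        return True, "accepted via user-added CA"
    return True, "accepted"
```
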
Deep inside Android there is a Linux kernel, and Google made some changes to it to enforce permissions and thwart privilege escalation attacks, such as exploits that try to gain root access. This makes it harder for Android 4.4 users to get root access on their devices. On the bright side, it also makes it harder for malware to do the same, and gaining root access is an important step in the infection of Android devices.
In general, these enhancements do not really make a big difference and won’t decrease infection rates. The most common Android infection source remains the same: unofficial apps downloaded from third-party stores.
A chance to reduce fragmentation
One of the biggest problems in the Android ecosystem is the large number of different versions of the OS, including ancient ones that are still running on users’ mobile devices – this is known as version fragmentation. For example, more than 25% of the users are still running Android 2.3, which was released years ago. This is a major security issue.
KitKat could potentially address that because of its lowered resource usage. Android 4.4 can run on devices with just 512MB of RAM, making it possible to install 4.4 on some legacy devices.
The real problem is the fact that most non-technical users will have to rely on hardware vendors to get an Android update. Sadly, many mobile phone makers prefer to withhold updates as a method of forcing users to purchase newer devices. At the same time, this is effectively increasing malware risks across their entire user base. Only by discussing this issue openly among both users and vendors can this problem begin to be dealt with.