The latest version of the Android OS, version 4.1 (Jelly Bean), significantly improves the security of the platform.
"In an analysis published Monday, security researcher Jon Oberheide said Android version 4.1, aka Jelly Bean, is the first version of the Google-developed OS to properly implement a protection known as address space layout randomization," writes Ars Technica's Dan Goodin. "ASLR, as it's more often referred to, randomizes the memory locations for the library, stack, heap, and most other OS data structures. As a result, hackers who exploit memory corruption bugs that inevitably crop up in complex pieces of code are unable to know in advance where their malicious payloads will be loaded. When combined with a separate defense known as data execution prevention, ASLR can effectively neutralize such attacks."
"Google first included ASLR ... support in Android 4.0, known as Ice Cream Sandwich in Google's dessert-centric nomenclature, but that implementation was only a partial solution," writes Threatpost's Dennis Fisher. "The ASLR support in Android 4.0 only randomized certain key locations in memory and did not prevent some common return-oriented programming attacks. Several other key parts of the Android operating system memory space were not randomized."
"While Android is still playing a bit of catch-up, other mobile platforms are moving ahead with more innovative exploit mitigation techniques, such as the in-kernel ASLR present in Apple’s iOS 6," Oberheide wrote in his analysis. "One could claim that iOS is being proactive with such techniques, but in reality, they’re simply being reactive to the type of exploits that typically target the iOS platform. However, Apple does deserve credit for raising the barrier up to the point of kernel exploitation by employing effective userspace mitigations such as NX, ASLR, and mandatory code signing. Thankfully, Android is getting there, and Jelly Bean is a major step towards that goal."