The upcoming version of Google's Android operating system offers several enhancements designed to strengthen handset security, particularly in businesses and other large organizations. Ars will be giving the just-unveiled version 4.3 a thorough review in the coming days. In the meantime, here's a quick rundown of the security improvements.

The most significant change is the addition of a security extension known as SELinux—short for Security-Enhanced Linux—to reinforce Android's current hack-mitigation model. Since Android's debut, apps have run inside a "sandbox" that restricts the data they can access and isolates code they can execute from other apps and the operating system as a whole. Built on a traditional Unix scheme known as discretionary access control, Android sandboxing prevents the pilfering of sensitive passwords by a rogue app a user has been tricked into installing or by a legitimate app that has been commandeered by a hacker.

Originally developed by programmers from the National Security Agency, SELinux enforces a much finer-grained series of mandatory access control policies. Among other things, SELinux allows varying levels of trust to each app and dictates what kind of data an app can access inside its confined domain.

"SELinux will help cut off some of the attack surface of a modern Android device," Jon Oberheide, CTO of Duo Security and an expert in smartphone security, told Ars. He went on to say much will depend on the specific implementation of SELinux in Android and the policies it defines. On desktop computers and servers, the extensions sometimes fail to prevent hacks that exploit flaws in the operating-system kernel itself. That may be less of an issue with Android, because it has been considerably trimmed down from its Linux origins.

"A good number of privilege escalations on Android have targeted non-kernel privileged attack surfaces, which SELinux theoretically could do a decent job of mitigating," Oberheide explained.

Keys to the kingdom

The other big security enhancement introduced in Android 4.3 is a more robust way to store cryptographic credentials used to access sensitive information and resources. This means changes to the Android KeyChain, which stores digital certificates used to access Wi-Fi networks and virtual private networks used by large corporations and government agencies. Security professionals have long warned that storing such sensitive keys on smartphones is risky, given the ease of losing handsets, or worse, having them stolen. Attackers who are able to root the device may then be able to retrieve the credentials and use them to gain unauthorized access to highly sensitive networks.

"With the keychain enhancements, the system-wide keys are bound to a hardware-based root of trust process on devices that support this," said Pau Oliva Fora, senior mobile security engineer at viaForensics. "The phone needs to have a secure element, such as a Trusted Platform Module, so that private keys can't be stolen, even if the phone is rooted and the attacker has full access to the operating system." Phones that don't have this hardware capability will fall back to software protections for securing credentials.

Enhancements to the Android Keystore, a similar resource that also stores credentials, allow apps to create keys that can be accessed and used exclusively by a single application. Under version 4.3, "apps can create or store private keys that cannot be seen or used by other apps and can be added to the keystore without any user interaction," a brief description provided by Google explained.
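As an added illustration, not code from Google or from this article, here is how an app on the 4.3-era API (level 18) generates an app-private RSA key inside the Android Keystore, signs with it without the key material ever entering app memory, and asks whether the device binds such keys to hardware as described in the previous paragraph. The key alias and the one-year validity window are assumptions.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Signature;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

public final class AppPrivateKeyDemo {
    // Hypothetical alias; it is visible only to the app that created it.
    private static final String ALIAS = "demo_signing_key";

    /** Create an RSA key pair inside the AndroidKeyStore (API 18+) if none exists yet. */
    public static void createKeyIfMissing(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return;
        Date start = new Date();
        Date end = new Date(start.getTime() + 365L * 24 * 60 * 60 * 1000);  // assumed 1-year validity
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(start)
                .setEndDate(end)
                .build();
        // No user interaction is required: the keystore generates and keeps the private key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }

    /** Sign data with the keystore-resident key; only a handle to the key is handed to the app. */
    public static byte[] sign(byte[] data) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(entry.getPrivateKey());
        sig.update(data);
        return sig.sign();
    }

    /** True when this device binds RSA keys to hardware; false means the software fallback is in use. */
    public static boolean isHardwareBacked() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }
}
```

On a device without a secure element, isHardwareBacked() returns false and the key is protected only by the software keystore, which is the fallback the paragraph above describes.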

A third enhancement is Android's ability to create secondary user profiles that implement fine-grained restrictions. "Each restricted profile offers an isolated and secure space with its own local storage, home screens, widgets, and settings," the Google description said. "Unlike with users, profiles are created from the tablet owner's environment, based on the owner's installed apps and system accounts. The owner controls which installed apps are enabled in the new profile, and access to the owner's accounts is disabled by default."

Another security improvement is the ability of apps to configure Wi-Fi credentials for WPA2-Enterprise access points and the Extensible Authentication Protocol (EAP), both of which are used to make Wi-Fi networks more secure. Android will also reduce attack surfaces by changing the system partition so handset security can't be compromised by weaknesses in so-called setuid programs.

It will take time for outside security researchers to test these enhancements to make sure they work as intended. Until then, it's hard to know just how much additional protection they provide. Still, it's good to see Google developers working to improve the overall security of Android.

Article updated to remove reference to NSA in the headline