Android 4.1 Jelly Bean includes proper address randomisation
With the release of Android 4.1 "Jelly Bean", Google has provided its open source mobile operating system with fully-featured address space layout randomisation (ASLR) support. Its predecessor – Android 4.0 (Ice Cream Sandwich) – contained some ASLR features, but a few important areas, such as app code and the linker, still had fixed addresses. Apple introduced ASLR for the iPhone, iPod Touch and iPad over a year ago in version 4.3 of iOS.
ASLR is considered to be a key technique for making it harder for attackers to exploit security vulnerabilities. By using random addresses for program code, the stack, the heap and libraries, it prevents exploit coders from being able to jump to known memory locations in order to execute specific code fragments – return-oriented programming (ROP) becomes impossible. The result is that a fully functional exploit often has to make skilful use of multiple security vulnerabilities.
Security specialist Jon Oberheide from Duo Security has analysed the new Jelly Bean security features and is predicting that attackers will now target vulnerabilities in 32-bit ASLR, where there is simply not enough address space for proper randomisation. Further details on Android's security functions can be found in "Worth Reading: Android security overview" from The H Security.
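To put numbers on the 32-bit weakness Oberheide describes, the following added example (not code from the article, Google or Duo Security) computes how much randomisation a page-aligned mapping can have and how many fixed-address guesses are needed before one succeeds with a given confidence. The 8-bit and 28-bit entropy figures are assumptions modelled on Linux x86 mmap randomisation defaults for 32-bit and 64-bit processes; the 3 GiB user range is likewise an assumption.

```python
# Quantifying ASLR strength: how many page-aligned base addresses can a
# mapping take, and how many guesses does a fixed-address attack need?
# Entropy figures below are assumed (Linux x86 defaults), not from the article.
from math import ceil, log, log1p, log2

PAGE_SHIFT = 12  # 4 KiB pages: the low 12 bits of a base address are never random


def entropy_bits(range_bytes: int, page_shift: int = PAGE_SHIFT) -> float:
    """Upper bound on randomisation bits if a page-aligned base may land
    anywhere within `range_bytes` (e.g. a 3 GiB 32-bit user address space)."""
    return log2(range_bytes >> page_shift)


def guess_success_probability(bits: int, attempts: int) -> float:
    """Chance that `attempts` independent guesses hit the one correct base
    among 2**bits equally likely candidates (each run re-randomised)."""
    candidates = 2 ** bits
    return 1.0 - (1.0 - 1.0 / candidates) ** attempts


def attempts_for_confidence(bits: int, confidence: float) -> int:
    """Smallest number of guesses giving at least `confidence` success chance,
    via the closed form n = ceil(ln(1-c) / ln(1-1/N)); log1p keeps precision
    when N is large."""
    candidates = 2 ** bits
    return ceil(log(1.0 - confidence) / log1p(-1.0 / candidates))


def compare(bits_32: int = 8, bits_64: int = 28, confidence: float = 0.5) -> dict:
    """Side-by-side view of the assumed 32-bit vs 64-bit randomisation."""
    return {
        "32-bit": attempts_for_confidence(bits_32, confidence),
        "64-bit": attempts_for_confidence(bits_64, confidence),
    }


if __name__ == "__main__":
    # 1 MiB of possible bases at 4 KiB alignment is only 256 choices (8 bits).
    print("bits from a 1 MiB window:", entropy_bits(1 << 20))
    print("theoretical max bits, 3 GiB user space:", round(entropy_bits(3 << 30), 1))
    for arch, n in compare().items():
        print(f"{arch}: ~{n} guesses for a 50% chance")
```

The 32-bit figure (a few hundred tries) is the reason a single crash-and-retry bug can defeat weak ASLR, while the 64-bit figure (hundreds of millions) makes the same approach impractical.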