CopperheadOS: Another Attempt At Securing Android OS
At times when mega-corps like Google fail to address issues on their own system for a sustained period of time, start-ups on shoestring budgets come to the rescue. CopperheadOS, by a two-man team based out of Toronto, is working to clean up the Android security loopholes that have been in conversation a lot lately.
The start-up has even demonstrated results where other “secure” Android phones have failed, not only raising but also addressing the security concerns with regard to what is unarguably the most used smartphone operating system on the planet.
CopperheadOS is a hardened open source operating system based on Android OS. The OS aims to integrate Grsecurity and PaX into their distribution. It also includes numerous security enhancements, including a port of OpenBSD’s malloc implementation, compiler hardening, enhanced SELinux policies, and function pointer protection in libc.
For those who do not speak the language of the computer geeks, what this simply means is that CopperheadOS is bringing to Android more privacy-centric features like alternatives to Google apps, and separate encryption and lock screen passwords.
It is, for now, available only on a select few Nexus devices.
The first challenge was to find a handset to support the OS variant — one that offered regular security updates, which is certainly not a small ask, in the world of Android!
Most companies do not ship out monthly security updates available from the AOSP.
It was thus that they zeroed in on the Nexus devices whose software, if not hardware, Google controls directly, and which receive prompt monthly security updates.
“What we’re doing is starting with the Nexus; a pretty good starting point,” Copperhead’s Daniel Micay explains. “And we’re significantly improving the security of the operating system. We’re making a lot of under-the-hood changes and exploit mitigation to make it harder to exploit the vulnerabilities that are there”.
“Copperhead is probably the most exciting thing happening in the world of Android security today”, Chris Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, said. “But the enigma with Copperhead is why do they even exist? Why is it that a company as large as Google and with as much money as Google and with such a respected security team — why is it there’s anything left for Copperhead to do?”
The question as to why is there still a space for Copperhead or the likes of it to exist has been raised many a time. While something like that does provide users with more security, but the question of why must Google (the world’s biggest computing company in many ways) behind Android, leave such large and obvious gaps in the security of the OS is raised.
One possible reason could be performance and ease of use. While Google Android Security team has accepted many of the security patches put forward by Copperhead into their own system, but a greater lot of them will perhaps never make their way to it, simply because of the performance trade-offs that come associated with them.
With measures like that in CopperheadOS, the enhanced experience of an average Android user is cut off. What you have then, is a limited number of features, limited apps from select third-party app stores, and other performance trade-offs that might not go too well with the large scale market.
On the other hand it’s telling that Android exists at the same space in time and with the same level of technical access, as iOS. Yet, in iOS security loopholes of such magnitude just cannot be imagined. “If I had to imagine the world where there’s a Copperhead for iOS, I don’t even know what I’d change”, said Dan Guido, CEO of Trails of Bits. “The Apple team almost always picked the more secure path to go and has found a way to overcome all these performance and user experience issues”.
The difference lies in the manner in which Apple controls its ecosystem, and in the manner which Google does not do so, in any significant or telling manner.
Google abdicated the control of the end experience of the OS, to each of the brands that manufacture Android devices, thus leaving the OS open to being manipulated and tweaked, as and however the brand wanted.
While this allowed handset manufacturers to find ways to differentiate their products, it also allowed wireless carriers to disable features that they thought would threaten their business model (with no real care of user data privacy).
CopperheadOS might serve as a proverbial band-aid on to the gaping wounds of security in the Android ecosystem for now, but whether it would actually able to patch the wound back together to a considerable extent, is only a matter of speculation at the moment.
As more security loopholes are revealed, no one can really say what Copperhead might really be in for.
Originally published at Chip-Monks.