Google this week shared details on how it is fighting memory bugs in Android 11, as well as on other security improvements that the upcoming platform version will deliver.
Android 11, the 18th version of the mobile operating system, is set to arrive in the third quarter of the year, but has been available for developers since the beginning of 2020.
One of the main improvements in the new operating system iteration is related to initialization of memory, which is expected to eliminate an entire class of issues that occur in C/C++: uninitialized memory bugs.
Such flaws usually appear when memory is used without first being initialized to a known safe value. The variable then holds whatever value was previously stored at that location, and attackers could predict and even control that value, Google explains.
This could result in information disclosure, including the bypass of ASLR (Address Space Layout Randomization), or control flow hijacks using stack or heap spray.
“When uninitialized memory results in a bug, it is often challenging to identify the source of the error, particularly if it is rarely triggered. Eliminating an entire class of such bugs is a lot more effective than hunting them down individually,” Google says.
The alternative to hunting such bugs down individually is automatic stack variable initialization, which initializes local variables with either zeros or a pattern: the former is safer for strings, pointers, indexes, and sizes, while the latter is generally safer for return values.
With automatic stack and heap initialization merged in the upstream Linux kernel, Android will benefit from these features as well, so that attackers can no longer control the contents of uninitialized local variables and heap memory.
Despite performance overhead, both stability and security are improved, Google says.
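The zero-versus-pattern trade-off described above can be seen in a small C model, added here as an illustration and not taken from Google's or Android's code. The `frame` struct, the function names, the stale values and the 0xAA pattern byte are all assumptions made for the example; the stack slot is modelled as an explicit struct so the stale contents are deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum init_mode { INIT_NONE, INIT_ZERO, INIT_PATTERN };

/* Stand-in for a function's stack slots, modelled as a struct so the stale
 * contents are set up explicitly instead of relying on undefined behaviour. */
struct frame {
    int32_t  status;  /* value the function returns; 0 means success */
    uint32_t len;     /* number of bytes it will copy to the caller */
};

/* What compiler-inserted initialization does on function entry.
 * The 0xAA pattern byte is an assumption made for this example. */
static void enter_frame(struct frame *f, enum init_mode mode)
{
    if (mode == INIT_ZERO)
        memset(f, 0x00, sizeof *f);
    else if (mode == INIT_PATTERN)
        memset(f, 0xAA, sizeof *f);
    /* INIT_NONE: the slots keep whatever the previous call left behind */
}

/* Buggy handler: the error path forgets to assign status and len. */
static struct frame handle_request(struct frame slot, enum init_mode mode, int ok)
{
    enter_frame(&slot, mode);
    if (ok) {
        slot.status = 0;
        slot.len = 16;
    }
    return slot;  /* BUG: on the invalid path both locals are used as-is */
}

/* Error path over a slot that a previous call left as {0, 4096}. */
struct frame run_error_path(enum init_mode mode)
{
    struct frame stale = { .status = 0, .len = 4096 };  /* constructed values */
    return handle_request(stale, mode, 0);
}

int main(void)
{
    for (int m = INIT_NONE; m <= INIT_PATTERN; m++) {
        struct frame r = run_error_path((enum init_mode)m);
        printf("mode=%d status=%d len=%u\n", m, (int)r.status, (unsigned)r.len);
    }
    return 0;
}
```

Without initialization the failed request reports success with the stale length of 4096. Zero fill makes the length 0 but still reports success, while pattern fill yields a non-zero (failing) status but a very large length, which is why zeros suit sizes and a pattern suits return values.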
With the release of Android 11, Google is making Scudo the default native allocator for Android.
Although it doesn’t fully prevent exploitation, Scudo can help identify and mitigate heap memory corruption bugs such as double free, arbitrary free, heap-based buffer overflow, and use-after-free.
“It also proactively organizes the heap in a way that makes exploitation of memory corruption more difficult, by reducing the predictability of the allocation patterns, and separating allocations by sizes,” the tech giant says.
The upcoming Android iteration also includes the in-production heap memory safety bug detection tool GWP-ASan, which is integrated in Scudo, and support for kernel HWASAN (also referred to as Software Tag-Based KASAN (KernelAddressSANitizer)).
Additionally, Google has expanded compiler mitigations and the use of CFI (Control Flow Integrity) to mitigate exploits and harden the NFC stack.
