How KitKat Update Doesn't Fix Android's Fatal Flaw

Android 4.4 KitKat brings not only a new look and feel to Google's mobile operating system, but adds drastic security enhancements.

Will those improvements finally make Android a match for Apple iOS, which has had an unbroken six-year streak of being malware-free?

Experts fear it won't. None of the security features added in KitKat address Android's central flaw, which is also one of its top selling points — the fact that it allows users to install apps from any source.

MORE: 7 Best Smartphones on the Market Right Now

Here's an overview of the security features added in KitKat, some of which won't be immediately apparent to users.

— The Security-Enhanced Linux module, introduced in Android 4.3 Jelly Bean, runs in "enforcing" rather than merely "passive" mode, acting as an OS policeman and making sure apps and users don't do anything they're not supposed to.

— Support for next-generation elliptic-curve cryptography, preparing Android for the possible "cryptopocalypse" as older forms of cryptography fail.

— User alerts if a new digital-certificate authority is added to a device's list of trusted authorities. Flagging such additions makes it more difficult for attackers — and corporate and hotel Wi-Fi networks — to impersonate well-known online services via "man in the middle" attacks.

— File-system security checks to prevent unauthorized modifications and rootkit intrusions, which will also hinder Android hobbyists' attempt to "root" systems.

Despite those security enhancements, however, corporate security professionals still don't really trust Android. Nor, for that matter, do they trust Apple's iOS, said Roger Kay, principal analyst at Massachusetts-based Endpoint Technologies Associates.

But when it comes to Google's non-corporate customers, the fact that Android devices now offer top-flight internal security is a good selling point.

"There are a lot of people out there who do their own personal security calculations," Kay said. "Reassuring them that their devices now have commercial-grade security is well suited for them. They then can say, 'OK, I can do my banking via my mobile device and not worry too much.' They won't feel too threatened by what might happen."

Why sideloading apps is a permanent threat

Yet these new security enhancements don't really deal with the main security flaw in the Android operating system: the practice of sideloading, or installing apps from sources other than the official Google Play app store.

(Android users who want to avoid non-Google Play apps should go into Settings à Security and make sure "Unknown sources" is left unchecked.)

"So as long as sideloading is there, I don't know what else [users] can do," said Rob Enderle, principal analyst for the San Jose, Calif.-based market-research firm Enderle Group.

"But Google has included a security feature to better assure [users] that something hasn't gone in and changed the operating system to a degree that the change can't be detected," he added. "That's been a problem with Android, but Google has made it much more difficult to go in and apply a rootkit," a piece of malware that gets full control of an operating system.

MORE: Mobile Security Guide: Everything You Need to Know

Still, that doesn't change the major problem with Android security.

"Both Microsoft and Apple have fully curated, locked-in [mobile] app stores, so the apps are curated going in, and it's relatively hard to get malware on those devices," Enderle said.

"Android allows sideloading, so it's comparatively easy to get malware on the device," he added. "So while it's now harder to put rootkits on the device, tricking somebody into loading an application that actually tracks the individual's activities is still not very difficult at all."

Why walled-off Android just wouldn't be Android

Until Google can limit the Android user's choice of app sources and by default lock the device down, Enderle said, the operating system will be relatively exposed to malware.

But taking away the user's ability to freely choose apps would negate one of Android's top selling points over the more cloistered Apple iOS app universe.

"To lock down sideloading is relatively hard without locking down the app store altogether," he said. "That kind of destroys Android, so what you have to do is remove permissions to install apps. But what is the user going to do with the device if he can't install applications?"

Follow us @tomsguide, on Facebook and on Google+.

TOPICS

Linda Rosencrance is a freelance writer with more than a dozen years' experience covering IT. Her work has appeared on many sites, including Computerworld, TechNewsDaily, Tom's Guide, and more. She has also worked as an investigative journalist, and has written and published five true-crime books. She lives and works in Boston.