Question

Android 4.0 added ASLR

http://developer.android.com/sdk/android-4.0-highlights.html#DeveloperApis

Afaik, ASLR is mainly useful to avoid letting some malicious code leak/put a payload in another library when exploiting a buffer overflow vulnerability

But almost all of the code that'll run on Android will be managed, so it shouldn't be affected by memory management errors

It can probably be useful for native code. Otoh, I thought that most of the programs that make use of the NDK (like OpenGL game engines made in C) still have a layer of Java code to deal with the user input and such (and I think user-supplied files/strings would be the main vector for malicious code)

Clearly I'm missing something in my picture


Solution

Even if you can add only programs written in a managed language like Java, the existing C libraries are still vulnerable to buffer overflow.

For example, the library used to play mp3 is probably written in C, and a specially crafted mp3 file could trigger a buffer overflow and execute a shellcode. Adding ASLR (Address Space Layout Randomization) in Android will increase the difficulty of writing such an exploit by randomizing some memory addresses.
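To make the answer's point concrete, here is an added example (not code from the question, the answer, or any Android library): a toy length-prefixed "frame" decoder of the kind a native media library might contain, written once with the bug class the answer describes and once with the bounds check that removes it. The frame format, the function names and the sample inputs are all constructed for this illustration; ASLR makes the unsafe version harder to exploit, but only the checked version actually closes the hole.

```c
/* Added example, not from the original page. The frame format is invented:
 *   byte 0     : declared payload length
 *   bytes 1..n : payload
 * A crafted file can lie in byte 0; that lie is what the decoder must survive.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_BUF 32   /* fixed-size decode buffer, as in many native codecs */

/* Unsafe variant: trusts the length byte read from the file. A declared
 * length above FRAME_BUF writes past frame[] on the stack; a length above
 * the bytes actually present also reads past the input. Kept only for
 * comparison; never fed untrusted data here. */
int decode_frame_unsafe(const uint8_t *in, size_t in_len)
{
    uint8_t frame[FRAME_BUF];
    if (in_len < 1) return -1;
    size_t declared = in[0];
    memcpy(frame, in + 1, declared);        /* no check against FRAME_BUF or in_len */
    return (int)declared;
}

/* Hardened variant: the declared length is validated against both the bytes
 * really present in the input and the capacity of the destination buffer,
 * and the caller supplies the buffer so its size is explicit. */
int decode_frame_safe(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_len)
{
    if (in == NULL || out == NULL || in_len < 1) return -1;
    size_t declared = in[0];
    if (declared > in_len - 1) return -2;   /* truncated: header claims more than present */
    if (declared > out_len)    return -3;   /* would overflow the destination buffer */
    memcpy(out, in + 1, declared);
    return (int)declared;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_FRAME[] = { 4, 'a', 'b', 'c', 'd' };
/* Declares 200 payload bytes but carries only 3: a classic crafted header. */
static const uint8_t BAD_FRAME[]  = { 200, 'x', 'y', 'z' };

/* Well-formed frame: returns the payload length, 4. */
int decode_good(void)
{
    uint8_t out[FRAME_BUF];
    return decode_frame_safe(GOOD_FRAME, sizeof GOOD_FRAME, out, sizeof out);
}

/* Header lies about the input size: rejected with -2. */
int decode_bad(void)
{
    uint8_t out[FRAME_BUF];
    return decode_frame_safe(BAD_FRAME, sizeof BAD_FRAME, out, sizeof out);
}

/* Header is consistent with the input but larger than the 32-byte decode
 * buffer: rejected with -3. The unsafe decoder would overflow here. */
int decode_oversize(void)
{
    uint8_t in[41];
    uint8_t out[FRAME_BUF];
    in[0] = 40;
    memset(in + 1, 'A', 40);
    return decode_frame_safe(in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("good frame     -> %d\n", decode_good());      /* 4  */
    printf("truncated      -> %d\n", decode_bad());       /* -2 */
    printf("oversize frame -> %d\n", decode_oversize());  /* -3 */
    return 0;
}
```

The two rejection codes are worth keeping distinct: a length that exceeds the input is an out-of-bounds read, while a length that exceeds the output buffer is the stack write that a payload would ride on, and a fuzzer or crash triage wants to know which one it hit.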

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow