Facial unlocking
Want to unlock that phone? Smile. (Credit: Google)

There's more to Ice Cream Sandwich than just better camera controls, near-field communication support, and the redesigned interface. Google has also been working on making the latest version of Android the safest yet, and several of the features are mighty sharp for a melty brick of ice cream.

The biggest of them all is that you'll be able to fully encrypt your ICS device. This means that all your data will be on lockdown, inaccessible even to you until you enter in the passcode or personal identification number.

The benefit of this obvious: if lose your phone, you won't have to worry about remotely wiping it. The downside, of course, is that if you forget your password, you're locked out and the only way to get your phone back is to factory restore it. Expect to see renewed interest in cloud-based backup services for Android.

How apps manage authentication and secure sessions will get easier in ICS, thanks to a new keychain API that works in conjunction with the underlying encrypted storage. Any app will be able to use the keychain API to install and store user certificates and certificate authorities securely. It's a very technical change that will nevertheless allow apps to be written more safely from the get-go.

Another significant change to how the operating system manages memory is the Android introduction of address space layout randomization (ASLR). Basically, the feature protects both the system and apps from memory-related exploits, such as buffer overflows.

The lockscreen itself has received some effective enhancements, too. The first, and the most widely-talked about, is that you'll be able to unlock your phone using native facial-recognition technology. Called Face Unlock, this tech has been around for a while for other systems, such as Windows, so it's good to see it being ported to a high-profile mobile platform natively.

The most common concern with facial recognition technology is that it can be fooled by a photograph. Android developer Tim Bray says that it can't; and my own tests in 2010 with the Windows facial recognition software Blink failed to fool it then. Obviously, a Windows program and an Android feature are not the same, but given that I wasn't able to log in with a photo two years ago, it'd be a massive failure for the feature if it could happen now.

Other potential facial recognition problems include alterations to your appearance, such as facial hair or make-up, or poor lighting conditions. If the feature can't tell that you're you, it'll open the passcode box for manual unlocking.

Android 4.0 will also let you customize a lockscreen message. This isn't world-shaking, to be sure, but it will allow you to set a "please return to" message for anybody who finds your phone, potentially improving your chances of getting a lost device returned to you.

Lastly, big improvements have been made to app control. You'll be able to disable bloatware, those apps that come pre-installed on your device, and you'll have the ability to disable background data on a per-app basis.

The disable option promises to let you render an app fully inactive. It won't be able to send or receive data, it won't be able to launch, and it won't display an icon in your app tray. However, because those apps are part of the system partition, you won't be able to fully remove them. That will still require rooting your phone. Nevertheless, this is a massive improvement for people wondering what the heck a Citrix is.

Being able to disable data transfers for apps running in the background provides a stopgap measure for controlling apps without taking the harsher measure of disabling the app outright. While some apps such as JuiceDefender already give users that kind of control, it's enormously helpful to have that as a default Android feature.

These are solid improvements to Android security, although I'd like to see more in the way of exposing permissions and either simplifying them, or helping users understand them, or both. For instance, you might notice that your violent bird-throwing game has permission to send out your location. On the face of it, that sounds bad. But what if the game has a new social networking component that allows you to compete against nearby friends? Making clear how a particular permission is used by an app would be a big boon.

If there are security improvements you'd like to see made to Android, tell me in the comments below.

Update, 2:56 p.m. PST: Added new paragraph on address space layout randomization.