android-security1

Android may be the most popular mobile OS, but security is a major cause for concern on Google ‘s ecosystem, with fragmentation being one of the main reasons for this flaw.

Trend Micro recently put the security of the four major mobile platforms – iOS 5, Android 2.3, Windows Phone 7.5, and BlackBerry 7 – through the paces, running tests on built-in security, authentication, data protection, device protection, application security, and various other security-related attributes. BlackBerry topped the charts with an average score of 2.89, while the rest of the platforms fell behind by a significant margin. iOS clocked in at 1.7, Windows Phone came in just behind at 1.61, and Android brought up the rear with a 1.37 rating.

Granted, an older version of Android was tested, but with fragmentation rampant and an estimated 63.2-percent of Android users still using Gingerbread, it made the most sense as the test version. On the positive side, Trend Micro did note that on Ice Cream Sandwich, “full device encryption for data protection and Address Space Layout Randomization (ASLR) for buffer overflow protection” were implemented to improve security – it’s just too bad that less than three percent of Android devices are running ICS.

Updates are issued through individual manufacturers or carriers, which leaves the Android platform with no means of offering OS updates to all devices. This fragmentation can leave security holes and exploits unaddressed for months at a time, if not longer, which is why cyber criminals appear to favor Google’s Android as their targeted mobile platform of choice. Also, these cyber criminals can trick users into thinking a particular app on the marketplace is coming from a reliable, trusted source by using clever means of leveraging and promotion. While Google has taken some steps to curb the introduction of malicious apps, many still manage to regularly find their way onto the marketplace. It is estimated that well over 100,000 malicious apps will be on the marketplace by year’s end if steps are not taken to address these security issues.

Despite its impressive market performance, Android security and manageability are the lowest in the segment. The Google Android operating system is at its fourth commercial iteration and has recently seen some important security additions, such as device encryption support, however good Mobile Device Management APIs and a reliable control of the overall operating system versioning and application ecosystem are still conspicuous by their absence. The system is widely exposed to malware and data loss, and the platform fragmentation resulting from the rich OEM ecosystem has proved quite challenging for enterprise adoption. IT managers should definitely consider adding Android to their set of flexible policies but should probably limit its use to the least sensitive mobile roles.

Unfortunately, the end user often fails to closely inspect the permissions request dialogue in their haste to use the app and, for the average end user, it is unclear when permissions are given and what the application is actually capable of. Once the application is installed, the OS doesn’t recheck with the user and goes on to use the permissions without prompting the user again.

To compound things for Google, Trend Micro wasn’t the only company to recently run tests on Android’s security with negative results. Paul Brodeur of Leviathan Security took a unique approach and created a special Android app that looked to test what sort of data he could extract from a device even without any app permissions. Brodeur tested his app on both Ice Cream Sandwich and Gingerbread with alarming results, and they certainly don’t do the Android platform any favors.

Using his “No Permissions” app, Brodeur was able to read all non-hidden files on the SD card, which apps are installed on the device and whether you can pull sensitive data from their directories, and grab identifiable information about the device.

What can be done with the data once it’s collected? Without the INTERNET permission, how can it be sent anywhere? While it’s true that most network access is restricted, there is one network call that can be made without any permissions: the URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls.

If you have Android and you’ve ever installed an app, you’ve undoubtedly seen the app permissions that you have to accept before installing the app on your device. While this puts users in charge of their own security, most users seem to blindly accept app installation terms without thinking of the security ramifications. Some app permissions are understandable, but then there are those apps that ask for device permissions it has no business using. Can someone explain to me why an app called Application Folder, used to create folders to group apps, needs to directly call phone numbers or needs access to the personal information on my tablet?

Sometimes all it takes is a little common sense and careful reading to secure your device, but that’s not always the case with Android.

NO COMMENTS