MobilityLeaks: Simmons Drops Mic
On 12/4/2012 9:04 PM, Ram wrote:
Doug Simmons, hopefully your Android is not one of the victims: Security Threat Report 2013
Sent from Windows Mail
Doug Simmons: Ram my man, Android is as open, and therefore as vulnerable to malware, as you choose to make it.
Among these choices: rooting your phone, enabling sideloading, unlocking your bootloader, installing custom ROMs from XDA, blithely zipping through and ignoring the warnings about what the apps you’re installing will be granted access to when installing them, not using the Verify Apps feature of Jelly Bean that checks apps you try to install — whether they came from Google Play or from some Chinese piracy site — against a database Google has been building of apps known to be malicious in some manner.
And if something gets onto Google Play that you install that turns out to be bad news, Google does have a remote kill switch they can use to force uninstalls. This happens, but it happens very infrequently because these are extremely rare and isolated events in reality.
In the other direction I can encrypt my phone (full FDE like WP8 I believe), I can have a variety of ways to keep my phone locked unless I’m the guy trying to unlock it including facial recognition, I can just use the apps that came with the phone or only install apps from vendors I trust, if I’m a business I can use Google Apps to set BES-like restrictions on my employees’ Android phones and so forth. And if I’m so inclined, which I’m not, I can install some antivirus that I’m guessing Sophos offers and other vendors that make what you’d call linkbait exaggerations were it about WP.
No, I did not get hit by whatever Sophos is vaguely warning about in this promotional video knocking Google for their own gain using a content distribution service provided by Google.
By the way Ram, can you name a piece of malware that is sitting on Google Play right now that I can install, get misled by and subsequently screwed somehow? You know, something like Skype 2.0 (at the time owned by Microsoft) which left contacts vulnerable to other apps? You can’t do it, but can you even get someone in our audience to do it? Probably not. Will you concede that?
Yes, Android should have prevented Skype’s mistake from affecting users, you could say both Skype and Android were to blame for that incident, but it was rapidly patched on both sides because of a prolific and large developer interest behind Android (and heavy embarrassment lying on Microsoft and Skype).
For example, along with the military (ours and others), the National Security Agency likes Android apparently, but they wanted to bump up its security a few notches, tweak it a bit before . Because Android is an open source operating system (possibly the reason they favored it in the first place), they were able to modify it to their satisfaction, dubbing it Security Enhanced Android, not just to use themselves but to release to the public (why not). I could build and flash it right now but I’m happy with Paranoid Android and if I want security I can just use my company Blackberry that does virtually nothing other than email and make calls with its stupid reversed shift and alt keys (whose idea was that?).
I’m not knocking Microsoft for not being open-source — in fact Microsoft Research makes major contributions to the world of open source, like, to give you a recent example, a compiler that takes programs written in a single-threaded manner and magically cranks out a multi-threaded binary so that the application can take advantage of multi-core processors without having been written for them. That’s pretty badass. I bet you didn’t even know about that, let alone run a story on it. Instead you, the guy who bought a phone that can break if I send it an evil text message, throw this Android-bashing bullshit at me, your idea of time well-spent.
[drops mic]
Malware in mobile is overblown. Most get affected the same way in mobile as they do on the desktop by doing stupid stuff like clicking on obvious troll links.
Interesting Murani. Perhaps you could explain to me why dealing with PC malware is almost a daily routine for me and cleaning up mobile malware has never touched my to do list. In fact I rely on my phone to find out about PC malware that I have to in turn deal with.
In short you or those you are around are using your PC wrong, lol.
I haven’t dealt with any malware or PC virus in at least a year. Then again I’m the guy who pretty much stays in the walled garden of the sites I trust. If I don’t trust a site I usually use my phone to visit first to see what it is all about.
C’mon Simmons you’re better than this. You should have a foolproof method of avoiding/killing any type of malware you run across. Then again you do have a compulsion to step on the wild side and let the chips fall as they may. Good luck with that.
If the sites you trust include our own, on at least two occasions we were compromised by SQL injections and spat out dirty javascript code aiming every single one of our visitors, except those with scripting disabled, at some Lithuanian server to download and execute who knows what.
If you think your computer’s clean, maybe you’re right, maybe; but just to double check why not reboot and run netstat to see how many Lithuanian sites your computer’s phoning home to.
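The netstat check Doug is taunting Murani with, turned into something repeatable. This is an added example, not code from the thread or from any of its participants: it reads netstat-style TCP output, keeps only ESTABLISHED connections, strips the port from the foreign address and drops loopback and RFC 1918 private peers, leaving the list of outside hosts the machine is actually talking to. The netstat lines embedded below are constructed sample input (documentation/test address ranges), not output captured from a real machine.

```shell
#!/bin/sh
# Added example: list the remote peers a machine is talking to, from
# netstat-style output. The sample below is constructed, not captured.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.20:49152      93.184.216.34:443       ESTABLISHED
tcp        0      0 192.168.1.20:49153      192.168.1.1:445         ESTABLISHED
tcp        0      0 127.0.0.1:6000          127.0.0.1:50010         ESTABLISHED
tcp        0      0 192.168.1.20:49154      198.51.100.7:8080       ESTABLISHED
tcp        0      0 192.168.1.20:49155      198.51.100.7:8080       TIME_WAIT
tcp        0      0 10.0.0.5:49156          203.0.113.9:80          ESTABLISHED'

# remote_peers: read netstat TCP output on stdin, print each unique remote
# IPv4 address that has an ESTABLISHED connection and is not loopback or
# RFC 1918 private space. Half-closed states (TIME_WAIT etc.) are skipped
# so you see what is talking right now, not what talked a minute ago.
remote_peers() {
  awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
         ip = $5
         sub(/:[0-9]+$/, "", ip)                     # drop the port
         if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./) next
         if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
         print ip
       }' | LC_ALL=C sort -u
}

# Live use on Linux/BSD: netstat -tn | remote_peers
# (on Windows: netstat -n, same column layout for the TCP lines)
printf '%s\n' "$SAMPLE_NETSTAT" | remote_peers
```

Each address this prints is a host you should be able to name; the ones you can't (reverse DNS, whois, or a blocklist lookup are the next step) are the candidates for "phoning home". Run it right after a reboot, as the post suggests, so the list isn't cluttered with browser tabs you opened yourself.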
So, when it comes to Android (Linux), it is simply the users’ fault and they are morons, but if it is the Windows ecosystem, then it is Microsoft’s fault. Typical Linux dev mentality.
What?
Pull up an Android XDA overclocked kernel thread and right up front, usually in large red text, you’ll see a warning that overclocking or undervolting, or messing with the color levels of your screen, could destroy your phone, especially at the super duper hot level, do so at your own risk or don’t do it.
Try to disable sideloading and get an explanation regarding what dangers you’re about to expose yourself to.
Try unlocking your bootloader, you get hit with a well-written warning first.
Want to install some volume boosting tweak? I guarantee you it will warn you you may go deaf or break your headphones.
Pull up an application on the Play market like Tango, the video conferencing thing available on WP as well, and you’ll be crisply warned that, if you proceed to press the install button, you’re giving the Tango people the ability, if they wanted, to monitor or delete your text messages, to disable your lockscreen and password, to take pictures at any time without your confirmation, to monitor your use of the calling function of the phone, to reroute and prevent outgoing calls you make, to manipulate your system wifi settings, to modify your contacts, to read and share your call log without telling you, to modify your call log, to have full access not only to your contacts but stats on how frequently you’ve communicated with each one and in which ways to do with that information whatever it pleases without notifying you. Do you have a problem with that? Yes? Then move along.
Really want Tango anyway — as long as it doesn’t access your SMS? Fire up CyanogenMod and use its permission spoofing/blocking feature. If you’re comfortable with that degree of access Tango has over your phone, and then one day the developers release an update that gives the Tango people access to your web history, you can safely expect to be warned about it in advance.
Are you a trusting person and figure the Tango people are both competent and would only take advantage of these permissions for good and/or not inclined to read what I just typed out? Okay, grab your app, but it’s on you if everyone on your address book winds up on spam lists and your phone history includes a bunch of phone sex numbers because you were warned and you gave Tango permission to do that.
I imagine Windows Phone does something along those lines when you try to install Tango, warning you like that, and that most of the apps run sandboxed nicely in C#, Android in Java. From a developer’s standpoint, isn’t whether developing a program for the platform involves knowing this language or that language more relevant than on which kernel it’s based?
But do you want to install a different keyboard that you can let run through your Gmail account to figure out what words you are most likely to type after other words to improve its predictive functions? Okay, but you have to accept the warning, on top of exercising some common sense, that you’re giving Swiftkey access to your email.
So if the Swiftkey and Tango people don’t keep their own servers secure and hackers manage to get all of your information and dump it on pastebin, how is it Google’s or Android’s fault?
Let me try to break this down for you with a car analogy.
Don’t you want a button somewhere in your car to disable your anti-lock braking system? You don’t have to press it, it can be tucked away so that you don’t accidentally flip it and so that it doesn’t clutter up your dashboard, but do you want to have that option or would you prefer it be taken away from you? But why would you want to disable anti-lock braking, cars with anti-lock are 37% less likely to be in a fatal accident and you’re probably not more skilled than your anti-lock braking system. But maybe you are. Maybe you’ve got a job that entails doing 180s. Maybe you just like skidding once in a while. Or maybe you drive, or one day might drive, in deep snow, sand or gravel sometimes, and when you do, you’d like the ability to disable this system so that when needing to stop short on this terrain you may lock your tires so that they dig in and stop you in a shorter distance than you would with anti-lock enabled. Or maybe you want an app for your car that has a more finely-tuned anti-lock system that can detect when you’re on that terrain and disable itself accordingly — but wait, the developer of that app released it only on the Amazon Android market. Well hey bro, that’s okay, just disable sideloading and whip up an Amazon account.
Make sense or did I lose you there?
I agree with you on everything you wrote, but you didn’t answer my question though.
My question: when it comes to Android or Linux or OS X or whatever OS it is, it is the users’ fault because the users didn’t read the warning or were sucked in by the app. But when it comes to the Microsoft ecosystem like Windows, it is Microsoft’s fault, not the users’. Isn’t that what the OSS pundits and gurus say, that it is Microsoft’s fault?
“An ongoing jihad here is critical.” Guess who wrote that in 2001 in reference to Linux and FOSS. So there’s some history here.
But when you say OSS and open source gurus I take it you mean people who admire Google’s uniquely strong embracing of general transparency and user choice, right? Not the likes of this guy? And your problem is why does Google get a pass in ugly situations where Microsoft wouldn’t? So maybe this isn’t specific to the technology but the companies sort of personified and given a double standard and that irks you and you’re asking me why?
Or are you just baiting me to bash Microsoft, a company that pays me dividends and employs a friend of mine on a generously-packaged maternity leave? Okay:
Google’s made its share of mistakes, both technological and strategic, but when they do they tend to be forthright about it and fix the problem swiftly rather than waiting for their own Patch Tuesday to come clean. Google’s making robot cars, Google’s cooling their data centers with some underground water thing, Google does Google Doodles now and then, Google makes money by making people more likely to make money at lower entry barriers (IE they are good at brokering well-targeted advertising).
Microsoft does not have that reputation. For some reason you people think they’re hip, which makes you unique.
Among the things Microsoft is known for is patent abuse, vendor lock-in, the Windows tax, the elusive Windows refund, Vista, playing follow the leader, predatory legal practices against Linux, bullying Apple (actually getting Steve Jobs to praise IE6), predatory litigation against anyone friendly with Google, predatory litigation against some freelancing guy slash domain purchaser named Mike Rowe, making more money from Android than from their own competing product, being a monopoly too much, ripping off Google Search, making partnerships with the Chinese government to advance their censorship capabilities when Google was taking a stand against censorship, rampant government-directed corporate and human rights groups espionage, meanwhile Microsoft continues, and I almost can’t believe this, to hand over Windows source code to the Chinese and to the Russians, feeling compelled to call everything Windows even though it’s time to move on, being too late to every party and then trying to “embrace, extend and extinguish” the competition and failing at an accelerating rate, too many flops, a tech stock whose value has been flat for ten years and counting, southern trends in PCs and Windows sales, …
Here’s a potentially good resource to check the pulse on how people feel about Microsoft.
They still haven’t even managed to leapfrog the Blackberry and even you’d admit that’s pretty damn sad.
Maybe that stuff has something to do with this disproportionate ballbreaking you perceive.
Man, giving Windows source code to the Chinese and Russians. Well hey, I guess that’s just Microsoft’s answer to FOSS.
Doug, very good thread. Thanks for the links and thought-provoking dialogue. I am going back to read totally into it and get back to you. I think we both agree there are defects on both sides of the world, OSS/transparency and Closed Source/walled garden. I will get back to you once I totally read the links you have provided.
Just to add to the Microsoft security issues:
I make a very good living because Microsoft software is horribly unsecured by default, and even when properly locked down per DoD, NSA, Cyber etc standards, it’s still incredibly vulnerable to attacks via 1st and 3rd party software issues.
Android can be locked down very nicely, but requires a closed ecosystem in order to maintain that security.
Which brings me to nod towards a model that people have mocked for years.. the Apple iOS (and now OS X) AppStore. All apps are approved and monitored by Apple. Some slip through from time to time, but they are almost immediately removed when issues are found. Does this limit some of the potential functionality? Sure, but only when the devs have written potentially unstable code using custom APIs or hardware calls which are not supported by Apple’s dev agreements. Lots of people (who own iOS devices) like this model because most software can be trusted, and most of it runs without any issues. And guess who now likes this model as well?
Microsoft.
They just haven’t gotten the dev backing on their marketplace yet (not to mention a piss-poor showing of hardware to date).
What are you talking about, iChris? Security in Microsoft products has totally improved while the competition started sucking there.
Did you miss the bit where the Microsoft approach to a closed ecosystem has already completely invalidated their in app purchase system? And that it was outed by a Nokia engineer?
Their security sucks. It’s how I make a living, and I have a damn good life.
Chris, you are very wrong. Even the STIG for the iPad which broke functionality is deemed not good enough by most DoD agencies.
Doug, you are also living in a dream world. Google is not hip and looking increasingly evil. People recognize the brand from everyday searches, that’s not the same as cool. If mfg’s paid for android, how many phones would it be on?
Rob, when did I mention anything about the iPad/iOS STIG?
Chris, you mentioned that even when Windows is secured via the US gov standards it’s still vulnerable… and hinted that iOS is secure by default because of its app store model. Just not true.
No. I sure didn’t. Not even a little.
But at least one part of that is true. Windows locked down to DISA STIG standards is still vulnerable. A system locked down 100% to DISA standards simply won’t operate properly. IAO/DAA will assume responsibility and awareness of issues that are not able to be fixed due to operations requirements.
What I said about apple was to demonstrate that the approach they have been taking for years is now being emulated by Microsoft. Never said (or hinted at) that the STIGs on iOS were better. They’re a hell of a lot more restrictive than the stock iOS, but Good server can only do so much and each device is individually controlled vs an approach like GPO in the Microsoft camp. And that’s assuming you’re not in a BYOD environment. Of course, in a DoD environment, they’re locked down very well. No third party apps, IP access list is well defined, etc. I’ve seen it. I give it a year before there’s an even better solution for iOS devices.