Weekly Edition
Return to the Security page
| |||||||||||||
Android application securityRecent reports of a misbehaving Android application have rekindled concerns about the security of Android-based mobile phones. Because applications can be made available in the Android Market by anyone, without any review, it would seem to be an excellent target for malware purveyors. The Android security model is meant to sandbox applications, but some applications need more capabilities—to get them, they ask the user. While it appears that the application in question, MemoryUp, was actually innocent of what is was accused of doing, the incident highlights potential problems with Android security. Unlike the iPhone App Store, Android applications are not vetted before being placed into the Android Market. In addition, for now, Android applications must be distributed for free, though that is set to change sometime later this year. Given the problems with Apple's inconsistent and anti-competitive decisions on iPhone applications, Google's openness has some benefits. But it also has some pitfalls. Applications are required to be signed with a developer's private key, which should provide some measure of accountability. Given that it only takes a Google account and $25 to get into the developers program, it may not be very difficult for a malicious developer to get an "anonymous" (or largely untraceable) key. But there is a larger issue as well. The security model leaves it up to users to, essentially, guess whether they should allow an application to have additional privileges. As David "Lefty" Schlesinger points out in his blog, the security model in many ways faults the user: "I've commented in a variety of places about the problems with Android's security model, and how it essentially made any security problem the users' fault by asking them to approve what the application says it wants to do--in broad terms--on installation, without any policy component behind it at all." While it appears that MemoryUp neither asked for, nor received, any extra privileges, it is something that actual malware—or, worse in some ways, applications that live in the gray area between malware and benign-ware—developers will not hesitate to exploit. If an application needs network access to do its job, it will presumably be granted that access by the user at install time. But, there is nothing stopping that application from using that access in ways the user might never approve. Combining network access with access to personal data, leaves the user wide open to sharing that data in ways they might not expect—or approve of. In some ways, that is no different than Android's automatic syncing of contact information to Gmail, which ensures that Google has access to that info. Undoubtedly Google's privacy policy prohibits them doing anything overt with that information, but it is, or should be, worrisome. Mobile phones are rather sophisticated computing devices these days, with multiple connectivity choices, and lots more storage than even desktop machines had just a few years ago. Along with that sophistication goes the security risk. We have yet to train users to make sensible security decisions on their desktop machines—though it seems like it might be getting slowly better—do we truly expect them to make good decisions when "HotPhoneApp" asks for more access than it truly deserves? For Linux desktops and servers, distributors generally play the role of application examiners. In many ways, they are the first line of defense against malware. It is understandable why Google might not want to play that role, but users should keep it in mind when installing Android applications. (Log in to post comments)
Like browser extensions? Posted Feb 5, 2009 11:21 UTC (Thu) by NAR (subscriber, #1313) [Link]
I think this situation is somewhat similar to e.g. Firefox extensions. They can also do bad things to the user and I'm not sure if there's an actual review by Mozilla. However, the users can comment on the extensions and that's a useful feedback.
Like browser extensions? Posted Feb 9, 2009 18:07 UTC (Mon) by bronson (subscriber, #4806) [Link]
But have you seen the comments on Android Market applications? It's worse than Youtube!
Google's going to have to add a comment rating system if they want comments to be anything more than random noise.
Android application security => UAC? Posted Feb 5, 2009 17:25 UTC (Thu) by pflugstad (subscriber, #224) [Link] heh - asking the user to approve security dialogs... sounds like Windows User Access Control's to me :-)
Android application security Posted Feb 7, 2009 2:30 UTC (Sat) by jwb (guest, #15467) [Link]
Maybe Android's security is broken, and maybe not, but the premise of this article is FUD. The ability to install software from any place without "vetting" by incompetent middlemen like Apple is a feature, not a bug. Software for the BlackBerry is not vetted by anybody, and it can be installed from any web page, email message, or storage card. The BlackBerry store is optional, not a bottleneck. And yet no such security problems plague the BlackBerry platform, which is vastly more widespread than Android is.
So please, keep the blame on the technical side. Turning over control of your program to middlemen is not a security enhancement.
Android application security Posted Feb 7, 2009 3:48 UTC (Sat) by jake (editor, #205) [Link]
> Maybe Android's security is broken, and maybe not, but the premise of this article is FUD.
While you may disagree with the article, and you make some reasonable points, it is hardly 'FUD'. Calling everything we disagree with 'FUD' only serves to dilute that term.
One of my points, which may well have been inadequately stated, was that there is no one serving the role that Linux distributions traditionally play for Android. There is a distinct danger to Android users who download applications and install them without thought. Given what you say, I am shocked, actually, that there haven't been security problems for Blackberry. Surely you don't think there are no malicious entities out there who would like to get malware installed on Androids, Blackberrys, or iPhones.
But I don't see any 'Fear, Uncertainty, and Doubt' being promulgated here.
jake
Android application security Posted Feb 7, 2009 6:03 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]
I don't doubt that there is malware available for the blackberry.
but it's enough for malware to just be available for there to be a significant security problem, there needs to be a way for that malware to be run.
on windows systems this happens through network holes or application flaws when seeing specific content.
on the blackberry (and the Android) this requires that the user actually install the malware.
that doesn't mean that bad things don't happen, but it does mean that the scale of them happening is low enough that it doesn't generate any attention.
Android application security Posted Feb 7, 2009 17:08 UTC (Sat) by jake (editor, #205) [Link]
> on windows systems this happens through network holes or application flaws when seeing specific content.
that's certainly one vector, but people installing malware on windows (and elsewhere) is pretty common. spyware, adware, etc. come with the latest codec that has to be installed to see the cool video of the day, etc.
less than clueful users (and even some clueful ones) voluntarily install dubious stuff on their computers all the time, why do we expect mobile phones to be any different?
jake
Android application security Posted Feb 8, 2009 8:54 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link]
mobile phones are not receiving spam targeted at them or seeing the same barage of advertisements that a desktop user sees.
the spam thing may change (especially if there is a way to identify vunerable users), but the number of portable users is much less than the number if normal computer users, and the connectivity of the portable users is significantly less (although it may be on full-time). as a result taking over thse system is less attractive to the bad guys.
the smaller screen means that a 'typical web page' with a paragraph of info surrounded by advertisements is unreadable, so users don't go there, or if they do, would have to go to extra effort to see the advertisements.
so, for all these reasons, I just don't see the mobile malware problem ever getting as bad as the windows malware problem currently is.
Android application security Posted Feb 9, 2009 18:13 UTC (Mon) by bronson (subscriber, #4806) [Link]
> for all these reasons, I just don't see the mobile malware problem ever getting as bad as the windows malware problem currently is.
You don't see mobile malware bringing entire power distribution grids to their knees? Or infecting 1 in 3 handsets? Or spawning a $500 million / year industry devoted to broken-by-design antivirus snake oil?
Well, that's a relief! Guess we don't need to worry about it then.
Android application security Posted Feb 11, 2009 10:40 UTC (Wed) by job (guest, #670) [Link]
Smartphones and PDAs aren't new. Symbian and Palm has orders of magnitude more user installable software than iPhone and Android. I fail to see the 1-in-3-handsets malware you speak of.
Android application security Posted Feb 7, 2009 19:41 UTC (Sat) by jwb (guest, #15467) [Link] You say:Unlike the iPhone App Store, Android applications are not vetted before being placed into the Android Market. I think that's FUD. You hold up Apple as a positive example, and then you portray Android in a bad light because they don't follow the Apple example. But the fact is that the iPhone is the least secure mobile platform by a huge margin. Any iPhone application can do whatever the hell it wants, and "jailbreaking" is just a fancy word for exploitation of the platform's numerous gaping security holes. Their attempt to socially enforce security rules by bottlenecking application distribution is just a whitewash over their horrible security record. By contrast both Android and BlackBerry have functioning technical security defenses. They should be applauded for having these security features, even if in Android's case those features are faulty and in need of fixing.
Android application security Posted Feb 7, 2009 20:08 UTC (Sat) by jake (editor, #205) [Link]
> You hold up Apple as a positive example, and then you portray Android in
> a bad light because they don't follow the Apple example.
well, i am sorry you see it that way. i don't think Apple is a positive example, nor do i think was portraying Android in a particularly bad light. i was simply pointing out a vulnerability. but, evidently, i didn't do it clearly enough.
the last sentences of the paragraph you quoted are possibly of interest:
"Given the problems with Apple's inconsistent and anti-competitive decisions on iPhone applications, Google's openness has some benefits. But it also has some pitfalls."
but i still find it very difficult to see how the article is spreading "fear, uncertainty, and doubt". YMMV
jake
Android application security Posted Feb 8, 2009 23:42 UTC (Sun) by mikov (subscriber, #33179) [Link]
I for one found the article well written and thought provoking and did not think it was FUD (even though I am a huge fan of Android).
jwb does have a very valid point that the Android has a functioning security system, while the iPhone has none. Even though I already knew that, it didn't spring to my mind while I was reading, so perhaps it should have been mentioned. For better or worse Apple really has no choice but to carefully vet every single application.
Perhaps the best solution is a combination of both. Allow both verified and un-verified applications to be distributed and installed, and it is up to the user to choose to install an unverified one. The question is who is doing the vetting, how expensive it is and does it make economic sense?
Android application security Posted Feb 9, 2009 11:48 UTC (Mon) by massimiliano (subscriber, #3048) [Link] The question is who is doing the vetting, how expensive it is and does it make economic sense? Well, IMHO one key point is the freedom of doing the vetting, and the freedom of setting up a vetting system that is acceptable for the users. With the Apple model this simply is not possible. The Android model, on the other hand, gives users a choice. We should not accomplish security by denying choice (the freedom to instal any application he wants) to the user! What I'd really like is seeing a healthy ecosystem of Free Sofware (or Open Source, as you like) applications available for Android. That would allow the review process to be public and distributed, which is the real reason why I trust my Linux distribution more that how I would trust a closed OS. And it would be nice to educate the users to this kind of sensibility to freedom... which at least with Android is possible.
My 2c,
Android application security Posted Feb 17, 2009 12:33 UTC (Tue) by robbe (guest, #16131) [Link]
To put one or more applications into the iPhone app store costs USD 99
annually. While it is true that Apple needs to approve applications I cannot imagine any serious security review for this kind of money.
They can, of course, pull any program at any time ... and they have your
So Apple perhaps has more leverage in the legal domain, but truly
Android application security Posted Apr 8, 2009 16:58 UTC (Wed) by anomalizer (subscriber, #53112) [Link]
For all it's scrutiny, firefox 3 by default shares your browsing details with google to report phising sites and this happens by default.
|
|||||||||||||