
EFF: Don't Sacrifice Security on Mobile Devices

The Electronic Frontier Foundation has sent out a release on mobile device security, noting that open devices can be made more secure even if the original vendor is not interested. "By contrast, mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements."


EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 22, 2011 5:52 UTC (Sat) by anon@mailinator (guest, #72513) [Link] (1 responses)

> But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements.

Well, just like what the Linux kernel is doing all the time (on the security fixes side).

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 14:37 UTC (Sun) by intgr (subscriber, #39733) [Link]

I don't see how these are related. Linux kernel isn't the vendor. Linux kernel is the upstream and distributions (including Android) are the vendors. Most distributions do make security announcements, unlike Google.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 1:50 UTC (Sun) by foom (subscriber, #14868) [Link] (15 responses)

The whole Android OS upgrade story seems like a huge disaster: a huge percentage of users are running horribly outdated OS releases [1], with afaict, absolutely zero security support. And you can't blame the users for this: there is quite simply no upgrade path for them. The manufacturers abandon the devices and let the OS rot, before they've even released the device!

For example: I have this android 1.5 device (a Cliq XT). That's the latest OS that Motorola has gotten around to releasing for it. And, BTW, it was first released in March 2010 (when 2.1 was current), and is still being made and sold today [2], still with Android 1.5 (hopefully goes without saying: don't buy it, it's utter crap, as are most other phones made by Motorola).

So I've really gotta wonder: just how many *known and already fixed by Google* remotely exploitable security holes does it have? Motorola promised to upgrade it to Android 2.1 someday ("2Q 2010", haha). If that ever actually happens, how many *known and already fixed by Google* remotely exploitable security holes will it still have at that point?

This situation seems rather untenable. I'm just waiting for some hackers to start trawling the latest code releases looking for bugs to exploit the older OS versions with...

[1] http://developer.android.com/resources/dashboard/platform...
[2] http://www.walmart.com/ip/Walmart-Family-Mobile-Motorola-...

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 19:23 UTC (Sun) by Aissen (subscriber, #59976) [Link] (11 responses)

I agree 100% with you. What OEMs are doing is criminal, and I'm eagerly waiting for the first mobile worms/botnets targeting these devices in particular, because it seems it's the only thing vendors would listen to.

Google seems to do an OK job with the two devices it's managing (for now…), but it's far from being enough, and some of the EFF's remarks apply to them too (no responsible disclosure).

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 19:37 UTC (Sun) by drag (guest, #31333) [Link] (10 responses)

> I agree 100% with you. What OEMs are doing is criminal, and I'm eagerly waiting for the first mobile worms/botnets targeting these devices in particular, because it seems it's the only thing vendors would listen to.

If users decide that it is important to have updated firmware on their phones then their purchasing decision will reflect this. Companies will see a financial reward for keeping their stuff up to date. I don't see anything criminal at all about not updating the firmware. It's a problem between the manufacturers, carriers, and their customers.

You can't force people not to suck. You just don't give them money.

Google might be able to force them a little bit. Google has compliance rules that go along with their proprietary Google Apps add-ons so they could add versioning requirements on top of them.

This is a classic problem with dealing with embedded developers. They have had no need in their professional experiences to make sure their customers' firmware is up to date. It's expensive and difficult and the market dictates that new devices have priority over updating old ones.

The only thing that can be done is to make it cheaper and easier as far as the Linux kernel and friends are involved to make updates for phones combined with educating the buying public why having newer Android versions is to their advantage and what phones to buy that will provide them with up to date features.

Personally I only buy phones that I know will get supported by third parties like Cyanogenmod, but this approach is not suitable for most people for a whole host of reasons.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 20:56 UTC (Sun) by Aissen (subscriber, #59976) [Link] (5 responses)

You are right, the users decide what's important for them. Once viruses and worms start stealing data, money and bricking or resetting their phones, they will decide (as well as the OEMs) that having the latest security updates is important.
Or maybe they will decide that having an open phone with replaceable firmware is important (but that is a dream… for now…).

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 21:18 UTC (Sun) by foom (subscriber, #14868) [Link] (1 responses)

1) If that happens, I suspect the news will instead be "Massive data-stealing/phone-bricking/money-stealing worm for Android phones!!", not "${all that} for phones from OEMs which ship massively outdated versions of Android! (which BTW is nearly all of them)". It seems like something Google should want to put some pressure (or give some assistance to) the OEMs in order to avoid having that news release actually happen...

2) How are users even supposed to know if there are any security holes in their phones that their OEMs haven't fixed if Google doesn't release advisories?

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 21:51 UTC (Sun) by Aissen (subscriber, #59976) [Link]

1) I agree. If Google can't give enough incentives or apply enough pressure, mainstream media will do it, the hard way. It's a scenario no one wants.

2) True, that's what I tried to say in my first comment above.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 24, 2011 1:34 UTC (Mon) by drag (guest, #31333) [Link] (2 responses)

> You are right, the users decide what's important for them. Once viruses and worms start stealing data, money and bricking or resetting their phones, they will decide (as well as the OEMs) that having the latest security updates is important.

Yes. That is about it. They decide how important something is to them then they give their money out accordingly. Manufacturers that do a decent job providing what the users actually want and need will probably do better than those that don't.

BTW, an Android virus has been found in the wild in China. Unlike the bank widget thing that happened in Android market that was entirely blown out of proportion (the one group that actually examined the software instead of just speculating dismissed the idea that he was using the software to steal bank information as fantasy with no evidence in the software) this is an actual virus infecting applications.

I didn't see many details, but from what I remember it was a virus attached to legit software. Found in third party repos (aka app markets).

> Or maybe they will decide that having an open phone with replaceable firmware is important (but that is a dream… for now…).

Possibly.

One of the big things that we have going for us is the desire to cut costs will probably lead to a standardized platform. This will raise the cost of the development of the hardware a bit and increase complexity, but per unit costs shouldn't be affected much and it will lower the cost of development and support. This should have the effect of dramatically lowering the barrier for third party software to support phones.

Since now we have phones and hardware developed from the ground up to work specifically with Linux kernel in Android then we can hopefully avoid most of the 'What would Windows Do?' solutions to work around bugs in ACPI and such.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 24, 2011 2:46 UTC (Mon) by drag (guest, #31333) [Link] (1 responses)

Here are some details:
http://blog.mylookout.com/2010/12/geinimi_trojan/

Of course this does not come close to the level of really horrible crap that was a constant plague on Symbian and Windows mobile phones, especially in that area of the world. But it's just the beginning.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 25, 2011 7:32 UTC (Tue) by cmccabe (guest, #60281) [Link]

I don't think stuff like that is really a technical problem. People make unwise decisions with their personal information all the time. Some people email their bank account numbers to Nigerian scammers. Some people post drunken pictures of themselves on Facebook. Technology can't stop that.

Unless you create an Apple-style lockdown on the platform, people are always going to be able to download trojan'ed applications from shady pirate sites and install them. Some people will also be unwise enough to give those shady applications full security capabilities.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 25, 2011 0:18 UTC (Tue) by AndreE (guest, #60148) [Link] (3 responses)

Right, and what choices exactly do consumers have?

Who has published definitive support and update timelines for their phone?

And what level of warranty does Cyanogenmod provide again? Do they have a security team patching security flaws?

The consumer has no choice in the matter, period, and neither the software nor hardware vendors seem to really care.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 27, 2011 10:27 UTC (Thu) by trasz (guest, #45786) [Link] (2 responses)

Apple is very user-friendly when it comes to firmware upgrades, even for old devices.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Feb 1, 2011 19:34 UTC (Tue) by leoc (guest, #39773) [Link] (1 responses)

Not really. The original iPhone, which is not even 3 years old, is no longer supported by Apple.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Feb 1, 2011 20:33 UTC (Tue) by foom (subscriber, #14868) [Link]

Well, it's better than the situation with android phones, where they don't even get firmware upgrades that existed well before the phone was released...

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 24, 2011 19:01 UTC (Mon) by cmccabe (guest, #60281) [Link] (2 responses)

In Daniel J. Bernstein's "Thoughts on Security after Ten Years of Qmail 1.0" (http://cr.yp.to/qmail/qmailsec-20071101.pdf), he points out that "chasing attackers" is more of a distraction than a solution to security problems. As he writes, security patches "do nothing to fix the software engineering deficiencies that led to the security holes being produced in the first place." Instead, Dan thinks the best idea is to minimize the size of the trusted code base-- i.e., the code that needs to be audited for security bugs.

Android certainly seems to have minimized the trusted code base, compared to a typical Windows or Ubuntu install. Since most software is Java, there are no such things as buffer overflows, return-to-libc attacks, and so on. There is a better security model-- for example, random applications can't just read and write the user's data unless they've specifically been given that capability. Another advantage Google has against malware is that it can remove known malware from Google Market, which is the only way that most users get their applications.

Of course, since Android now supports native code, hackers can attack the kernel API. I kind of hate to admit this, but that API might be one of the more vulnerable parts of the system at the moment.

One thing that annoys me about Android is that you can't install an app without granting it all the security capabilities it wants. This has led to me uninstalling things like the Pandora radio application, because it just wanted too much power.

A lot of people think that the computer security battle has more or less been lost on the desktop front. Developers keep adding features, which also add security bugs, and hackers keep finding those bugs. It's a never-ending cycle which will never lead to real security. In order to really start winning, we need to change the game so that new bugs get put in at a lower rate than they're discovered. Higher level languages and better security models are a good start. You don't have to constantly patch applications and libraries unless they're part of the trusted code base.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 24, 2011 20:16 UTC (Mon) by foom (subscriber, #14868) [Link] (1 responses)

> Of course, since Android now supports native code, hackers can attack the kernel API. I kind of hate to admit this, but that API might be one of the more vulnerable parts of the system at the moment.

I think the image display libraries and the web browser are still prime attack targets (written in C, note!). Think of an MMS message, spam email, or webpage that takes control of your phone. And of course emails or MMSes itself to all your contacts to continue propagation.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 25, 2011 1:12 UTC (Tue) by cmccabe (guest, #60281) [Link]

> I think the image display libraries and the web browser are still prime
> attack targets (written in C, note!). Think of an MMS message, spam email,
> or webpage that takes control of your phone. And of course emails or MMSes
> itself to all your contacts to continue propagation.

Remember that just because code is written in C, doesn't mean it's part of the trusted codebase.

For example, the Chrome web browser is sandboxed. So if you can buffer overflow a webkit HTML rendering thread (not a very hard task), you get control of... what is displayed on the screen. Nothing else.

There was an article on the sandbox at http://lwn.net/Articles/347547/

I'm not 100% sure if Google has deployed the seccomp stuff yet on Chrome for Android (I haven't checked the source.)

On the other hand, I'm guessing that the image display libraries are built into Dalvik itself. They probably are part of the trusted codebase.

C.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 13:53 UTC (Sun) by clump (subscriber, #27801) [Link] (3 responses)

One troublesome aspect of Android phones (no experience with iPhones) is that updates come bundled as huge releases. I have an original Motorola Droid, and it received huge updates over the air. This seems backwards given the history of modular Linux distro management. If the kernel is updated, send a kernel update. If the browser needs an update, send a browser update. I think there's much evidence that the 'service pack' model of security and bug fix management doesn't work well.

I've since moved the phone to Cyanogen. Now I'm responsible for keeping it up to date, though sadly Cyanogen doesn't appear to do per-problem updates either.

Evidence? Where is it?

Posted Jan 23, 2011 14:09 UTC (Sun) by khim (subscriber, #9252) [Link] (1 responses)

> This seems backwards given the history of modular Linux distro management. If the kernel is updated, send a kernel update. If the browser needs an update, send a browser update

Well, in my experience such modular updates need a lot of hand-holding. Kernel is updated and X server no longer starts (remember that all phones include proprietary 3D acceleration module), browser is updated and help no longer works (because new security settings don't work with old JS library in help system), etc. For the non-geeks partial updates are a huge disaster. What they need are delta-updates (to save bandwidth if it's OTA update) and it looks like recent phones (like Nexus S) support them.

> I think there's much evidence that the 'service pack' model of security and bug fix management doesn't work well.

Do you have any statistics? Anecdotal evidence looks mixed: iPhone uses 'service pack' model of security and it's broken again and again, but XBox360 is totally different story (take a look at the price of JTAGed consoles: they are 2x-3x vs original price which suggests scarcity).

Evidence? Where is it?

Posted Jan 23, 2011 23:00 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, Android actually has a pretty good architecture for data&apps, so in case of a catastrophic failure it should be easy to reset phone to factory settings. Also, there'll be lot less components than in a common Linux distribution (which can be stable, my Debian installation on a bunch of servers has been living without problems through 2 stable Debian revisions).

But the fact that Android is monolithic is already starting to take its toll. Vendors aren't going to be able to keep up with all the changes (and they have little motivation to do this). So separating Android into a set of 'core' components and vendor-specific additions (aka 'crap') should do wonders.

Ongoing work on standardization in the ARM space should also help this.

EFF: Don't Sacrifice Security on Mobile Devices

Posted Jan 23, 2011 19:17 UTC (Sun) by Aissen (subscriber, #59976) [Link]

The latest Google updates for their Nexus are far more in line with what you describe (Android 2.3.1, 2.2.1, 2.2.2 and 2.3.2). These are all minor updates with security and bugfixes all over the place, but especially in the browser and application management (biggest attack surfaces).


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds