It seems there is an app for almost anything these days. Need to turn your phone into a dictation device – no problem. Looking for the cheapest price on your favorite beer? Guess what, your app store has you covered. Just download the latest barcode scanner and – presto – a list for that tasty brew, complete with prices, is available at your fingertips. Apps can be fun and games and, sometimes, even a bit useful.
Think about what type of information that cool app has access to on your smartphone. The truth is, most of us don’t think about this aspect of ‘app-iness’. Now imagine you are responsible for your organization’s IT security, and many of your employees are clamoring to use their personal smartphone devices – nifty apps and all – on your network. Where do you draw the line between safety and utility – between productivity and security? After all, if it’s a personal device, then security managers will have little, if any, control over the particular app a user downloads.
While mobile apps have been around for some time, thanks to the meteoric rise of Apple’s iPhone and iPad devices, there is a new kid in the class, and its name is Android. And, by all accounts, it is quickly becoming the most popular ‘smart’ gadget out there.
But Android is different from its cousin at Apple. Android’s apps exist within an open-source framework, with its Android Market open to any and all application developers. Surely Android, created by Google, has rules in place regarding its apps, but by most accounts, the iron hand exhibited by Apple over its iTunes store does not exist in the Android Market.
This can be a positive for users, as they will eventually have access to more apps and greater variety. The drawback lies in the security aspects of Android’s openness. Many security experts warned that Android’s open-source nature presented security vulnerabilities, and recent developments have placed a bull’s eye squarely on Google, Android, and the risks associated with its application bazaar.
It’s Brutal at the Top
It was all-but-inevitable that Android would become a popular target for malware writers. Data released in March by industry analyst Gartner pegged Android as the second largest mobile operating system, after having sold 67.2 million units in 2010. When compared with the 6.8 million Android units sold in 2009, Gartner labeled it the fastest growing mobile OS, mainly because it is available on scores of devices, in contrast to only a handful of models for its largest competitors.
Before the ink had dried on Gartner’s announcement, data from both comScore and Nielsen Research had Android occupying the top spot among US smartphones, holding somewhere between 29–32% of the market.
In February, just a few weeks before these reports of Google’s ascendency to the smarphone throne, Andy Hayter, anti-malcode program manager with ICSA Labs, sat down with Infosecurity at the 2011 RSA Conference in San Francisco. The main topic of conversation was mobile malware.
| "I think Android should learn from the existing operating system world in that they need to put in a lot more due diligence into protecting the end user" |
| Andy Hayter, ICSA Labs |
Hayter said the hype surrounding mobile malware had yet to catch up to reality, but with the explosion of mobile devices like Android, he expected more real-world incidents to occur. He told Infosecurity that application stores, such as the Android Market, were doing very little with respect to security. “They leave it up to the end users to do their quality assurance testing for them”, he expressed in bewilderment. Even more disturbing from a security perspective, continued Hayter, is that the app stores lack a sufficient method for testing the security of the programs they offer, simply waiting for the user to get infected before responding.
More Hands
Proponents of open-source software development would say that the glasnost-like nature of the process allows vulnerabilities to be identified and fixed faster than proprietary models. This is the premise of the Android Market, where more hands have access to the application code.
The robustness of the Android operating system seems to be less controversial than the security of the apps that can be run on the device. ICSA Labs’ Hayter summed it up quite simply: whereas Google does have a facility to help verify the trustworthiness of application developers and license holders, it does not have an equally sound method to actually test the security of these applications before they go into the marketplace. In other words, there is no rigorous quality control to determine if the applications contain malware.
“At the moment, the potential for malicious code to potentially attack via the download of an app is scary from my point of view”, said Steve Durbin, vice president of the non-profit Information Security Forum (ISF). He told Infosecurity that with the huge increase in smartphones and tablets, too many users “have become accustomed to click and go”, with little consideration about whether the app they are about to download comes from a trusted source.
“It never occurs to [the user] that there might be some issue with it, or that it may contain some malicious code”, Durbin added. “I then connect that into my corporate network, and before you know it, the whole thing has come crashing down.”
Durbin feels the Android operating system, and the developers who work on it, have a good handle on security. He is more concerned about the app side of things. “We access and download them at will, on a daily basis, without any second thoughts.”
| "I don’t care if you are Google or Apple, I think that if you provide [an app store], then you have a duty of care to your users" |
| Steve Durbin, ISF |
Although Google does have a system to check developers’ credentials, literally anyone can create an app for the Android Market. In fact, after Google released its App Inventor tool for Android in July 2010 – a development process based on MIT’s Open Blocks Java library – it enabled novices with no programing experience to design an app using a visual interface.
Whether an app store is open-source or contains more of the propriety constraints of Apple is irrelevant, according to Hayter. What is important, from an attack and malware perspective, “is the prevalence of the operating system. And Android, to their own [Google’s] bragging, has more devices out there than the iOS right now.
“The typical malware author mentalities go after the highest user base, because that’s where the most money is. In the past, they went after the Symbian base and left the iOS alone. Now they are going after Android, for the same reason they went after Windows. That’s the malware model; it hasn’t changed in 20 years.”
Early Warning Signs
Reports about Android applications ‘stealing’ data from devices have been around for several months. June 2010 saw the release of research published by Ohio-based mobile security provider S-Mobile (subsequently purchased by Juniper Networks) claiming that approximately 20% of the apps in the Android Market were permitted access to on-phone data. The company claimed that its survey of 20,000 apps concluded that nearly half “requested user permissions that researchers would consider suspicious”.
Google immediately issued a strong rebuke of the findings. “This report falsely suggests that Android users don’t have control over which apps access their data”, a Google spokesperson told Infosecurity at the time. The company said that each Android app requires “users’ permission to access sensitive information”, in addition to developers being subjected to “billing background checks to confirm their real identities”. The spokesperson also added that Google would disable any apps it found to be malicious.
In July 2010, members of security research firm Lookout told attendees of the Black Hat conference in Las Vegas about an Android wallpaper app that clandestinely transmitted user data to a server located in China. While the company did not know if there was malicious intent involved, phone numbers, subscriber identifiers, and voicemail numbers may have been taken from any of the more than one million people who downloaded the app.
| "Smartphone users tend to be a whole lot less smart than when they are using a laptop or desktop computer" |
| Chris Larsen, Blue Coat |
Android, like any other operating system, does have its vulnerabilities that well-written malware seeks to exploit. MJ Keith, a researcher with security firm Alert Logic, released his web-based attack code for Android 2.1 devices during the HouSecCon security conference in November 2010. Google moved quickly to patch the vulnerability, issuing a fix less than a month later.
Regardless of Google’s quick action on the operating system side, a December survey by network-based security firm AdapitiveMobile painted a grim picture of the Android malware situation. Its data showed a four-fold increase in the amount of malware written for Android, a trend it expected to continue “at an exponential rate” into 2011.
A Winter of Discontent
This past winter was one of misery across wide swaths of North America and Europe – with many areas experiencing freezing cold temperatures and record snowfall amounts. The season was also one of melancholy for those with a vested interest in the security of Google’s Android mobile OS.
Researchers from North Carolina to Hong Kong were busy working up well-publicized proof-of-concept attacks targeting the devices. Add to this the discovery by Chinese smartphone security specialist, NetQin Mobile, of two Android viruses circulating in the wild.
Then, in early March, the warnings became reality, and as one Infosecurity reporter put it, “the DroidDream trojan became a nightmare for thousands of Android users”. It was then that McAfee Labs announced its analysis of a new breed of Android trojan that infected 55 apps in the Android Market. Google was subsequently forced to pull the affected applications from its market.
Dave Marcus, director of security research at McAfee Labs, delivered the sobering results: “Analysis has shown that these apps can break out of the typical sandbox that most apps reside in, to potentially gain control over the entire device and its data. In terms of attacks and malware, it doesn’t get any worse than root access, which this malware has.”
ICSA Labs’ Hayter had predicted, just weeks before, that such problems with the Android Market were likely to occur. “Sometimes you can predict the inevitable”, he joked in his follow-up analysis. “There will be Android malware, and it will be big someday.” For this malware researcher, someday had already arrived.
“I don’t care if you are Google or Apple, I think that if you provide [an app store], then you have a duty of care to your users”, ISF’s Durbin said in response to the DroidDream incident. It is this balance between protecting their brands and supplying users with the latest apps, he added, that is the biggest security challenge that application marketplaces face going forward.
Google, which chose not to comment for this article, took steps to increase security in wake of the DroidDream fiasco, including remotely wiping the apps from infected devices. But even this was not enough to kill the drama.
“What’s even more interesting is that the fix tool that Google put out there got hacked, and that has a trojan in it”, Hayter added. He was referring to the bogus fix-it download that appeared on the Android Market just days after the DroidDream exploit was made public. Google had released a security tool in response to the DroidDream infections, but this too was compromised by hackers, who infected it with a trojan. “As best as Google tried to fix the problem”, Hayter continued, “they actually created another one at the same time”.
User Beware
So what lessons can be learned from Android’s recent spate of bad luck? “This proves that you have vulnerabilities that are caught by the malware guys before the operating system developers get to them”, said Hayter. “You have to ask, how much testing and how much application security review has gone into the operating system already, and how much more does it need before it is released to the public?”
“Microsoft learned [this lesson] the hard way”, asserted the malware researcher. “I think Android should learn from the existing operating system world in that they need to put in a lot more due diligence into protecting the end user.”
But, when it comes down to it, security is often a matter of personal responsibility. Whether or not one takes the time to read the disclosures, an Android device will tell the user which resources and what information a particular app will access. While some can claim ignorance as to what the disclaimers mean, lack of information about what an app is doing on a particular Android device proves to be a weak defense.
“End users have to be a lot more diligent about what they do with their phones”, Hayter concluded, including what they click on. He realizes that not many users understand everything in the user agreement that accompanies mobile apps. “Instead they just click – yes, yes, yes, yes, yes”. What is needed, Hayter insisted, is for users to become less “click happy”.
Chris Larsen sees the value in such advice, and the head of the security research labs for Blue Coat also reminded us that scams, such phishing attacks, exist independent of platform. “Smartphone users tend to be a whole lot less smart than when they are using a laptop or desktop computer”, he asserted. Larsen believes users tend to let their guard down when using a mobile device, “thinking that they are impervious to malicious activity or outside of where phishing occurs”.
Steve Durbin of the ISF is also a member of the self-reliance school of smart device security. “I think there is a big mental shift that needs to take place”, he implored. “If you are sitting at a laptop or a computer, you are aware of the fact that you could download something malicious”, and this is why users must employ a combination of common sense and technology to prevent infection of their device.
The big challenge, said Durbin in closing, is for the user to recondition their mental approach to smartphone security. “The smartphone isn’t just a phone anymore, it’s a computer”, he affirmed, “and it must be protected as such”.