Android architecture continues to expose concerns

The days of losing a phone and only losing your mobile contacts are long gone. Nowadays your smartphone is your ‘ilife’ and it (and the network) collects (logs) data not only from text messages, emails and calls, but your Facebook and Twitter profiles as well and much much more. I’d go as far as to say mobile technology is revolutionising the way we all live and work. I’m sure none of my readers will dispute this.

So what is all the fuss about Android malware? Some technology analysts claim the mobile AV vendors are scaremongering; I’m not one of those who thinks it’s scaremongering. Mobile malware will evolve from the standard PRS/rogue app/phishing URL threat vector given time, and some of us will look back and say ‘I told you so’. I think it will mirror the desktop malware curve. Here is why…

Malware writers will need to wait to establish the lead mobile OS platforms to compile on – after all they work to budgets too. 🙂 I’ll stick my head on the line and say that Android (regardless of whether it is Gingerbread or Ice Cream Sandwich) and Windows Phone 7 (and WP8, which is in final testing) will be the main OS targets (the latter is dependent on Nokia getting its act together, which I believe it will do with Microsoft ad dollars). So, what are the real security issues facing Google Android?

Android is a particular target given that the Dalvik VM (even though this is a sandbox as part of Android Runtime) allows apps (which are all sandboxed – thumbs up here) to interact with one another using ‘intents’ or what we call remote procedure calls (RPC). My main worry here has to be what if someone finds a vulnerability in the Linux kernel that allows a user to run as the system? (think rooted device here) – it’s certainly possible and has been done. Big concern? Absolutely yes.

The accounts database on Android centrally manages account credentials. This includes usernames and passwords, and it is stored as a plain text file but has strict file permissions. The problem here is what would happen if a third-party app gains root permission and is able to read the accounts database file? This is actually possible. For the benefit of some of my readers who are not technical, root access allows “full” access to everything on your mobile device. Not a nice thought I can tell you!

Anything else to be concerned about? Stacked applications and MitM attacks could also be commonplace given the HTTP protocol uses plain text communication. However, right now we are all seeing rogue apps in Android Market. These apps can be self-signed with little or no code review by Google.

A quick glance across the Internet and it will not take long to learn how to reverse engineer an Android app to embed malicious files in the libraries (developed by Google BTW), kernel and Android Runtime. Then there is the issue of lack of documentation on implementing the Android API, so developers are over-privileging apps with permissions which should not actually be allowed. Over-privileging apps is a growing concern right now. I really like ‘Stowaway’, which is an Android tool that informs you whether an app is over-privileged. This is a very cool tool to have in your developer armoury, and end users can use it too. So where does this leave Android?
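The over-privilege check described above, reduced to its core as an added example (this is not Stowaway's code and not from the original post): compare the permissions an app declares with the permissions its API calls actually need. The API-to-permission map is a small hand-built subset, and the manifest (assumed already decoded to text XML) and call list are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hand-built subset of an API-to-permission map (assumption for this example;
# a real tool needs a map covering the whole Android API).
API_PERMISSIONS = {
    "SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "LocationManager.requestLocationUpdates": "android.permission.ACCESS_FINE_LOCATION",
    "AccountManager.getAccounts": "android.permission.GET_ACCOUNTS",
    "Camera.open": "android.permission.CAMERA",
}

# Constructed sample: manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: API calls as a disassembler might list them for that app.
SAMPLE_CALLS = ["Camera.open", "TelephonyManager.getDeviceId", "Camera.open"]

def declared_permissions(manifest_xml):
    """Return the set of permissions named in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    key = ANDROID_NS + "name"
    return {e.attrib[key] for e in root.iter("uses-permission") if key in e.attrib}

def audit(manifest_xml, api_calls):
    """Classify declared permissions against what the observed API calls need."""
    declared = declared_permissions(manifest_xml)
    required = {API_PERMISSIONS[c] for c in api_calls if c in API_PERMISSIONS}
    known = set(API_PERMISSIONS.values())
    return {
        # Declared, covered by the map, but no observed call needs it.
        "over_privileged": sorted((declared & known) - required),
        # Declared but outside the map: cannot be judged, so not flagged.
        "unverifiable": sorted(declared - known),
        # Needed by a call but not declared: the call would fail at runtime.
        "missing": sorted(required - declared),
    }

if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST, SAMPLE_CALLS).items():
        print(category, perms)
```

Keeping permissions the map cannot judge in a separate `unverifiable` bucket avoids reporting them as over-privilege just because the map is incomplete.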

Android isn’t the only platform that will become the focus of mobile malware writers. As I said earlier, Windows Phone 7 will also be heavily targeted, as well as iOS (do you believe this OS isn’t vulnerable?), which I believe, given time, will indeed be exploited. Currently jailbroken (rooted) iPhone devices are the main threat vector, but I suspect this will not always be the case. Malware developers will focus on the cash cow operating system and for now that is Android. Remember, no operating system, whether it be QNX (BlackBerry PlayBook was rooted recently), Windows Phone 7, Android or iOS, will ever be 100% secure.

All of you who read my blog have a major part to play in securing your devices. My advice is to start learning how you secure your device right now! More on how you can do this very soon.

Safe surfing folks!


2 Responses to Android architecture continues to expose concerns

  1. Igor G. says:

    How can I get the Stowaway app on my Android phone?

    • Julian says:

      #Igor G.# Unfortunately it’s cloud-based right now. You can upload your app to their server(s) and it will report back any unnecessary permissions within a minute or so. Stowaway is a static analysis tool which doesn’t require Android SDK/emulator nor ADB/Fastboot client-side skill sets. Enjoy!
