Monday, December 9, 2013

Android's actual security risks

A clear-eyed guide to Android's actual security risks | Mobile Technology - InfoWorld

Android's two fundamental risks
The Android ecosystem has two main security risks, according to mobile security experts:
  • The Google Play Store
  • The fragmentation of devices and OS versions

The Google Play Store's risks.  

Android is a truly open OS, and that makes it risky, says Andrew Borg, research director for enterprise mobility and collaboration at research firm Aberdeen. "Unlike Microsoft Windows Phone or Apple iOS, there is no walled garden, and this leads to potential security vulnerabilities when not managed coherently," Borg says.

Google Play (formerly called the Android Market), the digital distribution platform for applications for Android devices, is itself a source of potential security risks. "With Google Play, there is a higher percentage of apps that contain malware, or social engineering to connect to malware, than any other app store by an order of magnitude," Borg says. "It's not a well-policed environment, and these factors continue to create friction or resistance toward greater adoption of Android in the enterprise."

When users download apps from Google Play, they often don't pay attention to the extent of permissions an app can have on their device, says Chandra Sekar, senior director of the Mobile Platforms Group at Citrix Systems, a provider of cloud-based mobility and collaboration products. "They usually just accept the permission during installation," he says. "And more often than not, apps ask for more permissions than they really need."

Why Does This Android App Need So Many Permissions?
It's true, even apps that seem to have legitimate uses for multiple permissions may be dangerous. MakeUseOf explains some of the permission types you should look out for, especially when they're combined in a single app, as does Matthew Pettitt in this great article. It's easy to get frightened when you see how much information many apps ask for—even apps from trustworthy sources—but you have to ask yourself these questions when you see these long permissions lists:
  • Is this app from a trustworthy developer? Does it look like malware?
  • Do I understand why this app needs these permissions?
  • Does the developer explain to me why they need these permissions? (Are they listed at Google Play, along with the reasons for each permission request? Often, they are.)
If the answer to all three of these questions is yes, you're in good shape. If you start answering no, you should begin to consider whether you really need the app in question. Even apps from trustworthy developers can collect a great deal of data, either for advertising and marketing purposes, or because someone screwed up. If you have an app from a developer you've never heard of and it doesn't explain why it needs the permissions it does, stay away unless you understand that the permissions are necessary for the type of app it is.


The security vulnerabilities affecting Android devices can cause actual performance issues and data loss -- not just minor inconveniences.

 ,,,

Hong Kong Google Play Store's Apps Security Risk Report (November 2013) - HKCERT
In this analysis, 170 apps were scanned for bad behaviors. Based on the level of security threat, the apps were divided into 2 categories: apps with malicious and apps with suspicious behaviors. Malicious behavior refers to apps behavior pose malicious level of security risk, which can be identified explicitly, that causes security threat to users. Suspicious behavior refers to apps behavior pose certain level of security risk, but no malicious behavior can be explicitly identified.

Among the 170 scanned apps, 8 apps were identified as security high risk. These 8 Apps were identified with the following high risk behavior signatures, Android.Adware.Adwo, Android.Adware.AirPush, Android.Trojan.Generic, Android.AdWare.Leadbolt, Android.Adware.SKplanet, Android.Adware.InMobiAds, Android.Adware.AdMogo, Android.Adware.Domob, Android.Adware.MobWIN, Android.Adware.TapjoyAds, and Android.Riskware.SmsReg.


Google Play changes bring cautious optimism on Android security - CSO Online - Security and Risk
oogle's decision to have Android apps on Google Play updated only through the online store will likely improve security on the mobile platform, but by how much remains to be seen, experts say.
Google recently changed its Play Developer Program Policies to say, "an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." The APK, or Android application package file, is the format used to distribute and install apps onto the operating system.

The risks of Android's fragmentation. 

The Android platform also suffers the issue of fragmentation -- there are multiple versions of Android in the market, even on current devices. Manufacturers often make their own changes to Android, so they could be behind Google's current reference release. In addition, carriers and manufacturers may not update their devices' Android version when Google does, or they take months or even years to do so.

As a result, many people within the same organization might be using outdated versions that could be riddled with security vulnerabilities. "People focus on malware risks of Android, but arguably the greater risk is that fragmentation creates different user experiences," says Ojas Rege, vice president of strategy at MobileIron, a provider of enterprise mobility management products. "This variety of user experiences makes it hard to educate your employees about how to take security measures, because the experience on each device is different."

1 comment:

Misty said...
This comment has been removed by a blog administrator.