Android's biggest security flaws

Android is widely accepted as being iOS' greatest rival, but, according to Dell SecureWorks security researcher Timothy Vidas, it has a host of issues that have made it a target for malware authors.

Speaking at security conference AusCERT 2012 last week, Vidas outlined some of the problems that exist in the Android operating system, while highlighting that his concern is based on malware figures, rather than his preference for a particular vendor.

"Malware is definitely targeting Android. We could debate whether it's a deficiency in Android, and Apple's actually done something right, or if it's targeting just based on market penetration ... but the fact is, it's pretty clear that both in volume and in unique samples ... Android is definitely getting more malware right now than any of the other mobile platforms."

Poor permissions

Vidas pointed out that the sheer number of permissions that users must understand is driving them into information paralysis; they are choosing to ignore the warnings presented to them, and not considering whether the permissions may be dangerous or unnecessary.

"There's empirical academic research that shows that people just don't do this. It's not even that we assume that it's not happening, it's really not happening," he said.

What makes things worse is that while discerning users might be smart enough to question suspicious permissions (such as a torch program requiring access to location information), they may still be fooled, due to the way that some seemingly innocent permissions provide equivalent access.

"The latitude and longitude is regularly present in the log files, so I can recreate the permission 'find location' using just the permission 'read logs'. Now, how many users will be able to make that jump and know that capability is present when they're looking at that screen?"

He also pointed out that there is an overlap between potentially dangerous permissions, such as providing an application with access to the internet, and legitimate applications that need them, such as free applications that are funded using ads from the internet. In those cases, it is impossible to know at a glance how these permissions are being used.
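The read-logs point above can be checked from the defensive side. The following is an added example, not code from the talk or the article: it audits a captured system log for lines that write coordinates, counts them per component, and produces a scrubbed copy. The sample log, its tags and its message formats are constructed assumptions, and the pair matching is a heuristic.

```python
import re
from collections import Counter

# Constructed sample in logcat "threadtime" layout; the tags and message
# formats are assumptions made for this example, not taken from a real device.
SAMPLE_LOG = """\
05-21 10:15:32.123  1234  1250 D GpsTracker: fix lat=-27.4698 lon=153.0251 acc=12.0
05-21 10:15:33.004  1234  1250 I WeatherWidget: request https://example.invalid/wx?latitude=-27.4698&longitude=153.0251
05-21 10:15:34.871  2001  2001 D Renderer: frame time 16.67 ms, scale 1.50
05-21 10:15:35.310  1234  1251 V GpsTracker: Location[gps -27.469800,153.025100 acc=12]
05-21 10:15:36.002  3100  3100 W Billing: totals 199.99,250.50
"""

# Fields: date time pid tid level tag: message
LINE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+([VDIWEF])\s+([^:]+):\s(.*)$")
NUM = r"(?<![\w.])(-?\d{1,3}\.\d+)"          # a decimal that is not part of a longer token
KEYED = re.compile(r"\blat(?:itude)?\s*[=:]\s*" + NUM
                   + r"\D{1,20}?(?:longitude|lon|lng)\s*[=:]\s*" + NUM, re.I)
BARE = re.compile(NUM + r"\s*,\s*" + NUM)    # "lat,lon" with no labels

def scrub(message):
    """Return (scrubbed_message, number_of_coordinate_pairs_removed)."""
    removed = 0
    def repl(m):
        nonlocal removed
        lat, lon = float(m.group(1)), float(m.group(2))
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            return m.group(0)                # out of range: not a position
        removed += 1
        return "<coords-redacted>"
    for pattern in (KEYED, BARE):
        message = pattern.sub(repl, message)
    return message, removed

def audit(log_text):
    """Count leaked coordinate pairs per log tag and return the scrubbed lines."""
    leaks, out = Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            out.append(line)                 # unknown layout: pass through untouched
            continue
        scrubbed, n = scrub(m.group(3))
        if n:
            leaks[m.group(2).strip()] += n
        out.append(line[:m.start(3)] + scrubbed)
    return leaks, out

if __name__ == "__main__":
    leaks, scrubbed = audit(SAMPLE_LOG)
    print(dict(leaks))
    print("\n".join(scrubbed))
```
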

Open marketplace

Vidas also took issue with the difference between Google's open marketplace, Google Play, and Apple's closed App Store.

"The marketplace is basically open. Apple at least claims to vet applications before they make it into the app store. The vetting process is very black-boxed. It arguably adds some security properties to the marketplace, whereas Android doesn't vet applications at all."

Google Play does have an automated scanning program called Bouncer, but its effectiveness is as yet unknown. Vidas said that "at best, it's similar to Apple, and at worst, we can assume it doesn't do anything".

Google has taken action in the past to remove known malware from Google Play, but this has also prompted malware authors to write additional malware that poses as Google's official cleansing application.

Posing as an official company is also a common tactic for Android apps, as malware authors have realised that not all applications are available in all countries or for all devices, and, when this occurs, they are hidden from the marketplace.

"Netflix only supports a certain range of devices, in particular the devices that have the video capabilities to play videos. If only 10 per cent of [users] have the ability to use that app, the other 90 per cent want that app — there's market demand and desire to have that feature," he said. It's this demand, and a quirk in Google Play, that malware authors use to trick users.

"If you go to the marketplace ... the marketplace doesn't show you the official app, because it's not compatible with your [location or device], [so] the top hit is going to be some other app that claims to be compatible with your [location or device]. There's an interesting market demand, where spoofing actually has a strong ability to work."

That said, Vidas sees the incident rate of malware in the official Google Play as being near insignificant.

"In the official market, it's actually really low. It's sort of on the scale of 30 apps for these three days, so if you don't sample the market at the right time, you might not find malware at all."

However, in unofficial, third-party marketplaces, he said that the incidence of malware varies wildly, and that there are some marketplaces that exist purely to infect users.

"Many Russian and Chinese alternative markets basically distribute 100 per cent malware," he said.

Inexperienced or malicious developers?

One of the advantages to developing applications on Android is that the barrier to entry is very low from a programming perspective; but Vidas said that this is a double-edged sword, since Android developers are not as experienced.

"If they don't know much about software development, then it's reasonable to conclude that they don't know much about secure development."

The result is that even if they don't have any malicious intent, the developers could introduce new vulnerabilities into the target device, or create features that have unintended side effects.

This also applies to vendors' developers who write customised versions of Android for their hardware, and who inadvertently or purposefully include backdoors in the operating system.

"HTC nicely demonstrated this with a logging application. This is essentially very similar to the access to the read-logs capability," Vidas said.

Another backdoor providing root access to a phone, which opens it up to exploitation by other applications, has recently been discovered on phones made by ZTE.

"Your phone might actually come with bad stuff on it."