Feeds

Android's defences against malicious apps dissed by security bods

Your hacker barriers are mostly dialogue boxes, Mr Wonka

Internet Security Threat Report 2014

Google's bold claims that Android doesn't have a malware problem and is more secure than Apple's iOS have singularly failed to convince security researchers.

No less a figure than Eric Schmidt, Google's executive chairman, declared Android to be “more secure” than the iPhone, during the Gartner Symposium/ITxpo in Orlando, Florida. The claim drew hoots of derision from the tech savvy crowd, USA Today reports. Schmidt's remarks are recorded in a YouTube clip here.

The apparent charm offensive continued with Android security chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin last week entitled Android – practical security from the ground up, and summarised by Steven Max Patterson of Networkworld in a story complete with explanatory diagrams here.

Ludwig used Google’s unparalleled access to data about app installs on Android devices to put forward the argument that only 0.001 per cent of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. The claim is hard to square with reports from anti-virus firms, such as Trend Micro, that mobile malware strains recently crossed the one million mark, and the vast majority of the problem is tied to Android. Google's smartphone and tablet platform is widely targeted by criminals, anti-malware firms unanimously agree.

According to the presentation, Google's various security layers are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within.

This might sound impressive at first but a closer inspection of these various layers of defence in a blog post by Rik Ferguson, global veep of security research at Trend Micro, reveals that they are more likely to be treated as irksome pop-ups that users blindly click through.

If I understand the slides correctly then, in user terms, that equates to; Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.

While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46 per cent of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play.

When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.

Ferguson's description recalls the behaviour of User Account Control (UAC) prompts on Windows Vista that were supposed to make the computing experience more secure but only really succeeded in annoying users before the feature was modified and watered down in later versions of Windows.

Aside from the effectiveness of the dialogue boxes Google has put in place, Google's argument fails to note how many malicious apps are sloshing around in the Android ecosystem. This is a serious deficiency, Ferguson argues.

Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps, I wouldn’t know. I am saying though, that presenting the figure of recognised malicious installs, without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.

Trend Micro have so far analysed 3.7 million Android apps and updates, a figure that's growing every day. Nearly one in five (18 per cent) of these apps have been classed as malicious while a further 13 per cent are "high risk", according to figures from the net security firm. That works out at 670,000 malicious apps and a further 480,000 "high risk" apps and counting.

Nearly half (46 per cent) of the outright malicious apps were sourced directly from Google Play.

Ferguson defers to renowned hacker Charlie Miller for a response to Schmidt's headline claim that Android is more secure than Apple's iOS.

“As someone who has written exploits for both platforms, let me say 'no',” Miller said in a Twitter update. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.