Android's defences against malicious apps dissed by security bods

Your hacker barriers are mostly dialogue boxes, Mr Wonka

Google's bold claims that Android doesn't have a malware problem and is more secure than Apple's iOS have singularly failed to convince security researchers.

No less a figure than Eric Schmidt, Google's executive chairman, declared Android to be “more secure” than the iPhone during the Gartner Symposium/ITxpo in Orlando, Florida. The claim drew hoots of derision from the tech-savvy crowd, USA Today reports. Schmidt's remarks are recorded in a YouTube clip here.

The apparent charm offensive continued with Android security chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin last week entitled Android – practical security from the ground up, and summarised by Steven Max Patterson of Networkworld in a story complete with explanatory diagrams here.

Ludwig used Google’s unparalleled access to data about app installs on Android devices to put forward the argument that only 0.001 per cent of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. The claim is hard to square with reports from anti-virus firms, such as Trend Micro, that mobile malware strains recently crossed the one million mark, and the vast majority of the problem is tied to Android. Google's smartphone and tablet platform is widely targeted by criminals, anti-malware firms unanimously agree.

According to the presentation, Google's various security layers are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within.

This might sound impressive at first but a closer inspection of these various layers of defence in a blog post by Rik Ferguson, global veep of security research at Trend Micro, reveals that they are more likely to be treated as irksome pop-ups that users blindly click through.

If I understand the slides correctly then, in user terms, that equates to: Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.

While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46 per cent of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play.

When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.

Ferguson's description recalls the behaviour of User Account Control (UAC) prompts on Windows Vista that were supposed to make the computing experience more secure but only really succeeded in annoying users before the feature was modified and watered down in later versions of Windows.

Aside from the effectiveness of the dialogue boxes Google has put in place, Google's argument fails to note how many malicious apps are sloshing around in the Android ecosystem. This is a serious deficiency, Ferguson argues.

Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps, I wouldn’t know. I am saying though, that presenting the figure of recognised malicious installs, without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.

Trend Micro have so far analysed 3.7 million Android apps and updates, a figure that's growing every day. Nearly one in five (18 per cent) of these apps have been classed as malicious while a further 13 per cent are "high risk", according to figures from the net security firm. That works out at 670,000 malicious apps and a further 480,000 "high risk" apps and counting.

Nearly half (46 per cent) of the outright malicious apps were sourced directly from Google Play.

Ferguson defers to renowned hacker Charlie Miller for a response to Schmidt's headline claim that Android is more secure than Apple's iOS.

“As someone who has written exploits for both platforms, let me say 'no',” Miller said in a Twitter update. ®
