Android's defences against malicious apps dissed by security bods
Your hacker barriers are mostly dialogue boxes, Mr Wonka
Google's bold claims that Android doesn't have a malware problem and is more secure than Apple's iOS have singularly failed to convince security researchers.
No less a figure than Eric Schmidt, Google's executive chairman, declared Android to be “more secure” than the iPhone, during the Gartner Symposium/ITxpo in Orlando, Florida. The claim drew hoots of derision from the tech savvy crowd, USA Today reports. Schmidt's remarks are recorded in a YouTube clip here.
The apparent charm offensive continued with Android security chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin last week entitled Android – practical security from the ground up, and summarised by Steven Max Patterson of Networkworld in a story complete with explanatory diagrams here.
Ludwig used Google’s unparalleled access to data about app installs on Android devices to put forward the argument that only 0.001 per cent of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. The claim is hard to square with reports from anti-virus firms, such as Trend Micro, that mobile malware strains recently crossed the one million mark, and the vast majority of the problem is tied to Android. Google's smartphone and tablet platform is widely targeted by criminals, anti-malware firms unanimously agree.
According to the presentation, Google's various security layers are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within.
This might sound impressive at first but a closer inspection of these various layers of defence in a blog post by Rik Ferguson, global veep of security research at Trend Micro, reveals that they are more likely to be treated as irksome pop-ups that users blindly click through.
If I understand the slides correctly then, in user terms, that equates to; Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.
While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46 per cent of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play.
When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.
Ferguson's description recalls the behaviour of User Account Control (UAC) prompts on Windows Vista that were supposed to make the computing experience more secure but only really succeeded in annoying users before the feature was modified and watered down in later versions of Windows.
Aside from the effectiveness of the dialogue boxes Google has put in place, Google's argument fails to note how many malicious apps are sloshing around in the Android ecosystem. This is a serious deficiency, Ferguson argues.
Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps, I wouldn’t know. I am saying though, that presenting the figure of recognised malicious installs, without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.
Trend Micro have so far analysed 3.7 million Android apps and updates, a figure that's growing every day. Nearly one in five (18 per cent) of these apps have been classed as malicious while a further 13 per cent are "high risk", according to figures from the net security firm. That works out at 670,000 malicious apps and a further 480,000 "high risk" apps and counting.
Nearly half (46 per cent) of the outright malicious apps were sourced directly from Google Play.
Ferguson defers to renowned hacker Charlie Miller for a response to Schmidt's headline claim that Android is more secure than Apple's iOS.
“As someone who has written exploits for both platforms, let me say 'no',” Miller said in a Twitter update. ®