Android's defences against malicious apps dissed by security bods

Your hacker barriers are mostly dialogue boxes, Mr Wonka

Google's bold claims that Android doesn't have a malware problem and is more secure than Apple's iOS have singularly failed to convince security researchers.

No less a figure than Eric Schmidt, Google's executive chairman, declared Android to be “more secure” than the iPhone, during the Gartner Symposium/ITxpo in Orlando, Florida. The claim drew hoots of derision from the tech-savvy crowd, USA Today reports. Schmidt's remarks are recorded in a YouTube clip here.

The apparent charm offensive continued with Android security chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin last week entitled Android – practical security from the ground up, and summarised by Steven Max Patterson of Networkworld in a story complete with explanatory diagrams here.

Ludwig used Google’s unparalleled access to data about app installs on Android devices to put forward the argument that only 0.001 per cent of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. The claim is hard to square with reports from anti-virus firms, such as Trend Micro, that mobile malware strains recently crossed the one million mark, and the vast majority of the problem is tied to Android. Google's smartphone and tablet platform is widely targeted by criminals, anti-malware firms unanimously agree.

According to the presentation, Google's various security layers are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within.

This might sound impressive at first, but a closer inspection of these various layers of defence in a blog post by Rik Ferguson, global veep of security research at Trend Micro, reveals that they are more likely to be treated as irksome pop-ups that users blindly click through.

If I understand the slides correctly then, in user terms, that equates to: Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.

While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46 per cent of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play.

When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.

Ferguson's description recalls the behaviour of User Account Control (UAC) prompts on Windows Vista that were supposed to make the computing experience more secure but only really succeeded in annoying users before the feature was modified and watered down in later versions of Windows.

Aside from the effectiveness of the dialogue boxes Google has put in place, Google's argument fails to note how many malicious apps are sloshing around in the Android ecosystem. This is a serious deficiency, Ferguson argues.

Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps, I wouldn’t know. I am saying though, that presenting the figure of recognised malicious installs, without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.

Trend Micro have so far analysed 3.7 million Android apps and updates, a figure that's growing every day. Nearly one in five (18 per cent) of these apps have been classed as malicious while a further 13 per cent are "high risk", according to figures from the net security firm. That works out at 670,000 malicious apps and a further 480,000 "high risk" apps and counting.

Nearly half (46 per cent) of the outright malicious apps were sourced directly from Google Play.

Ferguson defers to renowned hacker Charlie Miller for a response to Schmidt's headline claim that Android is more secure than Apple's iOS.

“As someone who has written exploits for both platforms, let me say 'no',” Miller said in a Twitter update. ®
