Sunday, March 20, 2011

10 Android Security Risks

Top 10 Android Security Risks

Last year, Android became the world's second most popular mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.

As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.

  1. AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.

  2. Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.

    Researchers report using the smudges left on the screen to guess Android swipe-lock patterns over 90 percent of the time. Instead, Androids should be locked with PINs or passwords (Android 2.2 or later) or third-party lock apps such as Norton Mobile or AppProtector. Users may also want to enroll in a remote lock service (often combined with find), but beware of SMS dependencies: a lock command delivered by text does nothing once the SIM has been pulled. Enterprises should use either Exchange ActiveSync or the Android 2.2 Device Administration API to remotely enforce password policies, ensuring that devices are routinely locked and lost passwords can be reset.

  3. Naked data: A major business risk posed by Android is the lack of built-in storage encryption. Fortunately, Android 3.0 ("Honeycomb") adds storage encryption and a Device Administration API that lets IT require it. Unfortunately, existing Android 2.x devices cannot encrypt their internal storage. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request a remote wipe as well, resetting the device to factory defaults; note that a wipe only works while the device is reachable, and a factory reset does not erase the SD card. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypting apps (e.g., Good for Enterprise, Exchange TouchDown).

  4. Unsafe surfing: Think web browsing on your Android is safe? Last fall, M.J. Keith showed that a known WebKit browser vulnerability could be exploited on Android 2.0 or 2.1. Thomas Cannon reported an Android 2.2 browser flaw that could let an attacker read files from the SD card. Recently, Google fixed an Android Market cross-site scripting (XSS) vulnerability, found by Jon Oberheide, that enabled arbitrary code execution. Unfortunately, Android users cannot quickly patch around such bugs, because OS updates are deployed infrequently by carriers. One work-around: use an app like BadLink Check or Trend Micro's mobile security suite to avoid known-malicious websites.

  5. Nosy apps: Speaking of the Android Market, telling friend from foe can be hard. According to Lookout's App Genome Project, the number of Android Market apps more than doubled in the past 6 months. A whopping 28 percent of those apps now access device location, while 7.5 percent access stored contacts. Do these apps really need that information, and what are they doing with it? Android apps must request permissions at installation time, and the user's only choices are to accept them all or cancel the install, so users need to seriously review those requests, exercise caution, and avoid apps that seem too nosy. To flag intrusive apps already installed on your Android, check out Lookout Mobile Security's Privacy Advisor or Webroot.

  6. Repackaged and fraudulent apps: Some apps aren't what they appear to be. Many repackaged apps found on third-party Android markets are legitimate free apps, repackaged to generate ad revenue. But repackaging is also used to implant Android trojans, such as Android.Pjapps (included in modified versions of the Steamy Window app) and Android.Geinimi (turns infected phones into bots). Most of these can be avoided by installing apps only from the Google Android Market. Don't frequent unregulated third-party markets or manually install Android packages from untrusted sources.

    But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.

  7. Android malware: According to traffic analysis by AdaptiveMobile, Android malware spiked 400 percent last year. The total is still minuscule compared to other platforms, but more malware is likely to target Android's rapidly-expanding pool of potential victims. When Coverity assessed the Android kernel, it identified 359 defects, 88 of which it rated "high risk." Because Android is an open development platform, attackers have ample opportunity to find and learn how to take advantage of these kinds of flaws.

    Fortunately, application sandboxing is built into Android to limit the damage a malicious app can do, unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed the installed apps from an estimated 50K phones. This "kill switch" is a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).

  8. Fake anti-malware: Alas, the fake anti-virus trend sweeping the PC world has now emerged for Android as well. When Google killed DroidDream, it pushed a clean-up app called "Android Market Security Tool March 2011." Android.Bgserv soon appeared on a third-party Chinese market, pretending to be Google's tool but carrying an SMS trojan. The lesson: attackers prey on user emotions like fear, so don't assume that security apps are legitimate. Check out sellers and read reviews. Enterprises should go further by testing apps in a lab environment, then using an MDM to suggest or auto-install verified safe apps on employee Androids. For example, Sybase Afaria now provides over-the-air app management for Android.

  9. Lack of visibility and control: Ultimately, enterprises must embrace Androids, even employee-purchased Androids, so that IT can regain visibility into and control over business activities on these devices. Unlike iOS, Android does not yet offer a native MDM protocol for third-party device management. However, Android 2.2's Device Administration API lets MDM agent apps read and write settings (e.g., password complexity), query attributes (e.g., installed apps, GPS location), and invoke remote lock or wipe. A bit of this can also be done via Exchange ActiveSync. Either way, IT can enroll Android devices, track their use, and enforce (at least limited) policies. Configurable settings are limited but rapidly expanding, more so for some manufacturers than others. Putting a management framework in place now lets you take advantage of new Android security capabilities as they emerge.

  10. SMiShing (SMS phishing): This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links, and Android's popularity and openness are now drawing attackers to it. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free "movie player." Once installed, FakePlayer started texting premium-rate numbers without the user's knowledge, ringing up huge bills. To block potentially costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).

    Note: Many of the apps cited above are actually suites that include multiple security tools, for example remote find, lock, and wipe plus password and anti-malware. We included many different examples for the sake of diversity; shop around to find the Android security suite(s) that best fit your own needs.
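The permission review under "Nosy apps" and the premium-rate SMS pattern under "SMiShing" can be checked mechanically before an app is approved for employee phones. The script below is an added example, not code from the article or from any product it names: it parses the plain-text AndroidManifest.xml that a decoding tool such as apktool recovers from an APK, lists the sensitive permissions the app requests, and flags the tell-tale SMS-trojan combination of SEND_SMS, RECEIVE_SMS and a high-priority receiver for incoming SMS (the hook a trojan uses to swallow the operator's billing confirmations). The sample manifest, its package name and the sensitivity labels are constructed for this example.

```python
"""Manifest triage for "nosy app" and SMS-trojan patterns.
Added example, not code from the original article.  Works on the plain-text
AndroidManifest.xml that apktool (or aapt) produces from an APK; the manifest
below is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "movie player" that asks for SMS permissions and
# registers a high-priority receiver for incoming SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Movie Player">
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions a reviewer should question when the app has no obvious need
# for them (labels are this example's own, not an Android classification).
SENSITIVE = {
    "android.permission.SEND_SMS": "can send texts, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can read incoming texts",
    "android.permission.READ_CONTACTS": "can read stored contacts",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.READ_PHONE_STATE": "can read IMEI/IMSI and phone number",
    "android.permission.INSTALL_PACKAGES": "can install other packages",
}

def q(attr):
    """Qualified name for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)

def permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {e.get(q("name")) for e in root.iter("uses-permission")}

def sms_interceptors(root):
    """(receiver name, priority) for every receiver that filters on
    SMS_RECEIVED; a high priority lets it run before the stock messaging
    app and abort the broadcast so the user never sees the text."""
    found = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {a.get(q("name")) for a in flt.findall("action")}
            if "android.provider.Telephony.SMS_RECEIVED" not in actions:
                continue
            found.append((recv.get(q("name")), int(flt.get(q("priority"), "0"))))
    return found

def triage(manifest_xml):
    """Return (package name, list of human-readable findings)."""
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    findings = [f"{p}: {SENSITIVE[p]}" for p in sorted(perms) if p in SENSITIVE]
    if {"android.permission.SEND_SMS", "android.permission.INTERNET"} <= perms:
        findings.append("SEND_SMS + INTERNET: premium-SMS fraud with remotely supplied numbers")
    for name, prio in sms_interceptors(root):
        if "android.permission.RECEIVE_SMS" in perms and prio >= 1000:
            findings.append(f"receiver {name} intercepts SMS at priority {prio}: can hide replies")
    return root.get("package"), findings

if __name__ == "__main__":
    pkg, findings = triage(SAMPLE_MANIFEST)
    print(pkg)
    for f in findings:
        print(" -", f)
```

The priority threshold is a heuristic: legitimate messaging apps also register for SMS_RECEIVED, so treat a hit as a reason to read the receiver's smali, not as a verdict.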

    Enhanced by Zemanta

    Monday, March 14, 2011

    Android Apps on non Android Phones

    The intriguing idea of running Google Android applications on non-Android phones is about to become a reality, courtesy of Myriad, a Zürich-based mobile applications software company.

    At next week's Mobile World Congress event in Barcelona, the company will demonstrate its Alien Dalvik virtual machine solution, which enables phones running other mobile operating systems to use Android software.

    The approach could be useful to consumers who own devices for which applications are limited, as well as help Android developers and carriers widen their audiences and boost revenues.

    How could a non-Android device run software made specifically for Google's Android platform? It sounds like a stretch. In reality, all apps that run on Android phones or tablets run in a virtual machine, which Google calls Dalvik.

    The approach is much like the Java Virtual Machine on a desktop: a software implementation of a constrained, abstract computer that executes the app's bytecode. It is often credited with greater security because apps in a VM are walled off from other applications and from the device's operating system. On Android itself, though, that isolation is enforced by the Linux kernel, which runs each app under its own user ID; the Dalvik VM is not the security boundary.

    When the app in a VM crashes, it has no effect on other applications or on the operating system, ensuring stability. This video demo of Myriad's solution on a Nokia N900 running MeeGo shows that it performs on a level equal to that of the same app running on a comparable Android device.

    Myriad's Alien Dalvik is a VM that supports Android applications, just like Google's Dalvik VM does, but it's one that can run on other devices. The company says that its first supported iteration will run on Nokia's MeeGo devices, which are also likely to be introduced next week—although they aren't likely to ship for some time.

    Myriad has probably targeted MeeGo for its Linux underpinnings: Android, too, is based on Linux, making for a bit of a common denominator. Palm's webOS is another Linux-based system; given its relative lack of applications compared to other popular platforms, webOS could be a further target for Myriad.

    Shadow of Oracle-Google litigation
    Although its similarity to Google's Dalvik VM is clearly a positive, there could be a negative aspect, too. Last August, Oracle sued Google over Android, alleging that the Dalvik VM infringes Java patents and copyrights that Oracle acquired from Sun.

    Oracle purchased Sun Microsystems for about $7.4 billion in a deal announced in 2009 and completed in early 2010, gaining Sun's Java technology and code. The suit is active, and there's no indication yet whether Myriad's VM uses any disputed code or whether it has sought a license or permission from Oracle.

    If the Alien Dalvik solution delivers as advertised in the video demo—and if there's no fallout from the Oracle complaint—it could open Google's Android Market ecosystem up to a far wider range of consumers who use other smartphones or even higher-end feature phones.

    Contrast that with Apple's iTunes App Store, which, although it's the biggest platform store for software, serves only Apple iOS devices. Android software running on further platforms could draw greater developer interest in building Android applications. Carriers that adopt Myriad's VM on non-Android devices might gain a competitive advantage over peers that don't.

    The proof will be in the pudding. Myriad will have to establish its Alien Dalvik as a viable way to get Android apps on other platforms. If Myriad does deliver, it could be a win for consumers, developers, and carriers alike—and could keep Android's general growth trajectory rising.

    Saturday, March 12, 2011

    Analysis Of Android Froyo 2.2

    An analysis of Google Android Froyo’s open source kernel has uncovered 88 flaws that could expose users’ data

    An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.

    The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC’s Droid Incredible handset.

    Enterprise fears

    The results arrive as Android is increasing its market share and increasingly being used in the enterprise.

    While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.

    The report analysed a total of 61 million lines of open source code from 291 widely used projects, including Apache, Linux, PHP and Samba.

    While Android’s density of bugs per thousand lines of code was lower than the average found in open source software overall, it was higher than that of the Linux kernel, according to Coverity. The company said some of the bugs appeared to be important enough to have been addressed before the code was released.

    Fixes demanded

    Coverity said it will hold off releasing the details of the flaws until January to allow Google and handset vendors to issue fixes. The flaws could be patched via an over-the-air update, Coverity said.

    Canalys reported on Monday that Android now dominates the US smartphone market with a 44 percent share, up from 33 percent in the second quarter of this year.

    While the deployment of Android on large numbers of handsets has allowed the software to claw market share away from competitors such as RIM, some have criticised Google’s “hands-off” approach for harming the quality of Android and its applications.

    -- EWeek Europe


    Friday, March 11, 2011

    Android .apk reengineering tool

    It is a tool for reengineering third-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after modification, and it makes it possible to debug smali code step by step. It also makes working with an app easier thanks to a project-like file structure and automation of repetitive tasks such as building the APK.

    Find more at
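The "Repackaged and fraudulent apps" item in the top-10 list above warns about trojanized copies of legitimate apps, and the decode/rebuild tool just described is exactly what a repackager uses; the same tooling lets a reviewer tell a repackaged build from the original. The script below is an added example, not part of this page or of the tool: it treats APKs as the ZIP archives they are, compares the signer block under META-INF and the digest of every other entry between a known-good build and a suspect copy, and reports added, removed and modified files. Both archives, the package name and the signer "certificate" blobs are constructed in memory for the example; a real check would parse the PKCS#7 block to obtain the certificate fingerprint.

```python
"""Repackaging check: diff a suspect APK against the known-good build of the
same app.  Added example, not from the original page or the tool it describes.
APKs are ZIP files; the two archives here are constructed in memory, and the
signer blobs are placeholders standing in for real META-INF signature files."""
import hashlib
import io
import zipfile

def build_apk(entries):
    """Constructed stand-in for an APK: a ZIP with the given {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Known-good build as shipped by the legitimate developer (constructed).
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.steamy'/>",
    "classes.dex": b"dex\n035\0original bytecode",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"Signature-Version: 1.0",
    "META-INF/CERT.RSA": b"cert-of-legitimate-developer",
})

# Suspect copy from a third-party market: re-signed, dex altered, extra asset.
REPACKAGED = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.steamy'/>",
    "classes.dex": b"dex\n035\0original bytecode plus injected service",
    "res/layout/main.xml": b"<LinearLayout/>",
    "assets/config.bin": b"c2-server-list",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0",
    "META-INF/CERT.SF": b"Signature-Version: 1.0",
    "META-INF/CERT.RSA": b"cert-of-repackager",
})

def entry_digests(apk_bytes):
    """SHA-256 of every entry except the signature files themselves."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def signer_fingerprint(apk_bytes):
    """Fingerprint of the signer block(s) (META-INF/*.RSA or *.DSA).
    Simplification: hashes the raw block instead of parsing the PKCS#7
    structure to pull out the certificate, as keytool or openssl would."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA")):
                h.update(zf.read(name))
    return h.hexdigest()

def compare(original, suspect):
    """Diff two APKs: signer change plus added/removed/modified entries."""
    o, s = entry_digests(original), entry_digests(suspect)
    return {
        "signer_changed": signer_fingerprint(original) != signer_fingerprint(suspect),
        "added": sorted(set(s) - set(o)),
        "removed": sorted(set(o) - set(s)),
        "modified": sorted(n for n in set(o) & set(s) if o[n] != s[n]),
    }

def looks_repackaged(report):
    """A different signer together with a changed classes.dex or new files is
    the signature of a repackaged build; same signer and same dex is not."""
    return report["signer_changed"] and (
        "classes.dex" in report["modified"] or bool(report["added"]))

if __name__ == "__main__":
    report = compare(ORIGINAL, REPACKAGED)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("repackaged:", looks_repackaged(report))
```

Android's package manager only refuses an update signed with a key different from the one on the installed app; a repackaged copy under a new package name, or on a phone that never had the original, installs without complaint, which is why the signer comparison has to be made against a known-good reference you hold rather than left to the device.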

    Tuesday, March 8, 2011

    Malware in Android Market

    Every day, we see more reports about malware in the Android Market. This time three developers known as MYOURNET, Kingmall2010, and we20090202, possibly the same person, were offering a number of Android apps for free download.

    Many, if not all of the apps, were trojanized copies of legitimate apps from other developers.

    I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, it turned out to contain the popular "RageAgainstTheCage" root exploit commonly used to "root" Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator-level access to the phone's operating system. In this case the exploit is launched without the owner's consent.

    So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.

    This discovery is important because up until now most Android malware has been found outside of the Android Market, where infecting a phone requires the user to enable installation from unknown sources and sideload the package. In this case, users are even able to install from the web with the new Android Market format.

    UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.


    An Update on Android Market Security


    Google has acknowledged that it removed "a number" of malicious applications from the Android Market on March 1, and it has now used its remote-removal capability to pull the apps from end users' devices as well.

    Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

    According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google "believes" the attacker or attackers were only able to gather device-specific information, including the unique identifiers (IMEI/IMSI) used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

    In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

    So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

    And it's all well and good saying it only affects phones with Android versions lower than 2.2.2, but sadly that is still the majority of phones. Only the phones pushed out directly by Google get the most recent version of Android; all the other models out there (HTC, Samsung, Motorola etc.) still run older, vulnerable versions.


    Google maintains a persistent connection to Android phones that let the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to Android client loaded on handsets.

    Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

    On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from Google, and you'll get a notification on your phone that a package called "Android Market Security Tool March 2011" has been installed. You may also receive a notification that the offending apps have been removed.

    The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

    The "Android Market Security Tool March 2011" package is that update: Google says it undoes the exploits so that the attackers cannot pull any more information from an affected handset.

    Apparently it was quite easy to inoculate a phone against the malware if you were handy on the command line: the malware reportedly treats the presence of the file /system/bin/profile as a sign that the phone has already been compromised and skips its exploit, so all you needed to do was create that file with the touch command in a terminal and chmod it to 644. Note that this itself requires root and a read-write remount of /system, which is normally mounted read-only.

    Source: The Register
