Sunday, March 20, 2011
Top 10 Android Security Risks
SMShing: This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links. Hackers are now being drawn to Android's popularity and openness. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free Movie Player. Once installed, FakePlayer started texting premium-rate numbers, without user knowledge, ringing up huge bills. To block potentially-costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).Last year, Android became the world's second favorite mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.
As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.
- AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.
- Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.
Researchers report using smudges to guess Android swipe-lock patterns over 90 percent of the time. Instead, Androids should be locked with PINs or passwords (2.2 or later) or third-party lock apps such as Norton Mobile or AppProtector. Users may also want to enroll in a remote lock service (often combined with find) but beware of SMS dependencies. Enterprises should use either Exchange ActiveSync or the Android 2.2 Device Admin to remotely enforce password policies, ensuring that devices are routinely locked and lost passwords can be reset.
- Naked data: A major risk posed by Android is lack of hardware data encryption. Fortunately, Android 3.0 ("Honeycomb") adds an API to let manufacturers offer encryption and IT enforce use. Unfortunately, existing Androids cannot yet perform hardware encryption. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request remote wipe as well, resetting the device to factory defaults – but only when reachable, without wiping SD card data. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypted apps (e.g.,Good for Enterprise, Exchange Touchdown)
But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.
Fortunately, application sandboxing is built into Android to limit potential damage by malicious apps – unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed installed apps from an estimated 50K phones. This "kill switch" was a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).
Note: Many of the apps cited above are actually suites that include multiple security tools – for example, remote find, lock, and wipe plus password and anti-malware. We included many different examples for the sake of diversity; shop around to find Android security suite(s) that best fit your own needs
Monday, March 14, 2011
At next week's Mobile World Congress event inBarcelona, the company will demonstrate its Alien Dalvik virtual machine solution, which enables phones running other mobile operating systems to use Android software.
The approach could be useful to consumers who own devices for which applications are limited, as well as help Android developers and carriers widen their audiences and boost revenues.
How could a non-Android device run software made specifically for Google's Android platform? It sounds like a stretch. In reality, all apps that run on Android phones or tablets run in a virtual machine, which Google calls Dalvik.
The solution is much like the Java Virtual Machine on a desktop: it's a constrained software implementation of a computer via software code. It brings greater security because apps in a VM are essentially walled off from other applications and from the device's operating system.
When the app in a VM crashes, it has no effect on other applications or on the operating system, ensuring stability. This video demo of Myriad's solution on a Nokia N900 running MeeGo shows that it performs on a level equal to that of the same app running on a comparable Android device.
Myriad's Alien Dalvik is a VM that supports Android applications, just like Google's Dalvik VM does, but it's one that can run on other devices. The company says that its first supported iteration will run on Nokia's MeeGo devices, which are also likely to be introduced next week—although they aren't likely to ship for some time.
Myriad has probably targeted MeeGo for its Linux underpinnings: Android too, is based on Linux, making for a bit of a common denominator. Palm's webOS is another Linux-based system; given the relative lack of applications when compared to other popular platforms, webOS could be a further target for Myriad.
Shadow of Oracle-Google litigation
Although its similarity to Google's Dalvik VM is clearly a positive, there could be a negative aspect, too. Last October, Oracle sued Google over the Dalvik VM, claiming that Google's implementation uses code stolen from Sun's Java VM.
Oracle purchased Sun Microsystems for $4.7 billion in 2009, gaining its Java virtualization technology and code. The suit is active and there's no indication yet if Myriad's VM uses any disputed code or if it has sought licensing or permission from Oracle.
If the Alien Dalvik solution delivers as advertised in the video demo—and if there's no fallout from the Oracle complaint—it could open Google's Android Market ecosystem up to a far wider range of consumers who use other smartphones or even higher-end feature phones.
Contrast that to Apple's iTunes App Store, which although it's the biggest platform store for software, serves only Apple iOS devices. Android software running on further platforms could draw greater developer interest in building Android applications. Carriers that adopt Myriad's VM on non-Android devices might gain a competitive advantage over peers that don't.
The proof will be in the pudding. Myriad will have to establish its Alien Dalvik as a viable way to get Android apps on other platforms. If Myriad does deliver, it could be a win for consumers, developers, and carriers alike—and could keep Android's general growth trajectory rising.
Saturday, March 12, 2011
Friday, March 11, 2011
It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
Find more at http://code.google.com/p/android-apktool/
Tuesday, March 8, 2011
Many, if not all of the apps, were trojanized copies of legitimate apps from other developers.
I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, Its been found that, it contains the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.
So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.
This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format.
UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.