Top 10 Android Security Risks
SMShing: This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links. Hackers are now being drawn to Android's popularity and openness. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free Movie Player. Once installed, FakePlayer started texting premium-rate numbers, without user knowledge, ringing up huge bills. To block potentially-costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).Last year, Android became the world's second favorite mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.
As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.
- AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.
- Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.
Researchers report using smudges to guess Android swipe-lock patterns over 90 percent of the time. Instead, Androids should be locked with PINs or passwords (2.2 or later) or third-party lock apps such as Norton Mobile or AppProtector. Users may also want to enroll in a remote lock service (often combined with find) but beware of SMS dependencies. Enterprises should use either Exchange ActiveSync or the Android 2.2 Device Admin to remotely enforce password policies, ensuring that devices are routinely locked and lost passwords can be reset.
- Naked data: A major risk posed by Android is lack of hardware data encryption. Fortunately, Android 3.0 ("Honeycomb") adds an API to let manufacturers offer encryption and IT enforce use. Unfortunately, existing Androids cannot yet perform hardware encryption. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request remote wipe as well, resetting the device to factory defaults – but only when reachable, without wiping SD card data. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypted apps (e.g.,Good for Enterprise, Exchange Touchdown)
But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.
Fortunately, application sandboxing is built into Android to limit potential damage by malicious apps – unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed installed apps from an estimated 50K phones. This "kill switch" was a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).
Note: Many of the apps cited above are actually suites that include multiple security tools – for example, remote find, lock, and wipe plus password and anti-malware. We included many different examples for the sake of diversity; shop around to find Android security suite(s) that best fit your own needs