Google Android: how secure is its future?
Can anything be done to remedy the security shortcomings in Google Android?
Android users should consider using encryption for their data, and only store the data that they really need
Chart based on the number of Android devices accessing Android Market within a 14-day period ending 1 February 2012
How has Google's Android smartphone operating system managed to become so successful?
Android, the smartphone and tablet operating system of the moment according to some, celebrated its fourth birthday last November. However, it hit the headlines in a big way throughout the year owing to an apparent tidal wave of malware that infected the apps – the software that loads on to the platform – available on the mobile Internet.
As an operating system (OS), Android is still relatively young – it was developed by the Open Handset Alliance, an open-source initiative piloted by Google. Google acquired the company, Android Inc, back in 2005 and, after a couple of years' gestation, Android 1.0 was unveiled in November 2007. Due to the continued support of the Open Handset Alliance – a consortium of more than 80 software, hardware and telecoms companies – Google has released most of the Android code under the free Apache software licence, and has the backup of the Android Open Source Project (AOSP) for maintenance and development of the smartphone/tablet computer operating system.
Structurally, Android consists of a kernel based on the original Linux kernel, with middleware, libraries, and APIs coded in C running on an application framework that includes Java-compatible libraries based on Apache Harmony.
Overlaying this is a Dalvik virtual machine – the coding equivalent of Windows 98 sitting on top of a DOS environment – which runs the apps developed by Google's Android operation, as well as a raft of third-party developers.
Unlike Windows, however, which had the luxury of evolving through Win 3.x, Win98, WinXP, Windows 7, and now Windows 8, Android has developed against a backdrop of an experienced cybercriminal fraternity that has enriched itself by finding ways of subverting desktop Internet users, using a mixture of phishing, targeted attacks and, of course, all manner of malware.
Enter the Android Market
Like the iTunes online store, from which various iPhone, iPad, and iPod Touch apps can be downloaded, Google provides a similar central store with the Android Market. Unlike iTunes, however, the Market is not actively policed for errant apps. Developers can pay a $25 registration fee and, after a few cursory checks, can upload their apps to the Android Market.
Google does review the apps on the Market on an on-going basis, but tends to remove offenders only when they are reported to its abuse and admin accounts – by disgruntled users who have found their smartphone or tablet computer sending text messages to premium rate numbers and running down their credit, for example.
After a number of security scares that started in the spring of 2011, it appears Google is now taking its responsibilities more seriously by monitoring many apps on the official Android Market. The problem facing Android users, however, is that there are many third-party markets – including some run by smartphone and tablet computer vendors.
Almost all apps run in a customised version of Java, and Android itself is now recognised as a fork or offshoot of the main Linux development stream.
Note that Android does not have a native X Window System, nor does it support the full set of standard GNU libraries – limitations that make it difficult to port existing Linux applications or libraries to the smartphone/tablet computing platform.
Data storage is similarly non-standard: Android uses SQLite, a lightweight relational database, for data storage purposes. Just as non-standard is the multi-tasking approach taken by Android: rather than operate on a threaded basis, the operating system allows multiple applications to run at the same time. It is a true multi-tasking operating system, despite the hardware limitations of many budget and mid-range smartphones plus tablet computers that have been seen to date.
Put simply, this means a malware app can operate in the background of Android and, if the coder knows his onions, there is little or no trace of the app actually running once it has been installed.
How bad are the problems?
According to Denis Maslennikov, senior malware analyst with Kaspersky Lab, while there have been no major targeted attacks on mobile devices – as has been the case with desktop platforms in recent years – it is clear that cybercriminals are focusing their attention on smartphones.
Maslennikov's research team has analysed the incidence of portable device malware in Q2 and Q3 of 2011, and found that 95.8 per cent of malware was aimed at the Android OS – compared with 3.02 per cent at Symbian and 0.62 per cent for the Apple iOS platform.
"It's also clear that the cybercriminals are using social networks to get an 'in' on to users' smartphones, with sites such as LinkedIn being used in addition to Facebook," says Maslennikov. "LinkedIn is popular, because it has a business focus, giving the cybercriminals the chance to infect a business user's smartphone or tablet computer, rather than a home user."
He adds: "Social networks are extremely useful for cybercriminals, as they allow criminals to 'look up' potential victims before making a targeted attack using customised malware that gives them complete remote access to the users' smartphone or tablet computer. This allows them to gain access to a variety of information, including user credentials for a variety of online services, as well as the office VPN."
Once 'in' to a user's smartphone or tablet, Maslennikov says that cybercriminals can then monetise their information and remote access, both by racking up charges to premium rate text numbers, as well as selling on data on the person/business concerned to third parties – typically via underground forums, where debit and credit card data is also traded.
Avoiding an Android infection
Kaspersky Lab's Maslennikov also advises users to avoid using public access Wi-Fi services such as those seen in airports, bus stations, and railway stations, and stick to using 3G cellular as a data conduit. It may not be as fast, he says, but it is a lot more secure. "Smartphone users also need to make life difficult for cybercriminals. Install pay-for IT security software on your Android device and keep an eye on your data flows. Ignore unknown messages on any of the usual suspects, such as Skype and Facebook, and install a remote wipe app on your portable device – if you suspect something is wrong, trigger the remote wipe option and restore the handset from the cloud data you have backed up previously."
Google, he says, has done a lot to make Android 4.0 more secure than earlier versions of the OS, but, he adds, there is much more to be done. Users should, he says, also consider using encryption (a native device feature on Android 3.0 and later) for their data, and only store the data that they really need to access on the smartphone or tablet itself. By using the smartphone or tablet Android device as a gateway to access company data securely across the Internet, Maslennikov avers that users can still access the data they want to, but remotely.
This cautious approach to Android is echoed over at Qualys, the cloud security specialist, where Wolfgang Kandek, the firm's CTO, revealed last November that his research team was developing a version of BrowserCheck for Android that will be available at some point in Q1/2012.
BrowserCheck is a security utility that scans your browser – and its plug-ins – to find potential vulnerabilities and security holes, and then help you fix them.
Kandek reckons that, despite the Android platform hitting the headlines because of the amount of infected malware in circulation, Google has done a "good job" in developing a portable device OS that provides a framework for developers to create a secure smartphone or tablet platform: "Google provided the basic tools for developers. You have centralised administration and lots of controls."
As 2012 progresses, we "will start to see the arrival of secure Android app stores, with telcos and ISPs offering them as a value-add for their customers", he predicts. "Corporates want to use Android for their employees."
Kandek's comments come as a division of Motorola Mobility (now part of Google) is developing Android 3LM. The secure version of Android, which will be chargeable to smartphone and tablet vendors, should be seen in the second and third quarters of 2012. A VPN feature of the new operating system is billed as supporting secure remote access, remote device health and status checking, and the ability to identify each device using a unique IP address.
Reverse engineering is the problem
Matt Peachey, vice president of software security firm Veracode, says his latest (December 2011) set of bi-annual research into software vulnerabilities – the first to include smartphone apps in its analysis – has identified a problem with Android apps, with more than 40 per cent of apps analysed featuring a hard-coded cryptographic key as part of the program code.
This, according to Peachey, is a potential problem as, because Android is a fork (variant) of Linux, it is very easy to reverse engineer most apps, meaning that reverse engineering a cryptographic key is equally easy.
"From there you have a problem that, if another app uses the same cryptographic key, then the hackers have access to the key from day one," Peachey warns. "This is a potential problem on the business front, as our research shows that 33 per cent of apps are developed for online retail usage."
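As an added illustration (not code from Veracode or from the original article), the sketch below is a minimal static check a developer could run over their own app's Java source to flag SecretKeySpec keys that are fixed in the code. The sample classes, the key values and the find_hardcoded_keys name are all constructed for this example.

```python
import re

# Constructed sample: three common ways a key ends up fixed in app code.
SAMPLE_VULNERABLE = '''
public class Sync {
    private static final String K = "s3cr3tK3y1234567";
    private static final byte[] MAC_KEY = new byte[] {1, 2, 3, 4, 5, 6, 7, 8};
    SecretKeySpec aesKey() throws Exception {
        return new SecretKeySpec(K.getBytes("UTF-8"), "AES");
    }
    SecretKeySpec macKey() {
        return new SecretKeySpec(MAC_KEY, "HmacSHA256");
    }
    SecretKeySpec legacyKey() {
        return new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    }
}
'''

# Constructed sample: the key is fetched from a keystore at run time instead.
SAMPLE_OK = '''
public class Sync {
    byte[] seal(byte[] data, KeyStore ks) throws Exception {
        SecretKey key = (SecretKey) ks.getKey("sync-key", null);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }
}
'''

# A String or byte[] variable bound directly to a literal value.
CONST = re.compile(r'\b(?:String|byte\s*\[\s*\])\s+(\w+)\s*=\s*'
                   r'(?:"[^"]*"|new\s+byte\s*\[\s*\]\s*\{[^}]*\})')
# First argument of a SecretKeySpec constructor: a string literal or an identifier.
SINK = re.compile(r'new\s+SecretKeySpec\s*\(\s*("[^"]*"|\w+)')

def find_hardcoded_keys(java_source):
    """Return (line_number, origin) for each SecretKeySpec built from a literal."""
    lines = java_source.splitlines()
    literals = {}  # identifier -> line where it is bound to a literal
    for no, line in enumerate(lines, 1):
        m = CONST.search(line)
        if m:
            literals[m.group(1)] = no
    findings = []
    for no, line in enumerate(lines, 1):
        for arg in SINK.findall(line):
            if arg.startswith('"'):
                findings.append((no, "inline string literal"))
            elif arg in literals:
                findings.append((no, f"constant {arg} (line {literals[arg]})"))
    return findings
```

A line-based check like this only catches the direct patterns shown; keys assembled across several statements or loaded from bundled resource files need a fuller analysis.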
The situation with the security of Android apps, he asserts, is similar to that of desktop/Windows software, in that software developers seem blithely unaware of the need to develop security as a key feature of their apps from day one, rather than retrofitting security after their app has been developed.
Peachey's comments are echoed by research group Bit9: it listed the 'dirty dozen' smartphones that it considers the most vulnerable, in November 2011, and noted that all of them are Android-based:
1. Samsung Galaxy Mini
2. HTC Desire
3. Sony Ericsson Xperia X10
4. Sanyo Zio
5. HTC Wildfire
6. Samsung Epic 4G
7. LG Optimus S
8. Samsung Galaxy S
9. Motorola Droid X
10. LG Optimus One
11. Motorola Droid 2
12. HTC Evo 4G
Part of the problem, says Bit9, is that 56 per cent of the Android smartphones on the market are running on out-of-date versions of the Android OS, opening up security holes. It adds that smartphone manufacturers are not loading new phones with the most upgraded versions, but launching phones with 'outdated software out of the box', as phone-makers move on to newer products without ensuring their current models are running the most secure versions of released software.
"Smartphones are the new laptop and represent the fastest emerging threat vector," says Harry Sverdlove, Bit9's CTO, who adds that, in our 'bring-your-own-device-to-work' culture, people are using their smartphones for both personal and business use, and attacks on these devices are on the rise. He says: "This dynamic is changing the way corporations think about protecting their confidential data and intellectual property – this is the new security frontier." Sverdlove argues that the open nature of the platform has enabled both innovation and creativity in the mobile space, but that providing software updates for Android phones is now the responsibility of the individual hardware vendors along with their different carriers. This would be similar, he argues, to buying a PC from Dell and relying on Dell to co-ordinate with your ISP – instead of Microsoft – to update your Windows software.
With so many PC makers and Internet providers, the result would be a complete fragmentation of the market, with different computers having different versions of Windows depending on where they purchased the PC and where they live. The irony of this posited scenario will not be lost on PC users and software engineers mature enough to remember the 'wild west' contingencies of personal computing environments in the 1980s. Indeed, to step back even further in tech time, as any old mainframe lag will tell you, in computing what goes around comes around...
That, he adds, is exactly what has occurred within the Android smartphone market. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone.
Sverdlove says that security professionals and consumers need to put pressure on the manufacturers to be more responsible in prioritising security updates – and, much like the PC industry, he sees the manufacturers as relinquishing control of the operating system software updates.
This process, Sverdlove notes, has already been implemented with the Apple iPhone and Google Nexus phone. Like Qualys' Kandek, he foresees businesses as creating a secure app store and allowing only specific devices plus trustworthy applications into their environment.
Further information
- www.bloorresearch.com/
- www.android.com/
- www.kaspersky.co.uk/
- www.bit9.com/
- www.qualys.com/
- source.android.com/
Android malware timeline
August 2010 Media Player infection: Kaspersky Lab discovers Trojan-SMS.AndroidOS.FakePlayer, malware disguised as a media player, which runs in the foreground, while also sending out text messages without the users' consent.
Feb 2011 Kaspersky Lab warns on new Android Market: the new version of Android Market – the online hub that allows developers to sell apps to users of Android devices – offers users the ability to install apps directly from a desktop PC browser. This new feature, it is claimed, is effectively the same as a remote install option.
March 2011 200,000 Android smartphones may be infected with malware: the Android market was subverted by a range of infected versions of legitimate apps, which have been downloaded by as many as 200,000 smartphone users. The infection was the DroidDream malware, and it took Google four days to remove the infected apps.
April 2011 Skype warns on Android security risk: Skype admits that its Android client software may be vulnerable to data theft if the user unwittingly installs an infected third-party app to their smartphone.
July 2011 Symantec discovers a new type of Android malware threat in class loading hijacking, which effectively means that hackers can remotely take over most, if not all, aspects of a smartphone or tablet computer. The attack vector is similar to Windows DLL hijacking and affects a number of Android apps in the official Market resource.
Android for the enterprise set to arrive this year?
Motorola Mobility – the former smartphone division of Motorola, acquired by Google in August 2011 – is working on an enterprise version of Android. Known as Android 3LM, the platform was due to start enterprise customer trials spanning multiple vertical markets – education, government, healthcare and retail – at the start of 2012, ready for a possible spring 2012 launch. The platform was unveiled at the CTIA Enterprise & Applications 2011 conference in October and features device plus SD card encryption; encryption of business apps; the ability to blacklist/whitelist apps; remote wipe facilities; VPN support; device location and a curiously-named 'breadcrumb tracking' technology.
Android 3LM – the three laws of mobility – is a variant of Android 3.2 and will be available to any smartphone or tablet manufacturer, but it is likely to attract a licensing charge. Tom Moss, 3LM's CEO, says that Android 3LM will deliver a unique architecture that enables even the most security-conscious IT administrators to empower users to bring their Android devices into the workplace and have these devices access and manipulate corporate data: "We believe that this is a bold opportunity for the enterprise market – as the Android operating system continues to outpace the growth of other operating systems – providing a win-win for IT and corporate end-users, protecting the integrity of corporate data while also preserving users' freedom to use their Android OS-based devices to their fullest potential."
The VPN feature of the new operating system is billed as supporting secure remote access, remote device health and status checking, and the ability to identify each device using a unique IP address, tracking it as a network endpoint.
'Must do better' or lose market credibility
Bloor Research's security practice leader, Nigel Stanley, has lately completed a major research project into the Android smartphone and tablet computer operating system – and he found it wanting. Badly wanting.
Stanley says that he looked at the platform from the data loss and leakage perspective, starting with the smudge test – a test of touchscreen devices to see whether, after continued input of the same password or lock pattern, it was easy to reduce the number of digits to 'try' before gaining unauthorised access. It failed.
Then there is the data storage medium – in the case of Android, the microSD card. The operating system failed here too, as it was very easy to remove the card – which is not password locked at the operating system level – and access the contents on an external device. This contrasts, Stanley notes, with the microSD cards seen on Windows Phone 7 devices, where the card is typically soldered on to the system board of the handset for security. Stanley also tested Android smartphones for SMS bombing, measured by the ability of the device to generate text messages in the background without the user being aware. The platform failed in this test area too.
The Bloor analyst says he views Android as a massive fail on the security front, as the hardware – and the operating system – is designed without any intrinsic security in mind. Even if the operating system were reworked significantly to counter the security shortcomings, he says the hardware lets things down.