Android Security: Investigating Google’s Mobile OS

Kadra Alvaro, April 2010


Outline

◦ Introduction: The Android Platform
◦ Threats to Smartphones
◦ Android-Specific Threats
◦ How to Secure Your Android Device
◦ The Future of the Android OS

Introduction: The Android Platform

The Android operating system was originally developed by Android Inc., a small company that was purchased by Google in July of 2005.

Android is both a platform and an operating system.

By using Java, Google hopes to make Android development more accessible and easier to participate in.

Threats to Smartphones

When smartphones first came out, the threats to them were minimal.

These days smartphones are one of the most prevalent handheld devices, and users rely on them for:
◦ accessing their email
◦ their bank account
◦ the internet
◦ texting and calling plans

All from one portable device.

Threats to Smartphones

Most users don’t install security software on their phones.

Some of the more common threats to mobile devices:
◦ Bluetooth exploits
◦ SMS/MMS attacks (usually injection)
◦ web browser exploits
◦ malware (usually distributed by third-party sources in the form of Apps or other downloads)

SMS Vulnerabilities

SMS and MMS are vulnerable to a variety of attacks these days.

SMS is much more than just text or picture messaging; SMS is often used for voicemail notifications and visual voicemail.

SMS fuzzing and shellcode injection hit the iPhone soon after its debut, and have been known to affect Windows Mobile and Android phones as well.

SMS Vulnerabilities

Most of the exploits on phones are man-in-the-middle attacks, where software is injected between the modem and the telephony stack so that it can eavesdrop on incoming and outgoing messages.

Malware

There has been an upsurge in malicious Apps since Apple’s App Store debuted.

They include games designed to surreptitiously record phone numbers and other private user data and steal ID numbers or bank info.

This could be one of the most prominent threats to Android phones because of the mostly unregulated Android App Market.

Web Browser Exploits

The web browser is one of the most complex components running on the relatively slim handset operating systems.

The mobile web browser is constantly evolving and being reinvented by different third-party vendors.

Most smartphone browsers are filled with bugs and badly written code that can be exploited.

Bluetooth Vulnerabilities

Many phones come with default settings that will allow the phone to connect to a Bluetooth device without any authorization or encryption.

Android-Specific Threats

Android’s open-source nature makes it a prime target for hackers, since every detail of its inner workings is laid bare to anyone with internet access.

Third-Party Applications/Software

Perhaps the most prominent potential danger is Android’s free and open Application Market, which undergoes very little monitoring by Google, in sharp contrast with Apple’s infamously fussy App Store regulations.

Apple’s App Store: The Iron Fist

Apple was the first company to create a popular online technology store that was capable of directly interfacing with handheld Apple devices.

The iTunes store is one of the most widely used music applications for organizing and purchasing media.

Apple knows that a troupe of vicious Applications roaming around their App Store would be very bad for business.

Apple’s App Store: The Iron Fist

Once developers finish producing their App, they send it to Apple, who then assigns a team of two employees to review the App.

Apple does not accept Apps that:
◦ contain private APIs
◦ contain more than a few bugs
◦ violate the user’s privacy (such as stealing/logging his data)
◦ help the user break any law
◦ perform VoIP calls without AT&T’s permission

Such Apps are disqualified.

Apple’s App Store: The Iron Fist

Any Apps that are designed to replace a core Apple program (such as a web browser, email manager, or a calendar App) are also not accepted.

Many users who are unsatisfied with Apps that play by Apple’s rules jailbreak their iPhones to download unapproved Apps, which leads many to unknowingly infect their phones with malicious programs.

The Android Market: Laissez Faire

Google’s security policy is altogether different from Apple’s in that it transfers responsibility onto the users, and Google itself takes little part in patrolling the Market.

Malware in the Market

Unlike the closely regulated Apple App Store, the Android Market allows all kinds of malicious Apps to be posted, and users perusing the latest uploads need to be wary.

Malware in the Market

Security researchers Derek Brown and Daniel Tijerina tested the potential for damage by creating a simple weather App called WeatherFist that collects user data like GPS coordinates and phone numbers.

Twenty-four hours after the App was released, the researchers had 1,862 phones roped into a potential botnet.

How to Secure Your Android Device

Disable automatic Bluetooth sharing and keep it turned off when you’re not using it (it also saves battery).

It’s not a bad idea to keep your GPS turned off too.

How to Secure Your Android Device

A useful free App called Mobile Defense will also track down lost or stolen handsets.

After the device syncs with your account, the App promptly “uninstalls” itself, leaving no trace that the program was ever downloaded or installed.

This matters because it is possible for a thief to uninstall the highly visible Antivirus software.

The Future of the Android OS

Android is running on quite a few phones, both new and old.

If Android devices continue to remain so scattered and unsupported, it could have a negative effect on security for Android owners.

The Future of the Android OS

Google’s policy regarding Android seems to be very hands-off so far in the development of the young OS.

However, more than a few people think that more regulation from Google is necessary to keep users safe.


Question