Tuesday, December 10, 2013

Android, is it Secure?

Author: Nitin Gulia


Today our small devices like phone, tablets and note books works on open source operating systems and these devices are capable of doing most of the work that we used to do on Desktops and laptops. The Next generation of open operating system won’t be on desktops or mainframes but on our small devices that we carry every time with us.
The openness of these new environments will lead to new applications and markets and will enable greater integration with existing online services. However, as the importance of the data and services our cell phones support increases, so too do the opportunities for vulnerability. It’s essential that this next generation of platforms provides a comprehensive and usable security infrastructure. Android is now becoming the most popular open source platform for smartphones and tablets. Its security model is based on application-oriented mandatory access control and sandboxing. Technically, this is realized by assigning each application its own UserID and a set of permissions, which are fixed at installation time and cannot be changed afterwards. Permissions are needed to access system resources or to communicate with other applications. Android checks corresponding permission assignments at runtime. Hence, an application is not allowed to access privileged resources without having the right permissions.


However, Lucas, Alexandra, Ahmad-Reza and Marcel, students of Ruhr-University Bochum, Germany explained how Privilege Escalations Attacks are possible on Android. In their paper they claimed that Android’s sandbox model is conceptually flawed and actually allows privilege escalation attacks. While Android provides a well-structured permission system, it does not protect against a transitive permission usage, which ultimately results in allowing an adversary to perform actions the application’s sandbox is not authorized to do. Note that this is not an implementation bug, but rather a fundamental flaw.

Besides this, there were various vulnerabilities identified since the android has been introduced. It is also true that various vulnerabilities had been fixed with the upgrade of android versions. For instance, Android 2.3 (froyo) had vulnerabilities like Code Execution on the stack and heap and integer overflow during memory allocation, which were mitigated in the later versions of the Android. Latest version know as jelly bean ( Android 4.1+) introduced Address Space Layout Randomization (ASLR) to randomize key locations in memory to mitigate the null pointer dereference privilege escalation vulnerability. Jelly Bean also pulled in a couple easy enhancements inherited from the upstream Linux kernel that can prevent information leakage.

However, question here is that, how many devices support these upcoming updates and how many people bother to update their devices as soon as update comes. There are various devices which don’t support new and upcoming updates and most of the users which are not tech savvy don’t even bother about updating their devices.  Recent results by Duo security states that over 50% of Android devices are vulnerable. Considering the fact that most of the most of the users don’t want to update their devices it will be very easy for hackers to exploit the vulnerabilities with the help of malicious app or adversary.

Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far. Nevertheless, F-secure labs mobile threat report for Q4 2013 makes it clear that most popular smartphone operating system is also the leading target for online criminals.

94% of all mobile malware the F-Secure Response Labs analyzed in Q4 targets Google’s Android platform.

As we are using our smart phones 24×7 with internet enabled there are few things that one should kept me mind while using these devices for instance:
  • If update or patches are available always update your devices with latest patches and updates.
Your smartphone is a mini PC with the same software issues that your PC has including software that continually needs to be updated. This may require some help from your carrier depending on your phone – but the basic rule is: The more current, the better.
  • Always check Application-defined permissions to control application data on a per-app basis while installing in your device. As in Android most of the attacks happens by using rouge applications.
  • Install good Mobile antivirus to protect your phone from malicious content.
  •  Stick to the official app stores.
  • Apple and Microsoft have strict guidelines for their app stores and Google’s Play store is increasingly adopting restrictions that prevent bad apps from ever showing up. If you only get apps in the official stores, your chances of getting a bad app are almost zero.
 The threat is real. But it isn’t just a threat; it is real data being stolen, real data being destroyed and real costs impacting your business. If you’re allowing BYOD in your company, implement security measures now. Hire a top notch security consultant and check your current status. Chances are very good that your data has already been compromised. If it has, you need to know.

No comments:

Post a Comment