tech|sphere

I have been doing some research lately on the security of Android platform. I recently presented to a group of security researchers on the state of security applications available in Android Marketplace, and what can possibly be done in terms of security on Android application level. My presentation contains more details; the summary of my major findings goes below:

• Most of the security applications (such as OI Safe, B-folder + sync, Secrets-for-android, etc.) available on Android platform  at the moment focus on the encryption and secure storage of user generated content and data. They do not do anything on the system level. The primary reason for that is Android manifest only allows limited number of application permissions, thus possible permissions declarations in Android manifest define the upper boundary for what a developer can achieve with an Android app. Nothing more can be achieved, at least not on a phone, which is not rooted. (It’s a bad news if you want to do something with the network traffic, like monitor traffic etc.)
• Anti-malware apps (such as Smobile Security Shield, WaveSecure, etc.) offer some useful functionality, but it is nothing compared to what is offered by anti-virus software on PCs. Android anti-malware apps do signature-based and permission-based malware detection (more details in the presentation). However, I found permission-based detection quite pre-mature; it’s proved by Smobile security report that 29 apps on Marketplace require the same application permissions as known spyware apps do. Thus, it clearly shows that reliance on permission-based detection will lead to a greater number of false-positives.
• Some new apps (RedPhone, SecureText, etc.) implement encrypted phone calls and text messages. However, there is no way to replace the default phone or text messaging applications pre-installed on Android unless the phone is rooted. Therefore, the possibility of being more creative with user authentication (such as authenticating users with accelerometer & GPS sensors instead of typed passwords) is simply not possible (at least until Android 2.2).

Smobile Android security report revealed some astounding numbers very recently that I found quite remarkable. Such as:

• About 20% of 48,000 apps in Android Marketplace allow a third-party application access to sensitive or private information.
• 5% apps can place calls to any number without user interaction.
• 2% apps can send text messages without user interaction.
• 29 apps require the exact same permissions as applications that are known to be spyware.
• 383 apps have the ability to read and use the authentication credentials from another app or service.

One could argue that Android does show all the required permissions to users at time of app installation, thus users should be able to recognize malicious apps. However, one could counter argue if the users really read the application permissions at install time? Even if they do, when do they do it? I haven’t come across any user studies addressing this questions yet, but my gut feel says, majority of the users probably don’t check all permissions of all apps, and I believe, that ratio of users will go significantly down for the case of app updates. Who has the time to keep track of all permissions for all updates of all apps?!? I don’t!

Moreover, how can a user know if the app really needs access to his phone-records without trying the app in the first place! Moreover, the way Android marketplace security model is put in place, it will almost always be true that a decent number of users will be trapped into a scam (if the app is malicious) before the malicious behavior of the application is recognized and appropriately dealt with.

Application authority disclosure on smartphone platforms is still an open question that in my personal opinion needs revolutionary ideas! However, one thing is certain that users surely don’t like paragraph and outline styled permission disclosure, as found out by this user study. Instead, designs with images could surely prove as game-changer.

Attachement: Android Security Presentation