Security for your Android Device

by Penny C

A lot of us have made the choice to upgrade our phones to smart-phones, and most of those smart-phones run Android OS. As we all know, Android is an open-source OS and is vulnerable to attacks, just like our computers are. Attacks could take the form of sending and receiving SMS/MMS, extracting private information from the phone, or making the phone unusable. For those of us who have an unlimited text messaging plan, the cost incurred from those SMS/MMS messages is not much of an issue, but the phone has still been compromised. Per the article, the attacks occur through cellular networks, Bluetooth, the Internet (WiFi, 3G), USB and other connections. Smart-phones have not been around as long as computers, but malware for smart-phones took 2 years to reach the level that computer malware took 20 years to reach. The astounding speed is due to the experience gained through writing malware for computers, according to the authors. So smart-phone security is becoming a forefront battle.

Android uses the Linux kernel for drivers, memory management, process management and networking. On top of that sit the Android native libraries in C/C++, a Java interface and the Dalvik virtual machine. Together, these three protect the phone: access to files is permission-based, which limits what applications can do. The article assessed the built-in security of Android, and a few of the features are listed below.

POSIX users: Prevents one app from disturbing another.

File access: Android, being based on the Linux kernel, handles and enforces file access. System and application files have different access permissions. The system or root “user” can access system files, and an application “user” can only access application files. Linux has a host of other security mechanisms, covering power state changes, drivers, etc.

Memory management: This does not allow privilege escalation.

Type Safety: Prevents buffer overflows and “stack smashing”, which cause the system to crash.

Application permissions: Applications have limited ability to perform unauthorized behavior. This feature makes the application being installed declare its permissions at installation. I am sure those who use Android phones know this. At the beginning of each application installation, a permission screen is displayed that tells the user what the application will access. (This is not good enough protection.)

Dalvik Virtual Machine: This allows each application to run in its own virtual machine, so each application is isolated from the others, and this also prevents remote access control.

Some of the items on the list may or may not make sense, depending on the reader’s experience with Android OS components. The authors tested an HTC G1 smart-phone and stated that an Android device in its ‘normal’ state is a pretty good guard against attacks. The attacker has to be able to somehow change the hardware in order to access the core components or the kernel. The only way to get access to the OS is to find a hole in one of the kernel modules or core libraries that allows root access. Attackers cannot use the Internet to break into the OS either, because the services that are installed do not listen for incoming connections. Attackers can’t really use the Bluetooth port either, because the phone has to be set to broadcast the Bluetooth signal and it will only broadcast for 10 minutes.

Here are a few weaknesses of Android. As noted earlier, the permission request for resource usage during application installation is not good enough to protect the phone, because the permission is ALL or NOTHING. A user could end up giving permission to a malicious application. The web browser is also identified as a weakness that an attacker may use to exploit the phone. The authors claimed that attackers can force code down through the web browser and that there is a history of such attacks. The authors also noted that SD card content is open to attacks.
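Because the install-time grant is all or nothing, the useful moment to review an app is before accepting that screen. The following is an added example, not code from the article or from this post: it lists the permissions declared in a manifest and flags the ones tied to the attack outcomes mentioned above (SMS abuse, private data leaving the phone, SD card tampering). It assumes the APK's `AndroidManifest.xml` has already been decoded to text XML; the `SENSITIVE` grouping and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Grouping chosen for this example (not taken from the article).
SENSITIVE = {
    P + "SEND_SMS": "can send SMS/MMS without asking again",
    P + "RECEIVE_SMS": "can intercept incoming SMS",
    P + "READ_SMS": "can read stored messages",
    P + "READ_CONTACTS": "can read the contact list",
    P + "ACCESS_FINE_LOCATION": "can read precise location",
    P + "WRITE_EXTERNAL_STORAGE": "can modify SD card content",
}
PRIVATE_DATA = {P + "READ_SMS", P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION"}
NETWORK = P + "INTERNET"

def requested_permissions(manifest_xml):
    """Return the sorted permissions declared by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {n.get(ANDROID_NS + "name", "").strip()
             for n in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def review(manifest_xml):
    """Return (permission, reason) pairs worth weighing before install."""
    perms = requested_permissions(manifest_xml)
    findings = [(p, SENSITIVE[p]) for p in perms if p in SENSITIVE]
    # Private data plus network access means the data can leave the phone.
    if NETWORK in perms and PRIVATE_DATA.intersection(perms):
        findings.append((NETWORK, "network access alongside private data"))
    return findings

# Constructed sample: a flashlight app asking for far more than it needs.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in review(SAMPLE):
        print(f"{perm}: {reason}")
```

An app that requests only the camera produces no findings; the flashlight sample is flagged for contacts, SMS sending, and the network-plus-private-data combination.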

The authors suggested a few security software products that claim to provide secure web browsing, VPN clients, malware protection, etc. The suggested software includes Savant Technology, DroidHunter, and CheckPoint.

I personally haven’t had any attacks on my phones, but I use “Lookout”. That’s a security application and it scans the phone for malware. It also scans each application for malware at the installation stage and lets the user know that the application is ‘clean’. In addition, Lookout will lock your phone if you report the phone missing to Lookout via the Internet from your computer. Lookout will also let the user ‘locate’ the phone.

I thought I’d post this article because most of us can’t live without our phones. We take pictures with them. We post to Facebook from the phone. We “check in” to places from the phone. Our contacts are all stored there. There is a lot of information about us on our phones, and phones are as vulnerable as our computers, if not more. Computers have been hacked into so much that we pay more attention to the security of our computers but virtually ignore the security issues on our phones.

Shabtai, A.; Fledel, Y.; Kanonov, U.; Elovici, Y.; Dolev, S.; Glezer, C. (2010). Google Android: A Comprehensive Security Assessment. IEEE, 8(2), 35-44.