Forgot your password?
typodupeerror
Android Cellphones Security

Ask Slashdot: Android Security Practices? 173

Posted by Soulskill
from the avoid-installing-malicious-ai dept.
Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Android Security Practices?

Comments Filter:
  • Install a firewall (Score:5, Informative)

    by girlintraining (1395911) on Friday May 20, 2011 @02:14PM (#36193940)
    Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind). Disable their network access. If an application requires network access, bring it home, set it up on your home wifi network, and run a sniffer to find out where the data goes. You don't need to know what the data is per se. Then, try blocking as much of it as you can until the application stops working. You've now found the minimum amount of access that app needs to function.
    • by mlts (1038732) * on Friday May 20, 2011 @02:20PM (#36194016)

      More specifically, root your Android phone (no, it will not lessen security unless you are stupid and click "allow" on any app that pops up the su dialog unless you KNOW it needs the root permission.)

      Install DroidWall and allow it full su access. Then when you install a new app, make sure to allow it out, because by default, new apps are not allowed to phone anywhere. LVL is handled by another mechanism, so apps should know they are licensed even if you block them with DroidWall.

      After installing DroidWall, and selecting the apps you know that need to communicate, that will provide a decent measure of protection.

      • It should be noted that one of the reccommended ways for devs to employ LVL DRM is to offload the returned response to the dev's own trusted server. This would require internet access. This is done because LVL is trivial to break alone and trusting the client is always insecure.

        Anyways, not to sound too spammy or promotional, but for beginners to Android I've written a guide and app that they can use as a pocket reference for the permissions and something they can give to family/friends who might be le
    • by improfane (855034) * on Friday May 20, 2011 @02:20PM (#36194018) Journal

      On a phone? Are you serious? Honestly I never thought you'd ever need a firewall on a phone. If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones. I always thought that the Bitfrost security architecture from OLPC was a good idea. How come this style of capabilities is not in Android?

      Nokia 1661 and loving it baby. As far as I can tell, I can't put software on it!

      • by i.r.id10t (595143) on Friday May 20, 2011 @02:25PM (#36194064)

        The problem isn't that it is a phone, but rather, it is a computer with phone functionality. Would you tote around a laptop w/ no firewall or AV?

        • Re: (Score:3, Interesting)

          by improfane (855034) *

          I think you're missing my point. It's a phone. You shouldn't have to install security software on something as trivial as a phone. Something is wrong with the API and security assumptions of the device that it is insecure by default, without security software.

          Now that the cat is out of the bag, we can never put it back in. App companies have gotten used to the APIs that give them amazingly intimate personal and marketing information. Apple and Google (an advertising company) has a vested interest in allowin

          • by The Dawn Of Time (2115350) on Friday May 20, 2011 @02:41PM (#36194230)

            You're missing reality - it's not a phone, it's a computer with phone software. I know that's exactly what the post you replied to said, but apparently it went right over your head.

            • by Joce640k (829181)

              It's sold to people as a 'phone by 'phone companies...that makes it a 'phone to most people. However you slice it, having all those computing abilities is a bad thing for security.

          • "I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution."

            You pretty much described the way the android works, w

            • by improfane (855034) * on Friday May 20, 2011 @03:23PM (#36194598) Journal

              That's the potential to access. Not the actual access. That won't scare users enough.

              The software should display the data that would have been accessed with the widgets that is appropriate to the device, say a contact card or a filename and then threaten the user.

              Are you sure you want to send this information to somewebsite.com over an unscrambled channel to someone in China?

              • a list of your contacts as displayed in your contact list
              • a recent email of your naked wife (with picture rendered)
              • a map with lines between your last plotted geolocations
              • the following picture captured from your webcam

              It should be displayed like numerous bits of scrap data on the screen with a picture of a pipe and the pipe attached to a shady looking figure next to the planet earth on the other side of a cloud. The implication should be obvious.

              Would that scare you?

              • by Applekid (993327)

                Well, fine then. Each app has a developer. Write to them and find out what they want to do with your phone.

                They don't write back? Don't install the app.
                They write back marketing fluff? Don't install the app.
                They write back something you suspect is a lie? Don't install the app.
                They write back something you suspect is true but you don't want them to have the permissions? Don't install the app.

                My app selection criteria revolves around what's important to me. Sounds like I just itemized your criteria. No no, my

          • The era of pocket cell PHONES is over, now is the rise of pocket computers. i realize you are trying to make point blah blah blah. I get the part about the providers slurping at the trough of personal data but bitching about having to install a firewall on a networked COMPUTER is silly.The reality is that to have expansive functionality, you need to make security compromises. This is true across the computing spectrum and security in general. Its easy as hell to lock down a computer, simply turn it off. Fo
          • by girlintraining (1395911) on Friday May 20, 2011 @03:51PM (#36194910)

            I think you're missing my point. It's a phone.

            They aren't missing it, they're ignoring it. What it is called isn't the issue, it's what it can do, and whether that is what the end-user wants (or not).

          • This. By default you are given generic information about the access an app will require before you install it. You must approve it in order to install it. You do not get any specific information about what the app will do with the info. Once you approve it you gain no further insight about what the access is used for or even when it's used.

            OP is missing the point with the firewall suggestion. It is not reasonable that someone should have to go to tjose lengths to secure a device, especially a modern dev

        • by spikenerd (642677)
          AV is like installing a house-fly chasing robot. It's big and often gets in the way, but it keeps the fly population in your house small. On proprietary platforms, AV is critical because you cannot close the windows through which they enter. On open platforms, it's a stupid idea. Just close the stupid hole! Why would anyone put up with AV? It's as annoying as what it protects you from, and the days when it was a good thing have passed.
      • by wiggles (30088)

        That's because it's no longer a phone. It's a palmtop computer with phone functionality.

      • If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones.

        Ah, the myth of perfect security. There is no system that connects to a network that is perfectly secure. We all want open phones that will run any software we want, and we expect the OS to be able to ward off any possible attempt to compromise it. Ain't gonna happen. That's why we need firewalls, as well as software that blocks processes based on either known signatures or behavior.

        Only a mathematician could believe in perfect security. Engineers, they know better.

        • by improfane (855034) *

          I wish I could accept how easily you accept the status quo. One that only benefits big companies that harvest personal information from the clueless masses. Perfect security is impossible, I agree.

          I don't want a phone that is continually monitoring my whereabouts by default or can connect to the network at the same time as accessing my data.

          Should a phone be able to access my phone book AND the network at the same time?
          Should a phone be able to access files on the phone AND the network at the same time? Wha

      • by poetmatt (793785)

        so basically you like the complete lack of control over what info we can pull from your N1661? Specifically where you are, who you've talked to, etc?

        • by improfane (855034) *

          Do you really think your phone being an Android or an iPhone protects you? Any intelligency agency could pull whatever they could pull my phone from an Android or iPhone plus everything else. I don't doubt the remote code execution of phones.

          The recent phone "hacking" scandal [wikimedia.org] in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.

          I protect myself from myself by using a dumb phone. Not from others...

          • by jonbryce (703250)

            The phone hacking scandal employed default password vulnerability on people's voicemail boxes. That was server side. The default pin to access your voicemail is 0000 and most people don't change it. I disabled my voicemail many years ago.

      • by bryan1945 (301828)

        I have some Nokia xxxx phone. I can install software on it, but it's a real pain in the ass (I did it to turn off the Web, GPS and PTT buttons.). Like you said- it's a damn phone. Unlike most /.ers, I don't want a phone/computer/lawnmower. I want to call my wife, not trade stocks while watching a baseball game and playing Angry Birds on a phone.

    • by Jeremiah Cornelius (137) on Friday May 20, 2011 @02:26PM (#36194082) Homepage Journal

      Agreed. When "signed apps" are little different than trojans to steal your PII and report on your activities, the definition of security moves away from one of "penetration and exploitation" towards "scope of trust and violation".

      As to the original article.posting, with its naive POV regarding security? What does your posture do for you, when exploitation and abuse are built into signed apps - or signed apps consume and interpret code from untrusted, arbitrary sources? Flash, Acrobat and any AJAX capable browser are all wide-open to abuse, on any given 0-day.

    • by molnarcs (675885)
      I think firewall is a bit overkill. My advice would be to just use normally. I do. I DON'T install apps from shady sources, I just use the official Market. I have a few dozen apps installed, and I clicked through the permission screen mindlessly, yes. Why? Almost every app needs network access, after some time I got bored reading through the list of permission they require. BUT - the apps I install are well established apps with overwhelmingly positive reviews (based on a large number of reviewers). That's
      • by nschubach (922175)

        I think firewall is a bit overkill. My advice would be to just use normally. I do. I DON'T install apps from shady sources, I just use the official Market. I have a few dozen apps installed, and I clicked through the permission screen mindlessly, yes. Why? Almost every app needs network access, after some time I got bored reading through the list of permission they require. BUT - the apps I install are well established apps with overwhelmingly positive reviews (based on a large number of reviewers). That's basically it - just use common sense.

        The problem is, 99% (woo, fictional stats) of the people that voted that app a 5 star app did the same thing. Nobody pays attention to what they are giving access to. They only care what the app tells them it's doing. (I'm a background switcher and I need access to your contacts so I can display them on the background and full internet access for ads!). They do not care that it's sending their contact information to a central server of spammers.

    • Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind).

      Bah! Screw that. Maybe I'm too idealist, but if I'm looking at an wallpaper (for example) and the security permissions require net access, SD card access, and access to your bookmarks, I just don't install it. There are two main reasons for this:

      First and foremost, the app is obviously shady, if not outright malicious. I don't want it on my device at all.
      Secondly, and no offense here, but you are trusting a firewall / antivirus program to protect you from stupidity. There is no replacement for some com

    • by godrik (1287354)

      I am a new android user. And I wondered about security as well.
      You said things like "Disable their network access" or "try blocking as much of it as you can until the application stops working". But is there any system level permission that can be set per app ? Anyway to say per app yes or no for the network ? or maybe allow access to some directories but not to other ones? A lot of applications are requesting GPS localisation, is it possible to configure fake coordinates?

  • by Anonymous Coward

    Only thing I can think of is to read details on the app, for example why would a notepad app need access to the internet or my contacts.
    Another thing is to install only apps from Google or "Good known sources".

    • by nschubach (922175)

      Well, the notepad app could say it needed the Internet access for ads and the contact information for the quick contact paste feature.

    • by rickb928 (945187)

      AKNotepad syncs to catch.com. It's a feature. So it uses Internet access.

      And it's in the Market.

      There is no substitute for you actually knowing what the app does, and evaluating the permissions to see if they are appropriate, in your view, to what the app states is its feature set.

      You were saying?

  • by Kenja (541830) on Friday May 20, 2011 @02:16PM (#36193974)
    A smart phone is a computer like any other and should be treated as such. Trust mobile apps as much as you would trust desktop applications. Do not install unknown software from unfamiliar sources and in general be as vigilant as you are with your Windows, Linux, OS X system. If you are paranoid enough, there are firewall and app activity scanners out there. But perhaps you dont trust them either. In which case, write your own apps. Its not hard for even the inexperienced with the app-builder tools.
  • by c0d3g33k (102699) on Friday May 20, 2011 @02:25PM (#36194066)

    The problem with Android is that the permissions aren't in fact "fine grained" (though they might seem so to the 'TL;DR' generation). They are relatively course-grained with respect to what modern applications might require. Any non-trivial app will require permissions from the available pool that can be abused by malicious developers. The user has to fall back on trust when installing any non-trivial app.

    Android needs something more like a sandbox environment for each application and a reasonable system where the user is asked for permission before accessing sensitive information.

    Android permissions == FAIL, at least from a personal privacy and security perspective.

    • Re: (Score:3, Informative)

      Every app requires full permissions, for no useful reason. Why a stopwatch wants access to my calls and read/write on the SD card, I don't know, and the choices are to either accept it or don't use the app. This is seriously broken. I don't even look in the Android Market anymore because it's just too much risk to install anything. It's actually worse than Windows, where at least I know where the software is coming from.
      • by Reapman (740286) on Friday May 20, 2011 @02:53PM (#36194340)

        EVERY App? I doubt this, in fact as an App Developer I know this isn't true. Adding permissions to your app is something you opt in - if a developer is so lazy he opts in every single perimssion then I wouldn't trust that app.

        I've decided against installing apps that require permissions I don't want, and have quite a few apps that I've trusted onto my phone.

        Google is providing you the ability to, at least, get an idea as to what your getting into. Something like the iPhone doesn't give this, and I'm not sure if Blackberry does or not. Could it be improved? VERY. Is it better then nothing? VERY.

        How is this broken? Because an App Developer has some crazy permissions? I'd call that working - you know what it's asking for and you choose not to install it. How is it better then Windows? Do you know if your Windows Stop Watch app is talking to your Contacts stored in Outlook or Thunderbird?

        • by c0d3g33k (102699)

          Any non-trivial app requires permissions to one or more of the following:

          - Your location (coarse or fine grained)
          - Full network capabilities
          - Call status
          - Your personal contacts
          - Account information

          And the big kahuna:

          - Your SD card

          Putatively for storage of application data, settings etc. But as far as I know, there is no mechanism to prevent an app from accessing ANY other information on the SD card once granted access. And just about every app requires read/write access to the SD card. Let the data-mini

          • by Zumbs (1241138)

            - Your SD card

            Putatively for storage of application data, settings etc.

            There are other options for storing application settings and data that does not require access to SD cards. Internal Storage [android.com] is one. Unless the app needs to save a lot of data, there is no reason to require access to the SD card.

        • by hedwards (940851)

          One of the problems is that some ad software that free apps use seems to need to spy on people in order to work. You can opt not to install that software but the marketplace lacks transparency when it comes to what the app is actually doing with that permission. And I'm not aware of any way of keeping an eye on apps to make sure that they aren't doing anything nefarious with the permissions. Trust but verify ought to be the way with apps that you've decided to trust.

          Additionally, some functionality like pla

          • by rickb928 (945187)

            "One of the problems is that ALL ad software that free apps use "

            There, let's get it right, ok? So far, ALL ad methods I've seen need to talk to their overlords to serve up what they think I will respond to. they act in futility, but I'm not going to tell them that.

            • by hedwards (940851)

              That's not true, there are degrees, some need to do that to serve ads, others don't. Some require tracking the individual by GPS and other means and others don't.

      • by nabsltd (1313397) on Friday May 20, 2011 @03:21PM (#36194574)

        Why a stopwatch wants access to my calls and read/write on the SD card, I don't know,

        Many apps that need access to "phone calls" are doing so to be good resource users, and to follow some Android UI conventions.

        Knowing if you are talking on the phone or not allows the app to change its behavior to not bother you, use less CPU cycles, etc. And, this sort of thing is why there are so many complaints about the overly-broad permission groups on Android...you can't know the "in-call state" without being given permission to "phone calls".

        • by AmbushBug (71207)

          ...you can't know the "in-call state" without being given permission to "phone calls".

          I don't think this is true. The permissions for phone state are called "Read phone state and identity" and they don't allow you make phone calls, as far as I know. That said, the internet access permission is too coarse - its basically all or nothing. It would be nice if apps had to list the domains they are going to connect to or something...

        • by Zumbs (1241138)
          Whenever the focus of an activity is changed, an event is called that can be used by the application to change its behavior. If an application use multiple activities, all you have to do is to keep track of which of the activities of the application have focus, and set the behavior of the application correspondingly. For a lot of applications this is enough to play nice, and there is no explicit need to get access to call state.
      • by rickb928 (945187)

        stopwatch might want access to phone state so it can choose how to alert you to an alarm, a common feature in stopwatches. Or just to decide how to give you the 'tick tock' - speaker, earpiece, or phone audio... It might want to play nice and not beep all over your call in progress, or scare your callers.

        Read/write to SD to save results of timings? Some people like saving the results of timing their software load times, or epic 5k run.

        Perhaps you need to write your own stopwatch.apk that just.does.stopwat

      • Every app requires full permissions, for no useful reason. Why a stopwatch wants access to my calls and read/write on the SD card, I don't know, and the choices are to either accept it or don't use the app. This is seriously broken. I don't even look in the Android Market anymore because it's just too much risk to install anything. It's actually worse than Windows, where at least I know where the software is coming from.

        Are you serious? Any monkey could write a shareware clock application, that harvests whatever data and then sends it wherever, and your PC OS wouldn't do anything to notify you.

        Pandora was recently rejected by me, because it wanted to use my contact list. You do have a choice besides being owned.

        Which stopwatch application anyway?

    • Well not only that but you can never be fine grained enough for the user to understand.

      If your app saves data to the cloud then it needs the ability to "Copy files to remote servers".

      That's either a trojan or the app operating correctly. No way to tell without per-file transaction confirmations. "I'm about to move a temp.dat to the cloud. Ok?" And even then. "Wait, what's in temp.dat?" And so on and so forth.

      The only difference between a malicious network aware application and a good one is what data

      • by improfane (855034) *

        I think getting the users to understand and not just accept mindlessly (like Windows UAC and Facebook Applications) is the hardest part. It's a social problem. The permission message must be clear and almost threatening. It should show the data that is being displayed. I replied to someone else about this with the same view [slashdot.org] as you :-).

  • by Rary (566291) on Friday May 20, 2011 @02:26PM (#36194080)

    At the very least, install Lookout [mylookout.com].

  • I have one relatively cheap Android smartphone (HTC Slide), which I pretty much install a minimum of useful apps upon.

    My second device is a Viewsonic G-Tablet (running TnT-Lite v4), which is a cheap (~$320 these days) but high-spec device. I use it for "playing" with apps and flash sites (some of them shady). Its main purpose is to let me to play with high-end apps and games while keeping me from doing anything too dangerous with my phone :-P

    Custom OS updates come out for the latter quite often, so I'm us

  • "When there's no limit to what Droid gets, there's no limit to what Droid does^H^H^H^H can do to you."
  • by mlts (1038732) * on Friday May 20, 2011 @02:43PM (#36194244)

    Take these for what they are worth, but here are my security practices:

    1: Install DroidWall and use that to lock down everything except the apps you do want going out.

    2: Use TouchDown or a discrete app for secure Exchange email. This allows you to keep contacts separate from the rest of the device, and the app can keep the contacts encrypted. If it is work E-mail, it is good to keep it separated anyway.

    3: Consider a PIN protecting app for #2 above, as well as your terminal, settings, and su app.

    4: Use Titanium Backup with the encryption feature and store on Dropbox. If you look at TB, you will find that the way it does encryption using RSA keys is pretty well designed, so storing backups of apps on DB can be done securely.

    5: Get a utility (I use WaveSecure out of habit, but there are others) that will lock the phone if the SIM card is changed, airplane mode is put on, and even allow one to remotely wipe the device and SD card. I'd like a utility that would give the ability to wipe the device and SD card if the phone has not seen Net access in "x" amount of time, similar to what BlackberryOS provides.

    6: Look at reviews before buying apps.

    7: Look at what the app asks for security permissions. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP.

    8: If you use nandroid, consider some type of file encryption. This sucks when restoring a ROM image, but there are ways around that (decrypting the image while the SD card is mounted via USB, using a temporary ROM image with no data for decrypting, etc.)

    9: Use AdBlock with Dolphin Browser. Ad rotation services are a noted source of malware.

    10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.

    11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.

    12: Consider a "stuffbak" sticker. If the phone is found, at least there is a small chance it might get back to you, as opposed to 0 chance without it.

    13: Keep backups. This way, if you do lose your phone, you can get another Android phone, fire up Titanium Backup, log onto DropBox, type in your decryption key, and restore your apps with their saved data.

    14: Bug Google for them to put volume encryption (LUKS) into Android, so it can be used on the SD cards.

    • by c0d3g33k (102699)

      All good advice, except I don't think Dropbox is an absolute requirement, since you can store the same data on a personal computer or thumbdrive. Unless you live in an area where random search-and-seizures occur with regularity. But then your screwed in many other ways, so your phone security is trivial in comparison.

      If there's anything that demands more suspicion than the mobile ecosystem, it's the cloud. Keep your most sensitive personal information away from there. Seriously.

      • by mlts (1038732) *

        If you have good front end encryption [1] with a solid implementation, it shouldn't matter if you store your files on a public FTP server. DB has been discussed about security, but this is mitigated almost completely by proper encryption.

        Of course, this doesn't prevent big names from either using a (theoretical weakness) in the algorithm, or resort to rubber hose decryption, but if done right with encryption, and a suitably long passphrase (TC states 20+ characters), storing data on the cloud can be made r

    • by rickb928 (945187)

      "7: Look at what the app asks for security permissions. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP."

      So, I gather you will avoid AKNotepad, even though it declared the requested permision for an actual feature?

    • In regards to #7, what is the SU dialog? My app got a few comments about requesting SU or trying to get root access, but it doesn't. Nor do the permissions allow anything like that. I'm really interested to know what exactly they are talking about, so I can track down the source of the problem. I suspect that it only applies to rooted devices, but I'd like to verify.
      • by mlts (1038732) *

        It only applies to rooted devices. The su mechanism consists of two items:

        The binary, natively compiled from ARM.

        The app, which is a Dalvik VM.

        When a program invokes the su binary, it checks to see if the app is allowed or denied access without prompting, if denied, just denies it, moves on. If neither denied or allowed is listed, it prompts the user to allow or deny the app, as well as save the decision. If the user allows it, or if the app is listed as being allowed without prompting, the program gets

  • We need to put standard GNU/Linux on our pads and phones. Not some OS only kludge with Linux OS but proprietary app space. Down with stores! Up with free repositories! Google can not use patents to block this because Google is member of OIN! And if Google left OIN it would be hit by the proprietary vampires!

    What kind of weird environment is it when you can not run native apps on your own hardware? Only some bad imitation of Java applets!

    If Google tried trivialization, they would find manufactures alread

  • Seriously, anti-virus for your mobile? I think I will go with iphone once I'm done with my Android phone even if I have to pay out the ass I'm not running fucking anti-virus on my phone.
    • by prgrmr (568806)
      if you download mp3's to your phone (via amazon, google, or anything else) you'll want an anti-virus scan of them. If you share wallpaper, ring tones, photos, or anything else with anyone else, you'll want to scan that stuff to. If you connect your phone to your desktop, laptop, tablet, or anything else--whether that other device and an anti-virus program on it or not--you'll want to know that your phone is clean. And don't assume that an iphone is the answer. If may not be the target of a virus (yet) bu
      • Any electronic device that connects to a network in theory is but Android does seem to be becoming the dregs of mobile phones pretty quickly.
  • Use common sense:

    1. Don't root unless you REALLY need to.
    2. If you are rooted, don't give root rights to an application unless you know what it is supposed to do AND you trust it to do just that.
    3. Install a firewall.
    4. Don't install applications from vendors you don't trust, or know little about.
    5. Read the reviews of an application. See what people complain about.
    6. Don't install applications which ask for rights that make little sense in context (a calculator which asks for access to the network and cont

    • by nschubach (922175)

      Use common sense:

      5. Read the reviews of an application. See what people complain about.
      6. Don't install applications which ask for rights that make little sense in context (a calculator which asks for access to the network and contacts for example).
      7. If unsure about some permissions, check the developer's website to see if there is a good explanation. If not, contact the developer directly and ask.
      8. If you suddenly find an app for free which you thought it was pay-only, check to see if it is cloned. If so, don't install it as it might be tampered.
      9. Check if the developer of an application matches who you know it should be. If not don't install it as it might be tampered.

      I can see 5, and 6... that makes sense for most people. But the rest of these make having an app store pointless. If you need to go outside the phone environment to find out why someone asked for a particular permission.

  • Soft wrote: "On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus."

    Seriously, what good are programs you can check and compile yourself?! If the program with 25,000 lines of contain a piece of "virus", how would you know?!

  • install an antivirus, run updates, and don't execute apps from untrusted sources.

    That pretty much takes care of a majority of your issues. Read other user reviews. If you feel the Android Marketplace is too laxed, try the Amazon marketplace. And if you decide to root your phone, pay attention to which apps you are giving root permission to. I mean, you are a Linux user after all, you should understand simple security.

    Oh, and I suggest that if you are going to buy an Android phone, check and see if its supported by CM7 - http://www.cyanogenmod.com/ [cyanogenmod.com] Talk about a lifesaver - my Android ph

  • by privateerlabs (2183826) on Friday May 20, 2011 @04:27PM (#36195392)

    1. Use caution when installing software! Remember that the Android market place does not vouch for the security/integrity of the apps. To my knowledge, minimal analysis is performed on apps, but nothing that provides any real security guarantee to the mobile user. There is no guarantee that the app you are installing is not malicious in nature, or chuck full of software vulnerabilities. Many of the legitimate apps in the marketplace are rapidly developed by individuals with little or no secure coding background. Also I highly recommend you only install apps from publishers you trust and make sure you read the user comments. If the app has a few thousand reviews and rates at 4 stars this would often indicate added legitimacy.

    2. When installing apps be cautious of the permissions requested. The READ_PHONE_STATE permission permits access to sensitive device specific values that would normally be an invasion of privacy to supply. The problem arises when developers use a function called GetDeviceId() to get a unique ID for the mobile device that is later used for user account correlation on third-party services. The correct way to do this is to use Settings.Secure.ANDROID_ID. Google has a blog describing this issue in depth:
    http://ask.slashdot.org/story/11/05/20/188228/Ask-Slashdot-Android-Security-Practices [slashdot.org]
    Be very cautious with apps that ask to read/write SMS messages, read/write contacts, and place calls. Malware frequently uses these to pilfer unsuspecting users.

    3. Careful when jail breaking your phone. If you jailbreak your phone you are opening yourself up to more serious compromise. Ask yourself, if all you have to do is run "su" from a jail broken command shell, why can't a malicious app do the same and run as root? SuperUser.apk is a popular alternative to traditional dirty jail breaking. It attempts to guarantee that the user is active in the Android UI by prompting the user without a dialog asking if the privilege elevation should be allowed. Remember that you are allowing that particular app to escalate privilege from now on. If you allow "sh" to escalate to root then an app may be able to simply run the shell "sh" and then escalate from there.

    4. Firewalls are an option and will add another layer to the phone security, especially when connected to Wi-Fi access. Currently there aren't many remote attacks to listening services on the Android phone, but I wouldn't be surprised if we start seeing them with more frequency as more hackers started riding the wave.

    5. Disable services you are not currently using. For example; if you are not using Wi-Fi, then disable it until you need it. Same goes for Bluetooth.

    6. Remove unused apps. Many apps expose themselves to compromise by examining incoming text messages, integrating with mime/file types, etc. Go through your installed app lists and remove anything you don't use.

    7. Android security products are starting to appear on the market (shameless plug). Rather than blindly recommend ours I would rather recommend you search the Android Market for "security", "antivirus", "malware", and the similar criterion. Read the reviews and find something that will scan your apps prior to install.

    -Riley Hassell
    CEO,Founder | Privateer Labs
    email: riley@privateerlabs.net
    Website: http://www.privateerlabs.net/ [privateerlabs.net]

  • Seriously. The android SDK is free, Eclipse is free. There's no monetary risk involved to experiement and see if you like doing it.

    I screwed around with it for a month off-and-on doing all the tutorial programs on developer.android.com and by the time I was done, it made a lot more sense. I made extensive use of stackoverflow.com too. Good resource there.

    If developing isn't for you, there are indeed open source style apps out there. A little bit of googling can find out if they are legit, or if the sou

  • seek out and kill Sarah Connor

  • This may be betraying my ignorance, but I thought that the basic security model behind android held that one app couldn't see another app's code or private data. The sdcard is general storage, so all apps with sdcard permissions can see everything on the card, but mostly what is stored on the sdcard is not security critical anyway. Another caveat is that if you've rooted your phone then you're adult enough to look after yourself.

    So, how is a virus scanner supposed to work? It will never be able to see an

  • Maemo.

    ...but no, seriously, using as open-source of an OS as possible is the way I go, and having plenty of data (about what programs are running, about the networking data, etc).Knowing what your system is doing is the first and most important line of defence (contrast it against all those people whose Windows boxes are "running so slow...guess it's time to upgrade", we've all met those folks).

    That being said, if you're on a far less free-as-in-speech OS (you freedom-hater!), you can indeed still try
    • Arghhhh I wrote "too" instead of "to" at the end there. Proof that no matter how secure your phone may be, it's never going to be secure against typos.

"Look! There! Evil!.. pure and simple, total evil from the Eighth Dimension!" -- Buckaroo Banzai

Working...