Ask Slashdot: Android Security Practices?

Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"

Permissions aren't 'fine grained'

[c0d3g33k]

The problem with Android is that the permissions aren't in fact "fine grained" (though they might seem so to the 'TL;DR' generation). They are relatively course-grained with respect to what modern applications might require. Any non-trivial app will require permissions from the available pool that can be abused by malicious developers. The user has to fall back on trust when installing any non-trivial app.

Android needs something more like a sandbox environment for each application and a reasonable system where the user is asked for permission before accessing sensitive information.

Android permissions == FAIL, at least from a personal privacy and security perspective.

Re:Install a firewall

[improfane]

I think you're missing my point. It's a phone. You shouldn't have to install security software on something as trivial as a phone. Something is wrong with the API and security assumptions of the device that it is insecure by default, without security software.

Now that the cat is out of the bag, we can never put it back in. App companies have gotten used to the APIs that give them amazingly intimate personal and marketing information. Apple and Google (an advertising company) has a vested interest in allowing companies to phone home with all your personal data. Expect to have phones and tablets that are insecure by default. We aren't going back. It's just going to be a repeat of the PC industry.

It just sounds as ridiculous as installing security software on a walky talky or a landline telephone. The API should not be able to access data that the app store has not agreed to. It should be shipped with a list of capabilities it expects to use. It really sounds like that software on Android just runs and does whatever it pleases. We're reactive rather than proactive again...

I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution.

Re:Permissions aren't 'fine grained'

[nabsltd]

Why a stopwatch wants access to my calls and read/write on the SD card, I don't know,

Many apps that need access to "phone calls" are doing so to be good resource users, and to follow some Android UI conventions.

Knowing if you are talking on the phone or not allows the app to change its behavior to not bother you, use less CPU cycles, etc. And, this sort of thing is why there are so many complaints about the overly-broad permission groups on Android...you can't know the "in-call state" without being given permission to "phone calls".

Android Security Practices

[privateerlabs]

1. Use caution when installing software! Remember that the Android market place does not vouch for the security/integrity of the apps. To my knowledge, minimal analysis is performed on apps, but nothing that provides any real security guarantee to the mobile user. There is no guarantee that the app you are installing is not malicious in nature, or chuck full of software vulnerabilities. Many of the legitimate apps in the marketplace are rapidly developed by individuals with little or no secure coding background. Also I highly recommend you only install apps from publishers you trust and make sure you read the user comments. If the app has a few thousand reviews and rates at 4 stars this would often indicate added legitimacy.

2. When installing apps be cautious of the permissions requested. The READ_PHONE_STATE permission permits access to sensitive device specific values that would normally be an invasion of privacy to supply. The problem arises when developers use a function called GetDeviceId() to get a unique ID for the mobile device that is later used for user account correlation on third-party services. The correct way to do this is to use Settings.Secure.ANDROID_ID. Google has a blog describing this issue in depth:
http://ask.slashdot.org/story/11/05/20/188228/Ask-Slashdot-Android-Security-Practices [slashdot.org]
Be very cautious with apps that ask to read/write SMS messages, read/write contacts, and place calls. Malware frequently uses these to pilfer unsuspecting users.

3. Careful when jail breaking your phone. If you jailbreak your phone you are opening yourself up to more serious compromise. Ask yourself, if all you have to do is run "su" from a jail broken command shell, why can't a malicious app do the same and run as root? SuperUser.apk is a popular alternative to traditional dirty jail breaking. It attempts to guarantee that the user is active in the Android UI by prompting the user without a dialog asking if the privilege elevation should be allowed. Remember that you are allowing that particular app to escalate privilege from now on. If you allow "sh" to escalate to root then an app may be able to simply run the shell "sh" and then escalate from there.

4. Firewalls are an option and will add another layer to the phone security, especially when connected to Wi-Fi access. Currently there aren't many remote attacks to listening services on the Android phone, but I wouldn't be surprised if we start seeing them with more frequency as more hackers started riding the wave.

5. Disable services you are not currently using. For example; if you are not using Wi-Fi, then disable it until you need it. Same goes for Bluetooth.

6. Remove unused apps. Many apps expose themselves to compromise by examining incoming text messages, integrating with mime/file types, etc. Go through your installed app lists and remove anything you don't use.

7. Android security products are starting to appear on the market (shameless plug). Rather than blindly recommend ours I would rather recommend you search the Android Market for "security", "antivirus", "malware", and the similar criterion. Read the reviews and find something that will scan your apps prior to install.

-Riley Hassell
CEO,Founder | Privateer Labs
email: riley@privateerlabs.net
Website: http://www.privateerlabs.net/ [privateerlabs.net]