Android OS Security: Advantages and Disadvantages In the field of computing, few inventions, innovations or technological improvements, have been moving quite like wireless technology. With the advent of fourth generation cell phones and networks (4G), there have literally been leaps and bounds made in the realm of personal computing, productivity and data sharing. It is this increased connectivity both in our personal and business lives that introduce risks to intrusion, corruption or theft of data, or in the worst case, access to personal data that would lead to identity theft.
In the business realm, this translates to problems for firm infrastructure and exposure to proprietary leaks, loss of customer data, or damage to the reputation of the business entity. Therefore, it is important that adequate measures are taken to evaluate risks and take steps both personally and professionally to minimize those risks. We present several advantages and disadvantages of the Android OS platform with very high visibility right now in the wireless arena. Both for the flexibility and open architecture, this platform presents some unique challenges in terms of security.
The landscape of business is ever-changing, and with the introduction of mobile computing platforms, this amounts to changes that are orders-of-magnitude less than in previous eras of business. The inherent flexibility of mobile computing allows businesses to capitalize on market shifts quickly, translating into a competitive advantage or disadvantage in much less time than it takes to engineer, develop, and market products of any type. It is no less important then, for firms to understand and adopt this technology in a proper perspective considering the measure of risk.
We attempt to identify some of the risks inherent in one aspect of this technology: the Android OS platform, upon which a rapidly growing smart phone market is based. The Threat While previous iterations of phones were exposed to threats in eavesdropping, co-opting phone processes to retrieve personal information, and denial-of-service threats, current phone technologies seem to have evolved the threat into those resembling many traditional computing systems. Specifically, many of the threats detailed in assessments point to ulnerabilities in applications and the user’s interaction with them, or files that may be added to a phone operating system that surreptitiously undermine the security of the phone. There are also issues with some of these applications possibly gaining permissions to control phone functions that the user may be unaware of at runtime. And, finally threats to privacy through access to content of the phone or the location functions of the phone system (Shabtai 2010). So, quantified threats fall into categories that will be covered here: 1) Application threats; 2) Phone control; and, 3) Privacy concerns.
Application Threats The Android OS platform offers a wide variety of available applications from third-party sources that are open-source, free or otherwise user controlled. Even though this large market is one of the best selling points for being advantageous over the iPhone application market, they pose potential problems for individual users downloading these applications from the Android Market or installing these applications themselves. As Charlie Miller points out, Android’s application methodology relies on “crowd-sourcing” that permits any application then allows users to rate the application.
Through this method the user can download any application, and then if there is an issue, notification to Google will permit them to remove the application from the Market and then remotely remove the application from all of the devices affected (Aug 2011). This still leaves the vulnerability of the application prior to a problem being discovered, and leads to issues that allow the phone to be controlled by the application. Address Space Layout Randomization seeks to minimize this through randomization of the memory allocated for a particular application at runtime, and preventing the theft of other system resources.
However, even this technique does not prevent issues with the application after installation with the proper permissions (Bojinov, 2011, 129). Additionally, it seems that a large number of applications use multimedia, location, and/or private information suspiciously. In an example of this, 30 random applications from the Android Market were tested and half of these used information suspiciously (Enck, 2010). Considering this information, it is further troubling that research has indicated as many as one-third of applications seek permissions that are greater than are actually needed (Chin & Felt, et al, 2010). References Anagnostakis, K. Bos, H. , Homburg, P. , Portokalidis, G. (2010). “Paranoid Android: Versatile Protection for Smartphones”. Proceedings of the 26th Annual Computer Security Applications Conference. New York, NY: ACM. Baliga, A. , Bickford, J. , Ganapathy, V. , Iftode, L. , O’Hare, R. (2010) “Rootkits on Smart Phones: Attacks, Implications and Opportunities”. Proceedings of the Eleventh Workshop on Mobile Computing Systems and Applications. New York, NY: ACM. Bojinov, H. , Boneh, D. , Cannings, R. , Malchev, I. (2011). “Address Space Randomization for Mobile Devices”. Proceedings of the fourth ACM conference on Wireless Network Security.
New York, NY: ACM. Chin, E. , Felt, A. P. , Hanna, S. , Song, D. , Wagner, D. (2011). “Android Permissions Demystified”. Proceedings of the 18th ACM conference on Computer and communications security. New York, NY: ACM. Delac, G. , Silic, M. , Krolo, J. (27 May 2011) “Emerging Security Threats for Mobile Platforms”. Proceedings of the 34th International Convention. Pp. 1468-1473. Citation:http://ieeexplore. ieee. org/stamp/stamp. jsp? tp=&arnumber=5967292&isnumber=5967009. Enck, W. , Ongtang, M. , McDaniel, P. (Feb 2009) “Understanding Android Security”. Security & Privacy, IEEE, 7, 1, 50-57. Citation:http://ieeexplore. eee. org/stamp/stamp. jsp? tp=&arnumber=4768655&isnumber=4768640. Enck, W. , et. al. (2010) “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”. Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkeley, CA: USENIX. Jahanian, F. , Oberheide, J. (2010) “When Mobile is Harder Than Fixed (and Vice Versa): Demystifying Security Challenges in Mobile Environments”. Proceedings of the Eleventh Workshop on Mobile Computing Systems and Applications. New York, NY: ACM. Landman, M. (2010). “Managing Smart Phone Security Risks”. 010 Information Security Curriculum Development Conference. New York, NY: ACM. Miller, C. (Aug 2011) “Mobile Attacks and Defense”. Security & Privacy, IEEE, 9, 4, 68-70. Citation:http://ieeexplore. ieee. org/stamp/stamp. jsp? tp=&arnumber=5968091&isnumber=5968077. Shabtai, A. , et al. (April 2010) “Google Android: A Comprehensive Security Assessment”. Security & Privacy, IEEE, 8, 2, 35-44. Citation:http://ieeexplore. ieee. org/stamp/stamp. jsp? tp=&arnumber=5396322&isnumber=5439518. Not sure where you wanted to place all of this in the final paper. (Potentially add to Application Threats section) Source: http://techcrunch. om/2011/11/20/mcafee-nearly-all-new-mobile-malware-in-q3-targeted-at-android-phones-up-37-percent/ According to McAfee, which is a branch of Intel that specializes in computer security, malware targeted towards phones that run on the Android OS continue to be on the rise. Malware is a term that stands for “malicious software”, which is software created with the intention of gathering information and gaining unauthorized access to a computing device. After the release of the 2011 quarter 3 report, information was provided that explained how The Android OS was deemed the primary target for mobile malware.
Malware targeted at Android devices jumped to 37 percent since quarter 2, which makes 2011 the busiest in mobile and general malware history. Nearly all mobile malware in quarter 3 was targeted at Android, which follows a 76 percent rise in Android malware in quarter 2 of 2011. McAfee has predicted that these numbers will only go up as time goes on, unless some type of measure is taken. Similar to the reason that many viruses and malware are created more for Windows than Mac, McAfee says that malware creators are becoming highly successful due to the popularity and because of the security susceptibilities of Android devices.
Google’s leniency regarding the acceptance of new apps in the Android Market seems to be their biggest flaw. Apple usually thoroughly checks and tests new applications before approving their delivery into the Apple App Store, and Google does not. Because of this, Android is an easier platform to target, which may explain why the Android OS happened to be the only mobile operating system for all new mobile malware implementation in quarter 3. The most popular form of recorded malware attacks comes from text message
Trojans, which is malware that collect the personal information of people and steal money or any other useful asset. Another popular method used by malware creators is when the malware records phone conversations and forwards them to the attacker. (Android Defense. pdf and Managing Smartphone Risks. pdf) The way people use mobile phone devices compared to the way phones were used in the past has changed dramatically over the years. Not only is a phone just used for making calls, but is used as a primary internet browser, reference guide, music player, calendar, address book, and gaming device.
As the user gets more complex and uses one’s device to access their more secure information, such as banking transactions and credit card information, the hacking of such devices becomes very desirable to attackers. On top of stealing this valuable information, these attackers can also triangulate GPS information to locate and hack into the microphone to eavesdrop and spy without the consent of the mobile device owner. The diverse mixture of personal and business uses of mobile devices makes this task a lot harder to make a universal security measure that works for everybody.
Simple tasks such as disabling Wi-Fi and SMS text messages may be a huge security protection for business security, but would deem unacceptable and inconvenient to the average personal use advocate of the mobile device that uses these functions on a regular basis. As mentioned previously, various successful attacks involving malware and rootkits have already been swarming the Android OS, but other popular attacks such as phishing, social engineering and direct hacker attacks have been commonly used as well.
The interception of communications from smart phones has been described as “relatively easy”, and lost/stolen and improperly disposed phones have presented big risks to organizations hold confidential and secure data that is stored in and communicated with some type of smart phone. To summarize what has been stated, a majority of the danger and susceptibilities comes from human error, when unsuspecting users behave inappropriately by the mixing personal and business use with company property.
This human unawareness can cause major problems within an organization, and can be solved with various awareness security practices that can become very beneficial to an organization. The National Institute of Standards (NIST) had provided guidelines for mobile device security in 2008 and security experts and leaders have offered ideas and methods for getting a smart phone security program in place. However, due to lack of time and monetary resources, it has been found that a lack of mobile phone security specific plans and policies have been implemented.
To protect access to mobile devices and their data, controls including authentication procedures and the use of intrusion detection, firewalls, context-aware access control, remote device management, digital certificates, sandboxing, and encryption of stored data must be implemented. The weakest part of mobile devices comes from the amount of ease wireless transmission has for attackers to intercept. Encryption of transmissions and appropriate connectivity restrictions can help secure communications over a Wireless Wide Area Network (WWAN), Wireless Local Area Network (WLAN) and a Bluetooth Personal Area Networks (PAN).
In addition for a WWAN and a WLAN, the use of a Virtual Private Network (VPN) is essential. In the next few years, it is expected the businesses will have almost fully incorporated mobile devices in their business practices, and due to the greater costs of Apple phones that run on the IOS, Android OS phones have a majority of the business market. Because of the new technology, attackers still have not come close to incorporating as many damaging attacks on mobile devices compared to PCs, but the number is increasing in dramatic fashion.
Even with this knowledge, the amount of work going towards this much needed security is severely behind where it should be, and due to the diverse amount of operation systems that phones can come on, it makes it much harder to make standardized security software that has been quite successful in the PC world. Another problem is that mobile smartphones lack many of the security capabilities of PCs. For instance, some smart phones cannot read a Secure Sockets Layer (SSL) certificate or even attach a certificate from an organization’s own certificate authority, and firewall capabilities and centralized management are just now being implemented.
With human error being the primary reason for the failure of mobile device security, the problem only becomes harder to fix. For the Android OS to become secure, just like any computing device, it must recognize three main characteristics of security, including application delivery, trust levels and system isolation. Application delivery is defined as “the capability of the smart phone platform to validate the reliability of an application’s source”. Knowing where an application or downloaded file came from is vitally important in thwarting and preventing infection from malware.
Some vendors, such as those on the Apple App Store, provide for encoded signatures on applications and some also restrict applications to a single device. If any form of bad practice is detected, Apple will immediately rid of and block any form of the application. With the weaknesses of the Android market, however, have no restrictions on the source of an application. Trust levels can be defined as “controlling the actions of an application”. The main way that applications and files can attack a system is allowing them to access your sensitive information without your knowledge.
When a file or application is downloaded, it may have embedded privileges that someone is unknowingly allowing that give access to personal information, passwords, and data. Android OS does provide a straightforward easy to use control that presents an application or file profile for the user to select which capabilities to permit. However, most untrained and uninformed users don’t know about this and the attackers take full advantage of this. The last characteristic is system isolation, which can be described as the ability to keep applications from affecting each other or the supporting platform.
Also known as sandboxing, this function prevents vulnerability in one application or file from being used to damage the system or another application or file. A big security advantage that Android OS has over the iPhone IOS is that it runs every application under a different user identifier, providing effective sandboxing and keeping the operations of one application separate from the system and other applications. Thwarting Attacks There are many measures that can be taken to thwart the attacks of malware and any other harm that may jeopardize the security of the Android OS or any other mobile device.
I have already previously discussed the importance of controlling user behavior and the attempt to reduce the amount of human error when using a mobile device, but other controlled methods can also be implemented when making a mobile device more secure. Controlling access is a vital part to preventing unauthorized personnel from hacking, stealing, and manipulating one’s information that is stored or transferred over a mobile device. Authentication is defined as the way to “make sure that only authorized individuals are granted access to a system or device. The three techniques are employed: what you know, who you are, and what you have. What you know refers to usernames, PINs, passwords, etc. Who you are is may be represented by biological things like finger prints, iris scans, etc. What you have may be represented by something that you portably and externally possess, such as a smartcard or token. The two-factor method is usually a good method for authentication, which incorporates two of the three things mentioned above.
Authentication on smart phones is customarily done using a personal identification number, or more commonly on an Android OS and new to the market, a pattern design that you must scan your finger across. Authentication protection is one of the more simple ways of preventing someone from accessing your files and is most effective when your mobile device is physically lost. Intrusion detection is another method that can be useful in controlling access. An Intrusion Detection System, or IDS, can be defined as the detection of unfamiliar or suspicious activity on the mobile device, such as harmful code implementation or spying.
Intrusion Detection Systems are best used for safeguarding against identity theft and fraud with banking accounts and for detection of spying on one’s passwords or accounts. IDSs for smart phones are offered by a number of vendors, and Andromaly and DroidHunter are two that are available for Android OS phones. Firewalls, just as on PCs, Firewalls can prevent unauthorized access to smart phones as well as prevent confidential information from being communicated over network interfaces.
In a similar fashion as PC firewalls, so even transmission of confidential information can be stopped even is the malicious software has already been installed on the device. Firewalls can also stop malware. Firewalls can prevent some types of malware from entering the mobile device, but cannot stop them through entering through text messaging. Android OS also comes with software to implement firewall security. Finally, one can prevent attackers by using Context-ware access control, or CAAC, which allow users