|
|
01-23-2010
Registered User
26,240,
27
Android Insecurity
Late last year, a nefarious banking app was discovered on the Android phone marketplace. This, I'm afraid, is just the beginning.
Doing some Android phone development recently, I have gotten somehands-on experience with how an application is deployed to the AndroidMarketplace. One big difference between the Google and Apple mobilesoftware stores is that Apple vets and approves each app before it ismade available for public download. With Android, anyone who pays the$25 registration can upload an application to the marketplace.
To upload an application, it first must be signed with your own digitalsignature. This signature need not be certified--you can create oneyourself and it is just as valid as one issued by Verisign. Signingyour application is the only security requirement that must be metbefore uploading to the marketplace. The information your submit tocreate your Android developer account is also not reviewed orverified.
If your application is free, then anyone with a compatible Androidphone can begin downloading and using it. If the application needs toconnect to the internet, then during the installation the user isnotified "This application has access to the following: Networkcommunication, full Internet access," to which the user clicks OK toproceed with the install.
There are no alerts about the digital signature coming from untrustedor unknown source. All applications are implicitly trusted. MyAndroid phone has 800 Mhz processor with 256MB RAM, a worth addition toany botnet.
The current protections for mobile applications remind me of web sitesin the mid to late 90s when e-commerce was just starting to get off theground and viruses and botnets weren't daily news (and desktop PCsdidn't have the same power that we now carry in our pocket.) Peoplejust trusted anything they clicked, and bad guys realized this andquickly developed ways to exploit this blind trust. Now that cybercrime has become much more savvy and organized, they working feverishlyto exploit this new mobile vector.
I know mobile apps still have that wow factor, but we have to learnfrom the past and treat all Internet enabled devices as attractivetargets for attack today. These mobile OSes need to have the sameprotections we apply to desktop PCs. We should not continue blindlyassuming that the focus of attack is the desktop PC and not mobiledevices, even though they all have similar hardware specs and areconnected to the same Internet. Otherwise, this is security byobscurity, which does little else but to give us a false sense ofsecurity.
More...
Doing some Android phone development recently, I have gotten somehands-on experience with how an application is deployed to the AndroidMarketplace. One big difference between the Google and Apple mobilesoftware stores is that Apple vets and approves each app before it ismade available for public download. With Android, anyone who pays the$25 registration can upload an application to the marketplace.
To upload an application, it first must be signed with your own digitalsignature. This signature need not be certified--you can create oneyourself and it is just as valid as one issued by Verisign. Signingyour application is the only security requirement that must be metbefore uploading to the marketplace. The information your submit tocreate your Android developer account is also not reviewed orverified.
If your application is free, then anyone with a compatible Androidphone can begin downloading and using it. If the application needs toconnect to the internet, then during the installation the user isnotified "This application has access to the following: Networkcommunication, full Internet access," to which the user clicks OK toproceed with the install.
There are no alerts about the digital signature coming from untrustedor unknown source. All applications are implicitly trusted. MyAndroid phone has 800 Mhz processor with 256MB RAM, a worth addition toany botnet.
The current protections for mobile applications remind me of web sitesin the mid to late 90s when e-commerce was just starting to get off theground and viruses and botnets weren't daily news (and desktop PCsdidn't have the same power that we now carry in our pocket.) Peoplejust trusted anything they clicked, and bad guys realized this andquickly developed ways to exploit this blind trust. Now that cybercrime has become much more savvy and organized, they working feverishlyto exploit this new mobile vector.
I know mobile apps still have that wow factor, but we have to learnfrom the past and treat all Internet enabled devices as attractivetargets for attack today. These mobile OSes need to have the sameprotections we apply to desktop PCs. We should not continue blindlyassuming that the focus of attack is the desktop PC and not mobiledevices, even though they all have similar hardware specs and areconnected to the same Internet. Otherwise, this is security byobscurity, which does little else but to give us a false sense ofsecurity.
More...