How secure is Android?
Mobile device usage continues to climb and companies like Google and Facebook are working hard to cash in on the potential revenues available from mobile users. But they aren’t the only ones trying to make money from mobiles. Cyber criminals, organized crime gangs and malware authors are also trying to get a slice of the pie. As an Android user, it is important to step back a moment and look at the security implications of using a mobile device, and more specifically of using an Android based mobile device.
Before looking at all the sophisticated ways hackers can try and steal data off your mobile phone, it is worth remembering that the easiest way for someone to profit from your mobile device is to steal it, either to resell it or to make use of the data on the phone. To stop prying eyes, Android has a couple of features that can help. The first is the unlock screen when the device is woken from sleep. The standard unlock screen is just the slider which basically stops the screen from being activated in your pocket. But Android also allows you to set an unlock pattern, PIN or password. Unless the intruder knows the pattern, PIN or password they can’t get access to your device. This is especially useful to keep little kids out of your phone or stop mischievous friends from sending emails or posting onto Facebook when you aren’t looking!
However, there is another problem. If a thief gets hold of your phone and somehow manages to access the internal flash memory, then all your data is still there and ready for the taking. The good news, is that in Android 3.0 you have the option to encrypt all the data on the internal memory of the phone. This is especially important for business and government users!
TIP #1 – Keep your mobile device physically safe: Don’t leave it lying around on a restaurant table while you go to the restroom. Don’t leave it in your car in clear view of every would-be thief.
Every app that you install on your device needs to specifically ask you for permission to perform certain tasks. This is done when you install the app. What this means in practical terms is that apps have limited abilities. Unless an app has asked for permission to send an SMS, for example, it can’t. Many apps which contain malware ask for permission to send SMS messages. The app is asking as it wants to send a text message to a premium rate number. Android has these permissions built-in but it is up to the user to notice what permissions an app wants and grant them if the app can be trusted.
TIP #2 – Actually read what permissions an app wants.
As well as limiting the abilities of apps, Android also controls how an app accesses the device’s hardware. There is no direct hardware access allowed in Android; all access is through the different software layers which make up the Android OS. This means that rogue apps can’t go around re-programming the microphone on your phone or bypassing the app permissions by talking directly to the video camera, etc.
The Application Sandbox
Android has another layer of protection in that it doesn’t give one app access to the resource of another app. This is known as the ‘sandbox’ where every app gets to play in its own sandbox and can’t use another app’s toys! Android does this by giving each app a unique user id (a UID) and by running that app as a separate process with that UID. Only processes with the same UIDs can share resources which, as each ID is uniquely assigned, means that no other apps have permission.
This means that if an app tries to do something it shouldn’t, like read the data from another app, or dial the phone (which is a separate application) then Android protects against this because the app doesn’t have the right privileges.
But… these are Google’s own words on this, “like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the the Linux kernel.” This conveniently brings us to rooting.
In the world of Linux (and UNIX) ‘root’ is the supreme user level which has the rights to perform any task. It is similar to the Administrator user on a Windows PC. By default, only the Linux kernel and a small number of core utilities run as this superuser. But by ‘rooting’ your device (which means the root user level is available to all apps) then many of the security mechanisms described above are made null and void. This is because an app with root permission can modify any other part of the Android OS including the operating system itself, the kernel, and other apps.
TIP #3 – Rooting your device increases the security exposure to malicious applications and potential application flaws.
Even the popular CyanogenMod custom firmware project, which thrives on devices being rooted, recently said that using an Android device in a default root access mode is unwarranted and a security risk. CyanogenMod 9 will ship with root access restricted by default.
It is an unfortunate reality, but reality none the less, that Android has a malware problem. But, if all the security mechanisms mentioned above exist in the OS, how can Android have a malware problem? The answer is three fold:
First, for an app to be malicious it doesn’t need to have access to the deeper levels of the OS. If an unsuspecting user installs a malicious app which sends premium rate SMS messages and the user granted those privileges to the app when it’s installed, then the malware has successfully been installed without breaking any of the security. The reason for this is because Android allows users to install apps from anywhere on the Internet and not just the Google Play store. These other third party sources don’t guarantee that the apps aren’t malicious. In fact, Google doesn’t even guarantee that with their app store and from time to time bad apps sneak in unawares.
Secondly, some malware actually comes with root exploits built-in. This means that when the app is installed it actually roots the device (without the user knowing) and by-passes all the system security.
Thirdly, there is malware that just loves rooted phones. If the malware gets installed on a non-rooted phone it does nothing, but when installed on a rooted phone it unleashes all of its nastiness.
TIP #4 – Don’t install apps from untrusted third party apps stores.
TIP #5 – Use an anti-virus app for an extra layer of protection.
At the OS level Android is robust and fairly secure. But the app distribution model and the number of root exploits that exist means that nothing is guaranteed. However with common sense you have a good chance of staying safe.