Android mobile phone security improves to counter the spread of malware
Mon 21 May, 2012 // Briony Williams
There has been explosive growth in malware for mobile phones running the Android operating system over the past twelve months. However, there has also been a recent improvement in Android security, as developers and manufacturers race to head off further such threats.
The Android operating system is increasingly found in the newest mobile phones. There are currently an estimated 300 million Android devices in use, and the number is growing. However, Android mobile devices have shown themselves to be particularly prone to infection by malware. This is only partly due to Android’s widespread nature: the main reason for its vulnerability is the Android security model, which has been less than ideal.
The main area of security weakness in Android is applications, or “apps”, which can be written by third parties and made available for download over the Internet with or without payment of a fee. In contrast to apps for the iPhone and iPad, where strict conditions are enforced on developers wishing to make apps available, in the case of Android it is much easier for developers to submit malicious apps to the Android Market. For example, the Android Market permits developers to sign their apps with self-signed certificates, which therefore carry no external authentication: the signer’s identity is whatever the signer claims it to be. In addition, submitted apps are not vetted before being made available for download. Also, Google is slower to patch vulnerabilities than Apple, and hence Android vulnerabilities tend to persist for longer. The overall result is that Android devices are now the target of choice for hackers who concentrate on mobile devices. The hackers’ preferred method is to induce users to download their disguised malicious apps, which then connect invisibly to a command-and-control server owned by the hacker and send to it any sensitive details they discover on the device (such as credit card or banking details). This information can be very lucrative for the hacker.
Last week, at the Information Security Decisions 2012 convention in New York, USA, delegates heard a keynote talk on the “Mobile Exploit Intelligence Project”, presented by Dan Guido, CEO of the security research firm Trail of Bits. Guido pointed out that hackers are using only a small number of publicly known exploits to attack mobile devices, in particular Android devices. In the case of Android, the hackers have an ideal balance of cost and benefit: the cost is low (in terms of ease of attack and the low probability of being caught), while the benefits are potentially high (in terms of the number of devices running Android and the probability of finding lucrative data). The answer, according to Guido, is to increase the cost to hackers and thereby deter them. Google could do this by requiring proper code signing, as well as by requiring that apps remain unchanged between submission and download from the Android Market (at present they can be edited by the developer).
The latest version of the Android operating system, version 4 (known as “Ice Cream Sandwich”), includes enhanced security functionality in response to the growing Android security problems. It allows the user to encrypt the entire contents of the device using hardware encryption, and it also makes use of “address space layout randomisation” (ASLR) to make it more difficult for hackers to exploit vulnerabilities such as buffer overflows. In addition, there is a growing number of third-party anti-malware solutions for Android devices. Given the prevalence of “side-loading”, whereby users download apps from other websites unconnected to the Android Market (which may not apply even a minimal level of security checks), more users are turning to these third-party anti-malware solutions. In particular, some large companies are beginning to require the use of such software by employees who use their own Android devices for business purposes.
In summary, therefore, while the prevalence of malware for Android devices is expanding rapidly, the necessary counter-measures are likewise increasing. It remains to be seen whether the counter-measures will prove sufficient, but to some extent the Android arms race is now in full swing.