Dealing with the Android security risk

BlackBerry still gets a sympathetic hearing in some quarters because it offers enterprise-grade security on its phones. Security is baked into BlackBerry DNA. Its phones, operating systems and services are the safest around.

That’s important because mobile devices, especially Android phones, are now the biggest online security risk. A recent Symantec Cybersecurity Report found 38 percent of mobile users saw cybercrime activity in the past year.

Sadly not everyone listens to the warnings. Security barely registers on the radar with most phone users who seem more interested in the latest fad app. Their managers are as clueless about the risks. Like World War Two generals, most of them are still fighting the last war. In business that means putting up Maginot line defences against PC malware infections. They seem unaware Blitzkrieg is coming.

Earlier this year I interviewed Trend Micro’s Tim Falinski for NZ Business magazine. Falinski says people know there are risks with laptops and desktops. He says they “are less aware of the threats when using tablets and phones. These days the weakest link is not your PC or notebook”.

He says it only took six months from the total number of malware and high risk smartphone apps to climb from one to two million. Falinski says while Android devices are especially vulnerable, no brand or operating system is immune.

This is a headache for companies that let employees bring their own devices to work. Android now accounts for about 80 percent of all smartphones. It remains largely a second class citizen in the corporate world. At the moment Apple’s iOS is more widely supported inside large organisations. However, pressures are building to include Android. For the OS to take off in the corporate world, Google and the companies making Android phones need to address fragmentation and security.

There’s nothing inherently unsafe about Android. It is based on Linux, which is arguably the safest operating system.

Android’s dirty secret doesn’t lie in viruses or malware arriving through email or as a nasty payload when users illegally download media files. Falkinski says the problem comes almost entirely from downloaded apps. He says: “In the PC world, you know you can trust a program from a company like Microsoft. Things are not the same with smartphone apps. Many come from companies you have never heard of”.

Falinski says you can reduce risk by restricting app purchases to the official Google Play app store. You should be safe if you stick with the official store, but there are no guarantees.

Although Apple’s iPhone isn’t immune, it is safer. That’s because it’s harder to get dodgy apps past Apple’s locked-down iTunes store. Harder, not impossible. And Apple users are less inclined to stray off the beaten track when finding apps.

There’s a point where privacy intersects with security. Apps often ask for permission to use information such as your location. People rarely look at this and ask why an app to do something needs to know where you are. Some are ridiculously intrusive — why does the NZ Herald Windows Phone insist on knowing the user’s location?

Being able to track your movements can be a different kind of security risk. Predators could use that information to stalk people.

Google is taking Android security more seriously in the latest version: Lollipop. There is a new kernel security module: SELinux. It limits app privileges making it harder for bad apps to take control. Encryption is built-in to Android, but is largely hidden. When Lollipop arrives it will be more prominent and users will be encouraged to switch it on.

The problem, as always with Android, is upgrades are haphazard compared with other smartphone operating systems. This has been tidied up, most hardware brands say their devices will move to Lollipop soon. Most Android phones introduced since early 2013 should be able to run Lollipop.

For an individual staying safe is largely a matter of common sense. That means not downloading dubious-looking apps, getting all software from reputable sources and using all your phone’s built-in security, such as screen locking and password protection features.

There’s a whole extra layer of concern for companies wanting employees to use their own hardware for work. That’s another opportunity for BlackBerry with some wise employers giving staff locked-down phones for work and letting them do what they want with their own devices.

9 thoughts on “Dealing with the Android security risk

  1. SElinux has been part of Android for a while now- at least Jelly Bean (4.3) and KitKat (4.4) have had it.
    Any security measure runs the risk of making the product less attractive. A very restrictive default security policy can give a false sense of security, while hampering legitimate use. The solution is education; perhaps Google should work harder to describe the risks users run when loading applications, rather than candy-coating them (calling it a Play store, for example).

    Like

  2. ” A recent Symantec Cybersecurity Report found 38 percent of mobile users saw cybercrime activity in the past year” – this is hardly surprising news, considering the source. Symantec and Trend Micro have a vested interest in trying to make this ‘news’, since they’re in the business of combatting ‘threats’. Create FUD, sell more product!

    “… it only took six months from the total number of malware and high risk smartphone apps to climb from one to two million” – considering the number of Android devices in the market, that’s next to nothing. I bet there are more phones out there being used with broken screens than have malware installed!

    Like

    • You’re right to be suspicious of reports from security companies. Whipping up fear has long been a lucrative business model.

      I see a difference between the general “get more security because the world is scary” message and more targeted “X is a specific problem” messages. If security vendors say they see a disproportionate number of problems with one product, one OS or one app, that’s generally because there are risks.

      Like

  3. Pingback: BlackBerry’s hip square phone on TV3 Firstline | Bill Bennett

  4. Its seems to me that the timing of this article when malware on iOS has been in the news is suspect. How about covering it as a combined mobile security discussion rather than just focussing on Android?

    Like

    • It is just an accident of timing. I interviewed Trend Micro’s Tim Falinski about a month before this was published, the wait was because a similar, but different story, was published in the print edition of NZ Business.

      Meanwhile this story was posted days before news broke of the iOS Masque Attack flaw.

      Sure there’s a scope for a wide ranging discussion of mobile security. The story doesn’t say only Android is risky. In fact it says Google is acting to make Android safer. But the observation of someone working in the security business is that Android gets a bigger share of breaches than other smartphone OSes. Whether than is down to inherent flaws in Android (probably not), being a higher profile target (possibly) or being used by people who are more careless (who knows?) isn’t covered here.

      Like

      • Perhaps the reason “Android gets a bigger share of breaches than other smartphone OSes” is the same reason that Microsoft OS are targetted: they are simply the biggest target.

        Didn’t the article above state “Android now accounts for about 80 percent of all smartphones”? :)

        Liked by 1 person

  5. @John. That’s true. Mind you I should have said Android gets a proportionately bigger share of breaches.

    And the odd thing about that is you’d think that targeting Apple users would be more lucrative – as app developers will tell you, they are where the money can be found. :-)

    Like

    • I know that was a joke, but of course malware developers don’t care about your willingness to pay for apps. They much more care about whether they can use your phone for spamming, or whether they can steal your banking logins or whatever. This likely depends much more purely on the number of devices than anything else. The user is one factor, so it’s possible iOS users may be more likely to not notice something is up, but ultimately it’s probably not a big one.

      Probably the primary reason why Android is targetted is because it’s a far more open platform. You mentioned sticking with the Play store, AFAIK most evidence does concur most malware comes from outside the Play/Apple store (which is not to suggest there isn’t any). It’s fairly trivial on most Android phones to enable third party/sideloading apps, you don’t need root. (Root of course is fairly easy on some devices, particularly anything associated with Google.) Not so easy on iOS which generally isn’t so easy if not jail broken. (You can use the iOS Developer Enterprise Program to some extent.)

      Of course we get to the heart of the issue here. Whether on Android or iOS, most people are not sideloading apps because they want something Google/Apple don’t allow, or they don’t want Apple/Google to know what they’re running, or the store won’t let it for their device and they can’t be bothered hacking it but it works (only really on Android), or the developers refuse to release on the store or the licence doesn’t allow it or they’re a developer testing their app, whatever. Sure there are some, but it’s fairly unlikely they are even close to the majority. No, although malware “illegally downloaded media files” may not be so common (but I’m guessing they are increasing), malware from other copyright violating downloads are very likely the biggest source. People want the latest paid Angry Birds or whatever and don’t want to pay. (Also for DLCs and I’m sure hacks including for games where the stuff is fairly protected server side.)

      There is another advantage with targetting Android, the openess of Android means you can do more even without root. Sure the user will need to agree to all those permissions (and Android doesn’t even allow people to choose, not that many would), but most just say yes even if their Angry Birds seems to want every single permission in the world.

      Like

Comments are closed.