And you still use Android?

Via a Tweet from Ry we have still more info on the security issues with Android (emphasis in the original):

The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years[1] – or nearly 900 million devices[2] – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.

Installation of a Trojan application from the device manufacturer can grant the application full access to the Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.) and retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

I’ve known there were lots of security issues with Android but this is much bigger than I imagined. If you were concerned about various three-letter agencies sucking up data about you (or even your snail mail) then you should be even more concerned that just about anyone that is technologically competent can take complete control of your Android phone.

A little over two years ago I purchased an Android phone with the thought of developing apps for it. I never got around to it and after releasing Field Ballistics for Windows Phone I gave it further consideration. I decided not to pursue Android as an alternate platform. I’m glad I made that decision. Would you want everyone and their brother looking at the map on your phone showing your location and the location of your next target? At Boomershoot that would be an invitation to have “your” target poached.
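The quoted summary says the code can be changed without breaking the signature, but not how. The publicly disclosed root cause was a parser differential: an APK is a ZIP file, an APK could carry two entries with the same name, and the component that verified the signature and the component that installed the code did not agree on which copy to use. The Python below is an added example that models that failure class and the fix; it is not Bluebox’s or Android’s code, and the page itself does not describe the mechanism. The manifest format, the HMAC standing in for the real public-key signature, the key, the entry names and the “dex” contents are all constructed for the demo, and it does not model which Android component took the first copy and which took the last, only that two parsers reading the same archive can disagree and what a verifier has to check to prevent it.

```python
"""
Parser-differential demo: a signed archive whose signature verifies against one
copy of classes.dex while a second reader loads another copy with the same name.
Everything here (key, manifest format, entry contents) is constructed for the demo;
it is not Android's real APK signing scheme.
"""
import hashlib
import hmac
import io
import warnings
import zipfile

SIGNING_KEY = b"developer-signing-key (constructed for the demo)"
SIG_ENTRIES = ("META-INF/MANIFEST.MF", "META-INF/CERT.SF")


def sign_manifest(entries: dict) -> tuple:
    """(manifest, signature): one SHA-256 per entry name, authenticated with an HMAC.
    A real scheme signs the manifest with the developer's private key; HMAC keeps this offline."""
    manifest = "".join(f"{name}:{hashlib.sha256(data).hexdigest()}\n"
                       for name, data in sorted(entries.items()))
    signature = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, signature


def build_zip(ordered_entries: list) -> bytes:
    """Write entries in the given order. Python only *warns* about a duplicate name;
    the archive is still written with both copies, exactly like a hand-built APK could be."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in ordered_entries:
                zf.writestr(name, data)
    return buf.getvalue()


def build_signed_app(code: bytes) -> bytes:
    """Developer side: app content plus a manifest and its signature."""
    entries = {"AndroidManifest.xml": b"<manifest package='com.example.app'/>",
               "classes.dex": code}
    manifest, sig = sign_manifest(entries)
    return build_zip(list(entries.items()) +
                     [("META-INF/MANIFEST.MF", manifest.encode()),
                      ("META-INF/CERT.SF", sig.encode())])


def trojanize(signed_app: bytes, evil_code: bytes) -> bytes:
    """Attacker side: prepend a second 'classes.dex' and keep every original entry,
    including the untouched manifest and signature, behind it."""
    with zipfile.ZipFile(io.BytesIO(signed_app)) as zf:
        originals = [(info.filename, zf.read(info)) for info in zf.infolist()]
    return build_zip([("classes.dex", evil_code)] + originals)


def verify_last_wins(app: bytes) -> bool:
    """Naive verifier: maps name -> entry with a dict, so a later duplicate silently
    replaces an earlier one and only the *last* copy is ever hashed."""
    with zipfile.ZipFile(io.BytesIO(app)) as zf:
        by_name = {info.filename: info for info in zf.infolist()}
        manifest = zf.read(by_name["META-INF/MANIFEST.MF"]).decode()
        sig = zf.read(by_name["META-INF/CERT.SF"]).decode()
        expected = hmac.new(SIGNING_KEY, manifest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        for line in manifest.splitlines():
            name, digest = line.split(":")
            if hashlib.sha256(zf.read(by_name[name])).hexdigest() != digest:
                return False
        return True


def load_code_first_wins(app: bytes) -> bytes:
    """Naive loader: linear scan of the central directory, the *first* matching name wins."""
    with zipfile.ZipFile(io.BytesIO(app)) as zf:
        for info in zf.infolist():
            if info.filename == "classes.dex":
                return zf.read(info)
    raise KeyError("classes.dex")


def verify_strict(app: bytes) -> bool:
    """Hardened verifier: reject duplicate names outright and require every non-signature
    entry to be listed in the manifest, so the bytes that were verified are the only
    bytes any other parser can possibly load."""
    with zipfile.ZipFile(io.BytesIO(app)) as zf:
        names = [info.filename for info in zf.infolist()]
        if len(names) != len(set(names)):
            return False            # duplicate entry name: two readers may disagree
        listed = {line.split(":")[0]
                  for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines()}
    if any(n not in listed and n not in SIG_ENTRIES for n in names):
        return False                # unsigned entry smuggled into the archive
    return verify_last_wins(app)    # with unique names the dict lookup is unambiguous


if __name__ == "__main__":
    app = build_signed_app(b"legitimate dex bytecode")
    trojan = trojanize(app, b"malicious dex bytecode")
    print("naive verifier accepts trojan:", verify_last_wins(trojan))
    print("loader runs:", load_code_first_wins(trojan))
    print("strict verifier accepts trojan:", verify_strict(trojan))
```

The point of the strict verifier is not the specific duplicate-name check but the invariant behind it: the verifier must reject any archive it cannot interpret in exactly one way, because it has no control over how the installer, the class loader or a native unzip routine will resolve the ambiguity. Scanning an installed APK for duplicate entry names is also the cheapest way to check whether a package has been tampered with in this manner.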


7 thoughts on “And you still use Android?”

  1. Interesting. I don’t currently have a smartphone of any kind, but Android is one of the two options I’m considering. I’ll have to dig into this. If it’s accurate, it’s disturbing, partly as a cryptographic blunder (akin to the “cryptography” in “WEP”) and partly if indeed it’s that old and still unfixed.
    That said, given the track record of the maker, I would not consider a Windows phone. For other designers these sorts of security issues are unexpected, especially if not fixed promptly; for Microsoft they are everyday fare.

  2. You are kind of screwed no matter what. You can’t really trust Windows Phone given that MS has ties to the NSA as outlined in the Prism stuff and the infamous NSA Key release back in the day. You can’t trust Apple because they are also in the program, and Google is also in the program. So even though they are open source they might have some incentives to not patch every hole found to keep it accessible to agencies. I think it is safe to say regardless of which phone you are on you are screwed. Maybe Firefox OS will end up being the most trusted one, but then you have the issue of no phone choices on it and no apps.

    • The “NSA Key” in Windows wasn’t what most people thought it was.

      To the best of my knowledge (and I helped write the O/S) Windows Phone does not have any deliberate security holes. I wouldn’t trust SkyDrive with sensitive information but you don’t have to enable that.

      To the best of my knowledge Windows Phone 8 doesn’t have any hacks that can give someone else even partial control of it. And only some Windows 7.x phones have partial hacks that allow you to install noncertified apps on it. That is not true of the Android or iPhone.

      Of course that doesn’t mean it’s secure. It just means it’s not known to be insecure like the plausible alternatives are.

      • You definitely would have a better understanding of Windows Phone OS than myself. I am just thinking of it from a relationship standpoint of who they are working with. For the same reason I don’t really trust Bitlocker under Windows to not have a backdoor in it, Truecrypt seems like it would be a lot safer.

  3. I’ll trust a MS product when I trust the Skinheads Nations to welcome Jewish people into their organization. I trust Google barely more than MS, but that’s only because it’s theoretically open source. I say theoretically because the source that’s available is not necessarily the object that gets installed to the phones. Apple I wouldn’t touch with someone else’s 10 foot pole.

    Also, unless I’m missing something, someone would have to convince you to install a modified .APK for this to be an issue. Am I wrong?

  4. I think you are correct as long as you use a broad definition of the word “convince.” Free <insert name of popular non-free app> will be more than sufficient convincing for a lot of people.

  5. Pingback: SayUncle » Making the switch
