Android's biggest security flaw is its users, report finds

Apple's iPhone more secure but also closed

Google's Android has solved many of the security weaknesses that beset Windows but at the expense of handing a dangerous level of decision-making to users, a Symantec study has argued.

A Window into Mobile Device Security compares Android's security architecture to that of its major rival, Apple's iOS, which runs the iPhone and iPad, and finds the latter to be superior, at least for now.

Android's relative openness, fragmentation of different versions, weaker app vetting, and immature use of encryption all mark it down compared to iOS, but Symantec's authors still worry that its whole security model might start to cause it major problems over time.

The problem for Android - and to some extent all mobile operating systems - is the power it hands to applications and the way users interact with them, which leaves it wide open to social engineering attacks.

Most of this is already well-documented and some of it is unavoidable. For instance, although each Android app runs isolated from every other app with only the privileges it has been granted, a rogue program can still request access to any subsystem, including SD card storage, GPS, the telephone and Wi-Fi interfaces and a user's email inbox, simply by declaring the permissions it wants.

The danger is that those permissions are granted by click-happy end users who have no way of assessing the implications of hitting the 'yes' button.

"At first glance, Android's permission system seems to be extremely robust, enabling software vendors to limit an application to the minimal set of device resources required for operation," writes report author and Symantec vice president, Carey Nachenberg.

"The problem with this approach is that ultimately it relies upon the user to make all policy decisions and decide whether an app's requested combination of permissions is safe or not," he adds.

"So far, we've seen only a handful of different malware apps released for Android, but it's already clear that many are able to cause damage without having to 'crack' or bypass Android's permission system."
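As an added illustration (this is example code written for this page, not code from the Symantec report or from Google): a small static check that does what the report says is left to the user, namely judge an app's requested combination of permissions rather than each permission on its own. It parses the `uses-permission` entries of an AndroidManifest.xml and flags pairings of a sensitive data source with a way to get data off the device. The risky-combination table is this example's own heuristic, not an Android or Symantec policy, and the manifest is a constructed sample for a wallpaper app that asks for far more than a wallpaper app needs.

```python
"""Flag risky permission combinations declared in an AndroidManifest.xml.

Added example for this page, not from the Symantec report or the article.
The RISKY_COMBINATIONS table is a hypothetical heuristic; the sample manifest
is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Real Android manifest namespace; attributes such as android:name live here.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Heuristic (hypothetical) pairings: a sensitive data source plus a channel to
# move data off the device, or a single permission that can cost the user
# money. Each entry is (label, set of permissions that must all be present).
RISKY_COMBINATIONS = [
    ("SMS exfiltration",
     {"android.permission.READ_SMS", "android.permission.INTERNET"}),
    ("premium-rate SMS",
     {"android.permission.SEND_SMS"}),
    ("contact harvesting",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
    ("location tracking",
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}),
    ("call interception",
     {"android.permission.READ_PHONE_STATE",
      "android.permission.PROCESS_OUTGOING_CALLS"}),
]

# Constructed sample: a "free wallpapers" app declaring SMS and contact access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Free Wallpapers"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        # ElementTree exposes namespaced attributes as "{namespace}localname".
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def risky_combinations(permissions):
    """Return the labels of every heuristic whose permissions are all present.

    Order follows RISKY_COMBINATIONS so results are deterministic.
    """
    return [label for label, required in RISKY_COMBINATIONS
            if required <= set(permissions)]


def audit_manifest(manifest_xml):
    """Convenience wrapper: permissions found plus the findings for them."""
    perms = declared_permissions(manifest_xml)
    return {"permissions": sorted(perms), "findings": risky_combinations(perms)}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("Declared permissions:")
    for p in report["permissions"]:
        print("  " + p)
    print("Risky combinations:")
    for finding in report["findings"]:
        print("  " + finding)
```

Run against the sample, the check reports SMS exfiltration, premium-rate SMS and contact harvesting; none of the individual permissions would look alarming on a consent screen, which is the report's point. Extending the table is a matter of adding tuples; a real deployment would also weigh the app's declared category against what it asks for.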

None of this is exactly helped by the relative ease with which fraudsters can reverse engineer Android's Java-based apps and distribute them using third-party websites over which Google has no control. The first generation of Android app attacks has also shown that a repackaged app can easily impersonate a legitimate program: Android only requires that an app carry a valid developer signature, not one vouched for by Google, so an attacker can re-sign a modified copy with a key of their own.

The report does not look at the emerging Windows Phone platform but it is possible that Microsoft's smartphone OS might enjoy a late-mover advantage in terms of security compared to Android.

The report predicts that security companies will inevitably push the traditional antivirus security model on Android users but will struggle to contain the social engineering attacks that simply manipulate users into installing bad apps by other means. One technology that might gain traction is cloud-based reputation scanning.

Nachenberg cautions businesses against allowing employees to simply import a potential mobile "back door" without proper security controls.

In the first half of 2011, Android has been hit by several small waves of malware which have left Google scrambling to remove problem apps from its Android Market. In April, software giant CA even found a fake antivirus app targeting Android users.

Stories by John E Dunn