Cheap Android tablets riddled with security flaws, test finds

Android version guarantees nothing

Cheap clone Android tablets of the sort that crowd the shelves of many bricks-and-mortar US stores are often riddled with dangerous but hidden security flaws, a test by Bluebox Security has found.

The firm's motivation for carrying out the test of a dozen popular tablets was to advertise the capabilities of its own Trustable assessment tool, but what it found suggests there is still plenty to worry about.

The problem, of course, is that tablet reviews rarely mention security beyond what comes with Android itself because it's hard to know what's going on at a low level. And yet there are many places where it can fall down badly without the user or buyer realising.

The first and unexpected finding was that having a more recent version of Android isn't necessarily a reliable indication of how secure a tablet is. Sure enough, the top-scoring tablet was the brand new HTC Nexus 9 running Android 5.0, yet the second-best performer was Samsung's $100 Galaxy Tab 3 Lite, which scored a creditable 8.6 out of a maximum of ten despite running the aging 4.2.2.

This not only beat the other five tablets running the same version by some distance, but also five others running later versions such as 4.4.2. The DigiLand sold by Best Buy was apparently running 4.4.0 but was so poor that it was given no score at all.

Caveat emptor: within the bulk of tablets, the Android version is only a vague indicator of security - the brand and the underlying engineering competence are more important.

The full field of tablets is represented in this table (apologies for the size) with their scores and sellers such as Walmart, Staples, Kmart, Fred's, Walgreens, Kohl's, BestBuy and Target. Some of these tablets are unbelievably cheap. For instance, the Kmart and Staples tablets will set consumers back a ludicrous $40 (£30), while several others can be bought for $50. What can people possibly expect for such small sums?

DigiLand's poor device suggests not a lot. Its makers had opened it up to potential Trojan attack by signing firmware with an Android Open Source Project (AOSP) test key, while the USB debugging port was running with root privileges. It was also vulnerable to one significant flaw - the Futex vulnerability - although it's fair to point out that it is not alone in that.

Many others manifested similar engineering weaknesses, with one common issue being that installation of apps from third-party sources was enabled by default. Allowing third-party app stores automatically lowers security protection, not least because it makes it possible for dodgy apps that get on to the device to trigger secondary downloads.
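The three build-level weaknesses named above (firmware signed with AOSP test keys, a USB debugging bridge running as root, and app installation from unknown sources enabled) all leave traces in a device's system properties and settings. The following script is an added example, not code from the article or from Bluebox, and it assumes the well-known Android properties ro.build.tags, ro.secure and ro.debuggable plus the install_non_market_apps secure setting; on a real device the inputs would come from `adb shell getprop` and `adb shell settings get secure install_non_market_apps`, but here constructed sample output is embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the article or Bluebox): flag the build-level
# weaknesses the article describes from Android system properties.
# Inputs are getprop-style "[name]: [value]" lines; constructed samples below.

# Print the value of one property from getprop-style output (or nothing).
# $1 = property name, $2 = full getprop output
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Inspect a device and print one FINDING line per weakness.
# $1 = getprop output, $2 = value of the install_non_market_apps setting
# Returns 0 when nothing was found, 1 when at least one weakness was found.
assess_device() {
    props="$1"
    unknown_sources="$2"
    findings=0
    tags=$(prop_value ro.build.tags "$props")
    secure=$(prop_value ro.secure "$props")
    debuggable=$(prop_value ro.debuggable "$props")

    # Firmware built with the public AOSP test keys: anyone can sign an
    # update or system app that the device will accept as genuine.
    case "$tags" in
        *test-keys*)
            echo "FINDING: firmware signed with AOSP test keys (ro.build.tags=$tags)"
            findings=$((findings + 1)) ;;
    esac

    # ro.secure=0 makes the adb daemon run as root; ro.debuggable=1 marks a
    # debug build where "adb root" is permitted. Either exposes full control
    # over USB to anything that can reach the debugging port.
    if [ "$secure" = "0" ]; then
        echo "FINDING: ro.secure=0, adb shell runs as root"
        findings=$((findings + 1))
    fi
    if [ "$debuggable" = "1" ]; then
        echo "FINDING: ro.debuggable=1, debug build permits adb root"
        findings=$((findings + 1))
    fi

    # Unknown sources on by default lets any app on the device side-load more.
    if [ "$unknown_sources" = "1" ]; then
        echo "FINDING: install from unknown sources enabled by default"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: how a poorly engineered bargain tablet of the kind the
# article describes might report its properties (not from any real device).
WEAK_TABLET='[ro.build.tags]: [test-keys]
[ro.build.version.release]: [4.4.0]
[ro.debuggable]: [1]
[ro.secure]: [0]'
WEAK_UNKNOWN_SOURCES=1

# Constructed sample for a properly built release device on an older Android.
RELEASE_TABLET='[ro.build.tags]: [release-keys]
[ro.build.version.release]: [4.2.2]
[ro.debuggable]: [0]
[ro.secure]: [1]'
RELEASE_UNKNOWN_SOURCES=0

echo "== constructed weak tablet =="
assess_device "$WEAK_TABLET" "$WEAK_UNKNOWN_SOURCES" || \
    echo "-> keep banking and sensitive data off this device"
echo "== constructed release tablet =="
assess_device "$RELEASE_TABLET" "$RELEASE_UNKNOWN_SOURCES" && echo "-> no build-level findings"
```

The point of the check is the one the article makes: the Android version string (4.4.0 versus 4.2.2 in the samples) says nothing about these findings, while the build tags and the adb security properties do.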

Perhaps worst of all, some came with pre-loaded apps that security programs defined as potentially intrusive for their collection of data.

"Be aware that not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices," said Bluebox's researchers.

"We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices - if you do, you will be putting your data at risk."

Android smartphone and tablet users can test their own devices with Bluebox's free app, available from Google Play. If you happen to own one of the devices mentioned above, prepare to be shocked.

Stories by John E Dunn