240 likes | 693 Views
Android Security: Investigating Google’s Mobile OS. Kadra Alvaro April,2010. Outline. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future of the Android OS. Introduction: The Android Platform.
E N D
Android Security: Investigating Google’s Mobile OS Kadra Alvaro April,2010
Outline • Introduction: The Android Platform • Threats to Smartphones • Android-Specific Threats • How to Secure Your Android Device • The Future of the Android OS
Introduction: The Android Platform • The Android operating system was originally developed by Android Inc • A small company that was purchased by Google in July of 2005. • Android is both a platform and an operating system. • By using Java, Google hopes to make Android development more accessible and easierto participate in.
Threats to Smartphones • When smartphones first came out, the threats to them were minimal. • These days smartphones are one of the most prevalent handheld devices; • accessing their email, • their bank account, • the internet • texting and calling plans • All from one portable device.
Threats to Smartphones • The fact that most users don’t install security software on their phones. • Some of the more common threats to mobile devices • Bluetooth exploits, • SMS/MMS attacks (usually injection), • web browser, • malware (usually distributed by third-party sources in the form of Apps or other downloads),
SMS Vulnerabilities • SMS and MMS are vulnerable to a variety of attacks these days. • SMS is much more than just text or picture messaging; SMS is often used for voicemail notifications and visual voicemail. • SMS fuzzing and shellcode injection hit the iPhone soon after its debut, and has been known to attack Windows Mobile and Android phones as well.
SMS Vulnerabilities • Most of the exploits on phones are man-in-the-middle attacks, where software is injected between the modem and the telephony stack where it can eavesdrop on incoming and outgoing messages.
Malware • There has been an upsurgein malicious Apps since Apple’s App Store debuted. • They include games designed to surreptitiously record phone numbers and other private user data and steal ID numbers or bank info. • This could be one of the most prominent threats to Android phones because of the mostly unregulated Android App Market.
Web Browser Exploits • The web browser is one of the most complex components running on the relatively slimhandset operating systems. • The mobile web browser is constantlyevolving and being reinvented by different third-party vendors. • Most smartphone browsers arefilled with bugs and badly written code that can be exploited.
Bluetooth Vulnerabilities • Many phones come with default settings that will allow the phone to connect toa Bluetooth piece without any authorizationor encryption.
Android-Specific Threats • Its open-source nature makes it aprime target for hackers since every detail of its inner workings are laid bare to anyone withinternet access.
Third-Party Applications/Software • Perhaps the most prominent potential danger is Android’s free and open Application Market,which undergoes very little monitoring by Google, which strikes a sharp contrast with Apple’sinfamously fussy App Store regulations.
Apple’s App Store: The Iron Fist • Apple was the first company to create a popular online technology store that was capable ofdirectly interfacing with handheld Apple devices. • The iTunes store is one of the most widelyused music applications for organizing and purchasing media. • Apple knows that a troupe of vicious Applications roaming around their App Store would be verybad for business.
Apple’s App Store: The Iron Fist • Once they finish producing their App, they send it to Apple, whothen assigns a team of two employees to review the App. • Apple not acceptedApps contain • private API’s, • more than a few bugs, • violates the user’s privacy (such as stealing/logging his data), • help the user break any law • perform VoIP calls without AT&T’s permission are disqualified
Apple’s App Store: The Iron Fist • Any Apps that are designed to replace a core Apple program (such as a web browser, email manager, or a calendar App) are also not accepted. • Many users who are unsatisfied with Apps that play by Apple’s rules jailbreak their iPhones to download unapproved Apps, which leads many to unknowingly infect their phones with malicious programs.
The Android Market: Laissez Faire • Google’s security policy is altogether different from Apple’s in that it transfer responsibility onto the users and Google itself takes little part in patrolling the Market.
Malware in the Market • Unlike the closely regulated Apple App Store, the Android Market allows all kinds of malicious Apps to be posted, and users perusing the latest uploads need to be wary.
Malware in the Market • Security researchers Derek Brown and Daniel Tijerina tested the potential for damage by creating a simple weather App called WeatherFist that collects user data like GPS coordinates and phone numbers. • Twenty-four hours after the App was released, the researchers had 1,862 phones roped into a potential botnet.
How to Secure Your Android Device • Disable automatic Bluetooth sharing and keep it turned off when you’re not using it (it also saves battery). • It’s not a bad idea to keep your GPS turned off too.
How to Secure Your Android Device • Useful free App, called Mobile Defense, will also track down lost or stolen handsets. • After the device syncs with your account, the App promptly “uninstalls” itself, leaving no trace that the program was ever downloaded or installed. • As it is possible for a thief to uninstall the highly visible Antivirus software.
The Future of the Android OS • Android is running on quite a few phones, both new and old. • If Android devices continue to remain so scattered and unsupported, it could have a negative aspect on security for Android owners.
The Future of the Android OS • Google’s policy regarding Android seems to be very hands-off so far in the development of the young OS. • However, more than a few people think that more regulation from Google is necessary to keep users safe.