Search This Blog

Saturday, March 19, 2011

Fortifying Android Market Application Security: 11 Ways to Do It


Google faced one of its more serious attacks when developers laced 58 applications in the Android Market with malicious code. The programs, which Google quickly removed March 1, were intended to grab codes that identify mobile devices and determine the OS version running on a device. Google not only notified police of the attacks and suspended the developer accounts responsible for the suspicious "DroidDream" malware, but took the unusual step of engaging its kill switch. That is, the search engine remotely removed the offending applications from users' devices. It’s only the second time Google has taken such a step. As an open-source platform where Google lets developers write code with great freedom and flexibility, Android is an ideal target for malicious developers and hackers attempting to dupe people or simply mess around with the Android Market applications. Security experts weighed in with their thoughts on the matter. For this slide show, eWEEK talked to some of those experts, including software developers from security firms and analysts, to learn how Google can improve security in its Android Market for mobile phone and tablet users.

Sophos Backs Raising the Bar for Developers

Vanja Svajcer, one of the principal malware researchers at Sophos Labs, said Google should make it more difficult for people to become approved developers who can publish programs on the Android Market. Google currently charges $25 for developers to publish applications in the Market. "If it was $100 or $500, that would be more comparable to Apple, and may put off some of the mischief makers who are trying to introduce malware to the Android market," Svajcer told eWEEK.

Improve Security Assessments

Sophos' Svajcer also said Google should institute a better security-assessment process for applications published to the Android Market. This would include a reputation score for every application publisher as well as the ability to track requested permission changes for every application and to scan applications with antivirus products. "A big mistake, in my opinion, is the existence of alternative unofficial Android markets. This means that even if Google manages to keep its official Market clean, the problem will not go away. This is especially true of China, where most users are downloading from these unofficial markets.

Veracode Favors App Scanning

Veracode CTO Chris Wysopal said Google must verify code before it is available for customer download. "The halo effect of the app store distribution channel combined with the fact that many apps are from developers no one has ever heard of and the failure of the reputation model of policing means that validating app security before making them publicly available is the only way to lessen instances of malware. Signature-based scanning that PC software sites such as perform is a must. Additionally, due to the intense security risk posed by spyware on mobile devices, malicious behavior scanning should also be performed."

Fix Kernel-Level Flaws

It's not just the applications. Wysopal said Android kernel flaws need to be fixed promptly and pushed out to all devices. Of course, users should only download applications from companies they know or applications that have been around for a while, paying attention to download count and the history of the application developer.

Better App-Testing Protocols

Gartner Research security analyst John Pescatore said, "The major thing Google needs badly to do is leapfrog Apple and make the Android Market have better security testing than Apple does for the Apple App Store. Google has been trying to attack the iPhone's lead in the exact opposite direction, by saying ‘Droid Does’ and having an Android Market that is totally wide open. This recent malware event is a direct result of that. Meanwhile, Google has also tried to misdirect attention to the shortcomings of the wide-open Android Market by pointing to sandboxing and other security features in the Droid OS that do absolutely nothing about many types of malware."

End ‘Wild West’ Approach to App Acceptance

Pescatore said Google's "wild, wild west" approach to Android is a losing strategy. "I have never once heard a Gartner client say ‘the iPhone app store is too restrictive’ or ‘there isn't an app for that.’ The reverse is true: I think a big part of the iPhone's success is that there are enough apps and the ones that are there are not dangerous."

BitDefender Backs Sandboxing

While Pescatore downplayed Google's "sand boxing" of applications, Catalin Cosoi, head of online threats at BitDefender, said Google did a great job when it developed Android and its sandboxing system because it makes it difficult for an application to interact with the other applications installed on the user's phone. However, free applications that require a lot of permissions and are able to steal information from a user's phone are quite easy to develop, without using complicated hacking techniques or advanced development skills. Google, Cosoi said, must double-check some of the applications that are submitted to the Android Market.

Build Android Security Apps

But beyond the obvious solutions of double-checking applications, there is a need for security vendors to create security applications for Android. "However, because of the sandboxing system, a security app will have the same privileges as a regular app, so it will just be able to notify the user that something is wrong, but the user will have to take the removal actions," Cosoi cautioned. These would be installed on users' Samsung Galaxy devices, Droid gadgets and other Android handsets.

Create Remote App Installation Alerts

Tim Armstrong, malware researcher for Kaspersky Lab, said Google needs to build a mechanism to alert users that an application from the store is being installed on their phones. "The current model which requires no approval on the device is inherently flawed. If an attacker can figure out a way to push an application, either through some remote flaw, replay attack or hacking into Google accounts, there is nothing to stop them from installing whatever they want without user consent," Armstrong added.

Check App Permission Requests

Echoing what others said before him, Armstrong said a review of submitted applications could also help. Checking applications for particular permission requests could go a long way toward ferreting out the bad guys. This could include things like a high, medium and low risk category.

Improve Patching to Resolve Android Fragmentation

As for the phones themselves, Armstrong noted that one of the major problems in Android security is applying security patches across different versions of Android. Because of this confusing platform fragmentation, there needs to be a more modular patching system. For example, platform fragmentation set the stage for DroidDream, which used two root exploits that could have already been patched in updates. They're both fixed in later versions such as 2.2.2. But at present, more than 40 percent of the devices in use are not running this version of the OS. An improved patching system would have aided greatly in protecting customers with older devices, he added.


No comments: