Mobile // Mobile Devices
Commentary
2/25/2012
09:26 AM
Larry Seltzer
Larry Seltzer
Commentary
Connect Directly
Twitter
Facebook
Google+
LinkedIn
RSS
E-Mail
50%
50%

Wanted: Secure Android App Whitelisting

Android's security is broken. Here's how it could be strengthened.

If you are an Android user, you've noticed that when you install an app you are presented with a list of permissions. The idea is that you can decide whether you trust the app to have these permissions. In fact, these screens are like Terms of Service agreements for software: They're important, but everybody just clicks OK and puts them out of mind.

Android asks too much of its users in terms of security. (Apple's iOS, on the other hand, asks too little, but that's another story.) Even if you think users should pay attention rather than just blindly clicking, Android permissions are too complicated. The end result is that a malicious app could request excessive permissions, and very few users would notice.

And the Android platform may not even be as secure as it should be. Researchers at North Carolina State University found vulnerabilities in preinstalled software in eight handsets from HTC, Motorola, Samsung, and Google that would allow significant eavesdropping and data theft.

Also, it turns out that for all versions of Android prior to 4.0 (Ice Cream Sandwich), the OS automatically assigns the permissions WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE. WRITE_EXTERNAL_STORAGE is pretty clear and generally refers to the SD card. READ_PHONE_STATE is one of three values: IDLE, RINGING, and OFFHOOK. Are these a big deal? Give me some time and I'm sure I'll come up with a way to abuse the privilege.

The best solutions for situations such as these is a controversial topic, but I've long been a fan of whitelisting, under which users would be able to install only apps that are on a special pre-cleared list. Apple already does this with its App Store. Theoretically, there are problems with it, but in the real world it has proven to be a powerful technique. I think it's fair to say that if you install arbitrary apps from the App Store, you might get ripped off, but you aren't going to get "exploited" in the computer security sense.

There's at least one way for Android to implement this now. 3LM provides Android security and management solutions that fill in the many gaps in Google's implementations (Read about some here.). 3LM's big news, announced at RSA and Mobile World Congress, is its partnership with NQ Mobile to provide user-facing anti-malware protection. NQ Mobile is big in the Android anti-malware business, but primarily in Asia, where Android app stores other than the Google Android Market are popular.

Much more interesting from my point of view is the way 3LM extends the Android security system to give IT or a carrier better control. The company's software adds security hooks that protect APIs so that only whitelisted apps can use them. Alternatively, you can blacklist specific developer signatures and/or applications. They need to partner with OEMs to do this, though, because Android is at least secure enough not to permit end-user installation of software allowing this sort of capability.

The same security extensions allow 3LM to make Android anti-malware more powerful; under a stock Android installation, anti-malware is so unprivileged that it can do little more than alert the user that it's too late--they've already been compromised. 3LM allows such attacks to be prevented.

Personally, if I were managing an IT department that allowed Android phones, I'd want this capability, and I'd be strict with it: You want to install an app on a company phone? We have to approve it first. If it's not approved, you'll have to wait.

Some argue that this is a losing battle and the defensive lines need to be drawn further back, at the permission or API level. Either way, the 3LM approach has you covered. Just don't settle for out-of-the-box Android security.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.