Wanted: Secure Android App Whitelisting

Android's security is broken. Here's how it could be strengthened.

Larry Seltzer, Contributor

February 25, 2012

3 Min Read

If you are an Android user, you've noticed that when you install an app you are presented with a list of permissions. The idea is that you can decide whether you trust the app to have these permissions. In fact, these screens are like Terms of Service agreements for software: They're important, but everybody just clicks OK and puts them out of mind.

Android asks too much of its users in terms of security. (Apple's iOS, on the other hand, asks too little, but that's another story.) Even if you think users should pay attention rather than just blindly clicking, Android permissions are too complicated. The end result is that a malicious app could request excessive permissions, and very few users would notice.

And the Android platform may not even be as secure as it should be. Researchers at North Carolina State University found vulnerabilities in preinstalled software in eight handsets from HTC, Motorola, Samsung, and Google that would allow significant eavesdropping and data theft.

Also, it turns out that for all versions of Android prior to 4.0 (Ice Cream Sandwich), the OS automatically assigns the permissions WRITE_EXTERNAL_STORAGE and READ_PHONE_STATE. WRITE_EXTERNAL_STORAGE is pretty clear and generally refers to the SD card. READ_PHONE_STATE is one of three values: IDLE, RINGING, and OFFHOOK. Are these a big deal? Give me some time and I'm sure I'll come up with a way to abuse the privilege.

The best solutions for situations such as these is a controversial topic, but I've long been a fan of whitelisting, under which users would be able to install only apps that are on a special pre-cleared list. Apple already does this with its App Store. Theoretically, there are problems with it, but in the real world it has proven to be a powerful technique. I think it's fair to say that if you install arbitrary apps from the App Store, you might get ripped off, but you aren't going to get "exploited" in the computer security sense.

There's at least one way for Android to implement this now. 3LM provides Android security and management solutions that fill in the many gaps in Google's implementations (Read about some here.). 3LM's big news, announced at RSA and Mobile World Congress, is its partnership with NQ Mobile to provide user-facing anti-malware protection. NQ Mobile is big in the Android anti-malware business, but primarily in Asia, where Android app stores other than the Google Android Market are popular.

Much more interesting from my point of view is the way 3LM extends the Android security system to give IT or a carrier better control. The company's software adds security hooks that protect APIs so that only whitelisted apps can use them. Alternatively, you can blacklist specific developer signatures and/or applications. They need to partner with OEMs to do this, though, because Android is at least secure enough not to permit end-user installation of software allowing this sort of capability.

The same security extensions allow 3LM to make Android anti-malware more powerful; under a stock Android installation, anti-malware is so unprivileged that it can do little more than alert the user that it's too late--they've already been compromised. 3LM allows such attacks to be prevented.

Personally, if I were managing an IT department that allowed Android phones, I'd want this capability, and I'd be strict with it: You want to install an app on a company phone? We have to approve it first. If it's not approved, you'll have to wait.

Some argue that this is a losing battle and the defensive lines need to be drawn further back, at the permission or API level. Either way, the 3LM approach has you covered. Just don't settle for out-of-the-box Android security.

About the Author(s)

Larry Seltzer


Follow Larry Seltzer and BYTE on Twitter, Facebook, LinkedIn, and Google+:

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights