Google Must Deal with Android Security Problems Quickly

Carl Weinschenk

It's been considered a certainty for some time that the rise of smartphones and tablets and the parallel increase in the value of data that they store and process are making the mobile world an attractive target for crackers.

More recently, that common knowledge has been narrowed down a bit, and the precise entry point for the criminals has become apparent. Google's Android is thought by experts to be especially vulnerable and the key to the bad guys getting a solid footing in the mobile world. Once that operating system is fully compromised, cyber criminals will try to expand the beachhead by more fully attacking Apple's iOS, BlackBerry and other platforms.

The key reason is that Android's open nature makes it inherently easier to infect. Just a couple of weeks ago, for instance, researchers at North Carolina State University described an exploit that can cause Android to skip the step in which it asks for the user's approval for certain actions. For instance, this hack can "allow" the device to send out information or even record calls without the user's real agreement. It is important to note that these permissions often are given without much thought by users anyway. But the hack extends that vulnerability considerably.


The bottom line is that Android security is a touchy subject. eWeek's Don Reisinger's recent look at 10 smartphone and tablet security lessons made the point both implicitly and explicitly. On the implicit side, most of the 10 mentioned Android as a current problem. More explicitly, the first of the 10 lessons was entitled "Android is a nightmare." Later in the piece Reisinger wrote:

Android is quickly becoming the top destination for cyber-criminals for two main reasons: It's popular and there aren't enough checks in place to safeguard the operating system. In fact, adding an application to the Android Market is as simple as signing up as a developer and making it available. Before Google has a chance to remove a bad app, tens of thousands of devices could be infected. It's a serious problem.

With such questions in the air, the use of the OS by the government may seem worrisome. But it indeed is happening. That doesn't sit well with Bob Gourley, a former chief technologist at the Defense Intelligence Agency (DIA) and now the CTO of consultancy Crucial Point. He points out what is good about Android - his list is long - but raises caveats as big as the defense budget:

There are some very serious security issues with this platform. They are so serious the government should think twice before rushing to Android as a most favored mobile platform. In fact, a case can be built that it should be excluded from government use unless guidelines are followed in order to mitigate the issues.

The rest of his post is dedicated to describing what is wrong with Android and what has to be done to make it secure enough to comfortably handle governmental tasks. The frightening thing is that, just like in business, the IT department and security people don't have total control over what is going on. The bottom line is that the security vulnerabilities of Android must be confronted and rectified, even if businesses and the government don't intend to use Android for sensitive matters. In other words, its use simply is beyond the control of the organization, and security must be designed in that context.

The harsh assessment of Android security isn't unanimous. The problem, however, is that a key defender works on Android. Google has a tremendous amount of work to do on both Android security itself and the public's perception of how safe it is to use. It's an ongoing story, but if those questions aren't addressed quickly, they will become too ingrained to change.


