This eWeek story describes a fairly complex man-in-the-middle attack that attempts to steal identification information from Android phones. The story does a good job of explaining what is going on. The overall takeaway, however, is that from a security perspective, Android could become the new "old" Microsoft unless it steps up.
Microsoft, of course, was known for the insecurity of the Windows operating system until it recognized the threat to its core business and dedicated impressive amounts of resources to confronting the problem. Google's Android is in a similar, though not identical, position.
The major dissimilarity is that Windows was by far the dominant OS in the desktop world, while Android is just one of several players. On the similarities list, however, is the fact that Android is finding use as a sort of commodity OS, and as such it is apparently becoming a huge target for attackers. Indeed, since Microsoft's security crisis the emphasis of attackers has moved more fully toward monetization, which means they are better organized and use more sophisticated tools. Organized crime and hostile foreign governments are often behind these campaigns. These are not pony-tailed kids operating from their parents' basement.
Where Google must not be like Microsoft is in waiting. In essence, we all know the movie script this time around. There is no excuse for denial. Google must proactively address security concerns and keep the mobile world - at least the part of it under its control - from degenerating into the mess that the desktop world once was.
The company took a healthy step in the right direction early last month by better securing its application store. It introduced Google Bouncer, a scanning service that looks for malware in the apps offered through Google Play, the new name of the Android Market.
Perhaps, however, there is a hint of denial in this passage from the eWeek story, which presents the view of Carlos Castillo, a McAfee researcher:
However, Castillo notes that only Android users who have selected the option in the Android settings that allows installing apps from unknown sources are vulnerable to this attack. He said that legitimate banking applications would be available from the Android Market, now renamed Google Play. He said that Google checks the apps there for malware, and gets rid of them using Google Bouncer.
It's difficult to tell whether that is denial or not, but the bottom line is that it should be extremely difficult for users to install apps whose provenance is not known. As it stands, "unknown sources" is a single device-wide setting: once a user has turned it on, the device will install any APK the user is lured into opening, wherever it came from.
In any case, it's a dangerous Google Play world out there. North Carolina State University recently did some research that shows as much:
Researchers from North Carolina State University have found that including ads in mobile applications (apps) poses privacy and security risks. In a recent study of 100,000 apps in the official Google Play market, researchers noticed that more than half contained so-called ad libraries. And 297 of the apps included aggressive ad libraries that were enabled to download and run code from remote servers, which raises significant privacy and security concerns.
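The NC State finding turns on one capability: an ad library that can fetch code from a remote server and execute it. A first-pass triage for that capability is to look inside the APK's classes.dex for references to the Dalvik class-loading APIs, since any class an app uses appears as a type descriptor in the dex string table. The following is an added example, not code from the page or from the NC State study; the descriptor strings are the real Dalvik descriptors, while the sample APK is constructed inline (a zip with a fake classes.dex, not a valid dex file) so the script runs offline.

```python
"""Heuristic triage: can this APK load code that was not shipped inside it?

Added example, not from the article or the NC State study. It byte-searches
each classes*.dex in an APK for type descriptors of the Dalvik/Java class
loaders. The sample APK built below is a constructed stand-in.
"""
import io
import re
import zipfile

# Multi-dex APKs carry classes.dex, classes2.dex, ... at the zip root.
DEX_ENTRY = re.compile(r"^classes\d*\.dex$")

# Real Dalvik type descriptors. Referencing any of these means the app can
# execute code that was not part of the reviewed APK, which is exactly the
# "download and run code from remote servers" behaviour in the study.
DYNAMIC_LOADING_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": "DexClassLoader: loads classes from an external .dex/.jar",
    b"Ldalvik/system/PathClassLoader;": "PathClassLoader: loads classes from a filesystem path",
    b"Ldalvik/system/DexFile;": "DexFile: opens a .dex file directly",
    b"Ljava/net/URLClassLoader;": "URLClassLoader: loads classes from a URL",
}


def scan_dex(dex_bytes):
    """Return the indicator descriptions present in one dex file.

    Descriptors the code references are stored verbatim in the dex string
    table, so a byte search is enough for a first pass. It will not see a
    descriptor built at runtime (reflection over concatenated strings) or
    one hidden inside an encrypted payload, so a clean result is not proof.
    """
    return [desc for needle, desc in DYNAMIC_LOADING_INDICATORS.items() if needle in dex_bytes]


def scan_apk(apk_bytes):
    """Map each classes*.dex entry of an APK (a zip) to its indicators."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if DEX_ENTRY.match(name):
                findings[name] = scan_dex(apk.read(name))
    return findings


def is_aggressive(findings):
    """True when any dex entry in the APK can load code not shipped with it."""
    return any(findings.values())


def build_sample_apk(dynamic):
    """Constructed stand-in for an APK: a zip holding a fake classes.dex whose
    body carries the descriptor strings a real string table would contain.
    This is not a valid dex; only the byte search above is exercised."""
    strings = [b"Landroid/app/Activity;", b"Landroid/webkit/WebView;"]
    if dynamic:
        strings += [b"Ldalvik/system/DexClassLoader;", b"Ljava/net/URLClassLoader;"]
    fake_dex = b"dex\n035\0" + b"\0".join(strings) + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<binary-xml-placeholder/>")
        apk.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, dynamic in (("plain app", False), ("ad-library app", True)):
        findings = scan_apk(build_sample_apk(dynamic))
        verdict = "aggressive" if is_aggressive(findings) else "no dynamic loading"
        print(f"{label}: {verdict} {findings}")
```

To run it against a real file, pass `open("app.apk", "rb").read()` to `scan_apk`. Treat a hit as a reason to look closer rather than a conviction: plenty of legitimate apps use `DexClassLoader`, and a library that wants to hide will fetch and decrypt its loader code at runtime, where this search cannot see it.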
The bottom line is that Android is on thin ice. It is everywhere and poorly protected, at least at the app level. Indeed, the news items of the past few weeks - the man-in-the-middle attacks, the introduction of Bouncer and the dire findings of NC State - are all at the app level. An entirely distinct layer of vulnerabilities exists inside the operating system itself.