Without a doubt, tablets will be a hot item this holiday season. Retailers such as Best Buy, Walmart, Target, Kohl’s and Staples are hard at work offering can’t-miss deals this holiday for a host of “bargain” Android tablets. But how much of a deal are you really getting?
Bluebox Labs recently purchased over a dozen tablets featured in this year’s Black Friday extravaganzas (most under $100) and reviewed each of them for security. What they found was shocking and quite terrifying. Many of the devices shipped with vulnerabilities and security misconfigurations – a few even had security backdoors.
We know that the product quality and features of inexpensive tablets fall short of those of more expensive tablets. But Android is Android, and the software running on these tablets should offer the same secure Android experience as other Android devices. Alas, the device vendor makes many decisions when constructing an Android tablet, and some of those decisions can drastically affect the overall security and long-term trustability of the device.
The amount of security variation in Android devices is so large that Bluebox Labs recently released the free Trustable by Bluebox Android application to discover and measure all of the security aspects of a device. The Trustable by Bluebox app produces an overall Trust Score, which provides an indication of how trustable the device is compared to other available Android devices. You can read all about how they compute a Trust Score here and give the Trustable by Bluebox app a try by downloading it from Google Play.
Santa or the Grinch: Android Tablet Security
HTC Nexus 9
The most expensive of the lot at $399, Bluebox Labs found that the recently released HTC Nexus 9 from Google had no known security vulnerabilities or security misconfigurations. It also included the latest Android security updates and received a perfect 10.0 Trust Score.
Trustworthiness: Trustable
Vulnerabilities: No Known
Samsung Galaxy Tab 3 Lite
Multiple stores are offering the Samsung Galaxy Tab 3 Lite this year for around $99. The Tab 3 Lite was found to have no known vulnerabilities and no security misconfigurations, even though it has a slightly older version of Android.
Trustworthiness: Trustable
Vulnerabilities: No Known
DigiLand
Best Buy is advertising a DigiLand 7″ Android tablet for $49.99, reportedly running Android 4.4.0. But when Bluebox Labs looked under the hood, they started seeing discrepancies with some parts of the system indicating it’s Android 4.4.2. This raises questions about whether what the device reports is real or not. They also found the device was signed by the AOSP (Android Open Source Project) test key, which is not supposed to be used for signing the firmware of commercial devices because it allows an attacker to easily create a Trojan system update. The USB debugging connection to the device (ADB) was also running with root privileges, which means the device effectively comes rooted out of the box. It is also vulnerable to the Futex Android vulnerability.
The DigiLand tablet had so many discrepancies and never-encountered-before security issues that the current Trustable by Bluebox app couldn’t accurately score the device.
Nextbook
The Nextbook 7.85” Android tablet, running Android 4.4.2, is available from Walmart for $49.00. The device was pretty standard, including the two security vulnerabilities it comes with. Overall, it was one of the “best of the worst” tablets in the lineup.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex
RCA Mercury 7″
Target is advertising an RCA Mercury 7” Android tablet running Android 4.4.2 for $39.99. Other than having two known vulnerabilities out of the box, the device was otherwise straightforward in terms of security expectations.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex
Mach Speed Xtreme Play
Kmart is advertising the Mach Speed Xtreme 7” Android tablet for $39.99. Bluebox purchased the same tablet from Kmart, running Android 4.4.2. The device is vulnerable to two known Android security bugs, and by default disables the security configuration setting that protects the tablet from installing apps from malicious third-party sources.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex
Pioneer 7″
The Pioneer 7” was showcased as the “Value of the Day” on the Walmart homepage for $49.99. It’s running Android 4.2.2, and comes with two known security vulnerabilities.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Master Key
Ematic
The Ematic brand has popped up in the past, so Bluebox got an Ematic 7” tablet running Android 4.2.2 for $49.99. This device includes three known Android security vulnerabilities.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex, Master Key
Mach Speed Jlab Pro
Staples was advertising the Mach Speed JLab Pro-7 7” Android tablet as an online Black Friday sneak peek for $39.99, so Bluebox Labs bought one. This Android 4.4.2 device comes with developer mode and USB debugging enabled by default. But even more oddly, it seems there were customizations made to the installed Android software to remove some security features that would otherwise be there normally. Specifically, they noticed that the ADB service on the device did not require them to authorize the ADB connection on the device…a capability that was introduced in Android 4.2.2 and present ever since. Normally, this security feature prevents someone with physical access to the device from stealing data via the USB connection, but since this security feature has apparently been removed, the device is at risk.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex
RCA 9″
Wondering if bigger was better, next was an RCA 9” tablet, also from Walmart for $69. This device came with Android 4.2.2, and the customary three security vulnerabilities appropriate for that Android version.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex, Master Key
Craig 7″
Fred’s Super Dollar has a Craig 7” Android 4.4 tablet advertised for $49.99. Bluebox Labs isn’t sure of the exact model Fred’s will be selling, but they did find and review a reasonably comparable Craig 7” CMP765-HD tablet on Amazon also running Android 4.2.2 (even though it was advertised as having Android 4.4). The device is subject to three known Android security vulnerabilities.
Trustworthiness: Semi-Trustable
Vulnerabilities: Fake ID, Futex, Master Key
Worryfree Zeepad
The Worryfree Gadgets Zeepad 7DRK 7” tablet is offered by Walmart for $47.32. Bluebox Labs had hoped the tablet would live up to its namesake, but alas it has two major Android security vulnerabilities. It has USB debugging turned on by default, comes with a security backdoor pre-installed (also known as being “pre-rooted,” it includes “su” installed by the factory, meaning an attacker is given unfettered access to the system without having to run an exploit to gain this access), and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. That’s enough to leave Bluebox Labs worried.
Trustworthiness: Suspicious
Vulnerabilities: Fake ID, Futex
Polaroid
Walgreens is offering Polaroid Android tablet models, particularly the A7 7” model for $49.99. Bluebox was unable to confirm the exact model Walgreens will be selling, but they did find the similar Polaroid PMID720 7” Android tablet model on Amazon. This tablet shipped with Android 4.1.1. It is vulnerable to four known Android security bugs, comes rooted out of the box, and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. It had one of the lowest Trust Scores of all tested tablets.
Trustworthiness: Suspicious
Vulnerabilities: Fake ID, Futex, Master Key, Heartbleed
Zeki
Kohl’s is advertising a Zeki 7” Android tablet for $49.99. Bluebox Labs was able to buy the same model from Amazon. With a well-deserved Trust Score of 2.1, this was the worst tablet encountered out of the entire lineup. This Android 4.1.1 device is vulnerable to four major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed, is signed by the AOSP test key, and doesn’t include Google Play – thus it requires the use of third-party app markets, which do not benefit from Google’s extra app security screening process.
Trustworthiness: Suspicious
Vulnerabilities: Fake ID, Futex, Master Key, Heartbleed
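Several of the findings in the DigiLand, JLab Pro, Zeepad and Zeki entries above (AOSP test-key signing, ADB running as root, missing ADB authorization, USB debugging on by default, mismatched version strings) are visible in a device's `adb shell getprop` output. The following is an added example, not Bluebox Labs' code or the Trustable app's method; the sample dump is constructed, the finding names are made up for illustration, and it does not detect a pre-installed su binary or the listed vulnerabilities.

```python
import re

# Constructed sample of `adb shell getprop` output (not taken from any tested tablet).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.0]
[ro.build.fingerprint]: [generic/example/example:4.4.2/KOT49H/eng.build.1:userdebug/test-keys]
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    """Return a sorted list of (hypothetical) finding names for a property dict."""
    findings = set()
    # Firmware built with the public AOSP test key reports "test-keys".
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.add("signed-with-test-keys")
    # ro.secure=0 means adbd never drops privileges: the ADB shell is root.
    if props.get("ro.secure", "1") == "0":
        findings.add("adbd-runs-as-root")
    # adbd only demands on-device authorization when ro.adb.secure is "1".
    if props.get("ro.adb.secure", "0") != "1":
        findings.add("adb-authorization-not-enforced")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.add("usb-debugging-on-by-default")
    # Fingerprint layout: brand/product/device:release/id/incremental:type/tags
    parts = props.get("ro.build.fingerprint", "").split(":")
    release = props.get("ro.build.version.release")
    if len(parts) == 3 and release and parts[1].split("/")[0] != release:
        findings.add("version-mismatch")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(parse_getprop(SAMPLE_GETPROP)):
        print(finding)
```

On devices older than Android 4.2.2 the ADB authorization finding is expected, since the feature did not exist yet.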
In addition to findings from Trustable, Bluebox Labs also ran a few popular antivirus/malware scanners on the tablets. A few tablets came loaded with known Adware/Riskware. They also encountered a version of Angry Birds, loaded on one tablet, that had been re-signed by the device vendor. This means the vendor could have modified Angry Birds to collect more information than the authors originally intended. This also precludes the version of Angry Birds on the tablet from ever receiving updates from the original developer, as the signing keys are different.
You Get What You Pay For
These results may be surprising to non-Android enthusiasts, but to be honest, Bluebox Labs routinely encounters these kinds of security problems with lower-budget Android device vendors. The same situation occurs with inexpensive Android phones bought from eBay and other international marketplaces.