    Android Tablet Security Analysis for the 2014 Holidays

    Without a doubt, tablets will be a hot item this holiday season. Retailers including Best Buy, Walmart, Target, Kohl’s and Staples are hard at work offering can’t-miss holiday deals on a host of “bargain” Android tablets. But how much of a deal are you really getting?

    Bluebox Labs recently purchased over a dozen tablets featured in this year’s Black Friday extravaganzas (most under $100) and reviewed each of them for security. What they found was shocking and quite terrifying. Many of the devices shipped with vulnerabilities and security misconfigurations – a few even had security backdoors.

    We know that product quality and features on inexpensive tablets fall short of those on more expensive tablets. But Android is Android, and the software running on these tablets should offer the same secure Android experience as other Android devices. Alas, the device vendor makes many decisions when constructing an Android tablet, and some of those decisions can drastically affect the overall security and long-term trustability of the device.

    The amount of security variation in Android devices is so large that Bluebox Labs recently released the free Trustable by Bluebox Android application to discover and measure all of the security aspects of a device. The Trustable by Bluebox app produces an overall Trust Score, which provides an indication of how trustable the device is compared to other available Android devices. You can read all about how they compute a Trust Score here and give the Trustable by Bluebox app a try by downloading it from Google Play.

    Santa or the Grinch: Android Tablet Security

    Click through for a security review of the latest “bargain” Android tablets, provided by Bluebox Labs.

    HTC Nexus 9

    The most expensive of the lot at $399, Bluebox Labs found that the recently released HTC Nexus 9 from Google had no known security vulnerabilities or security misconfigurations. It also included the latest Android security updates and received a perfect 10.0 Trust Score.

    Trustworthiness: Trustable

    Vulnerabilities: No Known

    Samsung Galaxy Tab 3 Lite

    Multiple stores are offering the Samsung Galaxy Tab 3 Lite this year for around $99. The Tab 3 Lite was found to have no known vulnerabilities and no security misconfigurations, even though it has a slightly older version of Android.

    Trustworthiness: Trustable

    Vulnerabilities: No Known

    DigiLand

    Best Buy is advertising a DigiLand 7″ Android tablet for $49.99, reportedly running Android 4.4.0. But when Bluebox Labs looked under the hood, they started seeing discrepancies, with some parts of the system indicating it’s Android 4.4.2. This raises questions about whether what the device reports is real or not. They also found the device was signed by the AOSP (Android Open Source Project) test key, which is not supposed to be used for signing the firmware of commercial devices because it allows an attacker to easily create a Trojan system update. The USB debugging connection to the device (ADB) was also running with root privileges, which means the device effectively comes rooted out of the box. It is also vulnerable to the Futex Android vulnerability.

    The DigiLand tablet had so many discrepancies and never-encountered-before security issues that the current Trustable by Bluebox app couldn’t accurately score the device.

    Nextbook

    The Nextbook 7.85” Android tablet, running Android 4.4.2, is available from Walmart for $49.00. The device was pretty standard, including the two security vulnerabilities it comes with. Overall, it was one of the “best of the worst” tablets in the lineup.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex

    RCA Mercury 7″

    Target is advertising an RCA Mercury 7” Android tablet running Android 4.4.2 for $39.99. Other than having two known vulnerabilities out of the box, the device was otherwise straightforward in terms of security expectations.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex

    Mach Speed Xtreme Play

    Kmart is advertising the Mach Speed Xtreme 7” Android tablet for $39.99.  Bluebox purchased the same tablet from Kmart, running Android 4.4.2. The device is vulnerable to two known Android security bugs, and by default disables the security configuration setting that protects the tablet from installing apps from malicious third-party sources.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex

    Pioneer 7″

    The Pioneer 7” was showcased as the “Value of the Day” on the Walmart homepage for $49.99. It’s running Android 4.2.2, and comes with two known security vulnerabilities.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Master Key

    Ematic

    The Ematic brand has popped up in the past, so Bluebox got an Ematic 7” tablet running Android 4.2.2 for $49.99. This device includes three known Android security vulnerabilities.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex, Master Key

    Mach Speed Jlab Pro

    Staples was advertising the Mach Speed JLab Pro-7 7” Android tablet as an online Black Friday sneak peek for $39.99, so Bluebox Labs bought one. This Android 4.4.2 device comes with developer mode and USB debugging enabled by default. But even more oddly, it seems customizations were made to the installed Android software to remove some security features that would normally be there. Specifically, they noticed that the ADB service on the device did not require them to authorize the ADB connection on the device, a capability that was introduced in Android 4.2.2 and has been present ever since. Normally, this security feature prevents someone with physical access to the device from stealing data via the USB connection, but since it has apparently been removed, the device is at risk.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex

    RCA 9″

    Wondering if bigger was better, next was an RCA 9” tablet, also from Walmart for $69. This device came with Android 4.2.2, and the customary three security vulnerabilities appropriate for that Android version.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex, Master Key

    Craig 7″

    Fred’s Super Dollar has a Craig 7” Android 4.4 tablet advertised for $49.99. Bluebox Labs isn’t sure of the exact model Fred’s will be selling, but they did find and review a reasonably comparable Craig 7” CMP765-HD tablet on Amazon, which was running Android 4.2.2 (even though it was advertised as having Android 4.4). The device is subject to three known Android security vulnerabilities.

    Trustworthiness: Semi-Trustable

    Vulnerabilities: Fake ID, Futex, Master Key

    Worryfree Zeepad

    The Worryfree Gadgets Zeepad 7DRK 7” tablet is offered by Walmart for $47.32. Bluebox Labs had hoped the tablet would live up to its name, but alas it has two major Android security vulnerabilities. It has USB debugging turned on by default, comes with a security backdoor pre-installed (the device is “pre-rooted”: “su” is installed at the factory, so an attacker has unfettered access to the system without having to run an exploit to gain it), and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources. That’s enough to leave Bluebox Labs worried.

    Trustworthiness: Suspicious

    Vulnerabilities: Fake ID, Futex

    Polaroid

    Walgreens is offering Polaroid Android tablet models, particularly the A7 7” model for $49.99. Bluebox was unable to confirm the exact model Walgreens will be selling, but they did find the similar Polaroid PMID720 7” Android tablet model on Amazon. This tablet shipped with Android 4.1.1.  It is vulnerable to four known Android security bugs, comes rooted out of the box, and disables by default the security configuration setting that protects the tablet from installing apps from malicious third-party sources.  It had one of the lowest Trust Scores of all tested tablets.

    Trustworthiness: Suspicious

    Vulnerabilities: Fake ID, Futex, Master Key, Heartbleed

    Zeki

    Kohl’s is advertising a Zeki 7” Android tablet for $49.99. Bluebox Labs was able to buy the same model from Amazon. With a well-deserved Trust Score of 2.1, this was the worst tablet encountered out of the entire lineup. This Android 4.1.1 device is vulnerable to four major Android security vulnerabilities, has USB debugging turned on by default, comes with a security backdoor pre-installed, is signed by the AOSP test key, and doesn’t include Google Play – thus it requires the use of third-party app markets, which do not benefit from Google’s extra app security screening process.

    Trustworthiness: Suspicious

    Vulnerabilities: Fake ID, Futex, Master Key, Heartbleed
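
    The build-level findings reported above for the DigiLand, JLab Pro, Zeepad and Zeki tablets (test-key signing, ADB running as root, USB debugging on by default, missing ADB authorization, inconsistent version strings) can be checked from the output of `adb shell getprop`. The following is an added example, not Bluebox's code and not how the Trustable app computes its score. It assumes the standard Android system properties named in the code; the sample output and the finding labels are constructed for illustration.

```python
import re

# Constructed sample of `adb shell getprop` output (not taken from any reviewed tablet).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.0]
[ro.build.fingerprint]: [examplebrand/example_tab/example_tab:4.4.2/BUILDID/20141101:eng/test-keys]
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything malformed."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", text, re.M))

def version_tuple(release):
    """'4.2.2' -> (4, 2, 2); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", release))

def audit_build(props):
    """Return sorted finding labels (hypothetical names) for a parsed property dict."""
    findings = set()
    release = props.get("ro.build.version.release", "")
    # Fingerprint layout: brand/product/device:RELEASE/id/incremental:type/tags
    m = re.match(r"[^:]+:([^/]+)/", props.get("ro.build.fingerprint", ""))
    if m and release and m.group(1) != release:
        findings.add("version-mismatch")
    # A build tagged test-keys is the usual indicator of AOSP test-key signing
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.add("test-keys")
    # adbd keeps root when ro.secure is 0, or when a debuggable build sets service.adb.root
    if props.get("ro.secure", "1") == "0" or (
            props.get("ro.debuggable") == "1" and props.get("service.adb.root") == "1"):
        findings.add("adb-root")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.add("usb-debugging-on")
    # ADB host authorization only exists from Android 4.2.2 onward
    if version_tuple(release) >= (4, 2, 2) and props.get("ro.adb.secure", "0") != "1":
        findings.add("adb-auth-off")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_build(parse_getprop(SAMPLE_GETPROP)):
        print(finding)
```

    A pre-installed “su” binary and the third-party app sources setting are not exposed as build properties, so they need separate checks on the device itself.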

    In addition to findings from Trustable, Bluebox Labs also ran a few popular antivirus/malware scanners on the tablets. A few tablets came loaded with known Adware/Riskware. They also encountered a version of Angry Birds, loaded on one tablet, that had been re-signed by the device vendor. This means the vendor could have modified Angry Birds to collect more information than the authors originally intended. This also precludes the version of Angry Birds on the tablet from ever receiving updates from the original developer, as the signing keys are different.

    You Get What You Pay For

    These results may be surprising to non-Android enthusiasts, but to be honest, Bluebox Labs routinely encounters these types of ongoing security problems with lower-budget Android device vendors. The same situation occurs with inexpensive Android phones bought from eBay and other international marketplaces.
