Android Holes Allow Secret Installation of Apps

CheerfulMacFanboy writes with a link to Heise Online which says "'Security researchers have demonstrated two vulnerabilities that allow attackers to install apps on Android and its vendor-specific implementations without a user's permission. During normal installation, users are at least asked to confirm whether an application is to have certain access rights. Bypassing this confirmation request reportedly allows spyware or even diallers to be installed on a smartphone.' One vulnerability was identified when a security specialist analysed HTC devices and found that the integrated web browser has the right to install further packages (used to automatically update its Flash Lite plug-in). Attackers can exploit this if they have found another browser hole. 'Android specialist Jon Oberheide demonstrated another hole which involved misusing the Account Manager to generate an authentication token for the Android Market and obtaining permission to install further apps from there. However, this initially requires a specially crafted app to be installed on the smartphone. Nothing could be easier: Oberheide released the allegedly harmless "Angry Birds Bonus Levels" app into the Android Market and, upon installation, this app downloaded and installed three further apps ("Fake Toll Fraud," "Fake Contact Stealer," and "Fake Location Tracker") without requesting the user's permission.'"

Makes popcorn

And sits down to watch the fanboy battle begin. Go go go

Re:Makes popcorn

[MobileTatsu-NJG]

I dare the posters on this site to go this entire thread without mentioning Apple.

Re:Makes popcorn

[WrongSizeGlass]

Android has a security vulnerability? A security hole in the browser lets a malicious website infect the phone? Isn't this very similar to a problem my iPhone had just a few months ago? Yeah, it's a different method of infection and the levels of access aren't the same (I believe the iPhone could be totally rooted by this) but the fact remains that these devices aren't 100% secure.

Is this type of thing news? Only in the sense that it serves as a reminder to those who will listen that you have to be careful about what you do with your phone/computer/etc.

Re:Makes popcorn

[TheRaven64]

Isn't this very similar to a problem my iPhone had just a few months ago?

Nope, it's entirely different. This is a security hole, while the iPhone had a jailbreak opportunity.

Android is open...

[Schuthrax]

So that means anyone can compile and install his or her own fixes? So this sounds like a non-issue to me.

Adobe @#^@#$ us over again

A security hole so @#^%&@ adobe can update its garbage flash player every thirty seconds because of security issues.

Yes, and people really should read the source

[Brannon]

before they install their apps.

Time to move to a repository system?

[mlts]

As mentioned before on /., Maybe Google should consider moving to a repository system. By default, Android devices should have a repository where apps are vetted, Apple App Store style. Of course, have the ability for a user to easily turn on the second repository (which would be the current Google App Store) for items not found on the "blessed"/default repo.

This has worked for OSS projects for over a decade. It should work quite well for Android.

Re:Time to move to a repository system?

[Rich0]

Uh, that's exactly how it works right now - only market apps can get onto the phone, unless the user enables the installation of non-market apps. The problem here is that Google left a back-door open. No amount of security design will help if the vendor leaves a back-door open. The iPhone in theory doesn't run anything not signed by Apple, but since lots of users are walking around with jailbroken iPhones they didn't get it right either.

Google just needs to stop leaving back-doors open in their OS. Apps should be installed via the standard interface, and the existing market auto-update feature should be used for deploying updates.

Note also that having multiple repository tiers probably won't help much. The less-vetted tier will undoubtedly have more software in it, so 99.999% of all phones will have it enabled. Thus, virtually all phones will still be vulnerable to malicious apps.

The solution is just to fix the leaks in the sandbox, and not to deliberately engineer them in. As long as the user has to approve all app installs, and apps disclose their permissions, things like this should stay under control.

Oh, on the topic of permissions - Android really needs to let users toggle individual permissions at the time of application install. Right now your only choices are install or don't-install. It would be REALLY nice if I could toggle that "auto-load on start" permission for the 95% of the apps on the phone that I don't want running all the time no matter what the authors think. Right now the only thing I can do is edit the apk manifest, which is a BIG pain and blocks updates.

Re:Time to move to a repository system?

[Rich0]

I still think a better solution is to make it impossible to write malicious software in the first place.

Apps should not generally open arbitrary network sockets. Apps should generally not be able to use gobs of bandwidth. Apps should generally not be able to call 911/etc.

Maybe an in-between solution is for Google to vet apps that request more sensitive permissions. So, if your app just displays on-screen, makes connections back to the distributor's website with modest bandwidth use, and maybe plays some music, then no pre-approval is required. If your phone accesses the phone book, the dialer, or sends arbitrary network traffic, then it requires pre-approval. That will of course make app authors think twice about whether those things are necessary.

Perhaps another step is to make it so that by default the app asks for the more sensitive permissions but the user has to confirm them individually and if they just hit the OK button the software gets installed with safer permissions. This would of course require software authors to design their apps so that they work fine with or without GPS location, or phonebook access, or the dialer, or without services, etc.

Re:Time to move to a repository system?

Where in the article summary implicates Google as the responsible party? Read again.

VENDOR SPECIFIC IMPLEMENTATIONS have this security hole. HTC specifically added a permission to update internal plug-ins.

What of old versions

[giorgist]

See now that Android is becoming a big target = installed base
Old phones are rarely updated.
New phones and evices are still coming out with 1.6
Old 1.6 phones are still alive

All vulnerabilities will persist.

So an auto logging in banking app is there for the taking

Re:What of old versions

[Rich0]

Well, it remains to be seen if they backport fixes to 1.6, but I agree completely that this is a potential weakness of the platform. Vendors are WAY too quick to abandon old phones. If it isn't still in stores, they don't care about it.

In fact, probably the best way for us poor G1 owners to get some official updates for our phones is to start releasing viruses designed to take down the cell network. THAT would get some updates out quick! :) (Disclaimer - I'm not advocating that anybody actually do this of course!)

Re:What of old versions

[Rich0]

True, but while CM has been a great solution for a while the focus of that distro has moved on to newer phone models. While CM 6.0 runs on the G1 it is VERY slow, and doesn't support apps/data on SD ext3, and official Froyo apps on SD doesn't work well for many apps.

6.1 seems to be a lot better, but I think it is only a matter of time before the G1 stops getting much attention, which then leaves a lot of more experimental mods floating around. CM was nice because it focused more on usability/stability and was less of a POC build.

It is like the 1990s all over again - developers tend to be enthusiasts who buy the latest and greatest, so they always build stuff that doesn't run well on older PCs. We've gotten away from this in the last 10 years since modern PCs (except in the area of graphics) have not really been improving much as they are no longer CPU-bound, and most developers don't own SSDs yet.

Phones, however, are on a very Moore's-law like curve which means that when you donate to your favorite phone modder you're giving him a change to get a newer fancier phone and stop supporting yours. :) Granted, that doesn't mean that the solution isn't to reward them for what they've done for us.

The Downside of Smart Phones

There are a lot of upsides to phones that can install aps, browse the web, and so on and so forth. This article is an example of one of the downsides, though. With computer-type capabilities, you get computer type problems. The old wired phones, and probably even most "dumb" cell phones pretty much were only vulnerable to people who had physical access to them altering their behavior. Now phones can theoretically get viruses and dial out on their own and so on and so forth.

I'm not advocating that people discontinue buying smart phones, but it's always good to pause for a second and think about the things we give up to move forward, as it were.

Re:Telco backdoors

[gmhowell]

If I'm not mistaken, all mobile phones have backdoors for telco's to use, for silently pushing firmware updates and bricking phones, etc.

I might be mistaken, but I'm pretty sure that's what my cousin told me, who works with setting up mobile infrastructure.

No kidding? Well, my best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious.

Re:Telco backdoors

[fostware]

Abe Froman can afford to give you mod points.

Re:I can't find that app in the App Store

[FatdogHaiku]

Man I found it but Fake Location Tracker doesnt seem to work :(

You must first be in a fake location...duh!

General purose computing device

[bm_luethke]

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this. To some there is a "war" going on between Apple and Android but that really misses the issue - in this respect trying to figure out which is the "better" on is like trying to figure out if Frosted Flakes or Fruit Loops is the better breakfast cereal - it is personal preference and there are most likely "better" solutions out there (and as a disclaimer I am an Android user - Droid One).

Until one side truly figures this out I'll stick with Android if for nothing else than I can get the functionality I want. With Apple I have to buy into their idea on how their devices fit into my life and I, well, do not. If Apple truly had this superior model than I would go for it, but as far as I can see I get the worst of both worlds - lack of specialized apps (as those are often, for unknown reasons, rejected from their app store and there are one or two I would like) along with just as many vulnerabilities (and those usually require you store that info on the phone - which until/unless they secure them I do not). So I currently see Apple as having those issues yet none of the "rewards" of going with them.

There are a handfull of people I know I would still recommend the iPhone too, but unless they already know the iPhone platform over the Android and are still asking others about it that is rare. Sadly it isn't because Android is truly better, but because if all else is equal then the flexibility of the Android system is superior and pretty much everything else is equal. Apple has remained where they are for a *long* time because they haven't figured this out too - though I also have to say they have not died because they ignore it too (their model of revenue find this irrelevant, which means they will not "win" but really can not "loose").

Re:General purose computing device

[khchung]

Until smart phone manufacturers realize that they are making general purpose computing devices we will see this.

I say just the opposite. Until the Android crowd realize that a lot of people do not want a general purpose computing devices on their phone, they will be talking past all iPhone users.

I work with computers for a living, I know very well the high cost of ownership for owning a general purpose computing devices. I do not want that for my phone. I deliberately stayed away from "smartphones" until Apple got smart enough and produce one that obviously is not intended to be a PC on a phone.

All your reasons for calling Android "superior" is exactly the reasons that I found it inferior. I want a limited device that only do what I want and no more. The "no more" part is important to me, as it keeps the cost of ownership low. This seems to a point that the Android crowds never understand.

Maybe you find it intellectually simulating to find which security hole is patched in which Android version, and fun to track down exactly which Android version can be hacked to be installed on your phone (since your phone supplier probably won't give you a fix until a year later).

For me, I just want iTunes to periodically check if my phone has the latest patch and tell me about any updates, so I can install it by clicking "Yes".

Re:General purose computing device

[bigstrat2003]

Your logic fails. First, the main aspect of the iPhone that you could claim is an advantage over Android, the harsh policing of the app store, is irrelevant for security. Google can, and has, taken down apps that were insecure. The Android Market can be just as monitored as the iOS app store is. The real advantage is not anything to do with the market, it is the fact that you can install apps that are not from there. I'm sure you'll say "but I don't need that", but that's not true. You don't need it yet. I'm sure you'll feel differently if you ever have the bad luck to start to heavily use an app that Steve Jobs decides offends him in some way, and subsequently gets removed from the app store.

Second, if your reason for having an iPhone includes "I can just wait for iTunes to tell me when there's a new version", that's ridiculous. You can be ignorant of security flaws on Android, as well. Trust me, there's no one that makes you go read up on them on /. (although apparently you would do so anyway, since you read this article). You can just wait for the phone to tell you that there's a new update for the OS available, and install it. Just like the iPhone! Of course, just like the iPhone, if there's a security bug you won't know about it and can be exploited, but if that's really what you want you can get it.