Ask Slashdot: Android Security Practices?

Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"

Install a firewall

[girlintraining]

Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind). Disable their network access. If an application requires network access, bring it home, set it up on your home wifi network, and run a sniffer to find out where the data goes. You don't need to know what the data is per se. Then, try blocking as much of it as you can until the application stops working. You've now found the minimum amount of access that app needs to function.

Re:Install a firewall

[mlts]

More specifically, root your Android phone (no, it will not lessen security unless you are stupid and click "allow" on any app that pops up the su dialog unless you KNOW it needs the root permission.)

Install DroidWall and allow it full su access. Then when you install a new app, make sure to allow it out, because by default, new apps are not allowed to phone anywhere. LVL is handled by another mechanism, so apps should know they are licensed even if you block them with DroidWall.

After installing DroidWall, and selecting the apps you know that need to communicate, that will provide a decent measure of protection.

Re:Install a firewall

[improfane]

On a phone? Are you serious? Honestly I never thought you'd ever need a firewall on a phone. If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones. I always thought that the Bitfrost security architecture from OLPC was a good idea. How come this style of capabilities is not in Android?

Nokia 1661 and loving it baby. As far as I can tell, I can't put software on it!

Re:Install a firewall

[i.r.id10t]

The problem isn't that it is a phone, but rather, it is a computer with phone functionality. Would you tote around a laptop w/ no firewall or AV?

Re:Install a firewall

[Jeremiah+Cornelius]

Agreed. When "signed apps" are little different than trojans to steal your PII and report on your activities, the definition of security moves away from one of "penetration and exploitation" towards "scope of trust and violation".

As to the original article.posting, with its naive POV regarding security? What does your posture do for you, when exploitation and abuse are built into signed apps - or signed apps consume and interpret code from untrusted, arbitrary sources? Flash, Acrobat and any AJAX capable browser are all wide-open to abuse, on any given 0-day.

Re:Install a firewall

[The+Dawn+Of+Time]

You're missing reality - it's not a phone, it's a computer with phone software. I know that's exactly what the post you replied to said, but apparently it went right over your head.

Re:Install a firewall

[improfane]

That's the potential to access. Not the actual access. That won't scare users enough.

The software should display the data that would have been accessed with the widgets that is appropriate to the device, say a contact card or a filename and then threaten the user.

Are you sure you want to send this information to somewebsite.com over an unscrambled channel to someone in China?

• a list of your contacts as displayed in your contact list
• a recent email of your naked wife (with picture rendered)
• a map with lines between your last plotted geolocations
• the following picture captured from your webcam

It should be displayed like numerous bits of scrap data on the screen with a picture of a pipe and the pipe attached to a shady looking figure next to the planet earth on the other side of a cloud. The implication should be obvious.

Would that scare you?

Re:Install a firewall

[girlintraining]

I think you're missing my point. It's a phone.

They aren't missing it, they're ignoring it. What it is called isn't the issue, it's what it can do, and whether that is what the end-user wants (or not).

A smart phone is just a computer.

[Kenja]

A smart phone is a computer like any other and should be treated as such. Trust mobile apps as much as you would trust desktop applications. Do not install unknown software from unfamiliar sources and in general be as vigilant as you are with your Windows, Linux, OS X system. If you are paranoid enough, there are firewall and app activity scanners out there. But perhaps you dont trust them either. In which case, write your own apps. Its not hard for even the inexperienced with the app-builder tools.

Permissions aren't 'fine grained'

[c0d3g33k]

The problem with Android is that the permissions aren't in fact "fine grained" (though they might seem so to the 'TL;DR' generation). They are relatively course-grained with respect to what modern applications might require. Any non-trivial app will require permissions from the available pool that can be abused by malicious developers. The user has to fall back on trust when installing any non-trivial app.

Android needs something more like a sandbox environment for each application and a reasonable system where the user is asked for permission before accessing sensitive information.

Android permissions == FAIL, at least from a personal privacy and security perspective.

Re:Permissions aren't 'fine grained'

[ShavedOrangutan]

Every app requires full permissions, for no useful reason. Why a stopwatch wants access to my calls and read/write on the SD card, I don't know, and the choices are to either accept it or don't use the app. This is seriously broken. I don't even look in the Android Market anymore because it's just too much risk to install anything. It's actually worse than Windows, where at least I know where the software is coming from.

Re:Permissions aren't 'fine grained'

[Reapman]

EVERY App? I doubt this, in fact as an App Developer I know this isn't true. Adding permissions to your app is something you opt in - if a developer is so lazy he opts in every single perimssion then I wouldn't trust that app.

I've decided against installing apps that require permissions I don't want, and have quite a few apps that I've trusted onto my phone.

Google is providing you the ability to, at least, get an idea as to what your getting into. Something like the iPhone doesn't give this, and I'm not sure if Blackberry does or not. Could it be improved? VERY. Is it better then nothing? VERY.

How is this broken? Because an App Developer has some crazy permissions? I'd call that working - you know what it's asking for and you choose not to install it. How is it better then Windows? Do you know if your Windows Stop Watch app is talking to your Contacts stored in Outlook or Thunderbird?

Re:Permissions aren't 'fine grained'

[nabsltd]

Why a stopwatch wants access to my calls and read/write on the SD card, I don't know,

Many apps that need access to "phone calls" are doing so to be good resource users, and to follow some Android UI conventions.

Knowing if you are talking on the phone or not allows the app to change its behavior to not bother you, use less CPU cycles, etc. And, this sort of thing is why there are so many complaints about the overly-broad permission groups on Android...you can't know the "in-call state" without being given permission to "phone calls".

Take these for what they are worth...

[mlts]

Take these for what they are worth, but here are my security practices:

1: Install DroidWall and use that to lock down everything except the apps you do want going out.

2: Use TouchDown or a discrete app for secure Exchange email. This allows you to keep contacts separate from the rest of the device, and the app can keep the contacts encrypted. If it is work E-mail, it is good to keep it separated anyway.

3: Consider a PIN protecting app for #2 above, as well as your terminal, settings, and su app.

4: Use Titanium Backup with the encryption feature and store on Dropbox. If you look at TB, you will find that the way it does encryption using RSA keys is pretty well designed, so storing backups of apps on DB can be done securely.

5: Get a utility (I use WaveSecure out of habit, but there are others) that will lock the phone if the SIM card is changed, airplane mode is put on, and even allow one to remotely wipe the device and SD card. I'd like a utility that would give the ability to wipe the device and SD card if the phone has not seen Net access in "x" amount of time, similar to what BlackberryOS provides.

6: Look at reviews before buying apps.

7: Look at what the app asks for security permissions. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP.

8: If you use nandroid, consider some type of file encryption. This sucks when restoring a ROM image, but there are ways around that (decrypting the image while the SD card is mounted via USB, using a temporary ROM image with no data for decrypting, etc.)

9: Use AdBlock with Dolphin Browser. Ad rotation services are a noted source of malware.

10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.

11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.

12: Consider a "stuffbak" sticker. If the phone is found, at least there is a small chance it might get back to you, as opposed to 0 chance without it.

13: Keep backups. This way, if you do lose your phone, you can get another Android phone, fire up Titanium Backup, log onto DropBox, type in your decryption key, and restore your apps with their saved data.

14: Bug Google for them to put volume encryption (LUKS) into Android, so it can be used on the SD cards.

Android Security Practices

[privateerlabs]

1. Use caution when installing software! Remember that the Android market place does not vouch for the security/integrity of the apps. To my knowledge, minimal analysis is performed on apps, but nothing that provides any real security guarantee to the mobile user. There is no guarantee that the app you are installing is not malicious in nature, or chuck full of software vulnerabilities. Many of the legitimate apps in the marketplace are rapidly developed by individuals with little or no secure coding background. Also I highly recommend you only install apps from publishers you trust and make sure you read the user comments. If the app has a few thousand reviews and rates at 4 stars this would often indicate added legitimacy.

2. When installing apps be cautious of the permissions requested. The READ_PHONE_STATE permission permits access to sensitive device specific values that would normally be an invasion of privacy to supply. The problem arises when developers use a function called GetDeviceId() to get a unique ID for the mobile device that is later used for user account correlation on third-party services. The correct way to do this is to use Settings.Secure.ANDROID_ID. Google has a blog describing this issue in depth:
http://ask.slashdot.org/story/11/05/20/188228/Ask-Slashdot-Android-Security-Practices
Be very cautious with apps that ask to read/write SMS messages, read/write contacts, and place calls. Malware frequently uses these to pilfer unsuspecting users.

3. Careful when jail breaking your phone. If you jailbreak your phone you are opening yourself up to more serious compromise. Ask yourself, if all you have to do is run "su" from a jail broken command shell, why can't a malicious app do the same and run as root? SuperUser.apk is a popular alternative to traditional dirty jail breaking. It attempts to guarantee that the user is active in the Android UI by prompting the user without a dialog asking if the privilege elevation should be allowed. Remember that you are allowing that particular app to escalate privilege from now on. If you allow "sh" to escalate to root then an app may be able to simply run the shell "sh" and then escalate from there.

4. Firewalls are an option and will add another layer to the phone security, especially when connected to Wi-Fi access. Currently there aren't many remote attacks to listening services on the Android phone, but I wouldn't be surprised if we start seeing them with more frequency as more hackers started riding the wave.

5. Disable services you are not currently using. For example; if you are not using Wi-Fi, then disable it until you need it. Same goes for Bluetooth.

6. Remove unused apps. Many apps expose themselves to compromise by examining incoming text messages, integrating with mime/file types, etc. Go through your installed app lists and remove anything you don't use.

7. Android security products are starting to appear on the market (shameless plug). Rather than blindly recommend ours I would rather recommend you search the Android Market for "security", "antivirus", "malware", and the similar criterion. Read the reviews and find something that will scan your apps prior to install.

-Riley Hassell
CEO,Founder | Privateer Labs
email: riley@privateerlabs.net
Website: http://www.privateerlabs.net/