Slashdot Mirror


Researchers Find Methods For Bypassing Google's Bouncer Android Security

Trailrunner7 writes "Google's Android platform has become the most popular mobile operating system both among consumers and malware writers, and the company earlier this year introduced the Bouncer system to look for malicious apps in the Google Play market. Bouncer, which checks for malicious apps and known malware, is a good first step, but as new work from researchers Jon Oberheide and Charlie Miller shows, it can be bypassed quite easily and in ways that will be difficult for Google to address in the long term. Oberheide and Miller, both well-known for their work on mobile security, went into their research without much detailed knowledge of how the Bouncer system works. Google has said little publicly about its capabilities, preferring not to give attackers any insights into the system's inner workings. So Oberheide and Miller looked at it as a challenge, an exercise to see how much they could deduce about Bouncer from the outside, and, as it turns out, the inside."

3 of 79 comments

  1. I was wondering how well Bouncer was working... by mlts · Score: 5, Insightful

    While browsing the Google Play store, I have started to notice a number of apps that have 1000+ good reviews, all rather pithy like "Amazing", or "!!!".

    You then tap "Download" to look at the permissions, and the app asks for everything under the sun, even though the app might be a game or a utility that does one thing, and has zero need to be able to read and write contacts.

    Of course, for users who know what they are doing, stuff like this is as close to a Trojan as one can get, or at best some basic game coupled with a malware payload. However, for novice users who just want to use a phone and who think permissions are something to obtain from their teacher so they can go use the bathroom, the phrase, "babe in the woods" comes to mind.

    I hate lobbing brickbats at Google since I like the Android ecosystem and Android phones. Android even has a stronger security model than iOS. However, Apple does one thing which precludes the need for that much security in iOS, and that is to be an active and stern gatekeeper. iOS devs don't get their app stomped, then one hour later turn up again with the same app under a different name.

    Google needs to get on the ball and make two tiers of their Play Store. The first (default) tier would be like Amazon, where all apps are not just sent past a rudimentary scanner, but are actively vetted. This includes not just the original version of the app, but any updates, so malware can't be slipped in.

    To boot, a higher fee is charged to play in this game, partially to offset the cost of the enhanced filtering, and partially to discourage people from making accounts and trying to palm off the same malware-ridden app under different names.

    In the top tier, Google would need to have some very stringent policies. For example, if an app gets rejected by account "A", submitting the exact same app under account "B" with slight changes means that account "B" gets suspended for the first offense, and closed down for good after the second.

    Of course, Google can keep their second tier (which would be the same as Google Play now), but maybe put up some sort of warning for a user that once they exit the vetted tier, they are essentially on their own, so do what is needed at their own risk. This tier is one step up from just downloading an app via a website and sideloading it, but it is better than no security.

    Google needs to do something here, because the malicious apps are causing issues, not just in China, but here in the US. Already, Android's reputation is being tarnished by something that is not the OS's or hardware maker's fault, and Google needs to step up to the plate and do the role of active gatekeeper unless they want to see customers abandon the platform for ones with a better gate guardian, even though it means people buying far locked down devices.

    Bouncer just isn't going to cut it.

  2. Re:Not just bouncer, but any security scan by Jeng · Score: 5, Interesting

    The problem is that they are so vague about why the permission is needed. When presented with a list of things the app has permission to do, it should also list why the app needs this and what specifically the app is going to do with those permissions.

    As an example, I pulled up a free flashlight app; it needs the following permissions.

    Storage: modify/delete sd card contents.
    System Tools: prevent phone from sleeping
    Your Location: Coarse (network-based) location, fine (GPS) location
    Phone Calls: Read phone state and identity
    Network Communication: Full internet access
    Hardware Controls: Take Pictures and videos

    This is an app that turns on the flash on your phone as well as any other available lights, so it does not really need any of the permissions it asks for, and you have no idea what it is going to use those permissions for.

    In this case since it is just a flashlight app it is very easy to tell it is asking for permission for things it should not be doing, but what do you do when the app you want asks for permission for things it would technically need, but you have no idea if it is going beyond what is needed for functionality vs more nefarious operations?

    --
    Don't know something? Look it up. Still don't know? Then ask.

  3. Re:Not just bouncer, but any security scan by omglolbah · Score: 5, Insightful

    Preventing phone from sleeping is to avoid the phone going dark in 10-30 seconds.

    Phone calls is to gracefully terminate on a call so you are not holding up a beacon to the side of your head.

    Hardware controls (take pictures, videos) is for access to the actual flash hardware, which is part of the camera 'permission'.

    The issue is way too coarse permission groups in order to make it "easy" to handle.
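
Added example, not part of the thread or written by any commenter: a small audit that reads the `<uses-permission>` entries from a manifest and separates the ones the thread gives a reason for from the ones nobody accounts for. The manifest is constructed to mirror the flashlight app's list and is assumed to be already decoded to text XML; the mapping from the store's labels to `android.permission.*` names and the package name are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Reasons offered in the thread (comment 3) for a flashlight app.
EXPLAINED = {
    "android.permission.WAKE_LOCK": "keep the phone from going dark",
    "android.permission.READ_PHONE_STATE": "shut off gracefully on a call",
    "android.permission.CAMERA": "flash hardware is part of the camera",
}

# Constructed manifest mirroring the permission list in comment 2.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return permission names from <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name and name not in names:  # skip malformed or duplicate entries
            names.append(name)
    return names


def audit(manifest_xml, explained=EXPLAINED):
    """Split requested permissions into explained and unexplained ones."""
    report = {"explained": {}, "unexplained": []}
    for permission in requested_permissions(manifest_xml):
        if permission in explained:
            report["explained"][permission] = explained[permission]
        else:
            report["unexplained"].append(permission)
    return report


if __name__ == "__main__":
    for permission in audit(SAMPLE_MANIFEST)["unexplained"]:
        print("no stated reason:", permission)
```

On the sample, storage, both location permissions and internet access are left without a stated reason, which matches what the thread leaves unanswered.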