Look Out: Your Android Is Leaking
Google's Android mobile platform has taken some security hits lately but the fixes are out there.
The headlines in mid-May had to frighten just about every Android user: “Androids Leaking Personal Data,” the stories shrieked, and the reports -- based on research out of the University of Ulm in Germany -- pinpointed the problem as residing in the so-called ClientLogin tool, an authentication protocol that allows various Google apps (Calendar, Contacts, Picasa) to communicate with the phone hardware.
The problem: ClientLogin sent authentication tokens (basically user name and password) in clear text and, documented the Ulm researchers, it proved to be easy-peasy for just about anybody on a public WiFi network to snatch tokens of Android users on the network.
And that could give those hackers access into personal accounts and, possibly, also into enterprise networks.
The good news is almost immediately upon learning of the leak, Google’s Android team devised a patch and worked with carriers to push it out, said Android developer Shane Conder. The bad news is there are plenty of other security vulnerabilities with Android phones, said Android developer Lauren Darcey.
A core problem, she elaborated, “is developer laziness.” For instance, many Android apps routinely request data and service access permissions they do not in fact need and, worse, some apps may transmit private user data in clear text (typically username and password) that theoretically could be intercepted by alert criminals.
“We’ve seen these types of vulnerabilities across all platforms," said Khoi Nguyen, group product manager, mobile security group, Symantec. "There is nothing unique to Android.”
Nguyen also suggested that an enterprises urge users to closely inspect the permissions requested by any app during installation and to say yes only if the requests make sense. Android, to its credit, highlights exactly what access the app requests. It’s admittedly not easy to know what the app needs but, if in doubt, said Nguyen, just decline the permission.
That’s a start towards enhanced Android security but the plain fact is that Android security risks will only increase. This is because criminal organizations increasingly are targeting smartphones, said Gareth Maclachlan, COO of Dublin, Ireland-based security firm AdaptiveMobile.
Maclachlan’s contention is that attacks on mobile devices are spiking, as criminals realize “there is money to be made in mobile.” Android increasingly is a favorite target not so much because it has greater vulnerability ("[It] is dangerous to say one platform is more vulnerable than another,” said Maclachlan) but because it is gaining new users as a brisk clip. There now are around 400,000 Android activations per day, said Android creator Andy Rubin and Google SVP. That number (which includes both phones and tablets) is up from 300,000/day in December.
This fierce growth is why eyes remain fixed on Android.
Maclachlan said a particular area of criminal activity impacting Android is proliferation of malware apps via unregulated third-party apps stores. This is something that just cannot occur in Apple’s tightly controlled world where all apps are downloaded only via the company’s storefront. Not so with Android where apps can be distributed from anywhere.
A criminal wrinkle that is gaining popularity is to take a popular paid app, insert malware, then upload it for distribution -- often for free -- via third party sites that do not screen their apps. When bargain hunters find that $9.99 app now available for free, they can’t resist it. The cure is for enterprise to require apps be downloaded only from name brand sites such as Google Market and Amazon’s Apps Store.
Are all these worries stifling enterprise adoption of Android? That’s not what Raffi Tchakmakjian VP of Product Management at Montreal, Canada-based mobile device management company Trellia is seeing: “I don’t see enterprise being fearful of adopting Android,” he said.
He added that companies are insisting on common sense protections such as management tools that allow for remote wipes and kills of lost or stolen Android phones. Some companies also are insisting that their users’ phones have all available patch, OS and apps updates, or “they are denying access by the device to the corporate network,” said Tchakmakjian.
Other steps enterprises are taking to insure the safety of Android phones include:
- Urging users avoid public WiFi networks entirely. The risks are real and there is no impenetrable inoculation.
- Requiring installation of smartphone antivirus apps. (Right now, maybe 20 to 30 percent of smartphone users have antivirus apps installed, said Symantec's Nguyen.)
- Requiring that users encrypt the data on the smartphone and also password protect the device.
That last step may be particularly critical, suggests Symantec’s Nguyen, because one of the biggest security problems facing all smartphones (Androids included) is loss and theft.
But the bottom line, said the experts, is that by taking a handful of simple steps, Android can be made just as enterprise ready as any other smartphone platform.
Robert McGarvey - As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation's leading publications―from Reader's Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain's New York, and Fortune Magazine.