Android Leaking Private Info
Research at Black Hat shows that Android apps aren't as secure as they should be.
As the number of people using Android smartphones continues to increase, security researchers are turning their attention to the mobile platform.
One such researcher is Neil Daswani of Dasient. Daswani and his team scanned over 10,000 Android apps using behavioral analysis tools. The analysis was designed to identify whether the apps posed any security risks. Daswani is presenting his findings during a research talk at the Black Hat conference this week.
Of the 10,000 apps, Daswani noted, his team found that over 800 were leaking some kind of private information.
"We found that a lot of apps use third-party libraries to achieve some of their functionality," Daswani told InternetNews.com. "When those libraries make not-so-good decisions about how to send information back to a server, the entire app is possibly at risk."
The Dasient research follows the disclosure in May from Google that there was a flaw in its ClientLogin tool, which authenticates users to Google's services. One of the reasons for the security issue was a lack of proper SSL encryption and other safeguards to protect the data.
"They are non-SSL in all cases, and when they send out certain information, while they attempt to obscure the data, they didn't do a good enough job," Daswani said.
One type of information that Dasient found leaking from Android apps was the IMEI number. An IMEI is a unique 15-digit number that identifies a specific handset on a mobile network. In the hands of an attacker, an IMEI could potentially be used as part of an identity theft or phishing attempt. According to Daswani, eight percent of the scanned apps leaked an IMEI number, and 93 percent of those apps did not use any kind of encryption to protect the number.
Additionally, Daswani found 12 applications in the scanned group that were sending potentially unauthorized and unwanted SMS messages.
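The pattern Daswani describes, an identifier sent without SSL and only lightly obscured, is what a behavioral scanner watching an app's outbound traffic looks for. The following is an added example and is not Dasient's tooling or code from the original article: a small Python checker that takes outbound request URLs, flags those that use cleartext HTTP, and looks for IMEI values in query parameters whether they are sent plainly, hex-encoded, or base64-encoded. It uses the IMEI's Luhn check digit to cut down on false matches against other 15-digit numbers. The sample requests, host names, and parameter names are constructed for this example and are assumptions, not data from the study.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not captured from any real app). They mimic a
# third-party library phoning home with an IMEI in the clear, hex-encoded,
# base64-encoded, and one benign HTTPS request that carries no IMEI at all.
SAMPLE_REQUESTS = [
    "http://ads.example.com/track?imei=490154203237518&ver=1.2",
    "http://stats.example.com/ping?d=343930313534323033323337353138",
    "http://stats.example.com/ping?d=NDkwMTU0MjAzMjM3NTE4",
    "https://api.example.com/v1/config?locale=en_US",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check as used by IMEI: the 15th digit is a check digit over the first 14."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value: str) -> bool:
    """True for a 15-digit string whose Luhn check digit is correct."""
    return len(value) == 15 and value.isdigit() and luhn_valid(value)


def decoded_forms(token: str):
    """Yield (encoding, decoded_text) for the token as-is and for its hex and base64 decodings."""
    yield "plain", token
    # 15 ASCII digits hex-encode to exactly 30 hex characters.
    if len(token) == 30 and re.fullmatch(r"[0-9a-fA-F]+", token):
        try:
            yield "hex", bytes.fromhex(token).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass
    # Base64 tokens are a multiple of 4 characters from the base64 alphabet.
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        try:
            yield "base64", base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass


def find_imei_leaks(url: str):
    """Return (transport, parameter, encoding, imei) for every IMEI-looking query value in url."""
    parts = urlsplit(url)
    transport = "cleartext" if parts.scheme == "http" else parts.scheme
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for encoding, decoded in decoded_forms(value):
            if looks_like_imei(decoded):
                findings.append((transport, name, encoding, decoded))
    return findings


def scan(requests):
    """Scan a list of request URLs; returns a dict of url -> findings for requests that leak."""
    return {url: hits for url in requests if (hits := find_imei_leaks(url))}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        for transport, param, encoding, imei in hits:
            print(f"{url}\n  IMEI {imei} in '{param}' ({encoding}) over {transport}")
```

The hex and base64 branches are there because "obscured" data is exactly what a scanner that only greps for 15 digits will miss; a real checker would also look at POST bodies and headers, and would treat a match over HTTPS as a privacy finding even though the transport itself is encrypted.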
"While sending email spam is bad, at least the user doesn't get charged per message for them," Daswani said.
With regard to permissions, Daswani noted that Android has a permission model in which apps must ask the user for the permissions they require. The user needs to click 'Allow' for the app to have those permissions. In some cases, users click to accept without understanding the implications.
It is also possible, according to Daswani, that there are a number of potential circumventions by which an app can act without having permission. The root cause of potential Android insecurity is that functionality and features have come before security considerations in the race to gain market share.
"I do think that going forward the app stores, the carriers, and other players in the ecosystem will have to have some kind of countermeasures," Daswani said. "For example, when you load an app to an app store, perhaps it should be scanned for risk before it gets publicly listed."