Android security at your hands

I have written posts about this before, but this never goes out of season.

Debate

The debate amongst geeks (you and me) is often wether Android, iPhone, Blackberry or some other *phone is the most secure. In the wrong hands – it does'nt really matter. iPhone and Android, as an example, does'nt differ that much from each other when talking about system security. But, if we talk "concept" security, Android is not there yet. Introducing the "Bouncer" (http://googlemobile.blogspot.com/2012/02/android-and-security.html), we would expect malicious Android apps to be cleaned out from Android Market.

The weakest link

The weakest link however, is You. The user. Ever since the first man made machine, car, computer, or wathever – if something really got messed up, there's a good chance that the helping hands of a human being made it happen. It have always been that way. It reminds me of a recent research wether men or women were the worst drivers. One man answered: "Women are worst! Everytime I've been in a car crash, there was woman driving the other car". No one's perfect. Off topic..sorry..

So besides installing antivirus on your Android, consider these tips

  • Do you really need that app? Very often, an app is just a nicer packaging of a feature thats already shipped with the phone.
  • Do you use the apps you have installed? Uninstall the ones you dont use.
  • Who's behind the app? Android Market is full of aspiring programmers, and most often they do a really good job and deserves attention. But sometimes it's better to stick with known companies. Beware! Spend a few minutes on research – sometimes that developer is not really the one you expected it to be. A good way to introduce malware is to take the shape of a known developer, with similar logo and similar name.
  • Take a relly good look at permissions! These are presented right before you click "Accept & Download". Most malware or badware slips through at this point, as most users dont really care. See next chapter on this.

Permissions

Ok, what do you want from your app? Of course you have a certain need, otherwise you would'nt install it. Here's where you need to pay attention. A "Sticky note" app may not need to have write permissions to your SD card, or read account credentials, or read your phonebook contacts.

A "Flashlight" app may not need to make calls or send messages.

A "Notepad" app may not need to know your exact location.

The list goes on. You need to know what you expect from that app, and then you know what you expect the app to carry out. If the app is capable of way more than it is supposed to do, this is a warning. It may not be malicious intention behind it, but chances are that you will never know. Be on the safe side, and by being a little critical you will help the programmer community doing better apps.

Looking at Android Market, both in feature descriptions and user comments, "less" permissions get more and more important. This is good!

I give you two screenshots of an RSS Widget. You give me your opinion wether this is too much permissions or not..

Android app screenshot 1

Android app screenshot 2

Tagged with: , , , ,
Posted in Infosec, Main blog

Leave a Reply