I have an Android phone, and while it’s good that Android does have some sandboxing, permissions and security against rogue apps, I’m not very happy with the security model and how it appears to be abused in the Android Market.
1. Almost every one of the top 20 free games on Android ‘requires’ internet access. Whether it needs this for global high score tables, to show me advertising, to spy on me, or to download additional malware, I do not know.
2. There is no way to deny internet access to a specific app that supposedly ‘needs’ it. Well, there is one way: you must get root on your phone (voids the warranty). Then install iptables, then install ‘droid wall’. This is far beyond the ability of normal users, and it is pushing the limits of what I can be bothered to do myself. A per-app firewall should be shipped with Android. Please vote for this by signing in and clicking the star at the bottom of that page.
3. A large proportion of the most popular free games request other permissions that are not in any way related to their function, and could severely compromise privacy and security if they were abused. One example is the exact gps location. Perhaps this is needed for google analytics or similar to track usage of the app, but this permission might easily be abused.
4. Every app has read access to the whole SD card, where photos go (on my phone at least). This worrisome fact is not emphasized, and most users would not be aware. Combined with the almost universal internet access, an app has all the permissions needed to steal private documents, steal personal photos and videos, index media, and report or send content to anyone on the internet. It is trivial for any competent coder to write such an app, he does not need to be a skilled cracker. I could write such an app in just a few pages of simple code.
5. Any app that requests the old Android 1.4 API is also given full write/delete access to the SD card, and the user is not alerted to this when installing the app. (This was done for compatibility reasons, because full access used to be allowed by default). Any such app has the capability to erase the SD card, although the user was not told it had write access to the SD card. Combined with internet access, an app could turn my phone and SD storage into a p2p drone node for illegal content.
6. I’m aware that my N900 Maemo phone has a much weaker security model than Android in many ways. However since the vast majority of apps on Maemo are free/libre open source software based on Debian, I am not very much concerned that they might contain malware. Does any software in Debian do any sort of spying or unauthorized ‘phone home’ whatsoever? I don’t recall any instance of deliberate malware, spyware or adware in Debian, Ubuntu or Maemo.
7. The Android market is altogether different from Debian, it feels more like the windows ‘freeware’ market, where random popular stuff may very likely contain spyware, and many apps ‘phone home’ without the user’s permission. It possible for a skilled cracker to write a program that will gain root on your device and completely break its security. The Android market provides little protection against the deployment of such a program.
8. There is a large market for stolen celebrity / amateur nude photos and video clips. An android app with only the ‘internet access’ permission could identify and steal such media from a person’s SD card, and the user would never know that it had even sent data to the internet. I guess that every second person who is in a sexual relationship and has a digital camera has taken such risque or sexual photos or videos. I don’t find it acceptable that any Android app with internet access could steal and publish private media without the user’s permission or knowledge. An intelligent attacker might write or buy an excellent game, hide malware in it, delay activation for 6 months, then collect huge quantities of media and valuable documents from perhaps 10 million users around the world. Such a collection which would have a huge market value.
9. Android’s security model is good for developers but not for users. The name ‘Android’ suggests an intelligent living device that can do whatever it likes. In fact, in spite of the security model, the majority of Android apps have excessive freedom to do whatever they like. The security model is much weaker than the Java or flash applet security model for example, while most Android apps such as games do not need capabilities beyond displaying graphics, playing sounds and reading input devices (not gps!).
10. So, may I suggest that the next time you want install an Android app that requests internet access, even if it’s very popular, don’t install it until you feel you can really trust the developer – and anyone he might sell the app to in future. Instead, go and nag google into implementing a decent firewall (and a better security model).
Please correct me if you think I have made some error here. Comments will be approved if they are polite.