android security model is inadequate, and it needs a firewall

I have an Android phone, and while it’s good that Android does have some sandboxing, permissions and security against rogue apps, I’m not very happy with the security model and how it appears to be abused in the Android Market.

1. Almost every one of the top 20 free games on Android ‘requires’ internet access. Whether it needs this for global high score tables, to show me advertising, to spy on me, or to download additional malware, I do not know.

2. There is no way to deny internet access to a specific app that supposedly ‘needs’ it. Well, there is one way: you must get root on your phone (voids the warranty). Then install iptables, then install ‘droid wall’. This is far beyond the ability of normal users, and it is pushing the limits of what I can be bothered to do myself. A per-app firewall should be shipped with Android. Please vote for this by signing in and clicking the star at the bottom of that page.

3. A large proportion of the most popular free games request other permissions that are not in any way related to their function, and could severely compromise privacy and security if they were abused. One example is the exact gps location. Perhaps this is needed for google analytics or similar to track usage of the app, but this permission might easily be abused.

4. Every app has read access to the whole SD card, where photos go (on my phone at least). This worrisome fact is not emphasized, and most users would not be aware. Combined with the almost universal internet access, an app has all the permissions needed to steal private documents, steal personal photos and videos, index media, and report or send content to anyone on the internet. It is trivial for any competent coder to write such an app, he does not need to be a skilled cracker. I could write such an app in just a few pages of simple code.

5. Any app that requests the old Android 1.4 API is also given full write/delete access to the SD card, and the user is not alerted to this when installing the app. (This was done for compatibility reasons, because full access used to be allowed by default). Any such app has the capability to erase the SD card, although the user was not told it had write access to the SD card. Combined with internet access, an app could turn my phone and SD storage into a p2p drone node for illegal content.

6. I’m aware that my N900 Maemo phone has a much weaker security model than Android in many ways. However since the vast majority of apps on Maemo are free/libre open source software based on Debian, I am not very much concerned that they might contain malware. Does any software in Debian do any sort of spying or unauthorized ‘phone home’ whatsoever? I don’t recall any instance of deliberate malware, spyware or adware in Debian, Ubuntu or Maemo.

7. The Android market is altogether different from Debian, it feels more like the windows ‘freeware’ market, where random popular stuff may very likely contain spyware, and many apps ‘phone home’ without the user’s permission. It possible for a skilled cracker to write a program that will gain root on your device and completely break its security. The Android market provides little protection against the deployment of such a program.

8. There is a large market for stolen celebrity / amateur nude photos and video clips. An android app with only the ‘internet access’ permission could identify and steal such media from a person’s SD card, and the user would never know that it had even sent data to the internet. I guess that every second person who is in a sexual relationship and has a digital camera has taken such risque or sexual photos or videos. I don’t find it acceptable that any Android app with internet access could steal and publish private media without the user’s permission or knowledge. An intelligent attacker might write or buy an excellent game, hide malware in it, delay activation for 6 months, then collect huge quantities of media and valuable documents from perhaps 10 million users around the world. Such a collection which would have a huge market value.

9. Android’s security model is good for developers but not for users. The name ‘Android’ suggests an intelligent living device that can do whatever it likes. In fact, in spite of the security model, the majority of Android apps have excessive freedom to do whatever they like. The security model is much weaker than the Java or flash applet security model for example, while most Android apps such as games do not need capabilities beyond displaying graphics, playing sounds and reading input devices (not gps!).

10. So, may I suggest that the next time you want install an Android app that requests internet access, even if it’s very popular, don’t install it until you feel you can really trust the developer – and anyone he might sell the app to in future. Instead, go and nag google into implementing a decent firewall (and a better security model).

Please correct me if you think I have made some error here. Comments will be approved if they are polite.

This entry was posted in Uncategorized. Bookmark the permalink.

16 Responses to android security model is inadequate, and it needs a firewall

  1. brendanscott says:

    try free otfe

    http://www.freeotfe.org/

    On the assumption that your spam filter will filter this out I’m including a paragraph to make it seem like I’m a human being (really, I am).

    • sswam says:

      Disk encryption would probably not help protect from spyware, as the apps would still have read access to the mounted filesystem. encfs (fuse) on linux does usually grant read access only to a single user, however I suppose this would make it next to useless on android where every app runs with a different uid – no apps would be able to access the data.

  2. johnflan says:

    full read access combined with no firewall is worrying

  3. Pingback: Tweets that mention android security model is inadequate, and it needs a firewall | Sam's Hacktastic Blog -- Topsy.com

  4. Wayne says:

    Windows phone 7 or iPhone for the win. This is another reason why…

    • sswam says:

      I don’t know much about either platform, but the iphone at least has does its own security / privacy problems. I would be surprised if windows phone were any more secure than Android or the iphone. The iphone SDK also has major licensing problems for developers, see http://sam.ai.ki/apple.html

      • Luca says:

        That is outdated. 3.3.1 is no more.

        Some info on iOS:

        1) you can’t download and execute code from web
        2) you can use only official API
        3) your code is screened by Apple before your app hits the store
        4) 1 + 2 + 3 should work as an upfront spyware / malware / virus detection
        5) you shouldn’t phone home just to track user activity
        6) one app can’t access data produced by any other app (still can access photos, contact, using the official API)
        7) a standard warning alerts you that an app want to geolocate you, making a call or send an SMS
        8) Geolocation can be blocked for any app or just some apps

        As any system, it can be gamed. Users are actually confident about downloading random apps from random publishers, so its somehow working.

        I have shipped a dozen of apps in the last 2 years, some has been successful; but you can’t find a smartphone in my pocket.

      • sswam says:

        @Luca, for me rather than screening code, I would prefer if the system keeps each an app in a tight ‘sandbox’ (or jail cell), with access to exactly what it needs and nothing else. Then I don’t have to care if it contains any virus – the virus can’t do anything. Browsers sort of try to do this with Javascript. I also need to see exactly what the configured permissions are. The app author should not be allowed to specify the permissions. This should be done by the OS vendor, the community, or the user.

        An app does not need to read my filesystem, in order to work with random files. I can find the file in a browser program, then give it to the app. The browsers sort of do this with file uploads. Acorn RISC OS did it better (although there was no security).

        There should be no ‘one click vulnerability’, where an app can request permission to screw you over, and you could accidentally grant it.

        There would be no need for anti-virus programs, app stores, or security audits of app code, if the system security model is right.

        I doubt Apple goes over every app with a microscope to check for malware. Meanwhile, the limitations cripple what can be done on iOS, such that an iOS device is not really a general purpose computer (unlike N900 or Pandora for example)

        Perhaps a Plan 9 phone could do what I would like! But that system is also not designed for the level of security I desire.

        Not every system can be “gamed”. I can write an interpreter that does useful stuff, but cannot damage, exploit, or even DOS my system. Experts should be able to create VMs that execute machine code, but that code cannot break out (if the processor works correctly). It might be easier if we had simpler processors.

        *nix SHOULD be secure from local exploits, but even openbsd and Plan 9 have had local root exploit/s. I can only find reference to one Plan 9 exploit! It’s a well designed system, with good quality code (I suppose), but it has very few users.

  5. Andreas says:

    Some very good points!

    I’d like to add that Google should add optional permissions. A game that needs internet access for highscores should still be playable without internet connection. It only cannot share highscores with other users. Currently, something like this is not possible. It’s “eat or die” mentality.

    Beyond that, there is no need for a firewall. An app that has access to Internet can transmit whatever data it wants. It just has to use encryption and/or steganography.

    I would like to see an app store that entirely consists of open source software, like Debian for example. That way, everyone could reassure themselves that downloaded apps do not contain any malware.

  6. Miles Wolbe says:

    There is no way to deny internet access to a specific app that supposedly ‘needs’ it. Well, there is one way: you must get root on your phone (voids the warranty). Then install iptables, then install ‘droid wall’.

    Note that as of Droid Wall v1.4.0 iptables is included.

  7. John says:

    The security model in Symbian is much more stricter, and the APIs in use are poiliced more thoroughly than on any other platform.

    J.

  8. Rajiv says:

    Now, the only way of throwing out rogue apps from the Android Market is for Google to do review every single app, a la Apple and the App Store. Unless Google does that you cannot expect decent enough security on the Android Market. Though not sure if Google would do that though as it is against their “open” principles.

  9. Jamie Wallace says:

    There’s a smartphone OS that does all these things — Blackberry. It is being bypassed and losing market share. Plus, every app I installed would ask for permissions, but I would accept their defaults almost every time.

    OS makers have come out and said they are not putting in these features because the market is not asking for them.

  10. Dirk says:

    Hi!

    Thanks for the post!

    I just installed Droid Wall and it seems to work as advertised.

    I’d also like to have something similar for guarding the positioning information an app can get. I would like to whitelist certain applications who get accurate GPS and celltower positionig information. Others should get only obfuscated or no positioning information at all.

    Regards,
    Dirk

  11. Pingback: Links October 2010 | etbe - Russell Coker

  12. highlander says:

    I was looking how to install iptables in my galaxy 551 when I found your blog. I’m worried about it. We are very easy. google can find our location, pick our photos, read our emails, copy our documents. Where we going to end? Still worse, 99% of the people does not care about it! But i don’t know if we can do something about it, anything that you try to do google will undo, thats for sure. Any ways if somebody knows how install iptables(not from google hehe) on android let me know.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s