Pentagon Decision Moves Android Security Forward

The Pentagon’s decision to endorse a hardened version of Android for use inside the DoD is a smart move forward, experts said. A wholesale blessing of the Android platform isn’t possible given the various flavors of the OS. Meanwhile, attackers continue to probe deeper at kernel and OS flaws.

Android’s security gets its share of grief, but perhaps it’s been a bit misguided. Like many other popular open source technologies, there are a number of different flavors of the mobile platform, each with its security properties and nuances.

That’s why the Pentagon’s decision to endorse the use of Android inside the Department of Defense merits a second look. This wasn’t a wholesale blessing of Android as a platform, but a specific accreditation of one hardened version of the OS. And for now, that’s the way it’s got to be.

Android’s security woes aren’t necessarily tied to a shoddy OS or an exposed kernel; there have been few documented exploits of either. Instead, hackers find it much more economical to chip away at the application ecosystem around it. It’s trivial to write a malicious app, sneak it past the sleeping guard at the gate of the Google Play store or some third-party site serving Android apps, to then own a bunch of devices.

What’s difficult and expensive is writing exploits for known vulnerabilities at the core of the platform. Exploit writers have a difficult time circumventing Apple’s top-to-bottom control over iOS. Apple not only keeps its source code closed, but also lords over hardware manufacturing and shipping. You don’t have the angst Android suffers with its handset makers and wireless carriers force-feeding users their apps, or holding back on features and security updates. And never mind the walled garden that is the Apple App Store, which requires all apps developed for iOS be signed by Apple and that developers actually prove they are who they say they are. This is very much unlike Google Play where a credit card gets you in the door for keeps.

That’s the plight of the consumer Android user whose personal and payment information is at risk to the exploits of identity and credit card thieves. Enterprises whose intellectual property is the soul of the business have been flailing in the wind because of BYOD, finding it near impossible to meet the demands of a mobile workforce, yet keep data safe. That’s a different realm where the network access afforded by a mobile device could result in a company’s secret sauce walking out the door. The DoD’s approach is one that more organizations could soon emulate given that surely some hacker somewhere is already poking holes in the Android OS rather than building another untrustworthy app.

“I’d argue that mobile operating system and platform security is a major concern for security-sensitive organizations, more so than the application ecosystem,” said Duo Security CTO Jon Oberheide. “Many malicious applications out there, or at least the ones that folks like the DoD are concerned with, target the mobile platform itself and exploit latent vulnerabilities that allow an attacker full control over the device.”

Recently, Azimuth Security researcher Dan Rosenberg was able to exploit a vulnerability in the Trust Zone running on a number of Motorola Android devices that allowed him to jailbreak the device. The outcome was relatively benign, but he proved it that a kernel-level exploit could be pulled off and others surely were watching.

Trust Zones are a security technology integrated into ARM processors that allows a device to run security-related technology in a separate kernel isolated by the processor from whatever else is running on the phone, Rosenberg explained.

“Trust Zones have been black box technologies in the past and not a lot of research has been done on the various implementations and whether they are robust,” Rosenberg told Threatpost. “So a lot of people treated it as a one size fits all solution because no one looked at it. Finding vulnerabilities in the Trust Zone could have significant ramifications for the security of devices if the platform is relying on Trust Zones to do security tasks.”

One such device that will implement Trust Zone is the Samsung KNOX-based Android phone endorsed by the DoD. KNOX borrows from the desktop security world heavily with its use of virtualized partitions, or containers, to separate business data from personal data on the same device. The Qubes operating system developed by Joanna Rutkowska operates on a similar, yet stricter concept, separating the operating system into separate domains. Each domain has its own security policy and access controls.

“KNOX seems like one of the first Android solutions that takes multipronged approach to securing the  platform, segmenting data and implementing hardening measures to secure the OS and kernel, which is frequently missing from security solutions,” Rosenberg said. “Many rely on the OS as a trusted base, but the reality is, if you’re able to exploit the OS, you can subvert the protections sitting on top of it. This is one thing they’re doing well, but only time will prove if the implementation is robust.”

Android malware numbers, again mostly via applications, continue to climb. Duo Security’s X-Ray mobile vulnerability assessment application was introduced last summer. In September, a first run-through of the application against Android devices showed that more than 50 percent had unpatched vulnerabilities.

“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far,” Oberheide wrote in a blogpost at the time. “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”

Indeed, the carriers and handset makers have come under fire for failing to provide timely security updates for Android, contributing to the skyrocketing numbers of malicious apps and exposed vulnerabilities. In February, the U.S. Federal Trade Commission came down hard on handset makers HTC, and in April, the American Civil Liberties Union asked the FTC to investigate the four leading wireless carriers’ lack of Android security updates for consumers.

KNOX seems to be a positive step forward, but even the experts are cautious.

“Knox adds a good deal of security functionality beyond the core Android platform, but like any security technology, isn’t perfect,” Oberheide said, noting Rosenberg’s Trust Zone hack. “I expect many more to surface as that attack surface attracts more attention.”

Suggested articles