By most measures, Google’s Android operating system for mobile devices has been a raging success. Since it was introduced in late 2007, Android has climbed quickly, replacing Research In Motion’s Blackberry as the top-ranked mobile phone operating system in the U.S. when measured by market share.
But growing user adoption has brought the attention of security researchers and malicious hackers, as well – and what they’ve found gives security professionals reason for concern. In its quest to dominate the market for mobile device platforms and applications, Google may unwittingly be making some of the same mistakes that rival Microsoft made when it tied up the desktop operating system market almost two decades ago: neglecting security in the name of features and functionality.
Security concerns aren’t unique to Google and Android. At this year’s Black Hat and DEFCON security conferences in Las Vegas, security researchers demonstrated a number of vulnerabilities in the GSM infrastructure used by next-generation smart phones and popular mobile platforms, including Apple’s iPhone as well as Google’s Android. An explosion of new devices, platforms and applications, coupled with rapid adoption, has pushed security issues to the background – at least for now.
“I feel like it’s 1998 all over again. Back Orifice has just arrived and we’re trying to figure out what to do with it,” said Chris Wysopal, CTO of application security testing firm Veracode, referring to the infamous remote administration software that highlighted the security failings of Microsoft’s Windows 98 operating system.
Security experts warn that Android’s rapid adoption by mobile carriers, its open platform and the competitive push to build a robust application ecosystem are the ingredients for a security meltdown.
Christian Papathanasiou and Nick Percoco, head of the SpiderLabs research group at managed security services firm Trustwave, said they were curious about how difficult it would be to design a rootkit program that could be made to run on Google’s Android operating system. The result of their inquiry, an application called “Mindtrick,” is a loadable kernel module (LKM) rootkit that has almost unchecked control over compromised devices, allowing hackers to remotely connect to hacked Android phones, intercept voice calls, and view or export GPS coordinates, contacts and SMS messages. The presentation echoed themes raised earlier in the year at the RSA Conference, where security researchers from TippingPoint demonstrated their ability to use a legitimate-seeming Android application to secretly communicate out to a botnet-type network, phoning in GPS coordinates and exporting sensitive data from compromised phones.
Asked about the Mindtrick application, a Google representative, speaking on condition of anonymity, responded, via e-mail, to say that the Android OS contains a number of features to prevent the installation of malware, including an application sandbox environment that limits access to the underlying OS, protection against stack and heap overflows and a remote application kill capability. “Installing a kernel mode application or rootkit requires a pre-existing security flaw, which Nick Percoco did not demonstrate at DEFCON,” the spokesperson wrote. “As you’d expect (Google) works hard to avoid these types of flaws that could permit such an installation.”
Asked whether Android’s open source nature made compromise easier, Percoco said that access to the operating system’s source code allowed him to overcome one technical hurdle in getting his rogue application to load on Android, a variant of Linux. However, though he chose to focus on Android, Apple’s iPhone could just as easily have been a target, even though its operating system source code isn’t open to viewing by developers.
“I think, when you compare Apple and Android, it’s not as much about security as control,” Percoco said in an interview with Threatpost. “Apple likes to control what people can do with their devices. (Google’s) Android doesn’t.” Neither company has applied much scrutiny to the applications that run on their devices, he said, citing the recent blowup over Handy Light, an iPhone flashlight application that was approved for sale on Apple’s AppStore despite a hidden feature that would allow iPhone users to offer tethered Internet connections – an offering that runs afoul of iPhone partner AT&T. “A tethering application versus a backdoor application, what’s the difference?” Percoco asked.
Wysopal agrees. “The key (with Handy Light) is that you have hidden functionality that uses particular APIs that Apple says you can’t use. If they’re not stopping that, it suggests that there’s not a lot of serious vetting of these applications.”
But Google’s wide open approach to Android and application development puts it in a slightly different category than Apple, and harks back to the OS wars of the 1990s, when another Apple competitor, Microsoft, similarly sought platform dominance by providing powerful tools and removing roadblocks for developers. “Google is playing that game where they want as many applications written as possible so they can ‘win’ the app game,” said Wysopal. “It’s just like Microsoft, who wanted Windows to become ubiquitous by having good development tools and courting people all over.”
Wysopal said that more caution is advisable now, as it was in the early days of Windows. “I’d say ‘let’s slow this down and weed out the bad stuff that may be getting through.’” But he’s not hopeful that competing vendors will heed that warning. Consumers – the target audience for devices like iPhone and Android – aren’t likely to show any more concern about mobile device security than they have for the security of their PCs, especially when weighed against the draw of new applications.
That’s almost certainly bad news for enterprises and other organizations that already have to contend with the new devices connecting to their networks, potentially creating a malware bridge that circumvents other network protections. However, pressure could mount if auditors start to scrutinize mobile security in determining compliance with industry and federal or state data privacy regulations, or if a reportable breach is linked to mobile malware, Wysopal, of Veracode, said.
In the long term, Google and Apple might consider introducing a variation on security features in Research In Motion’s Blackberry smart phones, including the ability to limit what applications can be installed on a device, or from what locations, he said. Google said that it has been gradually introducing security features to Android at the behest of enterprises. They include remote wipe capabilities that will erase data from lost or stolen devices, features to require strong passwords and a limit on the number of password attempts that are allowed before the device locks. The company said it is continuing to develop those capabilities, but isn’t ready to announce any new security features.