Android security

[Arcanez]

they there,

I am a complete noob when it comes to mobile phones and security. Never the less I got myself a new smart phone which is based on the android OS and I wonder if there's anything to do security-wise before surfing the internet or doing something else. I know there are some security suites out there for mobile phones like Gdata, Symantec or Kaspersky but are these really necessary? Any help is appreciated.

thanks!

[Hungry Man]

No those mobile sweets are not necessary and they do almost nothing. Android sandboxes all applications and there are severe limitations on them - this prevents malware from being able to do serious damage and it prevents AVs from being useful in any way.

Android's fairly secure in terms of exploit mitigation.

One easy way to stay secure is to root your phone. This means you can remove applications that are built in and control things at a very low level. The problem is that you are bypassing some hardware security for more software security (bypassing the bootloader to enhance the kernel.) That's a road you can explore if you're interested.

Otherwise your phone is fine as it is. Be wary of applications on the market but otherwise you should be fine.

[x942]

+1

But if you are using a Nexus Series phone you can re-lock it again without losing your data or root.

Also if you only download from the market you should be fine, just don't install anything that has weird permissions (I.E. a Game that wants contacts and GPS data is likely trying to steal your info and sell it).

[thesawisfamily17]

try dr web lite,awsome program for the andriod.

[Arcanez]

Quote:

Originally Posted by x942

+1 But if you are using a Nexus Series phone you can re-lock it again without losing your data or root.

I'll be getting the Motorola Razr, guess I will leave it as it is like you guys said. And I think I will recognize if any application behaves suspicious. Thanks for your help :]

[FanJ]

I know nothing about Android (my mobile phone is just that: a phone and nothing more, besides the fact that it is for folks with bad eyes).
However, I have a question: If Android is so secure as stated in this thread, why do I notice every day in the definitions update for NOD32 a long list of Android-malware? Just look in the Updates Alert sub-forum where Ronjor posts daily the NOD32 defs updates. I took here NOD32 just as an example.
Why o why is there a need to add so much defs for Android-malware if Android is so secure

@ FanJ- because anyone can write an app for Android. I think a lot of people get in trouble when they look for the "free" version of a popular app that costs money.

I'm interested to hear thoughts from others...

[Hungry Man]

FanJ.

Android's market is very open. There has only recently (last few months) been a screening process to get in, and it's automated.

Android's security lies in restrictions applied to the applications and running software within a Java VM - contrary to what may seem like common sense Java is actually very secure and it isn't as easy to exploit Java as it is C/C++.

Exploiting a sandboxed application leaves you stuck in the sandbox. You can then try to exploit the Java VM or possibly the Linux layer (I believe most root exploits happen on the linux layer... but I may be confusing the two.)

The problem is that users can still install socially engineered malware, which can declare and work within its own sandbox.

This hasn't actually been much of an issue and AV vendors are blowing it out of proportion.

Why do you see so many thinsg added? Because all they can do is take a validation signature and add it to the list. No heuristics or fancy hips on Android.

[FanJ]

Quote:

Originally Posted by Hungry Man

Android sandboxes all applications

Quote:

Originally Posted by Hungry Man

FanJ.
Exploiting a sandboxed application leaves you stuck in the sandbox.

Quote:

Originally Posted by Hungry Man

The problem is that users can still install socially engineered malware, which can declare and work within its own sandbox.

Hungry Man,

Do you see what you are saying? (although I may have quoted out-of-context)

IMHO it can only lead to the conclusion that Android isn't that secure as suggested in this thread.

Quote:

and AV vendors are blowing it out of proportion.

I doubt very much what you are saying there.

BTW there is the chance of cross platform infection.
If Android was so secure as suggested in this thread, that chance would hardly exist if at all.

[Hungry Man]

I'll elaborate.

Applications declare their own sandboxes. So if Application A declares it wants rights to store data and read my number that's all it can do. If Application A is exploited, the exploit can only store data and read my number.

That said, if you install malware from the market it can declare a sandbox that can read everythin and write everywhere. At that point it's up to the user to say "Does this applicaiton really need these rights?" and to check up on the author. There is also the heuristics on Google's end.

Quote:

I doubt very much what you are saying there.

Almost all android malware for the last year has been proof-of-concept non-functional "testing the waters" stuff. There has only ever been premium SMS malware and in a few very rare and very spread out cases a malware that exploited android to gain root - this was very brief and was removed quickly and I haven't seen anything like it again.

Android 4.0 also includes SELinux support in the kernel as well as ASLR (though weak.) ASLR is less important on Android - bounds checking is done by Java on compile time and there should be runtime checks as well done by the VM. It's on the linux layer so it's still useful.

Quote:

BTW there is the chance of cross platform infection.

Not sure what you're talking about here - cross platform? You can't get infected on Windows or OSX by Android malware. Not even Linux.

In fact, Android has its own implementation of a JavaVM, DalvikVM. This means that exploits in Oracle's Java VM or even OpenJDK do not apply to Android.

[x942]

Quote:

Originally Posted by FanJ

Hungry Man,

Do you see what you are saying? (although I may have quoted out-of-context)

IMHO it can only lead to the conclusion that Android isn't that secure as suggested in this thread.




I doubt very much what you are saying there.

BTW there is the chance of cross platform infection.
If Android was so secure as suggested in this thread, that chance would hardly exist if at all.

Adding on to what HM Said:

The security comes down to not install random apps from 3rd parties (Unknown Sources), not installing pirated apps, and not installing apps with weird permisions (like a game that wants your IMEI number and contact list and GPS Data).

Do that and your fine. Research apps. Does it have 5 stars? How many people have downloaded it? What are the comments?

If you are still unsure grab a free AV (There are lots of them; Avast/Eset/Webroot/F-Secure/AVG/Norton and so on). I would use Avast as it's free, doesn't use much memory and has Anti-theft built in (with options for rooted devices too).

Most (if not all) of the "malware" for android is social engineering and most of them only steal data to sell to advertisers. Not that damaging but still not something you want.

[FanJ]

OK, thanks guys for your info.

Some more for example:

Android, Malware and Rehabilitation
by David Harley (ESET Senior Research Fellow)

Appstore security: 5 lines of defence against malware
by ENISA, the European Network and Information Security Agency.

[Hungry Man]

I've read the first link before. I'll consider getting to the second one later.

The first link was interesting.

Does anyone else get annoyed when security websites give you a pdf to download?

[PunchsucKr]

Security on Android is basically what we already know for windows... install software from trusted sources and locations. In addition to that permissions are visible which should be checked as well...and remembering that good things in life are not always free.

Alarmingly, right now i can see two trending apps, both are apparently targeted at an Indian audience, which can send sms messages as well as make calls and a variety of other permissions... both do have low(ish) ratings though.

[Narxis]

Quote:

Originally Posted by Arcanez

they there,

I am a complete noob when it comes to mobile phones and security. Never the less I got myself a new smart phone which is based on the android OS and I wonder if there's anything to do security-wise before surfing the internet or doing something else. I know there are some security suites out there for mobile phones like Gdata, Symantec or Kaspersky but are these really necessary? Any help is appreciated.

thanks!

I think antivirus on android is not necessary but recommended. Almost every antivirus has anti-theft protection and if your phone is lost or stolen you can find it and/or wipe its data with a single sms command. Also you can lock it so whoever has your phone can't use it with another SIM-card.

I found that Dr. Web and Kaspersky is very good. On the free side i recommend Avast or Zoner.

[jago25_98]

I agree Android can be pretty secure but even with all the care in the world there's still leaks. For example,

Cross site scripting browser exploits aren't protected against though, since the browser needs read access;
you might want to be able to upload a photo you've taken to this forum for example.

So,

I suggest using one time paper passwords or using Google Authenticator on an old spare j2me only phone... but of course this only works with Google OpenID.
I despise the reactive rather than proactive approach of antivirus but it could be useful as an extra step in that you could actually run the scan on your desktop, or online.

Comments?

-j

[x942]

Quote:

Originally Posted by jago25_98

I agree Android can be pretty secure but even with all the care in the world there's still leaks. For example,

Cross site scripting browser exploits aren't protected against though, since the browser needs read access;
you might want to be able to upload a photo you've taken to this forum for example.

So,

I suggest using one time paper passwords or using Google Authenticator on an old spare j2me only phone... but of course this only works with Google OpenID.
I despise the reactive rather than proactive approach of antivirus but it could be useful as an extra step in that you could actually run the scan on your desktop, or online.

Comments?

-j

Few things:

1) Google Authenticator is opensource and can work with anything that incorporates it server side. LastPass now supports it and even PAM on Linux. No need for a google account or OpenID.

2) The browser is still sandboxed, it was broken before but has been fixed. Also now with chrome available for Android XSS is not a huge concern, as chrome has built in protection against XSS.