Android security

Discussion in 'other security issues & news' started by Arcanez, Feb 20, 2012.

Thread Status:
Not open for further replies.
  1. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    Hey there,

    I am a complete noob when it comes to mobile phones and security. Nevertheless, I got myself a new smartphone which is based on the Android OS, and I wonder if there's anything to do security-wise before surfing the internet or doing something else. I know there are some security suites out there for mobile phones like Gdata, Symantec or Kaspersky, but are these really necessary? Any help is appreciated.

    thanks!
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, those mobile suites are not necessary and they do almost nothing. Android sandboxes all applications and there are severe limitations on them - this prevents malware from being able to do serious damage and it prevents AVs from being useful in any way.

    Android's fairly secure in terms of exploit mitigation.

    One easy way to stay secure is to root your phone. This means you can remove applications that are built in and control things at a very low level. The problem is that you are bypassing some hardware security for more software security (bypassing the bootloader to enhance the kernel.) That's a road you can explore if you're interested.

    Otherwise your phone is fine as it is. Be wary of applications on the market but otherwise you should be fine.
     
  3. x942

    x942 Guest

    +1

    But if you are using a Nexus Series phone you can re-lock it again without losing your data or root. :)

    Also, if you only download from the market you should be fine, just don't install anything that has weird permissions (i.e. a game that wants contacts and GPS data is likely trying to steal your info and sell it).
     
  4. thesawisfamily17

    thesawisfamily17 Registered Member

    Joined:
    Jul 5, 2011
    Posts:
    30
    Try Dr. Web Lite, awesome program for the Android.
     
  5. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    I'll be getting the Motorola Razr, guess I will leave it as it is like you guys said. And I think I will recognize if any application behaves suspiciously. Thanks for your help :]
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    I know nothing about Android (my mobile phone is just that: a phone and nothing more, besides the fact that it is for folks with bad eyes).
    However, I have a question: if Android is so secure as stated in this thread, why do I notice every day in the definitions update for NOD32 a long list of Android malware? Just look in the Updates Alert sub-forum where Ronjor posts the NOD32 defs updates daily. I took NOD32 here just as an example.
    Why oh why is there a need to add so many defs for Android malware if Android is so secure :ouch:
     
  7. BrandiCandi

    BrandiCandi Guest

    @ FanJ- because anyone can write an app for Android. I think a lot of people get in trouble when they look for the "free" version of a popular app that costs money.

    I'm interested to hear thoughts from others...
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    FanJ.

    Android's market is very open. There has only recently (last few months) been a screening process to get in, and it's automated.

    Android's security lies in restrictions applied to the applications and running software within a Java VM - contrary to what may seem like common sense Java is actually very secure and it isn't as easy to exploit Java as it is C/C++.

    Exploiting a sandboxed application leaves you stuck in the sandbox. You can then try to exploit the Java VM or possibly the Linux layer (I believe most root exploits happen on the Linux layer... but I may be confusing the two.)

    The problem is that users can still install socially engineered malware, which can declare and work within its own sandbox.

    This hasn't actually been much of an issue and AV vendors are blowing it out of proportion.

    Why do you see so many things added? Because all they can do is take a validation signature and add it to the list. No heuristics or fancy HIPS on Android.
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hungry Man,

    Do you see what you are saying? (although I may have quoted out-of-context)

    IMHO it can only lead to the conclusion that Android isn't as secure as suggested in this thread.


    I doubt very much what you are saying there.

    BTW there is the chance of cross platform infection.
    If Android was so secure as suggested in this thread, that chance would hardly exist if at all.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I'll elaborate.

    Applications declare their own sandboxes. So if Application A declares it wants rights to store data and read my number that's all it can do. If Application A is exploited, the exploit can only store data and read my number.

    That said, if you install malware from the market it can declare a sandbox that can read everything and write everywhere. At that point it's up to the user to say "Does this application really need these rights?" and to check up on the author. There is also the heuristics on Google's end.

    Almost all Android malware for the last year has been proof-of-concept non-functional "testing the waters" stuff. There has only ever been premium SMS malware and in a few very rare and very spread out cases a malware that exploited Android to gain root - this was very brief and was removed quickly and I haven't seen anything like it again.

    Android 4.0 also includes SELinux support in the kernel as well as ASLR (though weak.) ASLR is less important on Android - bounds checking is done by Java on compile time and there should be runtime checks as well done by the VM. It's on the Linux layer so it's still useful.

    Not sure what you're talking about here - cross platform? You can't get infected on Windows or OSX by Android malware. Not even Linux.

    In fact, Android has its own implementation of a JavaVM, DalvikVM. This means that exploits in Oracle's Java VM or even OpenJDK do not apply to Android.
     
  11. x942

    x942 Guest

    Adding on to what HM Said:

    The security comes down to not installing random apps from 3rd parties (Unknown Sources), not installing pirated apps, and not installing apps with weird permissions (like a game that wants your IMEI number and contact list and GPS data).

    Do that and you're fine. Research apps. Does it have 5 stars? How many people have downloaded it? What are the comments?

    If you are still unsure grab a free AV (There are lots of them; Avast/Eset/Webroot/F-Secure/AVG/Norton and so on). I would use Avast as it's free, doesn't use much memory and has Anti-theft built in (with options for rooted devices too).

    Most (if not all) of the "malware" for Android is social engineering and most of them only steal data to sell to advertisers. Not that damaging but still not something you want.
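
The permission review that Hungry Man and x942 describe in the posts above can be partly automated. This is an added example, not part of the original thread: it assumes the app's `AndroidManifest.xml` has already been decoded to text, and the `SENSITIVE` and `EXPECTED` tables, the category names and the sample manifest are hypothetical values constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: permissions treated as sensitive, with what each one exposes.
SENSITIVE = {
    P + "READ_CONTACTS": "contact list",
    P + "ACCESS_FINE_LOCATION": "GPS location",
    P + "READ_PHONE_STATE": "phone identity (IMEI, number)",
    P + "SEND_SMS": "can send SMS, including premium numbers",
    P + "CALL_PHONE": "can place calls",
}
# Hypothetical baseline of what each app category plausibly needs.
EXPECTED = {
    "game": {P + "INTERNET", P + "VIBRATE"},
    "messaging": {P + "INTERNET", P + "READ_CONTACTS", P + "SEND_SMS"},
}

# Constructed sample: a decoded manifest for a made-up game.
SAMPLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free Game"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest must not carry a DTD")  # untrusted input
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, category):
    """List (permission, reason) pairs that are sensitive and outside the
    category baseline; an unknown category gets an empty baseline."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted((p, SENSITIVE[p]) for p in unexpected if p in SENSITIVE)

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_GAME, "game"):
        print(f"questionable for a game: {perm} ({reason})")
```

The same manifest audited as a messaging app no longer flags the contact list, which is the point of judging a permission against what the app claims to be.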
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I've read the first link before. I'll consider getting to the second one later.
     
  14. BrandiCandi

    BrandiCandi Guest

    The first link was interesting.

    Does anyone else get annoyed when security websites give you a pdf to download? :doubt:
     
  15. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    123
    Security on Android is basically what we already know for Windows... install software from trusted sources and locations. In addition to that, permissions are visible, which should be checked as well... and remembering that good things in life are not always free.

    Alarmingly, right now I can see two trending apps, both are apparently targeted at an Indian audience, which can send SMS messages as well as make calls and a variety of other permissions... both do have low(ish) ratings though.
     
  16. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    I think antivirus on Android is not necessary but recommended. Almost every antivirus has anti-theft protection and if your phone is lost or stolen you can find it and/or wipe its data with a single SMS command. Also you can lock it so whoever has your phone can't use it with another SIM card.

    I found that Dr. Web and Kaspersky are very good. On the free side I recommend Avast or Zoner.
     
  17. jago25_98

    jago25_98 Registered Member

    Joined:
    Mar 31, 2012
    Posts:
    1
    Location:
    UK
    I agree Android can be pretty secure but even with all the care in the world there are still leaks. For example,

    Cross site scripting browser exploits aren't protected against though, since the browser needs read access;
    you might want to be able to upload a photo you've taken to this forum for example.

    So,

    I suggest using one-time paper passwords or using Google Authenticator on an old spare J2ME-only phone... but of course this only works with Google OpenID.
    I despise the reactive rather than proactive approach of antivirus but it could be useful as an extra step in that you could actually run the scan on your desktop, or online.

    Comments?

    -j
     
  18. x942

    x942 Guest

    Few things:

    1) Google Authenticator is open source and can work with anything that incorporates it server side. LastPass now supports it and even PAM on Linux. No need for a Google account or OpenID.

    2) The browser is still sandboxed, it was broken before but has been fixed. Also now with Chrome available for Android XSS is not a huge concern, as Chrome has built-in protection against XSS.
     