
Ask Slashdot: Android Security Practices?

Soulskill posted more than 2 years ago | from the avoid-installing-malicious-ai dept.

Android 173

Soft writes "Smartphone security recommendations seem to boil down to Windows-like practices: install an antivirus, run updates, and don't execute apps from untrusted sources. On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus. What rules should I adopt on my soon-to-be-bought Android device? Can I use it purely with open-source apps and still make the most of it? Are Android's fine-grained permissions (accessing the network, contacts...) reliable? Can apps be trusted not to scan your files and keyboard for passwords and emails? What precautions do security-conscious Slashdotters take to keep control of their phones?"


173 comments

Install a firewall (4, Informative)

girlintraining (1395911) | more than 2 years ago | (#36193940)

Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind). Disable their network access. If an application requires network access, bring it home, set it up on your home wifi network, and run a sniffer to find out where the data goes. You don't need to know what the data is per se. Then, try blocking as much of it as you can until the application stops working. You've now found the minimum amount of access that app needs to function.
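The procedure in the comment above (capture on the home network, see where the data goes, then block destinations until the app breaks) can be sketched as follows. This is an added example, not part of the original post; the phone address, the capture lines and the `app_still_works` stand-in for manually testing the app are all constructed assumptions.

```python
import re
from collections import defaultdict

PHONE_IP = "192.168.1.50"  # assumed address of the phone on the home Wi-Fi

# Constructed sample in the text format printed by `tcpdump -nn` for IPv4.
CAPTURE = """\
12:00:01.000100 IP 192.168.1.50.40000 > 192.168.1.1.53: 4660+ A? api.wallpaper.example. (39)
12:00:01.020300 IP 192.168.1.1.53 > 192.168.1.50.40000: 4660 1/0/0 A 198.51.100.7 (55)
12:00:01.050000 IP 192.168.1.50.51000 > 198.51.100.7.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
12:00:02.000000 IP 192.168.1.50.40001 > 192.168.1.1.53: 4661+ A? ads.tracker.example. (37)
12:00:02.015000 IP 192.168.1.1.53 > 192.168.1.50.40001: 4661 1/0/0 A 203.0.113.10 (53)
12:00:02.100000 IP 192.168.1.50.51001 > 203.0.113.10.80: Flags [P.], seq 1:1201, ack 1, win 229, length 1200
12:00:02.200000 IP 203.0.113.10.80 > 192.168.1.50.51001: Flags [P.], seq 1:301, ack 1201, win 227, length 300
12:00:03.000000 IP 192.168.1.50.51002 > 192.0.2.44.8080: Flags [P.], seq 1:65, ack 1, win 229, length 64
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PACKET = re.compile(rf"^\S+ IP ({IPV4})\.(\d+) > ({IPV4})\.(\d+): (.*)$")
DNS_QUERY = re.compile(r"^(\d+)\S* A\? (\S+)")
DNS_REPLY = re.compile(r"^(\d+)\S* \d+/\d+/\d+ (.*)$")
DNS_A = re.compile(rf"\bA ({IPV4})")
LENGTH = re.compile(r"length (\d+)")


def summarize(capture, phone_ip):
    """Return {(ip, port): {"names": [...], "out": bytes, "in": bytes}}."""
    pending = {}              # (client port, DNS id) -> name the phone asked for
    names = defaultdict(set)  # resolved IP -> hostnames that led the phone to it
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        sport, dport = int(sport), int(dport)
        if src == phone_ip and dport == 53:
            # DNS query: remember the name so the reply can be matched by id.
            q = DNS_QUERY.match(rest)
            if q:
                pending[(sport, q.group(1))] = q.group(2).rstrip(".")
        elif dst == phone_ip and sport == 53:
            # DNS reply: attach the queried name to every A record returned.
            r = DNS_REPLY.match(rest)
            name = pending.get((dport, r.group(1))) if r else None
            if name:
                for ip in DNS_A.findall(r.group(2)):
                    names[ip].add(name)
        else:
            # Any other packet: count payload bytes per remote endpoint.
            size = LENGTH.search(rest)
            size = int(size.group(1)) if size else 0
            if src == phone_ip:
                flows[(dst, dport)]["out"] += size
            elif dst == phone_ip:
                flows[(src, sport)]["in"] += size
    return {dest: {"names": sorted(names[dest[0]]), **stats}
            for dest, stats in flows.items()}


def minimal_allowlist(destinations, app_works):
    """Block one destination at a time; keep it blocked if the app still works."""
    allowed = set(destinations)
    for dest in sorted(destinations):
        if app_works(allowed - {dest}):
            allowed.discard(dest)
    return allowed


def app_still_works(allowed):
    # Stand-in for the manual step: apply the block, then try the app by hand.
    return ("198.51.100.7", 443) in allowed


if __name__ == "__main__":
    summary = summarize(CAPTURE, PHONE_IP)
    for (ip, port), info in sorted(summary.items()):
        print(ip, port, info["names"], "out", info["out"], "in", info["in"])
    print("minimum access:", minimal_allowlist(summary, app_still_works))
```

Matching replies to queries by DNS id puts a hostname next to each address, which is usually enough to tell an app's own backend from an ad or analytics endpoint without reading the payload.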

Re:Install a firewall (0)

Anonymous Coward | more than 2 years ago | (#36194004)

If you don't want your personal information getting out, don't install those programs that request the information you're not comfortable with giving out?

I mean, as much as you will know, that's a lot of work (and quite a bit to remember to do) for each application. I have about 150 on my N1, not counting ones that I've uninstalled already due to space constraints... If I took 10-20 minutes each, that's a good 3-5 hours.

Or you look on the market and if it's something that doesn't make sense, 2 seconds to do a quick scan over "contacts", etc.

Besides, if you're going to root, you might as well get the root app that selectively disables permissions. Don't remember the name, but it's a lot easier than packet sniffing.

Re:Install a firewall (1)

nschubach (922175) | more than 2 years ago | (#36195050)

Some of them are non-obvious or too lenient.

SD Card access springs to mind. Google considers all data on the SD card public... I, however, do not think my SD card is free range and wish there was a way to limit apps to just their folder. (Well, I know there is a way [symlinks in app path on local memory to directories on sdcard], but Android does not do it.)

Some apps (I have a friend who did this) will check the built in functionality to determine if you have a firewall app and refuse to run unless you buy his pay for version.

Also, Internet Access. I cannot say, "No, you will only have access to google.com/*" without a firewall.

Re:Install a firewall (3, Informative)

mlts (1038732) | more than 2 years ago | (#36194016)

More specifically, root your Android phone (no, it will not lessen security unless you are stupid and click "allow" on any app that pops up the su dialog unless you KNOW it needs the root permission.)

Install DroidWall and allow it full su access. Then when you install a new app, make sure to allow it out, because by default, new apps are not allowed to phone anywhere. LVL is handled by another mechanism, so apps should know they are licensed even if you block them with DroidWall.

After installing DroidWall, and selecting the apps you know that need to communicate, that will provide a decent measure of protection.

Re:Install a firewall (4, Insightful)

improfane (855034) | more than 2 years ago | (#36194018)

On a phone? Are you serious? Honestly I never thought you'd ever need a firewall on a phone. If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones. I always thought that the Bitfrost security architecture from OLPC was a good idea. How come this style of capabilities is not in Android?

Nokia 1661 and loving it baby. As far as I can tell, I can't put software on it!

Re:Install a firewall (4, Insightful)

i.r.id10t (595143) | more than 2 years ago | (#36194064)

The problem isn't that it is a phone, but rather, it is a computer with phone functionality. Would you tote around a laptop w/ no firewall or AV?

Re:Install a firewall (2, Interesting)

improfane (855034) | more than 2 years ago | (#36194212)

I think you're missing my point. It's a phone. You shouldn't have to install security software on something as trivial as a phone. Something is wrong with the API and security assumptions of the device that it is insecure by default, without security software.

Now that the cat is out of the bag, we can never put it back in. App companies have gotten used to the APIs that give them amazingly intimate personal and marketing information. Apple and Google (an advertising company) have a vested interest in allowing companies to phone home with all your personal data. Expect to have phones and tablets that are insecure by default. We aren't going back. It's just going to be a repeat of the PC industry.

It just sounds as ridiculous as installing security software on a walky talky or a landline telephone. The API should not be able to access data that the app store has not agreed to. It should be shipped with a list of capabilities it expects to use. It really sounds like that software on Android just runs and does whatever it pleases. We're reactive rather than proactive again...

I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution.

Re:Install a firewall (5, Insightful)

The Dawn Of Time (2115350) | more than 2 years ago | (#36194230)

You're missing reality - it's not a phone, it's a computer with phone software. I know that's exactly what the post you replied to said, but apparently it went right over your head.

Re:Install a firewall (1)

afex (693734) | more than 2 years ago | (#36194254)

what's ridiculous is you comparing a phone to a walky talky.

"as trivial as a phone"? my phone almost has a faster cpu than my current nettop (atom 1.6), and about as much ram.

Re:Install a firewall (1)

Riceballsan (816702) | more than 2 years ago | (#36194506)

"I don't think it's an issue of running untrusted executable code, the code IS trusted but it's capable of doing things the phone should never have exposed to the application. I'd like to see security enforced for every execution of an application, so when you close an application, it gives you a list of the data the application tried to access. Rather than trying to ask the user each time to accept or decline, it should be configured BEFORE execution."

You pretty much described the way the android works, when you install the application it gives you a list of what it can access. Out of the box when you install a program the android says "this program requires permission to access X, X and X, do you still want to install it?"

Re:Install a firewall (4, Insightful)

improfane (855034) | more than 2 years ago | (#36194598)

That's the potential to access. Not the actual access. That won't scare users enough.

The software should display the data that would have been accessed with the widgets that are appropriate to the device, say a contact card or a filename and then threaten the user.

Are you sure you want to send this information to somewebsite.com over an unscrambled channel to someone in China?

  • a list of your contacts as displayed in your contact list
  • a recent email of your naked wife (with picture rendered)
  • a map with lines between your last plotted geolocations
  • the following picture captured from your webcam

It should be displayed like numerous bits of scrap data on the screen with a picture of a pipe and the pipe attached to a shady looking figure next to the planet earth on the other side of a cloud. The implication should be obvious.

Would that scare you?

Re:Install a firewall (1)

Eponymous Hero (2090636) | more than 2 years ago | (#36195138)

let me get this straight.

first, you couldn't tell the difference between a phone (hardware device), and a multifunctioning computer running a phone application. then when the realization struck, you got scared. now it's your life mission to ensure that everyone who uses a portable-OS-with-phone-app is just as scared as you?

ffs just be responsible. if that's too difficult, no big deal. karma works it all out. or you win a darwin award first. w/e

Re:Install a firewall (1)

spire3661 (1038968) | more than 2 years ago | (#36194684)

The era of pocket cell PHONES is over, now is the rise of pocket computers. I realize you are trying to make a point blah blah blah. I get the part about the providers slurping at the trough of personal data but bitching about having to install a firewall on a networked COMPUTER is silly. The reality is that to have expansive functionality, you need to make security compromises. This is true across the computing spectrum and security in general. It's easy as hell to lock down a computer, simply turn it off. For those of us who have to use our computers (desktop and mobile), the want for expandable functionality requires extra security measures. Compromise is the key term here.

Re:Install a firewall (4, Insightful)

girlintraining (1395911) | more than 2 years ago | (#36194910)

I think you're missing my point. It's a phone.

They aren't missing it, they're ignoring it. What it is called isn't the issue, it's what it can do, and whether that is what the end-user wants (or not).

Re:Install a firewall (1)

Desler (1608317) | more than 2 years ago | (#36194280)

Would you tote around a laptop w/ no firewall or AV?

Yes, I do all the time.

Re:Install a firewall (-1)

Anonymous Coward | more than 2 years ago | (#36194444)

Then, unfortunately, you are not smart enough to own either a laptop or a smartphone, and use it safely.

You do look at the sources of the programs you directly install, but if you are using either device to access web sites or applications, communicate across a network or communicate across any public medium, you are operating under the false assumption that you are in control of what lands on your devices.

With Java based trojans already in the wild, adobe-format banners containing active content and hidden links, and the plethora of drive-bys and polymorphs out there, it is simply not possible to control the source of every item you accept onto your device. As others have explained, even if you do not like the answer, the smartphone is a computer with phone software, as much as running a softphone or skype on your laptop would be, and as vulnerable as any other computer to malicious software.

Re:Install a firewall (1)

ashidosan (1790808) | more than 2 years ago | (#36194580)

Fortunately, some of us are smart enough not to click every stupid shiny thing we see in the web, or even use operating systems extremely vulnerable to this type of attack.

any other computer

Not all operating systems are created equal, nor have the same attack surface. Not arguing against the usefulness of a firewall here, but what good is antivirus if most (of the really bad) exploits are zero-day? If you don't apply the remaining security patches, well, that's really a different issue.

Your post assumes a great degree of naiveté, but all users are not created equal either.

Besides, the post you're attacking wasn't even the poster who claims AV on a phone is stupid.

Re:Install a firewall (2)

rickb928 (945187) | more than 2 years ago | (#36195586)

Until recently, Apple users were quite proud of the relative lack of threats to their MacBooks. This past week seems to have wiped the smirk off their faces, but that will be shortlived. Apple will plug the holes and they will go back to bliss. Reactive again.

And few Linux laptop toters bother with substantial AV. Of course, most Linux distros install a firewall, but it's relatively generic and minimal, and the users also seem ready to gloat about the seeming lack of threats. And they are not entirely incorrect in this, but that's more because the attackers seem to be avoiding DHCP blocks, in favor of named hosts, though that is not 100% and as Linux gains share in the home, they will happily follow these new users and take their machines for their own. Ah yes, security by limited market share.

What I want for my Android phone is a firewall that denies apps access to SMS and phone, GPS, and camera, except by my permission, and then only when I want them to. I've uninstalled Stitcher because it ran a Bluetooth service. My podcast gizmo needed a Bluetooth service? I already got one of those. Suppose I'll get that firewall any time soon?

Re:Install a firewall (1)

spikenerd (642677) | more than 2 years ago | (#36194428)

AV is like installing a house-fly chasing robot. It's big and often gets in the way, but it keeps the fly population in your house small. On proprietary platforms, AV is critical because you cannot close the windows through which they enter. On open platforms, it's a stupid idea. Just close the stupid hole! Why would anyone put up with AV? It's as annoying as what it protects you from, and the days when it was a good thing have passed.

Re:Install a firewall (0)

Anonymous Coward | more than 2 years ago | (#36195000)

If your AV annoys you, you're using a bad one.

Re:Install a firewall (1)

wiggles (30088) | more than 2 years ago | (#36194070)

That's because it's no longer a phone. It's a palmtop computer with phone functionality.

Re:Install a firewall (0)

Anonymous Coward | more than 2 years ago | (#36194078)

Dude, it's wrong to think of it as a phone. It's a computer running Linux, and should be administered just like any other Linux workstation or server.

Re:Install a firewall (1)

mlts (1038732) | more than 2 years ago | (#36194302)

It is a Linux kernel, but the userland is very different. Root is there, but apps have their own UIDs, and almost all the UNIX command lines are links from busybox [1]. To prove this, try getting gcc to work natively on Android.

It really can't be run like a Ubuntu box -- users by default don't even have root access on almost all Android devices. Instead, you have to be careful on the app level.

[1]: Busybox is (IMHO) one of the few programs that just is pure awesomeness in its functionality.

Re:Install a firewall (1)

improfane (855034) | more than 2 years ago | (#36194440)

The rest of the world says no, we shouldn't have to manage the security of a phone. It's a burden that the technological world has failed to recognise.

All my cellphones have been connected to the network (GSM or whatever). It's not the 'being networked' that's the problem. Nor is it code execution. My Nokia 3410 could run Java applications. Internet access was something that the phone asked me for.

Why is my Nokia 3410 more secure than Android?

Re:Install a firewall (1)

fermat1313 (927331) | more than 2 years ago | (#36194114)

If we cannot trust the software running on our phones not to be able to do malicious things, something is seriously wrong with the software architecture on phones.

Ah, the myth of perfect security. There is no system that connects to a network that is perfectly secure. We all want open phones that will run any software we want, and we expect the OS to be able to ward off any possible attempt to compromise it. Ain't gonna happen. That's why we need firewalls, as well as software that blocks processes based on either known signatures or behavior.

Only a mathematician could believe in perfect security. Engineers, they know better.

Re:Install a firewall (2)

improfane (855034) | more than 2 years ago | (#36194378)

I wish I could accept how easily you accept the status quo. One that only benefits big companies that harvest personal information from the clueless masses. Perfect security is impossible, I agree.

I don't want a phone that is continually monitoring my whereabouts by default or can connect to the network at the same time as accessing my data.

Should a phone be able to access my phone book AND the network at the same time?
Should a phone be able to access files on the phone AND the network at the same time? What files can it access and why?

I think these are reasonable precautions. The app developer should have to go through hurdles to accomplish these things. Perhaps enforce SSL by default when your software has the capability of reading phone book information = enforces your data security when transmitting it and the identity of the recipient.

Re:Install a firewall (1)

brainzach (2032950) | more than 2 years ago | (#36194608)

Any app that uses the Internet and saves information on your phone will need permissions for network access and to modify the contents of your SD Card. It is not surprising that many apps require those permissions and there is little way around this if you want to get the most functionality out of your phone.

Applications on Windows, Linux and OS X also save data and can access information on the Internet at the same time too.

Re:Install a firewall (1)

improfane (855034) | more than 2 years ago | (#36195044)

Writing data that cannot be executed from the internet is not as bad as accessing data and uploading it. Of course as long as it cannot be read into memory and executed.

We have HIPS because it wasn't programmed in by default. The security model in the PC world is non-existent. The phone security model has just repeated the same mistakes from the PC industry rather than try to solve it. HIPS really do help. Capability based security and appropriate permutations would be a good start for fine grained security.

Re:Install a firewall (1)

Eponymous Hero (2090636) | more than 2 years ago | (#36195554)

i wish you could easily accept that the devices being discussed are not phones. they are computers that can, among many other things, do what a phone does.

let's say you run skype on a desktop pc. technically the pc is now equivalent to a smart phone, it just can't fit in your pocket. if you used the pc primarily for using skype, wouldn't you still want to put a firewall on it?

i use my android phone more for search, maps and hockey scores than i do for making and receiving calls. the fact that it makes calls is incidental, and is merely convenient so i don't have to carry a separate phone and a pocket computer. it is primarily a computer, no matter what you use it for most. thus common sense dictates securing it in the manner appropriate to a computer, i.e. antivirus, firewalls, etc.

since you don't even use a smart phone, why should anyone listen to you rant about them? hell, even i played world of warcraft for 9 days before i went around telling everyone i think it sucks. is it too much to ask that you know what you're talking about when you give an opinion?

Re:Install a firewall (1)

poetmatt (793785) | more than 2 years ago | (#36194418)

so basically you like the complete lack of control over what info we can pull from your N1661? Specifically where you are, who you've talked to, etc?

Re:Install a firewall (1)

improfane (855034) | more than 2 years ago | (#36194540)

Do you really think your phone being an Android or an iPhone protects you? Any intelligence agency could pull whatever they could pull my phone from an Android or iPhone plus everything else. I don't doubt the remote code execution of phones.

The recent phone "hacking" scandal [wikimedia.org] in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.

I protect myself from myself by using a dumb phone. Not from others...

Re:Install a firewall (1)

GP1911 (1439907) | more than 2 years ago | (#36194688)

Hacking voicemail systems has nothing to do with the actual mobile phone.

Re:Install a firewall (1)

improfane (855034) | more than 2 years ago | (#36195100)

You are right. I didn't read my article.

The recent phone "hacking" scandal [wikimedia.org] in the UK which I cannot tell if it were server side (provider) or client side (phone side) demonstrates that it's not that hard.

It must have been server side then. Still, an Android or iPhone is not immune to server side attacks. So using one does not make you any more secure, I'd say it makes you less secure. All I did was some googling of the victims on phones, like, victim name + "phone" or "on the phone". They just happened to be using blackberries and what appeared to be smartphones. Of course correlation != causation. I wouldn't trust RMI.

Re:Install a firewall (3, Insightful)

Jeremiah Cornelius (137) | more than 2 years ago | (#36194082)

Agreed. When "signed apps" are little different than trojans to steal your PII and report on your activities, the definition of security moves away from one of "penetration and exploitation" towards "scope of trust and violation".

As to the original article.posting, with its naive POV regarding security? What does your posture do for you, when exploitation and abuse are built into signed apps - or signed apps consume and interpret code from untrusted, arbitrary sources? Flash, Acrobat and any AJAX capable browser are all wide-open to abuse, on any given 0-day.

Re:Install a firewall (1)

molnarcs (675885) | more than 2 years ago | (#36194364)

I think firewall is a bit overkill. My advice would be to just use normally. I do. I DON'T install apps from shady sources, I just use the official Market. I have a few dozen apps installed, and I clicked through the permission screen mindlessly, yes. Why? Almost every app needs network access, after some time I got bored reading through the list of permission they require. BUT - the apps I install are well established apps with overwhelmingly positive reviews (based on a large number of reviewers). That's basically it - just use common sense.

And yeah, I enabled geolocation - not allowing it doesn't make me any safer. The information is NOT shared with the world by default, but it helps with weather apps, and targeted ads in the few ad supported apps I have. And I do prefer those to random shit from across the world... So, as I said, just use it, the Market is pretty safe, but don't install just released apps mindlessly (you won't need to anyway, the quality of apps in the market has increased dramatically since I started using my Nexus last August).

That said, I never ever do anything like online banking on my phone. I have a PC and a Laptop (well, slate actually) for that. I entered my password for sync (gmail/picasa/calendar/etc) when starting up the phone the first time. So even if some app installs a secret keylogger (very very unlikely with the above common sense measures) what can they get? My text messages? I'm not in the habit of writing lengthy emails on my phone either... So never type sensitive passwords (banking, cc numbers, passwords) - and that's about it. If you need apps that want some password (Skype, YM, whatever) install them first before installing anything else. And just enjoy your phone, don't be too paranoid - I'm very very satisfied with my Nexus (ran cyanogenmod for some time, but switched back to stock, running Gingerbread 2.3.3 now + Go Launcher) - it's a very well built, sturdy little thing.

Re:Install a firewall (1)

nschubach (922175) | more than 2 years ago | (#36195158)

I think firewall is a bit overkill. My advice would be to just use normally. I do. I DON'T install apps from shady sources, I just use the official Market. I have a few dozen apps installed, and I clicked through the permission screen mindlessly, yes. Why? Almost every app needs network access, after some time I got bored reading through the list of permission they require. BUT - the apps I install are well established apps with overwhelmingly positive reviews (based on a large number of reviewers). That's basically it - just use common sense.

The problem is, 99% (woo, fictional stats) of the people that voted that app a 5 star app did the same thing. Nobody pays attention to what they are giving access to. They only care what the app tells them it's doing. (I'm a background switcher and I need access to your contacts so I can display them on the background and full internet access for ads!). They do not care that it's sending their contact information to a central server of spammers.

Re:Install a firewall (2)

TheCRAIGGERS (909877) | more than 2 years ago | (#36194612)

Install a firewall. Not to keep the hackers out, mind you, but to keep your data *in*. There are way too many apps that try to phone home or do things they don't need to ('live' wallpapers come to mind).

Bah! Screw that. Maybe I'm too idealist, but if I'm looking at a wallpaper (for example) and the security permissions require net access, SD card access, and access to your bookmarks, I just don't install it. There are two main reasons for this:

First and foremost, the app is obviously shady, if not outright malicious. I don't want it on my device at all.
Secondly, and no offense here, but you are trusting a firewall / antivirus program to protect you from stupidity. There is no replacement for some common sense when it comes to installing programs on your computer. Most of us geeks here on /. already have a finely-tuned bullshit meter that can detect the majority of malicious software in the PC world before we run it. You need to enable that mental filter on your mobile device as well.

Android gives you more information than we ever got on our PC. It's up to you to use it. Yes, I know that live wallpaper is oh so pretty, but resist the urge to install it when you see something fishy in the permission list and 99% of your security concerns disappear.

Re:Install a firewall (1)

brainzach (2032950) | more than 2 years ago | (#36194770)

The most obvious reason that a wallpaper app needs permissions to access networks and SD card access is because it will download images off the internet to store on the SD card. It is basic functionality that improves the user experience so it doesn't necessarily make it malicious.

Re:Install a firewall (1)

nschubach (922175) | more than 2 years ago | (#36195186)

Also, a majority of the phone users are not geeks with finely tuned BS meters or the ability to tell what the access even means.

Re:Install a firewall (1)

TheCRAIGGERS (909877) | more than 2 years ago | (#36195216)

An image is what, a few KB? That could easily be packaged with the original download.

If you are looking at an app that can download other wallpapers as a service, then sure, I agree with you. But if you do a search for wallpaper in the Android marketplace, most of what you see are packages with one, maybe two wallpapers- not a service. Also, I don't see an explanation of why it would need access to my bookmarks.

Regardless, I only used wallpapers as an example, and yes you can probably poke some holes on my argument by finding some apps that fit my criteria and aren't malicious. But my point was that we just need to apply some common sense here. If the app is asking for more than it needs to do its job, then that should raise some warning flags in your head.

Re:Install a firewall (1)

Celestialwolf (1656075) | more than 2 years ago | (#36195174)

Do you happen to have any firewall app recommendations for a non-rooted phone? I've seen a firewall app I liked, but it required the phone to be rooted. I have a Samsung Galaxy S, and so far it's done just about everything I need (including the WAP feature) without rooting, and I'd rather not if I can avoid it...

Security on Android (1)

Anonymous Coward | more than 2 years ago | (#36193966)

Only thing I can think of is to read details on the app, for example why would a notepad app need access to the internet or my contacts.
Another thing is to install only apps from Google or "Good known sources".
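The check suggested in the comment above (does the permission list make sense for this kind of app?) can be combined with the question raised earlier in the thread about an app holding the phone book AND the network at the same time. This is an added example, not part of the original thread; the manifests are constructed, they are assumed to be already decoded to text XML, and the `expected` sets are the reviewer's own judgement of what an app of that kind needs.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml for android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"

# Permissions that expose personal data, with a short label for reports.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.ACCESS_FINE_LOCATION": "gps location",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_EXTERNAL_STORAGE": "sd card",
}

# Constructed manifests for three hypothetical apps.
MANIFESTS = {
    "notepad": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notepad">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>""",
    "stopwatch": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.stopwatch">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>""",
    "wallpaper": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>""",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    found = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return found - {None}


def audit(manifest_xml, expected=frozenset()):
    """Compare declared permissions with what the reviewer expects.

    unexpected   -- declared permissions outside the expected set
    can_send_out -- personal data the app can read while also holding
                    network access (empty if it has no network permission)
    """
    perms = requested_permissions(manifest_xml)
    data = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "unexpected": sorted(perms - set(expected)),
        "can_send_out": data if NETWORK in perms else [],
    }


if __name__ == "__main__":
    # Reviewer's expectation: a wallpaper downloader needs network and storage.
    expected = {"wallpaper": {NETWORK, "android.permission.WRITE_EXTERNAL_STORAGE"}}
    for app, xml_text in MANIFESTS.items():
        print(app, audit(xml_text, expected.get(app, frozenset())))
```

The `can_send_out` field separates an over-permissioned app with no network access, like the stopwatch here, from one that can both read the data and transmit it.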

Re:Security on Android (1)

nschubach (922175) | more than 2 years ago | (#36195198)

Well, the notepad app could say it needed the Internet access for ads and the contact information for the quick contact paste feature.

A smart phone is just a computer. (3, Informative)

Kenja (541830) | more than 2 years ago | (#36193974)

A smart phone is a computer like any other and should be treated as such. Trust mobile apps as much as you would trust desktop applications. Do not install unknown software from unfamiliar sources and in general be as vigilant as you are with your Windows, Linux, OS X system. If you are paranoid enough, there are firewall and app activity scanners out there. But perhaps you don't trust them either. In which case, write your own apps. It's not hard for even the inexperienced with the app-builder tools.

Re:A smart phone is just a computer. (0)

Anonymous Coward | more than 2 years ago | (#36194120)

There is some truth in this assertion at the technical level, meanwhile, as a consumer device, it is not a computer. And this is exactly why Android is not much better than a glorified (late) Windows Mobile. The current Android implementation is prone to security breaches and disasters and time will prove it.
On the other hand, the Apple and mostly the WP7 design, although more restrictive, are by far better suited for a consumer audience. Again here, time will prove that WP7 and its very isolated sandboxes and API access is the way to go for broad audiences markets.
Should people care about viruses and identity theft on phones? No, they should not.
Should a platform restrict operations in favor of security for such an audience? Yes, it should.

Re:A smart phone is just a computer. (1)

tepples (727027) | more than 2 years ago | (#36194472)

Should a platform restrict operations in favor of security for such an audience? Yes, it should.

But why should a platform restrict running even "Hello World"?

Re:A smart phone is just a computer. (1)

pixelpusher220 (529617) | more than 2 years ago | (#36194500)

There is some truth in this assertion at the technical level, meanwhile, as a consumer device, it is not a computer.

How does its intended use have any bearing on what it *actually* is?

Re:A smart phone is just a computer. (1)

clang_jangle (975789) | more than 2 years ago | (#36194622)

Should people care about viruses and identity theft on phones? No, they should not. Should a platform restrict operations in favor of security for such an audience? Yes, it should.

Except that there tends to be an inversely proportional relationship between "power and flexibility" and "lockdown", so it comes down to individual choice. Yes, the average techphobic user will not do as well with Android as with an iPhone. BTW WP7 is too new to call, but the history of utterly screwing users over on any kind of data service deal (sidekick, playforsure, etc) should give anyone with any sense visions of great red flags...

Re:A smart phone is just a computer. (1)

peawormsworth (1575267) | more than 2 years ago | (#36194528)

A smart phone is a computer like any other and should be treated as such.

Agreed, smart phone = computer. Viruses are a good indicator that you can install software that gets the full use out of the hardware you purchased. I really hate when a manufacturer attempts to "protect" me from using devices in ways that they didn't already envision. Like by limiting applications I can/can't install. Because this "protection" can be used as a means to protect their alternate revenue streams. And frankly, I don't expect any one company to ever be big enough to keep up with all the software I may want to install. Kinda like the way Linux is beating Microsoft in speed of application development and virus protection at the same time. Point is... "protection" obviously doesn't work and currently only serves to reduce functionality and increase costs. GET RID OF IT!

Permissions aren't 'fine grained' (3, Interesting)

c0d3g33k (102699) | more than 2 years ago | (#36194066)

The problem with Android is that the permissions aren't in fact "fine grained" (though they might seem so to the 'TL;DR' generation). They are relatively coarse-grained with respect to what modern applications might require. Any non-trivial app will require permissions from the available pool that can be abused by malicious developers. The user has to fall back on trust when installing any non-trivial app.

Android needs something more like a sandbox environment for each application and a reasonable system where the user is asked for permission before accessing sensitive information.

Android permissions == FAIL, at least from a personal privacy and security perspective.

Re:Permissions aren't 'fine grained' (3, Informative)

ShavedOrangutan (1930630) | more than 2 years ago | (#36194190)

Every app requires full permissions, for no useful reason. Why a stopwatch wants access to my calls and read/write on the SD card, I don't know, and the choices are to either accept it or don't use the app. This is seriously broken. I don't even look in the Android Market anymore because it's just too much risk to install anything. It's actually worse than Windows, where at least I know where the software is coming from.

Re:Permissions aren't 'fine grained' (1)

afex (693734) | more than 2 years ago | (#36194264)

plus, at least with windows you can deny it on the firewall and the app will still run. with android, (like you said), you can either submit or you don't get the app : (

Re:Permissions aren't 'fine grained' (3, Insightful)

Reapman (740286) | more than 2 years ago | (#36194340)

EVERY App? I doubt this, in fact as an App Developer I know this isn't true. Adding permissions to your app is something you opt in - if a developer is so lazy he opts in every single permission then I wouldn't trust that app.

I've decided against installing apps that require permissions I don't want, and have quite a few apps that I've trusted onto my phone.

Google is providing you the ability to, at least, get an idea as to what you're getting into. Something like the iPhone doesn't give this, and I'm not sure if Blackberry does or not. Could it be improved? VERY. Is it better than nothing? VERY.

How is this broken? Because an App Developer has some crazy permissions? I'd call that working - you know what it's asking for and you choose not to install it. How is it better than Windows? Do you know if your Windows Stop Watch app is talking to your Contacts stored in Outlook or Thunderbird?

Re:Permissions aren't 'fine grained' (1)

c0d3g33k (102699) | more than 2 years ago | (#36194468)

Any non-trivial app requires permissions to one or more of the following:

- Your location (coarse or fine grained)
- Full network capabilities
- Call status
- Your personal contacts
- Account information

And the big kahuna:

- Your SD card

Putatively for storage of application data, settings etc. But as far as I know, there is no mechanism to prevent an app from accessing ANY other information on the SD card once granted access. And just about every app requires read/write access to the SD card. Let the data-mining begin - high fives all around. I honestly have no idea why sane people do things like personal banking from their Android devices.

Apps should be limited to only their own sandboxed storage on the SD card or world-readable data. Everything else should require explicit permission from the user.

Re:Permissions aren't 'fine grained' (1)

hedwards (940851) | more than 2 years ago | (#36194480)

One of the problems is that some ad software that free apps use seems to need to spy on people in order to work. You can opt not to install that software but the marketplace lacks transparency when it comes to what the app is actually doing with that permission. And I'm not aware of any way of keeping an eye on apps to make sure that they aren't doing anything nefarious with the permissions. Trust but verify ought to be the way with apps that you've decided to trust.

Additionally, some functionality like placing phone calls from within an app is either all or none, the platform doesn't provide a middle ground for apps which might from time to time have a legitimate reason to place calls.

Re:Permissions aren't 'fine grained' (1)

ShavedOrangutan (1930630) | more than 2 years ago | (#36194652)

I made a Hello World with the Android Eclipse SDK and it requires Storage and Phone Calls permissions during installation. I didn't even ask for that!

It's great that these permissions are presented to the user during installation, but there should be an option to say "NO" to individual permissions. If an app wants to make phone calls and I don't think there is any reason for that, I should be able to say no and it should still work.

And if an app needs SD storage to function, that's just fine but it should not be able to read my photos, emails, music, etc.

Anyways, I won't install anything anymore. The security model is broken.

Re:Permissions aren't 'fine grained' (1)

Reapman (740286) | more than 2 years ago | (#36194930)

Not to sound cruel but I think you're doing it wrong. I made a Hello World app that didn't require to do that - just because you wrote the app wrong and don't know how to modify the manifest XML file to set the permissions you need isn't Android's fault.

Not going to install anything anymore? So I assume you don't install applications on your computer either? Did you check if the last program you installed wanted to see your contacts in Outlook / favorite email program? Did you check if it would access iPhoto / Picasa albums? Did you check if it would write to your hard drive?

So what mobile OS do you consider having a superior per app permission listing system in place? Or would you rather just not see anything and assume that your handset maker is protecting you?

If you don't like the way an app works - contact the app developer or use a competitors.

Re:Permissions aren't 'fine grained' (1)

ShavedOrangutan (1930630) | more than 2 years ago | (#36195382)

The default permissions for an empty app should be none.

As an example, I just picked "Blast Monkeys" from the Android Market. Requires Full Network Access and Phone Calls. "Paper Toss" needs Network, Location, and Phone. "Stupid Zombies", Network and Phone. These apps do not need these features and I do not trust the developer to have this access. Thus, I do not use the products.

Same with the desktop PC. If the application isn't open source or come from someone I can hold accountable, it does not get installed.
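
The Hello World disagreement in the comments above can be settled by reading the manifest. This is an added example, not code from any poster or from the Android SDK: it assumes a decoded (text) `AndroidManifest.xml` rather than the binary XML inside an APK, uses constructed sample manifests, and relies on Android's documented behaviour of implicitly granting `WRITE_EXTERNAL_STORAGE` and `READ_PHONE_STATE` to apps that target API level 3 or lower.

```python
import xml.etree.ElementTree as ET

# Namespace prefix ElementTree puts on android:* attributes.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Android grants these to any app whose target SDK is 3 or lower, because the
# permissions were only introduced in API level 4. The installer shows them
# under the "Storage" and "Phone calls" headings.
IMPLICIT_IF_TARGET_BELOW_4 = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
    "android.permission.READ_PHONE_STATE": "Phone calls",
}


def _sdk_level(value, default):
    """Parse an SDK attribute; a codename (preview SDK) counts as newest."""
    if value is None:
        return default
    return int(value) if value.isdigit() else 10000


def effective_target_sdk(root):
    """targetSdkVersion defaults to minSdkVersion, which defaults to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    min_sdk = _sdk_level(uses_sdk.get(ANDROID + "minSdkVersion"), 1)
    return _sdk_level(uses_sdk.get(ANDROID + "targetSdkVersion"), min_sdk)


def audit_manifest(manifest_xml, allowed):
    """Return declared, implicit and unexpected permissions for one manifest.

    `allowed` is the reviewer's own policy: the permissions that make sense
    for what the app claims to do.
    """
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID + "name")
        for el in root.findall("uses-permission")
        if el.get(ANDROID + "name")
    }
    target = effective_target_sdk(root)
    implicit = set()
    if target < 4:
        implicit = set(IMPLICIT_IF_TARGET_BELOW_4) - declared
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "declared": sorted(declared),
        "implicit": sorted(implicit),
        "unexpected": sorted((declared | implicit) - set(allowed)),
    }


# --- Constructed sample manifests (not taken from any real app) ---
HELLO_NO_SDK = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hello">
  <application android:label="Hello World">
    <activity android:name=".Hello"/>
  </application>
</manifest>"""

HELLO_TARGET_8 = HELLO_NO_SDK.replace(
    "<application",
    '<uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8"/>\n'
    "  <application",
)

STOPWATCH = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stopwatch">
  <uses-sdk android:minSdkVersion="7"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Stopwatch"/>
</manifest>"""

if __name__ == "__main__":
    # Policy for all three samples: an offline utility needs no permissions.
    for xml_text in (HELLO_NO_SDK, HELLO_TARGET_8, STOPWATCH):
        report = audit_manifest(xml_text, allowed=set())
        print(report["package"], "target SDK", report["target_sdk"])
        for perm in report["implicit"]:
            print("  implicit:", perm, "->", IMPLICIT_IF_TARGET_BELOW_4[perm])
        for perm in report["unexpected"]:
            print("  unexpected:", perm)
```
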

Re:Permissions aren't 'fine grained' (4, Interesting)

nabsltd (1313397) | more than 2 years ago | (#36194574)

Why a stopwatch wants access to my calls and read/write on the SD card, I don't know,

Many apps that need access to "phone calls" are doing so to be good resource users, and to follow some Android UI conventions.

Knowing if you are talking on the phone or not allows the app to change its behavior to not bother you, use less CPU cycles, etc. And, this sort of thing is why there are so many complaints about the overly-broad permission groups on Android...you can't know the "in-call state" without being given permission to "phone calls".

Re:Permissions aren't 'fine grained' (0)

Anonymous Coward | more than 2 years ago | (#36194196)

The problem with Android is that the permissions aren't in fact "fine grained" (though they might seem so to the 'TL;DR' generation). They are relatively coarse-grained with respect to what modern applications might require. Any non-trivial app will require permissions from the available pool that can be abused by malicious developers. The user has to fall back on trust when installing any non-trivial app.

Android needs something more like a sandbox environment for each application and a reasonable system where the user is asked for permission before accessing sensitive information.

Android permissions == FAIL, at least from a personal privacy and security perspective.

So, what you're really saying is... you should get a blackberry instead of android.

Re:Permissions aren't 'fine grained' (2)

c0d3g33k (102699) | more than 2 years ago | (#36194300)

No. What I was saying is that Android permissions aren't all that fine-grained and are seriously broken if protecting the user is the goal. What I didn't say is that they should be redesigned if personal security and personal privacy are a priority. I'm saying that now.

You, on the other hand seem to be implying that Blackberry is better for some unspecified reason. Since you obviously don't live in a Middle-eastern country where Blackberry caved and allowed personal communications of BB users to be monitored. So what was your point again?

Security is only valid if it's completely in the hands of the users at the endpoints of the desired communication, not the middleman who is managing it all while saying "trust me - you're completely secure, honestly".

To me, Android is much more secure than Blackberry, because at least I can root my android device and set up my own communications channel that has at least a chance of being secure. Don't really see that as an option for the dark fruit.

Re:Permissions aren't 'fine grained' (0)

Anonymous Coward | more than 2 years ago | (#36194606)

You, on the other hand seem to be implying that Blackberry is better for some unspecified reason. Since you obviously don't live in a Middle-eastern country where Blackberry caved and allowed personal communications of BB users to be monitored. So what was your point again?

That the blackberry platform allows very fine grained control of what applications can do:

- what computers the app can connect to
- what protocols the app can use to connect
- whether the app can access email, address book, sms, calendar, etc.
- whether the app can use usb, bluetooth, wifi, phone, location data, communicate with other apps, etc.

And they can all be enforced server-side to protect users from their own mistakes.

Security is only valid if it's completely in the hands of the users at the endpoints of the desired communication, not the middleman who is managing it all while saying "trust me - you're completely secure, honestly".

The blackberry platform has been audited from end-to-end by many, many people.

And with a blackberry enterprise server (BES), the encryption/decryption keys are only located in two places: on the device itself, and on the BES. RIM doesn't have the keys, neither does the wireless carrier.

Re:Permissions aren't 'fine grained' (1)

c0d3g33k (102699) | more than 2 years ago | (#36194956)

And they can all be enforced server-side to protect users from their own mistakes.

Very nice for multinational corporations who want to protect their trade secrets and monitor employee communications and can afford a BES. Not so nice for an individual who wants a personal device that respects their security and privacy. How does a private BB user enforce server-side permissions exactly? I don't recall seeing a free BES offered with my Blackberry mobile plan.

Your arguments are irrelevant to the current discussion and obsolete since RIM made concessions to allow monitoring of communications in repressive countries. Come back and discuss this again when private citizens can realistically and securely benefit from the advantages you espouse. Until then, you're entirely missing the point.

Re:Permissions aren't 'fine grained' (0)

Anonymous Coward | more than 2 years ago | (#36195478)

Very nice for multinational corporations who want to protect their trade secrets and monitor employee communications and can afford a BES. Not so nice for an individual who wants a personal device that respects their security and privacy. How does a private BB user enforce server-side permissions exactly? I don't recall seeing a free BES offered with my Blackberry mobile plan.

Want a free BES? Click right here [blackberry.com] . You don't get the full suite of auditing (for example, you can't keep track of all your users' SMS), but you get all the important features. No licensing or additional costs from RIM. No additional costs from your mobile carrier aside from the basic blackberry data plan. But the BES is only used to apply application permissions to the device (and make them mandatory if desired).

Even without a BES, individual users can go to Options - Advanced Options, Applications, scroll to find the application, and Edit Permissions. You can also edit the Default Permissions.

Your arguments are irrelevant to the current discussion and obsolete since RIM made concessions to allow monitoring of communications in repressive countries.

Not really. You're asking about application security: what third-party applications can do to YOUR phone. Protection from government (benevolent or otherwise) is a different question. As seen in recent months, repressive dictatorships are more than happy to beat their citizens, jail them, or just plain shoot them. http://xkcd.com/538/ [xkcd.com]

Come back and discuss this again when private citizens can realistically and securely benefit from the advantages you espouse. Until then, you're entirely missing the point.

Once again, you asked about third-party application controls, which blackberry does very well.

The "concessions" made by RIM require a long explanation since there are many services provided under the blackberry name.

1. It's a cell phone. All the existing vulnerabilities/govt controls for tapping phone calls still exist.

2. It sends SMS. All the existing vulnerabilities/govt controls still exist.

3. Blackberry messenger. BBM is encrypted, but only with 3DES. The reason BBM works with all blackberries is that by default they all share the same 3DES key, and it is well known in the security community. Even without the key, brute-forcing 3DES isn't that hard for a government. Even RIM's own documentation refers to BBM as scrambled and not encrypted. This information could be tapped by RIM and handed over to governments, but a government could easily do this without RIM's cooperation.

4. Web browsing through the mobile carrier. This is the "WAP browser" on your blackberry. All the existing vulnerabilities/govt controls still exist.

5. Web browsing through RIM. This is the "internet browser" on your blackberry. The data is encrypted with AES to/from RIM (RIM has a copy of the encryption keys), and then goes from RIM to the internet at large. This information could be tapped by RIM and handed over to governments.

6. BIS (blackberry internet service) email. This is what you use for email if you don't have a BES. The data is encrypted with AES to/from RIM (RIM has a copy of the encryption keys), and then goes to the internet at large. This information could be tapped by RIM and handed over to governments.

And now, the crown jewels:

7. Web browsing through the BES. This is the "blackberry browser" on your blackberry. The data is encrypted with AES to/from the BES. RIM does NOT have the encryption keys, and couldn't hand over the plaintext even if they wanted to.

8. BES (blackberry enterprise server) email. The data is encrypted with AES to/from the BES. RIM does NOT have the encryption keys, and couldn't hand over the plaintext even if they wanted to.

Now, here's what RIM probably did: assist governments by handing over plaintext for #3, #5, and #6.

RIM is not able to provide #7 or #8.

Re:Permissions aren't 'fine grained' (1)

im_thatoneguy (819432) | more than 2 years ago | (#36194672)

Well not only that but you can never be fine grained enough for the user to understand.

If your app saves data to the cloud then it needs the ability to "Copy files to remote servers".

That's either a trojan or the app operating correctly. No way to tell without per-file transaction confirmations. "I'm about to move a temp.dat to the cloud. Ok?" And even then. "Wait, what's in temp.dat?" And so on and so forth.

The only difference between a malicious network aware application and a good one is what data is being transferred.

It's like a webcam app. "This app will access your camera and transmit video across the internet."

Perfect!

But there is no way to secure that video so that they couldn't also store a copy on their servers and post it to voyeuristic sites. The only security in such a situation would be a physical tag over your camera lens.

Phones are designed to transmit and share your data. They're essentially designed to be exploited.

Re:Permissions aren't 'fine grained' (1)

improfane (855034) | more than 2 years ago | (#36195300)

I think getting the users to understand and not just accept mindlessly (like Windows UAC and Facebook Applications) is the hardest part. It's a social problem. The permission message must be clear and almost threatening. It should show the data that is being displayed. I replied to someone else about this with the same view [slashdot.org] as you :-).

Multiple devices (1)

rwa2 (4391) | more than 2 years ago | (#36194160)

I have one relatively cheap Android smartphone (HTC Slide), which I pretty much install a minimum of useful apps upon.

My second device is a Viewsonic G-Tablet (running TnT-Lite v4), which is a cheap (~$320 these days) but high-spec device. I use it for "playing" with apps and flash sites (some of them shady). Its main purpose is to let me play with high-end apps and games while keeping me from doing anything too dangerous with my phone :-P

Custom OS updates come out for the latter quite often, so I'm usually flattening it and reinstalling it relatively often anyway. So as long as the malware isn't breaking into my gmail account, I'm mostly OK :-P

Droid slogan v1.1 (1, Troll)

starglider29a (719559) | more than 2 years ago | (#36194240)

"When there's no limit to what Droid gets, there's no limit to what Droid does^H^H^H^H can do to you."

Take these for what they are worth... (4, Informative)

mlts (1038732) | more than 2 years ago | (#36194244)

Take these for what they are worth, but here are my security practices:

1: Install DroidWall and use that to lock down everything except the apps you do want going out.

2: Use TouchDown or a discrete app for secure Exchange email. This allows you to keep contacts separate from the rest of the device, and the app can keep the contacts encrypted. If it is work E-mail, it is good to keep it separated anyway.

3: Consider a PIN protecting app for #2 above, as well as your terminal, settings, and su app.

4: Use Titanium Backup with the encryption feature and store on Dropbox. If you look at TB, you will find that the way it does encryption using RSA keys is pretty well designed, so storing backups of apps on DB can be done securely.

5: Get a utility (I use WaveSecure out of habit, but there are others) that will lock the phone if the SIM card is changed, airplane mode is put on, and even allow one to remotely wipe the device and SD card. I'd like a utility that would give the ability to wipe the device and SD card if the phone has not seen Net access in "x" amount of time, similar to what BlackberryOS provides.

6: Look at reviews before buying apps.

7: Look at what the app asks for security permissions. If a notepad app wants access to your contacts, phone, SMS, or perhaps even pops up the su dialog, get rid of it ASAP.

8: If you use nandroid, consider some type of file encryption. This sucks when restoring a ROM image, but there are ways around that (decrypting the image while the SD card is mounted via USB, using a temporary ROM image with no data for decrypting, etc.)

9: Use AdBlock with Dolphin Browser. Ad rotation services are a noted source of malware.

10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.

11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.

12: Consider a "stuffbak" sticker. If the phone is found, at least there is a small chance it might get back to you, as opposed to 0 chance without it.

13: Keep backups. This way, if you do lose your phone, you can get another Android phone, fire up Titanium Backup, log onto DropBox, type in your decryption key, and restore your apps with their saved data.

14: Bug Google for them to put volume encryption (LUKS) into Android, so it can be used on the SD cards.

Re:Take these for what they are worth... (1)

vbraga (228124) | more than 2 years ago | (#36194362)

11: Consider PIN protecting your SIM card. This way, when you do a remote erase, the thief might have a clean phone, but won't have free access to bandwidth, SMS, or calling capabilities.

Can't you just call your carrier and report a theft? At least where I live this means the phone services (calling, and so on) are blocked by the carrier. He also can't just switch the SIM card, since the carrier blocks the cell phone "serial number" (IMEI?). He can put in another carrier's SIM card, if the phone is unlocked.

Re:Take these for what they are worth... (0)

Anonymous Coward | more than 2 years ago | (#36195130)

How does one call their carrier if their phone has been stolen? Is the thief supposed to lend you the phone back for just a second?

Re:Take these for what they are worth... (1)

c0d3g33k (102699) | more than 2 years ago | (#36194368)

All good advice, except I don't think Dropbox is an absolute requirement, since you can store the same data on a personal computer or thumbdrive. Unless you live in an area where random search-and-seizures occur with regularity. But then you're screwed in many other ways, so your phone security is trivial in comparison.

If there's anything that demands more suspicion than the mobile ecosystem, it's the cloud. Keep your most sensitive personal information away from there. Seriously.

Re:Take these for what they are worth... (1)

elPetak (2016752) | more than 2 years ago | (#36194380)

#13... dropbox? really? that's a security practice?

Re:Take these for what they are worth... (1)

Anonymous Psychopath (18031) | more than 2 years ago | (#36194460)

If the file is strongly encrypted, who cares where it is? Brute-force is always a possibility, I suppose, but I doubt anyone wants your phone data badly enough to do that sort of thing. And if they do, don't use Dropbox.

Re:Take these for what they are worth... (1)

tepples (727027) | more than 2 years ago | (#36194496)

It is when you encrypt the backup file before sending it to Dropbox.

Re:Take these for what they are worth... (0)

Anonymous Coward | more than 2 years ago | (#36195058)

10: Use known ROMs. The ROM ecosystem has been astoundingly clean for now, but it is only a matter of time before blackhats start adding their own "functionality" and putting ROMs on xda-developers and other sites.

Clean? Says who?

The maximum we can give is the benefit of the doubt, as nothing has surfaced yet to prove the ROMs are corrupt.

Re:Take these for what they are worth... (0)

Anonymous Coward | more than 2 years ago | (#36195502)

I have two more: Permissions denied [google.com] from the busybox dev and prey [preyproject.com] for when I lose my phone.

Re:Take these for what they are worth... (0)

Anonymous Coward | more than 2 years ago | (#36195622)

Touchdown is a buggy, bloated monster. It's like running a copy of Windows Mobile 5 within your Android phone. It's slow, it crashes and loses all of its data every week or two, and you have to literally uninstall and reinstall it once every month or two in order to keep it working.

If you try to rely on it to receive critical work mails, you'll find yourself checking every hour or so to make sure it hasn't lost its database. The app's developer has given up on trying to fix this, btw, they claim that it's entirely Google's fault and there's no conceivable way to implement a workaround.

if you see a droid powered drone coming your way (0)

Anonymous Coward | more than 2 years ago | (#36194286)

security may be rapidly diminishing, unless it's one of the citizen issue droid powered drones. security is in the forecast? mild accompanied by disarmament. the good news is just piling up for us now

Always run AV on everything! (0)

Anonymous Coward | more than 2 years ago | (#36194304)

I don't have an Android device, but I do know you shouldn't run any computer (including smart phones) without basic security software (like anti-virus).

THAT INCLUDES LINUX. IT IS NOT IMMUNE.

Check out ClamAV for your Linux machines.

Re:Always run AV on everything! (1)

cos(0) (455098) | more than 2 years ago | (#36194618)

AV is a resource-intensive crutch for those who don't know how to correctly manage their systems.

Re:Always run AV on everything! (1)

improfane (855034) | more than 2 years ago | (#36195368)

I bet I could install malware on your computer if you sat me in front of a logged in user.

I won't touch the hardware, just use it.

Plenty of free solutions (1)

rickzor (1838596) | more than 2 years ago | (#36194332)

I use Lookout Security (virus scanner + location tracker) for my personal security, and for the paid version it also allows you to see in a compact view what personal information and permissions your apps are using. There are plenty of other free antivirus, firewall and security apps for Android. If you want to root your device (like jailbreaking an iPhone) you may also install firmware which encrypts the entire device automatically (MIUI etc) and allows infinite self modification of the system. When you install an app from the market it will tell you which permissions it needs, and android will stick to that. The only downside is (to my knowledge) you cannot install an app without giving it all the permissions it requires.
As a general rule of thumb, only use trusted sources to install apps from (Android Market), as almost all malicious apps are found in 3rd party markets.

Check out the android market and do a few searches for what you need. Google hosts the whole market at http://market.android.com/ [android.com]

Not all devices come with Android Market (2)

tepples (727027) | more than 2 years ago | (#36194544)

Check out the android market and do a few searches for what you need.

Unless your device didn't come with Android Market. A lot of Android-powered devices, especially Wi-Fi-only devices, run the AOSP version of Android instead of the OHA version. AOSP Android-powered tablets tend to come with AppsLib, and the user can install the APKs for SlideME Application Manager and Amazon Appstore, but Google doesn't officially offer Android Market for download as an APK.

Re:Not all devices come with Android Market (1)

rickzor (1838596) | more than 2 years ago | (#36195234)

Good point. There is also Appbrain.com, which is a mirror of the android app store where you can download apps directly from the website or with the Appbrain .APK for android devices. Either that, or you can root any device and install the gapps package (all google apps including market) although the ease of that varies across devices.

For security ... (0)

Anonymous Coward | more than 2 years ago | (#36194478)

I embed the 4 laws of robotics in all my androids.

fork the droid (1)

anwyn (266338) | more than 2 years ago | (#36194616)

We need to put standard GNU/Linux on our pads and phones. Not some OS only kludge with Linux OS but proprietary app space. Down with stores! Up with free repositories! Google can not use patents to block this because Google is a member of OIN! And if Google left OIN it would be hit by the proprietary vampires!

What kind of weird environment is it when you can not run native apps on your own hardware? Only some bad imitation of Java applets!

If Google tried trivialization, they would find manufacturers already know how to make the hardware, and why not sell 2 versions: a GNU/Linux version and a prison version!

Android security (0)

Anonymous Coward | more than 2 years ago | (#36194642)

A restraining bolt, like the Jawas used.

Sounds like windows (1)

thetoadwarrior (1268702) | more than 2 years ago | (#36194696)

Seriously, anti-virus for your mobile? I think I will go with iphone once I'm done with my Android phone even if I have to pay out the ass I'm not running fucking anti-virus on my phone.

Use common sense. (2)

alt236_ftw (2007300) | more than 2 years ago | (#36194794)

Use common sense:

1. Don't root unless you REALLY need to.
2. If you are rooted, don't give root rights to an application unless you know what it is supposed to do AND you trust it to do just that.
3. Install a firewall.
4. Don't install applications from vendors you don't trust, or know little about.
5. Read the reviews of an application. See what people complain about.
6. Don't install applications which ask for rights that make little sense in context (a calculator which asks for access to the network and contacts for example).
7. If unsure about some permissions, check the developer's website to see if there is a good explanation. If not, contact the developer directly and ask.
8. If you suddenly find an app for free which you thought was pay-only, check to see if it is cloned. If so, don't install it as it might be tampered with.
9. Check if the developer of an application matches who you know it should be. If not, don't install it as it might be tampered with.
10. Personally I don't install or use an application which handles credit-card or bank account information directly/indirectly. This includes Paypal/Amazon and eBay. The reason for that is that I don't know how the information is stored on the phone, how it is transferred to the servers or if the authentication system is broken and can be hijacked (like the problem Google had the other day). Unfortunately I'm stuck with Google checkout, but I a secondary cash card.

Steps 8 and 9 would have saved quite a few people from grief in the last malware outbreak.

If you are so inclined (and rooted), you can also use AdFree to block ad and some malware sites. This will also cause developers to lose income though.

The permission system works well but only if there is no root exploit involved. Once an app gets root rights it can do just about anything. For example, it can download a precompiled linux executable which will send all application info from your phone to a remote server. This will include contacts/application and preferences (point 10 above).

Re:Use common sense. (1)

nschubach (922175) | more than 2 years ago | (#36195364)

Use common sense:

5. Read the reviews of an application. See what people complain about.
6. Don't install applications which ask for rights that make little sense in context (a calculator which asks for access to the network and contacts for example).
7. If unsure about some permissions, check the developer's website to see if there is a good explanation. If not, contact the developer directly and ask.
8. If you suddenly find an app for free which you thought was pay-only, check to see if it is cloned. If so, don't install it as it might be tampered with.
9. Check if the developer of an application matches who you know it should be. If not, don't install it as it might be tampered with.

I can see 5, and 6... that makes sense for most people. But the rest of these make having an app store pointless. If you need to go outside the phone environment to find out why someone asked for a particular permission.

What good is compiling here? (1)

G3ckoG33k (647276) | more than 2 years ago | (#36194898)

Soft wrote: "On my own computers, running Linux, I choose to only install (signed) packages from the distribution's or well-known repositories, or programs I can check and compile myself, or run them as a dedicated user — and I don't bother with an antivirus."

Seriously, what good are programs you can check and compile yourself?! If the program with 25,000 lines of code contains a piece of "virus", how would you know?!

It sounds to me like you already know the answer.. (1)

gravis777 (123605) | more than 2 years ago | (#36195126)

install an antivirus, run updates, and don't execute apps from untrusted sources.

That pretty much takes care of a majority of your issues. Read other user reviews. If you feel the Android Marketplace is too lax, try the Amazon marketplace. And if you decide to root your phone, pay attention to which apps you are giving root permission to. I mean, you are a Linux user after all, you should understand simple security.

Oh, and I suggest that if you are going to buy an Android phone, check and see if it's supported by CM7 - http://www.cyanogenmod.com/ [cyanogenmod.com] Talk about a lifesaver - my Android phone ran like CRAP until I found this goody. You should realize as well that there are several projects to port CM7 to other phones that are not part of the official tree yet - my phone is not on this list, and the first ports for cm6 / cm7 happened just a couple of months ago. If you are using an unstable build, make sure you read the notes, and MAKE SURE you do a backup of the factory rom before you start installing your own stuff.

Android Security Practices (5, Interesting)

privateerlabs (2183826) | more than 2 years ago | (#36195392)

1. Use caution when installing software! Remember that the Android market place does not vouch for the security/integrity of the apps. To my knowledge, minimal analysis is performed on apps, but nothing that provides any real security guarantee to the mobile user. There is no guarantee that the app you are installing is not malicious in nature, or chock-full of software vulnerabilities. Many of the legitimate apps in the marketplace are rapidly developed by individuals with little or no secure coding background. Also I highly recommend you only install apps from publishers you trust and make sure you read the user comments. If the app has a few thousand reviews and rates at 4 stars this would often indicate added legitimacy.

2. When installing apps be cautious of the permissions requested. The READ_PHONE_STATE permission permits access to sensitive device specific values that would normally be an invasion of privacy to supply. The problem arises when developers use a function called GetDeviceId() to get a unique ID for the mobile device that is later used for user account correlation on third-party services. The correct way to do this is to use Settings.Secure.ANDROID_ID. Google has a blog describing this issue in depth:
http://ask.slashdot.org/story/11/05/20/188228/Ask-Slashdot-Android-Security-Practices [slashdot.org]
Be very cautious with apps that ask to read/write SMS messages, read/write contacts, and place calls. Malware frequently uses these to pilfer unsuspecting users.

3. Careful when jail breaking your phone. If you jailbreak your phone you are opening yourself up to more serious compromise. Ask yourself, if all you have to do is run "su" from a jail broken command shell, why can't a malicious app do the same and run as root? SuperUser.apk is a popular alternative to traditional dirty jail breaking. It attempts to guarantee that the user is active in the Android UI by prompting the user without a dialog asking if the privilege elevation should be allowed. Remember that you are allowing that particular app to escalate privilege from now on. If you allow "sh" to escalate to root then an app may be able to simply run the shell "sh" and then escalate from there.

4. Firewalls are an option and will add another layer to the phone security, especially when connected to Wi-Fi access. Currently there aren't many remote attacks to listening services on the Android phone, but I wouldn't be surprised if we start seeing them with more frequency as more hackers start riding the wave.

5. Disable services you are not currently using. For example, if you are not using Wi-Fi, then disable it until you need it. Same goes for Bluetooth.

6. Remove unused apps. Many apps expose themselves to compromise by examining incoming text messages, integrating with mime/file types, etc. Go through your installed app lists and remove anything you don't use.

7. Android security products are starting to appear on the market (shameless plug). Rather than blindly recommend ours I would rather recommend you search the Android Market for "security", "antivirus", "malware", and similar criteria. Read the reviews and find something that will scan your apps prior to install.

-Riley Hassell
CEO, Founder | Privateer Labs
email: riley@privateerlabs.net
Website: http://www.privateerlabs.net/ [privateerlabs.net]
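
The permission checks recommended in the comment above, and the "rights that make little sense in context" rule earlier in the thread, can be automated against a decoded AndroidManifest.xml. This is an added example, not part of any poster's comment; the sample manifest, the expected-permission set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, defusedxml is the safer parser

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the comment singles out, mapped to the concern it raises.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.WRITE_SMS": "write SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "read incoming SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.CALL_PHONE": "place calls",
}

# Constructed sample: a calculator app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Calculator"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def audit(manifest_xml, expected):
    """List (permission, reason) for every request outside the expected set."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        reason = SENSITIVE.get(perm, "not expected for this kind of app")
        findings.append((perm, reason))
    return findings

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_MANIFEST, {"android.permission.VIBRATE"}):
        print(f"{perm}: {reason}")
```
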

+6, Hypertroll (0)

Anonymous Coward | more than 2 years ago | (#36195610)

That ridiculous list above for firewalls, PIN protectors, etc is exactly what will cause Android to eventually lose the mobile OS war. It's already behind in the US for tablets+phones, and waaaay behind overseas. Typical consumers can't be bothered with goofy shit like that.
