Defending Your Cellphone Against Malware

timothy posted more than 2 years ago | from the did-anyone-else-pack-your-cellphone-today dept.

Cellphones 157

Hugh Pickens writes "Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location." Pickens continues: "One common ruse is a man-in-the-middle attack when a target receives a text message that claims to be from his or her cell service provider asking for permission to 'reprovision' or otherwise reconfigure the phone's settings due to a network outage or other problem. Don't click 'O.K.' Call your carrier to see if the message is bogus. For the more paranoid, there are supersecure smartphones like the Sectéra Edge by General Dynamics, commissioned by the Defense Department for use by soldiers and spies which may soon be available to the public in the near future. 'It's like any arms race,' says mobile security consultant Michael Pearce. 'No one wins, but you have to go ahead and fight anyway.'"

Easy fix (5, Funny)

Anonymous Coward | more than 2 years ago | (#38859735)

Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.

Blackberry? (2)

iozozturk (2005838) | more than 2 years ago | (#38859769)

Bitch please :D

Re:Easy fix (4, Funny)

WrongSizeGlass (838941) | more than 2 years ago | (#38859987)

Use a Blackberry. Lack of apps aside, even if the malware authors want to code one, the antiquated API would drive them to whiskey abuse.

Use a BlackBerry? But how will I get my "totallies freez and safes, I promizz" LOL Catz knockoff? My phone wants catz that wantz cheezeburgerz, and I don't want to spend $1 to do it!

Re:Easy fix (2, Interesting)

tom229 (1640685) | more than 2 years ago | (#38860263)

I'm not sure why it's status quo now to snidely disparage blackberry. Being in IT I've had experience using every droid on the market as well as the flashy new siri and I still prefer my 9900 over them all. I'll take an actual keyboard and the convenience of BES over an angry birds app any day.

Re:Easy fix (1)

Billlagr (931034) | more than 2 years ago | (#38860449)

I wholeheartedly agree

Re:Easy fix (1)

Anonymous Coward | more than 2 years ago | (#38860557)

And get off my lawn!

Re:Easy fix (0)

Anonymous Coward | more than 2 years ago | (#38860677)

...Because Slashdot has long since ceased being a haven for IT folk; rather, it's now a wretched hive of fanboys and people who think they're clever by replacing the s in 'Microsoft' with a dollar sign.

Or... (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38859743)

Avoid malware by using an iPhone. Sorry. Someone would have said it if I didn't.

Re:Or... (5, Interesting)

TWX (665546) | more than 2 years ago | (#38859777)

Avoid malware by using an iPhone. Sorry. Someone would have said it if I didn't.

And they'd have been just as wrong too.

The "install an infected app from the app store" route is only one of many ways to infect a device like this. A remote exploit, like how Microsoft's browser brings down hundreds of thousands of PCs a year, is much more likely IMHO to cause real widespread chaos.

Re:Or... (1)

Relayman (1068986) | more than 2 years ago | (#38860029)

When you have an example of this actually occurring, let me know.

Re:Or... (3, Informative)

Wingman 5 (551897) | more than 2 years ago | (#38860061)

It has been patched but this has [jailbreakme.com] happened already.

Re:Or... (2)

Relayman (1068986) | more than 2 years ago | (#38860975)

To me, deliberately jail breaking your iPhone isn't malware. And, from the article you quoted, "the security impact of these vulnerabilities will remain theoretical." You're making a big jump by going from something that you initiated to something that happens by visiting a maliciously-coded Web site.

Re:Or... (1)

Anonymous Coward | more than 2 years ago | (#38860149)

When you have an example of this actually occurring, let me know.

You are joking? One of the original jailbreaks drive-by rooted your iPhone just by visiting a website.

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#38860837)

I love my iPhone, and I feel relatively secure using it. But I have executed a jailbreak on my older iPhone, and it only required me to visit a certain page in mobile safari. Yes, Apple is working hard to defend iPhone users against malicious apps. But they have no control over malicious websites or emails or SMS's.

Re:Or... (5, Informative)

Mitsoid (837831) | more than 2 years ago | (#38859813)

My iPhone doesn't tell me when an app wants permission to connect to the internet or share/sell my personal information with 3rd parties :-(

Re:Or... (-1)

Anonymous Coward | more than 2 years ago | (#38859883)

My iPhone doesn't tell me when an app wants permission to connect to the internet or share/sell my personal information with 3rd parties :-(

Doesn't need to. Apple already screen it for you.

Re:Or... (2)

John Hasler (414242) | more than 2 years ago | (#38859997)

> Apple already screen it for you.

Don't you mean Apple already sold it for you?

Re:Or... (1)

chentiangemalc (1710624) | more than 2 years ago | (#38859885)

Because unlike Android, iPhone apps cannot access your personal info unless you give it to them. Except location, which you do need to explicitly allow per app and can disable later.

Re:Or... (0, Funny)

Anonymous Coward | more than 2 years ago | (#38859915)

It's cute that you think there's never been a remote iPhone exploit.

Re:Or... (-1)

Anonymous Coward | more than 2 years ago | (#38860597)

Citation needed or you are full of bullshit.

Bet's you are full of bullshit, and I am talking CURRENT not something for a few years ago that is no longer relevant.

Unlike a Android phone that usually comes with crap in it from the carrier.

Re:Or... (-1)

Anonymous Coward | more than 2 years ago | (#38860777)

It's cute that you need to backpedal and try to redefine the discussion because reality doesn't share your bias. Do your own research. I'm here to laugh at you, not educate you.

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#38860245)

Yes, this is totally the place to brag about your device of choice.

And of course, Android devices don't let an App access personal info unless you give them the right to. What kind of moron are you for imagining it any other way?

Re:Or... (0)

the_humeister (922869) | more than 2 years ago | (#38859923)

Easy enough to avoid malware. Just run Windows! Wait a minute...

Re:Or... (1)

Relayman (1068986) | more than 2 years ago | (#38860047)

You're right! On phones, security through obscurity. Why would anyone target Mango when they have millions of Android phones available?

Re:Or... (0)

Anonymous Coward | more than 2 years ago | (#38860963)

Because it's so easy?

Re:Or... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38859981)

So we are once again stuck on the myth perpetuated by the Apple marketing machine that iOS is secure.

Let's disregard that it's been hacked repeatedly and easily, and let's also forget the tens of thousands of people who've had their iTunes accounts hacked and been charged for apps they have never downloaded (I know of 3 personally, none of whom ever got their money back)

But yes, the 50 (out of 400,000) malware infected apps are scary.

Re:Or... (1)

an unsound mind (1419599) | more than 2 years ago | (#38860131)

50 out of 400k malware infected apps?

The implication seems to be there's only 50 malware infected apps somewhere. Android Market? Only fifty malware infected applications on *the Android Market*?

Have you LOOKED into the Android market? It seems like I can't search for anything without having fifty different knockoffs with extremely broad requirements pop up.

Re:Or... (-1)

Anonymous Coward | more than 2 years ago | (#38860865)

iOS is much more secure in many ways than most of the desktop PCs out there. In which case, Apple's marketing has a very good point. Compare that to the security of many Android manufacturers.

As for the rest, perhaps I'd be more willing to believe it all if you had some references.

Android only of course (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38859745)

And of course the main platform prone to issues is android. Flame all you want but the endless reports of various significance all show it's true that android is more prone to malware than iOS and windows phone

Re:Android only of course (3, Insightful)

K. S. Kyosuke (729550) | more than 2 years ago | (#38859807)

Funny. To me the whole issue sounds more like dupe-only than Android-only. That's a social problem, not a technical one. People who have responded to Nigerian emails in the past have something new to worry about. Me? I'm not so sure about that.

Re:Android only of course (3, Insightful)

NotBorg (829820) | more than 2 years ago | (#38860005)

It's a problem with being able to run software of the user's choice. Wall it up and the problem goes away. Users are stupid therefore you make decisions for them and it becomes more secure because the primary attack vector (the user) gets cut off.

I'm not advocating a Great Wall of China but it should be a bit harder to find malware than picking some random app from the platform's officially sponsored market place.

Wrong, "dupes" not affected on iOS (0)

SuperKendall (25149) | more than 2 years ago | (#38860457)

To me the whole issue sounds more like dupe-only than Android-only

That may be true that only "stupid" people get Android viruses (if you define stupid as simply non-technical, which is rather egotistical but whatever).

However iOS users, "stupid" and smart both do not get viruses or malware on iOS because there is none. It's not a matter of degree, it's a matter of Android users can get viruses/Malware and iOS it is not possible (today) to catch anything no matter what you download.

The truth of the story is that mobile malware to date is a WHOLLY Android phenomenon and to try and cast it as a problem everyone has is simply wrong.

Re:Wrong, "dupes" not affected on iOS (-1)

Anonymous Coward | more than 2 years ago | (#38860551)

Are you fucking retarded? There was a period of time when you could totally own an iPhone remotely just by sending it a text message [mashable.com].

Re:Android only of course (0)

Anonymous Coward | more than 2 years ago | (#38859877)

Well, you can get Avast! or AVG for Android now, so have fun being safe.

Re:Android only of course (0)

Relayman (1068986) | more than 2 years ago | (#38860043)

And, of course, the main PC platform prone to issues is Windows. But we get called Linux/Apple fanbois when we do...

Not realistic (3, Insightful)

TWX (665546) | more than 2 years ago | (#38859771)

and be wary of apps that want permission to ... connect to the Internet or reveal your identity and location.

So, in other words, all apps that actually make use of the fact that it's a mobile device able to determine its position in real space to enhance the user's real-world experience...

Sounds to me like the OS makers need to address this, and give user-level ways of doing things that don't compromise the whole system if something nefarious happens, and then also give the manufacturer of the OS the ability to alert users when the manufacturer learns of malicious applications so that they can be removed.

Re:Not realistic (1)

marcel (6435) | more than 2 years ago | (#38859843)

The real problem I think is the combination: allow outgoing calls & internet connectivity are a fishy combination. However, even banking apps require these two privileges here in The Netherlands at least, so it's real hard for users to validate the necessity of these privileges. I'm not sure the OS can help here, except by giving the users the ability to disable a requested privilege for an application (the application wants internet, but it's a single player Tetris clone: yeah, right). Even better: only allow 'dangerous' privileges for signed & verified applications (mainly, the ones linking the phone's primary functions).
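The combination check described in the comment above, sketched in Python as an added example (not part of the original comment or of any project named in this thread). The permission names are real Android ones; the capability groups, the `justified` parameter and the sample manifests are assumptions constructed for the illustration, and a manifest taken from an APK would first have to be decoded from binary XML.

```python
"""Flag risky permission combinations in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
P = "android.permission."

# Assumed grouping of real Android permissions into coarse capabilities.
CAPABILITIES = {
    "network": {P + "INTERNET"},
    "telephony_cost": {P + "CALL_PHONE", P + "SEND_SMS"},
    "identity": {P + "READ_PHONE_STATE", P + "READ_CONTACTS", P + "GET_ACCOUNTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}

# Capability pairs that deserve a second look when requested together.
RISKY_COMBINATIONS = [
    ({"telephony_cost", "network"}, "can place calls or send SMS on remote instruction"),
    ({"identity", "network"}, "can read identity or contacts and upload them"),
    ({"location", "network"}, "can read location and upload it"),
]


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml, justified=frozenset()):
    """List findings: capabilities the app's purpose does not justify, then risky pairs.

    `justified` is the reviewer's judgement of what the app plausibly needs
    (a single-player game: nothing; a banking app: network and telephony).
    """
    perms = requested_permissions(manifest_xml)
    caps = {cap for cap, names in CAPABILITIES.items() if perms & names}
    findings = ["unjustified capability: %s" % c for c in sorted(caps - set(justified))]
    for combo, why in RISKY_COMBINATIONS:
        if combo <= caps:
            findings.append("risky combination %s: %s" % ("+".join(sorted(combo)), why))
    return findings


# Constructed sample manifests (not taken from real apps).
TETRIS_CLONE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.blocks">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application/>
</manifest>"""

BANKING_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application/>
</manifest>"""

NOTES_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text, ok in [
        ("tetris clone", TETRIS_CLONE, set()),
        ("banking app", BANKING_APP, {"network", "telephony_cost"}),
        ("notes app", NOTES_APP, set()),
    ]:
        print(label)
        for finding in audit(xml_text, ok) or ["no findings"]:
            print("  " + finding)
```

The banking sample still reports the calls-plus-network pair even when both capabilities are marked as justified, which is the difficulty the comment points out: the combination alone cannot separate a legitimate app from a malicious one.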

Re:Not realistic (2)

gl4ss (559668) | more than 2 years ago | (#38859893)

it's actually pretty simple.

make the os ask for permission when the permission is needed, not when the app is installed.

you know why they don't like that? they figured it's not a good way since it hampered app use levels on j2me phones (because most j2me phones lacked "allow always" option or making enabling that option pretty hard, users didn't like that or it was claimed to be too technical, as if it's too technical to ask a user if he wants to send a premium sms or not - ..yea smartphones and smartphone malware weren't really invented last year..).

and having shitty mandated signing procedures.. well that trusted computing shit sucks too. the only ones lobbying for it were/are companies who figure they'd get all the permissions to make sw and making entry to sw production much steeper, and the companies which geared up sweat-labs in china so they could offer a "testing" service aka "give us 400 bucks and we'll sign it kthx" - that's pretty much why some stuff isn't available on symbian or is available from only 1-2 vendors and as a consequence costs and sucks even if it's some little simple piece of code -- and that actually has had an effect on platform popularity)

Re:Not realistic (2)

vakuona (788200) | more than 2 years ago | (#38859929)

Making the OS ask users for permission is not a clever idea. Either every app they install asks for pretty much the same thing, and they are conditioned to press "Yes", or the users just click "Yes" because they want the app to work.

Curation mostly works. Yes, there are issues in terms of censorship that need to be overcome, but having a central party that at least tests the app and attempts to screen for malware can be a good thing.

Re:Not realistic (3, Insightful)

Tapewolf (1639955) | more than 2 years ago | (#38860011)

I don't know what Android has been up to since about 2.2, but one thing that has always irked me is that it displayed a list of "This application wants to do: X,Y,Z - Allow or Deny?"

What I'd much prefer is if you could allow or deny individually, i.e. Internet access but not contacts or phone. However I can kind of see why they wouldn't want to do that - it could cock up the advertising funded ones.

Re:Not realistic (3, Informative)

Virtex (2914) | more than 2 years ago | (#38860729)

What I'd much prefer is if you could allow or deny individually

If you can root your phone and install Cyanogenmod then you will gain this ability.

Re:Not realistic (1)

Tapewolf (1639955) | more than 2 years ago | (#38860891)

What I'd much prefer is if you could allow or deny individually

If you can root your phone and install Cyanogenmod then you will gain this ability.

Mine's still on 5.07, so I presume it was added after that. It's working well enough now that I'm a little scared to update it, especially as it's older hardware...

Re:Not realistic (2)

ewanm89 (1052822) | more than 2 years ago | (#38860749)

You mean like my modified /etc/hosts/ file on my rooted phone, and Avast Mobile Security firewall?

Re:Not realistic (1)

Lehk228 (705449) | more than 2 years ago | (#38860805)

Blackberry does this, it even has allow, deny or prompt so you can have the os ask you each time the app wants to

signing also has content censoring (1)

Joe_Dragon (2206452) | more than 2 years ago | (#38860105)

It's one thing to lock out apps that may send out spam but another to lock them out based on content.

Step 1 (-1, Troll)

BasilBrush (643681) | more than 2 years ago | (#38859773)

Buy an iPhone, not an Android.

Re:Step 1 (-1)

Anonymous Coward | more than 2 years ago | (#38859785)

Wow you've got courage. You're gonna get flamed big time for the honest and correct comment lol

Re:Step 1 (0)

Anonymous Coward | more than 2 years ago | (#38859793)

step 1: Buy a dumbphone.
step 2: Buy an OpenPandora

Re:Step 1 (0)

Anonymous Coward | more than 2 years ago | (#38860017)

Good luck getting an OpenPandora...

Step 2 (1)

TWX (665546) | more than 2 years ago | (#38859797)

Don't ever turn it on, or for heaven's sake, don't take it out of airplane mode...

Re:Step 1 (1)

StripedCow (776465) | more than 2 years ago | (#38859855)

Buy an i*****, not an Android.

If you're ignoring for the moment the spyware that's installed on an i*****, then yes, that's a good idea.

Re:Step 1 (3, Insightful)

Richard Steiner (1585) | more than 2 years ago | (#38859899)

What spyware is installed on an iPhone out of the box, pray tell?

Re:Step 1 (5, Funny)

darkfeline (1890882) | more than 2 years ago | (#38859919)

iOS?

Re:Step 1 (0)

Anonymous Coward | more than 2 years ago | (#38860021)

iOS,

Re:Step 1 (2)

danomac (1032160) | more than 2 years ago | (#38860619)

Probably CarrierIQ [slashdot.org]. Apple has admitted it's there, but not enabled by default.

CarrierIQ is on a lot of phones, including Android phones, so this point is moot anyway...

Re:Step 1 (1)

pnewhook (788591) | more than 2 years ago | (#38860155)

I think you meant buy a Blackberry.

And the truth will be modded -1, flamebait. (-1)

Anonymous Coward | more than 2 years ago | (#38859775)

It's been said before and it will be said again open doesn't mean secure. Also Linux is no longer immune since the Jersey Shore demographic are targeted with Unity and Gnome 3.

Re:And the truth will be modded -1, flamebait. (1)

marcel (6435) | more than 2 years ago | (#38859867)

Well, how open are the apps? This has nothing to do with open/versus closed (which applies only to the applications) but to the screening process for applications. One of the reasons open-source is deemed more secure is that if a bug is found you will be publicly flogged for doing such a stupid thing. Apps however are pretty anonymous as far as the author is concerned (even via a legitimate appstore).

Re:And the truth will be modded -1, flamebait. (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38860177)

Any system which allows users to run 3rd party software of their choosing is going to be vulnerable to the stupidity of its users. You can't fix stupid users without putting them in a jail cell.

As long as the user is the primary attack vector it's hard to make a blanket statement about a platform's security. Back when Windows would get infected simply by being turned on and connected to a network without the user doing a damned thing, it was easy to make a blanket statement about how secure Windows was. And even though the trolls told us that there was nothing Microsoft could do because they were the most popular OS, Microsoft did finally do something and the platform did finally become more secure. Once again things have shifted to target the user rather than sending malformed packets and overflowing buffers. It's hard to call a modern Microsoft OS insecure because the attack vector is more commonly stupid user now.

If we can call MS's slow bloated crap secure because it's all or at least mostly on the user, then we can call Android secure too. Sure neither one is as secure as the walled garden but like I said, it's jail or freedom to fuck yourself.

Presumably (5, Interesting)

deains (1726012) | more than 2 years ago | (#38859779)

By "cellphone" they actually mean "Android". I've never heard of iOS, BlackBerryOS or WinPho7 having any serious malware issues, granted there have been a couple of minor incidents, but Android seems to be the platform of choice to have your phone join a botnet.

Re:Presumably (1)

lostmagik (776421) | more than 2 years ago | (#38859837)

Any person sick of iOS constraints who has jailbroken their phone has a lot to worry about malware. I personally blame the person going too slow in the speeding lane when it comes to the accident but that may be just me.

Re:Presumably (1)

wdsci (1204512) | more than 2 years ago | (#38859869)

Only because Google doesn't control what Android users can put on their phones, at least not as tightly as Apple does. If you get an iPhone, it still needs to be defended against malware, but Apple does most of the work for you. That's the advantage you get for the developers giving up some of their independence.

Also, popularity may play a role. Some metrics have Android as the most popular smartphone OS, which makes it the most enticing target for malware authors. Same reason Windows is the most virus-prone desktop OS. (Well, one of the reasons, anyway)

Re:Presumably (4, Interesting)

an unsound mind (1419599) | more than 2 years ago | (#38860161)

The major problem is that I can't HAVE Google do the work for me, and I certainly can't look into the source of most of these applications. Nevermind that I don't want to have to look into the source of applications to know if they're safe.

If Google had a way to force vendors to give us Android updates (to close security holes) and having a separate, vetted market for applications Google has the source of and has inspected for malware and proper behavior, Android would be vastly more attractive.

As it is, iOS and App Store cover those needs. So I bought an iPhone.

Re:Presumably (2)

BasilBrush (643681) | more than 2 years ago | (#38860663)

Also, popularity may play a role. Some metrics have Android as the most popular smartphone OS, which makes it the most enticing target for malware authors. Same reason Windows is the most virus-prone desktop OS. (Well, one of the reasons, anyway)

If that were true then the malware for iOS vs Android would be in proportion to the apps for the two platforms. i.e. More for iOS than Android.

But there's no malware for iOS.

As to the market share. Considering just phones, iPhone was ahead until about a year ago. Then Android moved ahead. Then this last quarter, iPhone has regained its lead.

Considering all iOS devices vs Android, it's not clear that Android passed iOS at any stage.

Re:Presumably (0)

Anonymous Coward | more than 2 years ago | (#38860931)

But there's no malware for iOS.

Keep drinking the Apple Kool-Aid [betanews.com], fanboy.

Nokia 3310 (0)

iozozturk (2005838) | more than 2 years ago | (#38859805)

The ultimate solution!

Be wary of everything, then? (1)

powdered toast dude (800543) | more than 2 years ago | (#38859865)

"be wary of apps that want permission to ... connect to the Internet or reveal your identity and location"

So, pretty much all of them, then. Great.

Increasingly, I find myself alarmed at how many "need" the access to my contacts permission in order to operate. As well as those that need my location (for better targeted advertising, apparently).
I hope the masses eventually wise up to this and start refusing even the big-name apps until they relinquish permissions they don't *really* need.

everyone knows (0)

Anonymous Coward | more than 2 years ago | (#38859909)

smartphones are for ID10Ts

Two choices about it... (4, Interesting)

mlts (1038732) | more than 2 years ago | (#38859931)

With iOS, there is not much one can do about malware, if it gets past Apple's gatekeepers. JB-ing the device and slapping on Firewall iP is probably the best thing one can do. However, the barrier for entry for malware writers is very high. It is pretty difficult (and more expensive) for a blackhat organization to create a new account with Apple (paying them a C-note a year), and cook up some personal info (like bank accounts and such to register under) to even be able to see iTunes Connect, much less have the app approved. This has done a good job in keeping iPhone users safe, although in theory, if an app decided to have some type of module that would allow code execution, users would never know about an app that would be slurping contact info, E-mails, and other items then shipping that off to a blackhat server, especially if the app was smart enough to do it only on Wi-Fi, or a small trickle over 3G.

Because of this, the only permission iOS asks for is for using the GPS. Since the App Store does all the work essentially, there isn't that much of a need to have anything more than that.

Even with Firewall IP, there is no protection against apps deciding to spam with SMS, other than Apple's gatekeepers.

So, Apple's security model may have some (in theory) bad flaws, but it has proven to be decently tight, with exploits being used for jailbreaking as opposed to turning the device into a mobile money machine for criminal organizations.

Android's model is more robust in some ways. If Android phones were shipped with a marketplace that vetted/approved apps [1][2], this would virtually eliminate compromised phones [3].

The nice thing about Android is that even with full root and a custom ROM, app security is just as tight as it is on a vendor ROM. Unlike jailbreaking on iOS which completely creams the security model, apps on Android still function exactly the same on a rooted phone, other than being able to prompt the user for su access.

Since Android isn't reliant on a store's gatekeepers, its permission model has to be robust. It has been OK so far, provided users read and disallow apps like a game demanding full access, but it would be nice to have a better model -- something along the lines of minimum permissions needed to run the app, optimal permissions, and maximum permissions (a notepad app that just stores notes in its directory generally does not need full access or access to root unless it has some special features.)

What can help Android immensely would be an app that runs as root and can allow/disallow access to SD cards, contacts, SMS, phone, and networking. There is an app called LBE Privacy Guard which runs as root and offers features that should really be part of Android (perhaps some features behind an Advanced menu.) CyanogenMod also has similar features for restricting access.

Another app that is a must have for rooted devices is DroidWall, which is essentially a shell for performing iptables commands. This is an immense help because it can not just block network access for apps, but limit the bandwidth hogs to Wi-Fi (or security sensitive apps to 3G).

Pretty much for the tl;dr in all of us, Android would be best off with two tiers of stores, and having the user go through a dialog of "these apps are untested, but the reviews will be a good guide. Use at your own risk" before a user gets access to the free-for-all market. Couple that with the functionality of DroidWall and LBE Privacy Guard which can be set to prompt/allow/deny access to critical things (contacts, network, phone, SMS) integrated into the OS, and Android would be a lot more secure.

[1]: Amazon is good at vetting apps, and it would be nice for Google to offer two tiers of their Marketplace, where one tier would be the current free-for-all, while having another tier (which would cost app developers more because of the time taken) just for apps that would have a "blessed" flag attached.

[2]: It goes without saying to have a way to add more stores, or if Google went with a two tier/"preferred" app solution, allow all apps to be accessed. This feature can be a double-edged sword because some cell providers would try to lock devices to only their store. I remember one US cell provider trying to do this, where only Windows Mobile applications (not apps) were allowed on a device that were signed by the provider's key, and getting an app certified was in the thousands of dollars.

True iOS barrier is lack of ability by app (1)

SuperKendall (25149) | more than 2 years ago | (#38860443)

The thing about iOS is, let's say you get malware past Apple or manage to get arbitrary code executed in an app.

What then? You can't do anything interesting (to malware authors). You can't hook into the system keyboard. You can't send an SMS silently to rack up charges. You can't snoop the contents of other applications to pull back data from something like a Chase app.

All of those things are potentially possible on Android, if the user simply agreed to the laundry list of permissions presented to them on launch. Few would look them over, and even if you do granting permission to send an SMS might seem perfectly reasonable for an app even if actual use engaged in foul play.

It's not just Apple's gatekeeping that has kept iOS Malware free, it's that Apple has been far more paranoid about allowing applications access to the system or each other.

Re:True iOS barrier is lack of ability by app (1)

0xdeadbeef (28836) | more than 2 years ago | (#38861005)

WTF are you talking about? The malware can simply execute the latest jailbreak exploit the fanboys are so excited about. Then it can do whatever it wants.

Re:Two choices about it... (1)

Solandri (704621) | more than 2 years ago | (#38860471)

With iOS, there is not much one can do about malware, if it gets past Apple's gatekeepers. JB-ing the device and slapping on Firewall iP is probably the best thing one can do. However, the barrier for entry for malware writers is very high. It is pretty difficult (and more expensive) for a blackhat organization to create a new account with Apple (paying them a C-note a year), and cook up some personal info (like bank accounts and such to register under) to even be able to see iTunes Connect, much less have the app approved. This has done a good job in keeping iPhone users safe

It's done a good job keeping iOS users safe from blackhat malware. Legit apps on the other hand are having a field day mining and selling user data [zonealarm.com] which most people would consider private.

What can help Android immensely would be an app that runs as root and can allow/disallow access to SD cards, contacts, SMS, phone, and networking. There is an app called LBE Privacy Guard which runs as root and offers features that should really be part of Android (perhaps some features behind an Advanced menu.)

Thank you so much. I already had DroidWall, but LBE Privacy Guard was exactly what I've been looking for. It's my phone. I should be able to control what data can be accessed by an app.

Re:Two choices about it... (0)

Anonymous Coward | more than 2 years ago | (#38860967)

That's the rub:

An app in iOS that has access to contacts can freely do what it pleases to with the info. If you have a firewall program for a jailbroken version, you will be surprised at how many ad sites, tracker sites, survey sites, and other crap an app connects to. A lot of sites don't even have names, just IP addresses.

However, handing contact data and whom you call isn't considered a breach -- it is lumped under normal functionality because it is heavily hidden, compared to Android where it is very easy to spot compromised data. If an iOS app doesn't do something overtly bad, it can pretty much have free rein over the phone, contacts, photos, and stored videos, and if the app decides to phone home only on wi-fi, nobody would be the wiser.

Re:Two choices about it... (1)

danomac (1032160) | more than 2 years ago | (#38860553)

> What can help Android immensely would be an app that runs as root and can allow/disallow access to SD cards, contacts, SMS, phone, and networking.

I can see this being used as a central point of attack to gain access to the phone. If anything happens to that you can't trust your phone anymore.

Re:Two choices about it... (0)

Anonymous Coward | more than 2 years ago | (#38860933)

If done right, it would have a pretty low attack profile, mainly because with a sane writing style and proper UNIX perms, a non-root app couldn't touch it. Of course, there might be an exploit somewhere, such as filling up logs or the SD card, but if written with any semblance of security specifics, it wouldn't have to be that big a size, and it would add a lot to security.

Perhaps fuse an active app with SE-Linux, or the NSA's hardening of AOSP?

Re:Two choices about it... (0)

Anonymous Coward | more than 2 years ago | (#38860993)

permission spoofing would be a handy Android feature

loads of apps "require" all sorts of permissions, so if you don't allow it the app doesn't install

if there was a way to let the app only think it had the permission (but not really), it would at least install

if you locked out a permission that an app actually required, the app would stop working and you would have to restart (or uninstall) it, but if the permission wasn't really required for anything but stupid banner ads, the app would run fine but get 404 errors in the banners (maybe)

of course the app developers wouldn't approve of this, and many of the "free" apps would become pay only, but at least it might clean up the Market

- crutchy

Dumbphone user here... (4, Insightful)

bmo (77928) | more than 2 years ago | (#38859941)

And the more I read about this, the better off I think I am.

Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.

>free app clones of pay ones are a problem

No, closed source "free" apps are the problem.

--
BMO

Or buy an iPhone (2)

SuperKendall (25149) | more than 2 years ago | (#38860467)

The article likes to make it sound otherwise but iOS does not have this issue.

> No, closed source "free" apps are the problem.

It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.

Re:Or buy an iPhone (4, Insightful)

bmo (77928) | more than 2 years ago | (#38860585)

> It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.

No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*

That's the advantage.

Nefarious code does not live long in open sauce. Basically because not everyone is Ken Thompson to quote Tom Christiansen.

Tom Christiansen has a pretty good rant about why the source-code world is superior. I have saved this as a text file since I read it the first time here, because it is that good.

http://news.slashdot.org/comments.pl?sid=2540&cid=1522840 [slashdot.org]

--
BMO

Re:Or buy an iPhone (2)

BasilBrush (643681) | more than 2 years ago | (#38860721)

> No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*

No, you only know that they can, not that they do. Nor do you know that even if they do, would they recognise the few lines of code that are performing a malware task. Code review is slow and tiring.

Re:Or buy an iPhone (1)

bmo (77928) | more than 2 years ago | (#38860765)

In order for people to contribute to an open source project, one must do code review anyway as a matter of course, and most projects are multiple people.

Sure, maybe you can slip your nefarious code past a few end users if you are a sole developer, but try getting it past your fellow developers in a project.

"Three people can keep a secret if two of them are dead." - Franklin.

--
BMO

Re:Or buy an iPhone (2)

BasilBrush (643681) | more than 2 years ago | (#38860835)

Most open source code is produced by a sole developer. There are way more calls for programmers to join projects than there are programmers interested in joining projects.

And even where there are multiple programmers, they tend to find their own specialist areas of the code that are probably never looked at by anyone else.

The idea that "given enough eyeballs, all bugs are shallow" is a fallacy.
http://en.wikipedia.org/wiki/Linus'_Law [wikipedia.org]

Re:Dumbphone user here... (1)

danomac (1032160) | more than 2 years ago | (#38860573)

> Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.

Well, if you're the only one who has physical access to the phone, getting a dumb phone that can't connect to the internet is the best way to avoid getting hacked... although most of the "hacking" is through social engineering.

As smart phones get more and more prevalent this will get worse. Apple's app store tries to remove the social engineering factor, but it's still plausible to hack the phone through the cell networks, and attack the device directly. If that happens to the iPhone ecosystem all hell will break loose.

Re:Dumbphone user here... (1)

lexman098 (1983842) | more than 2 years ago | (#38860603)

> And the more I read about this, the better off I think I am.
>
> Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.

Why even step outside.

Simple really (4, Insightful)

Osgeld (1900440) | more than 2 years ago | (#38859949)

Don't download every dumb shit dancing santa talking cat bullshit app your mom's co-workers recommend

option B is to not use a smartphone and get over your facebook/twitter addiction

As long as they don't send spam... (1)

John Hasler (414242) | more than 2 years ago | (#38859977)

n/t

Really? It's called common sense. (2)

ne0codex (2503500) | more than 2 years ago | (#38860019)

And why is there a constant need to feed this fear? If I get a weird text message, I ignore it and delete it. "Security measures" that one takes when browsing the web on a computer should apply for cell phones! If you get a pop up saying "click here to jailbreak now" or "click here to get free i-p-a-d" or "click to see my naughty pictures" or "click here to increase your manhood," etc. of COURSE that's fake and should be closed/ignored! If you download apps for your cell phone, then read the reviews! Try to determine if it's a trusted source if possible! Taking these safety precautions under ANY device will make you 99.9% malware proof! Why is this posted on Slashdot? This is the kind of content that the brainless general media would repost over and over again! Not a technology-savvy site!

Re:Really? It's called common sense. (1)

Relayman (1068986) | more than 2 years ago | (#38860057)

Because the whole antivirus industry is at risk. Eliminate malware and a whole section of the economy just shrivels up and dies. I sympathize with those who make good money on others' misfortunes.

Apple and malware (1)

Skapare (16644) | more than 2 years ago | (#38860127)

From the article NOT behind the NYT paywall:

Miller's reward for showing Apple that it, too, is vulnerable? They kicked him out of the app developers program. Nice going, guys.

Isn't that exactly how Apple deals with malware? Think what would happen if Google did that.

I defend ANDROID smartphones w/ HOSTS files (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38860239)

DO THE FOLLOWING (after obtaining a good reputable solid HOSTS file, like mvps' -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org])

---

1.) Get ahold of the "Android Debugging Bridge" (ADB) & install it

2.) Mount your system mountpoint as READ + WRITE (as powerful of privileges as you need is this)

3.) Using the PULL command, copy the file over from your PC (or even on your ANDROID if its there already) using PULL & overwrite the etc. folder's copy of HOSTS

---

* DONE!

(Yes, it's THAT simple vs. hosts-domain based threats which ARE THE MAJORITY OF THEM OUT THERE (because hosts-domain names are recyclable unlike IP addresses)... &, it works - you CAN'T be burned if you can't go into the malware kitchen!)

APK

P.S.=> Of course, your HOSTS file will need to have the domain/hosts name of the C&C servers, & that you have to obtain for this to work vs. threats like bogus servers &/or maliciously scripted sites. Here's some good sources for that above & beyond mvps.org (I noted them above):

http://hosts-file.net/?s=Download [hosts-file.net]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://mirror1.malwaredomains.com/files/ [malwaredomains.com] (justdomains here)
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
https://zeustracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
http://www.malwareurl.com/ [malwareurl.com]
http://www.safer-networking.org/en/download/ [safer-networking.org] (updater for Spybot "Search & Destroy" & it fortifies HOSTS files)

Those are some of my regular sources that are reputable & reliable for custom HOSTS file data populations vs. known threats online - I consolidate them here via programs I wrote that normalize/deduplicate repeated entries, sort/alphabetize the results, & change from larger + slower 127.0.0.1 (longer & loopback ops happen here) to the faster & smaller 0.0.0.0 (or even 0 on Windows 2000/XP/Server 2003): Enjoy!

... apk
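
The consolidation step described in the comment above (merging several blocklists, normalizing and deduplicating entries, sorting, and rewriting the sink address to 0.0.0.0), as an added Python example that is not the commenter's own program. The function names and sample lists are constructed for illustration, and skipping lines that map a name to a real IP is an assumption about what should count as a block entry.

```python
import re

# One DNS label: letters, digits, "_" or "-", not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")
# First-column addresses that mark a line as a block entry.
_SINKS = {"127.0.0.1", "0.0.0.0", "0", "::1", "::"}
# Names that must keep resolving; never sink them.
_KEEP = {"localhost", "localhost.localdomain", "broadcasthost"}


def valid_host(name):
    """True for a syntactically valid multi-label hostname (not an IP)."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)


def parse_blocklist(text):
    """Yield normalized hostnames from hosts-format or bare-domain text."""
    for raw in text.splitlines():              # handles CRLF lists too
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) == 1:
            candidates = fields                # bare-domain list
        elif fields[0] in _SINKS:
            candidates = fields[1:]            # "<sink ip> name [name ...]"
        else:
            continue                           # real IP mapping: a redirect, not a block
        for tok in candidates:
            name = tok.lower().rstrip(".")
            if name not in _KEEP and valid_host(name):
                yield name


def merge_blocklists(sources, sink="0.0.0.0"):
    """Merge lists into one deduplicated, sorted hosts file body."""
    names = {n for text in sources for n in parse_blocklist(text)}
    lines = ["127.0.0.1 localhost"] + [f"{sink} {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"


# Constructed sample lists (reserved example domains), one per input style.
SAMPLES = [
    "# hosts format, CRLF\r\n127.0.0.1\tlocalhost\r\n127.0.0.1  Ads.Example.com # note\r\n",
    "0.0.0.0 ads.example.com\n0 c2.example.org\n203.0.113.7 portal.example.com\n",
    "tracker.example.net\nbad-.example.org\nc2.example.org.\n",
]

if __name__ == "__main__":
    print(merge_blocklists(SAMPLES), end="")
```

The output is the file that gets copied to the device. With adb, copying from the PC to the device is `adb push`, while `adb pull` copies from the device to the PC.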

Re:I defend ANDROID smartphones w/ HOSTS files (4, Insightful)

SoupIsGoodFood_42 (521389) | more than 2 years ago | (#38860879)

> Yes, it's THAT simple

Only on Slashdot could you say that with some vague sense of truth to it.

Re:I defend ANDROID smartphones w/ HOSTS files (0)

Anonymous Coward | more than 2 years ago | (#38861035)

so what website did you plagiarize all that from?

you so remind me of that geek on a movie called "The Core"

have you EVER had sex... like... with a girl?

...and no reference to "open sores"?

hello (0)

Anonymous Coward | more than 2 years ago | (#38860283)

hello there my friend

iPhone (0)

Anonymous Coward | more than 2 years ago | (#38860349)

Buy an iPhone. nuff said.

Google (1)

Henriok (6762) | more than 2 years ago | (#38860397)

This article seems to be solely about Android and it's not that surprising since it's the operating system from the company whose business model is to sell your personal information to everyone who wants it. The users of Android are the advertisers, you are a part of the product packaged by Google for the OEMs and carriers. Welcome to the open!

Easy way (0)

Anonymous Coward | more than 2 years ago | (#38860769)

Get a REAL cellphone, not a smart-hd-mini-tablet something. One that looks like a phone, and is HANDY to talk to it.

Year of mobile malware (0)

Anonymous Coward | more than 2 years ago | (#38860949)

It has been the year of mobile malware since 2006. It didn't materialize then, the same experts keep predicting it, why should it materialize now? Yes, they will eventually be right but they'll be as surprised and unprepared to deal with it as they were with every new threat that came along while they were waiting for the year of mobile malware.

Re:Year of mobile malware (0)

Anonymous Coward | more than 2 years ago | (#38861093)

I remember when bluetooth, then MMS, vulnerabilities were all the rage. I even remember seeing one bluetooth worm in the wild - we were on a bus, someone's phone uploaded a worm on my friend's phone. It didn't go much further, because it popped up a confirmation prompt after that. I think it was 2005.

6 years later and still no armies of zombie phones out there. Most malware is still of "I didn't know it will send my personal data" variety.

With smartphone and tablet sales in the hundreds of millions range, I'd think blackhats would try harder to get a botnet or two running.

more firewall granularity (1)

denbesten (63853) | more than 2 years ago | (#38861003)

I've often wished the android permission model considered "phone home" and "access the Internet" separately. It seems much less risky to me to allow an application to access a predefined small set of sites than to access "everything".

VPN over wireless (1)

koan (80826) | more than 2 years ago | (#38861061)

If I go to the coffeeshop I use VPN to connect, I do have a paid VPN account but I also have a VPN server set up at home on my NAS so I can use that as well if I don't want to pay.

Normally WiFi is off as is Bluetooth.

The only apps that get permission to use my location are TomTom GPS and some camera software both of which are vetted, everything else gets denied as I don't use social sites or any other crapware.

I only give out my real phone number to a very small group of friends & family, everyone else including businesses and stores gets my Google Voice number, which then allows me to block if it's spam or that Ex that's stalking me. Gvoice is the best thing ever: as spam filtering is to email, Gvoice is to my phone (if you don't mind being recorded).
Personally I would pay for Google Voice, it's that useful to me.
