Some Thoughts On Android OS Security

Android OS and Application Security

A lot has been written about Android OS security issues in the popular media. Unfortunately, most of it is totally misleading, irresponsible, and erroneous. While Android OS may have many security issues, many of the problems cited with Android phones are not related to the OS at all.

Most of the writers in the popular press published articles about Android security weaknesses citing sources that were themselves wrong. They took their information from white papers created by vested interests, or from academic research papers that were dated and no longer relevant. As a result, a false impression has been created that Android phones are insecure and that, as with PCs, you have to buy third-party security software to use them. Many big articles were written with the aim of scaring average consumers and selling them expensive virus-checking software subscriptions for Android phones.

If you look deeply from an engineer’s perspective, Android OS is nothing but Linux at its heart, with a keyboard handler, a screen handler and other tech goodies added for managing the phone services. Being an open source OS, it comes with the benefits that one can associate with open source software. Open architecture means that you don’t need anyone’s approval to distribute your application on Android phones. Naturally, it also means that a user should never download and install third-party applications unless they know what they are installing.

Poor Application Testing By Google

Much of the bad impression was created through Google’s own fault, or a lack of mobile environment at Google. Google did make many mistakes in the beginning by not doing even minimal testing of submitted mobile applications before putting them on the Google App Store for consumers to download. The main incentive, it appears, was to keep the Android marketplace open for small developers by not putting up too many barriers. Otherwise, it would have been easy for them to require an RSA-style verified certificate for code signing before allowing apps on Android, as was the case with J2ME phones. Or, they should have at least added some level of basic security checks on the applications before allowing users to download them.

After getting an initial bad rap, Google integrated the necessary automated security testing for marketplace applications. They can also remotely disable an app if it is deemed a security threat. Moreover, after many iterations of the Android OS, Android is at this point no less or more secure than any other OS.

No security approach is foolproof, and added scrutiny can often lead to important improvements. Google’s systems are getting better every day at detecting and eliminating malware to keep Android safe. Here are some ways Android phones are protected.

Google’s Bouncer Android App Checking Software

 

The new service called “Bouncer” performs automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

According to Google, the Bouncer service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and Trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags.

The Google team actually runs every application on Google’s cloud infrastructure and simulates how it will run on an Android device to look for hidden, malicious behavior. They also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.


The service has been looking for malicious apps in Market for a while now, and the number of applications that pose any threat to Android security has seen a significant decrease recently. This drop occurred at the same time that companies that market and sell anti-malware and security software have been reporting that malicious applications are on the rise.

  • Sandboxing: The Android platform uses a technique called “sandboxing” to put virtual walls between applications and other software on the device. So, if you download a malicious application, it can’t access data on other parts of your phone and its potential harm is drastically limited.
  • Permissions: Android provides a permission system to help you understand the capabilities of the apps you install, and manage your own preferences. That way, if you see a game unnecessarily requests permission to send SMS, for example, you don’t need to install it.
  • Malware removal: Android is designed to prevent malware from modifying the platform or hiding from you, so it can be easily removed if your device is affected. Android Market also has the capability of remotely removing malware from your phone or tablet, if required.
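The permission check described in the list above can also be done mechanically. The following is an added example, not part of the original article: it reads the `uses-permission` entries from an app manifest and flags anything outside what the app's category plausibly needs. It assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary form); the per-category baseline, the sensitive list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline of what a simple game needs (illustrative, not a Google list).
EXPECTED_FOR_CATEGORY = {"game": {
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE", "android.permission.WAKE_LOCK"}}

# Permissions that can cost money or expose personal data if misused.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}

# Constructed sample manifest for a hypothetical puzzle game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.VIBRATE" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.BLUETOOTH" />
  <uses-permission />
</manifest>"""

def requested_permissions(manifest_xml):
    """Return permission names in manifest order, skipping malformed entries."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:  # an entry without android:name carries no information
            names.append(name)
    return names

def audit(manifest_xml, category):
    """List (permission, level) for every request outside the category baseline."""
    expected = EXPECTED_FOR_CATEGORY[category]
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm not in expected:
            level = "high" if perm in SENSITIVE else "review"
            findings.append((perm, level))
    return findings

if __name__ == "__main__":
    for perm, level in audit(SAMPLE_MANIFEST, "game"):
        print(f"{level:6} {perm}")
```
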

Adding Another Layer of Security

Obviously, Google needed to add a layer of verified security certificates. But that would have made phones less open and more expensive for developers to put their apps in the marketplace. Since Google didn’t do it, manufacturers like Samsung have taken to adding such a layer themselves. The end result is Knox.

Knox, Samsung’s enterprise security platform for Android devices, has been approved for use by the United States Department of Defense.

Knox was designed around securing devices that users bring from their homes into the workplace for use, a trend that the technology industry as a whole has taken to calling “Bring Your Own Device.” By supporting Samsung Knox and other BYOD platforms, large organizations like the Defense Department and companies in the private sector can better protect their internal networks while providing a way for their employees’ devices to be used in the workplace. In effect, the single device is able to partition the user’s personal data from that of the organization, and secure it against theft.

Samsung Knox was approved through the Defense Department’s Defense Information Systems Agency. That agency approves all devices that can be used on the Defense Department’s secure network. The agency also announced its approval of Knox at the same time as it announced approval for BlackBerry’s BlackBerry 10 operating system.

The handset maker announced Friday that its Knox-enabled mobile devices have been approved by the Pentagon for government use. Samsung’s Knox software offers high-level encryption, a VPN feature, and a way to separate personal data from work data. The software also enables IT administrators to manage a mobile device through specific policies. For now, the Galaxy S4 is the only Samsung device equipped with Knox. But the company promises that other smart phones as well as tablets will receive the security software.

The thumbs-up from the Pentagon means that the S4 and future Knox devices can be used by U.S. government and military departments that tap into the Department of Defense networks. Access to these networks requires high security standards, and the S4 is the first Android phone to meet the requirements, according to Samsung.

The new security clearance also opens up certain types of businesses as potential new customers for Samsung.

In the past, BlackBerry was the go-to vendor for government and big business due to the high-level security on its devices. But Apple and Android have begun carving out a chunk of this lucrative market. Samsung in particular is aiming to muscle in on BlackBerry’s territory with help from its Knox software.

Part of the Samsung for Enterprise (SAFE) initiative, Knox comes built into the operating system and addresses all major security holes in Android, according to the company. Knox’s ability to keep personal and business data separate matches a similar feature in BB10 called BlackBerry Balance. Up to now at least, BlackBerry hasn’t appeared to be concerned about Samsung’s efforts. The government’s nod to both Samsung and BlackBerry still leaves Apple out in the cold.

The iPhone maker is also seeking approval from the Department of Defense for its mobile devices. Specifically, the DOD needs to certify the iOS 6 operating system as secure enough to be used by defense agencies and the military. However, that approval is expected within the next few weeks, The Wall Street Journal reported Wednesday.

Passing the government’s security test doesn’t automatically guarantee a sale. Approvals “do not directly result in product orders, but facilitate the process by eliminating the need for security reviews at the individual DOD organization level,” a Defense Department spokesman told the Journal.

Samsung, BlackBerry, and potentially Apple will still need to fight over lucrative government contracts just as they do in the business world. But assuming Apple does win security approval, all three rivals will duke it out on an even playing field.
