The Bugs Don’t Work, apparently!

Under creative commons: Image by Peter Werkman

Two stories relating to Google’s Android OS caught my eye last week. First we saw Android Security Chief, Adrian Ludwig, presenting a last-minute paper at the Virus Bulletin conference in Berlin, entitled “Android – practical security from the ground up”. The second was no less than Eric Schmidt wading into the discussion and declaring Android to be “more secure” than its closest rival, Apple’s iOS. One could be forgiven for thinking there’s a charm offensive underway.

Let’s look at some of the detail from Adrian Ludwig’s presentation to VB Berlin. Adrian used Google’s unparalleled access to data relating to app installs on Android devices to present the conclusion that only 0.001% of apps are able to get past the “multiple layers of security” that Android puts in their way and eventually cause harm to the user. That’s an impressive claim for an operating system that is so widespread and so targeted by criminals. According to the presentation, those layers of security are: Google Play, unknown sources warning, install confirmation, Verify Apps consent, Verify Apps warning, Runtime analysis and the permissions-based sandbox that each app must operate within. If I understand the slides correctly then, in user terms, that equates to: Google Play, a dialogue box, a dialogue box, Verify Apps, a dialogue box, runtime analysis and a dialogue box.

While Google’s Verify Apps technology represents a great leap forward, particularly now that it has been decoupled from the OS itself, there are plenty of malicious apps that make it out there into Google Play’s storefront. In fact, at last count (12th October 2013) just over 46% of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play. When it comes to the unknown sources warning, the install confirmation dialogue and the permissions/sandbox warnings, it is fair to say that not only do app developers often massively over-request but also end-users rarely read the questions they are being asked, and even less often understand the potential implications of the permissions that they are granting. Who needs an exploit when you have permission? The questions regarding app permissions are only asked once, and they cannot be subsequently revoked in any granular fashion. It’s all or nothing and app developers are often going for the kitchen sink, encouraging the same “next, next, next” culture that we see in the traditional computing world.

Aside from the fact that a large number of these security layers are left entirely at the discretion of the end-user in the form of a dialogue box, there lurks another potential pitfall. Nowhere in the data available have I seen an indication of how many apps Google actually recognise as being malicious in the first place, or how widely those apps are proactively sourced. Of course, if your library of malicious and high-risk apps is limited, then the number of malicious installations that you notice will be consequently lower. I’m not saying that Google do not have a reliable library of such apps; I wouldn’t know. I am saying, though, that presenting the figure of recognised malicious installs without the context of the malware library leaves a pretty large hole in the conclusion that malicious apps are not being successful in the wild.

I won’t shy away from the complementary statistics that I would like to see from Google. Trend Micro have so far analysed 3.7 million Android apps and updates, and this number is growing every day; 18% of those apps have been classed as malicious and a further 13% as High Risk. As I mentioned before, just over 46% of the outright malicious apps were sourced directly from Google Play.

If you don’t know what you’re looking for, it’s no surprise that you can’t see it, as the awareness test below amply illustrates.

As for Eric Schmidt’s assertion at the Gartner Symposium, I’ll leave the last word to the renowned Charlie Miller…

“As someone who has written exploits for both platforms, let me say “no”.”
