What You Don’t Know About Android Application Security
Serious security threats keep hitting the Android platform. In response, both Google and device makers like Samsung and LG have recently made several proposals and initiatives to remedy this troubling situation. Yet these proposals will take time to implement and will only address a part of the problem.

If you are involved in Android development or you are sourcing Android apps from other software vendors, what risks are you exposing yourself and the users of your apps to? And more importantly, what can you do to minimize those risks? Read on to find out.

Android Application Security

The big Android story of 2015 was the Stagefright vulnerability, which resulted from a series of bugs in the Stagefright media engine inside the Android Open Source Project maintained by Google. The various Stagefright bugs were discovered between July and October of 2015, and altogether the exploit exposed 95% of Android devices to arbitrary code execution by an attacker who needed nothing more than the phone number of the device.

But Stagefright is certainly not the only alarming Android security issue. New vulnerabilities keep popping up — from side channel attacks on popular Android cryptography libraries, to a recently discovered attack called “accessibility clickjacking” that exposes an estimated 65% of Android devices to the loss of all text data such as emails and SMS messages.

In fact, according to one estimate, 36% of Android apps contain critical or high severity security vulnerabilities. Combine that with the fact that Android malware more than doubled in the second half of 2015, and it’s not surprising that mobile devices have recently overtaken Windows-based PCs as the main platform for security attacks.

Open source and the fragmented Android marketplace

To be fair, other mobile platforms besides Android are also being exposed to increasing security exploits. But there are some important features of the Android ecosystem — apart from its popularity — that contribute to its security problem.

First is the open-sourced nature of the base Android platform and of the many popular libraries used by Android developers. One (fairly old) estimate is that 88% of Android applications use open-source components, and that number will only keep growing. Given the size and the complexity of the entire platform, it’s inevitable that important vulnerabilities will appear in the open-sourced code and will be discovered by attackers.

The conventional view of open source is that with enough eyes, all bugs are shallow. In other words, any bugs in open-sourced code will quickly get discovered and fixed. That might be true in a simpler software distribution, but with Android, the situation is different.

The Android ecosystem consists of thousands of devices produced by hundreds of manufacturers. The carriers and manufacturers are typically the ones responsible for pushing updates, and this means that patches and security updates are slow to get delivered. In fact, 82% of Android devices are currently not running the most recent version.

So what to do?

Several new approaches are under way to improve security on Android devices. Immediately after the Stagefright news broke last summer, Google, Samsung, and LG each pledged to start pushing monthly security updates, which carriers could then make available to their users. Also, Zimperium, the security company which discovered the initial Stagefright exploit, created the Zimperium Handset Alliance — an initiative to communicate security vulnerabilities with vendors directly rather than only with Google.

A second approach is static and dynamic analysis of Android code and apps to detect security vulnerabilities. For example, Mend provides the ability to inspect all open-source libraries and their dependencies and to get notified of security vulnerabilities as they are discovered. This can be done during development or even on the packaged APK.
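To make the packaged-APK case concrete, here is an added sketch (not Mend's code or any vendor's product) that inventories the libraries bundled in an APK and compares them with an advisory feed. It assumes the libraries ship `META-INF/<group>_<artifact>.version` marker files, as AndroidX artifacts do, and that the build kept them; the library names, versions and advisory ids are constructed.

```python
import io
import re
import zipfile

# Constructed advisory feed: library -> (first fixed version, placeholder id).
ADVISORIES = {
    "com.example.imaging_decoder": ((2, 4, 1), "EXAMPLE-ADVISORY-0001"),
    "com.example.net_client": ((5, 0, 3), "EXAMPLE-ADVISORY-0002"),
    "com.example.legacy_parser": ((1, 0), "EXAMPLE-ADVISORY-0003"),
}

def parse_version(text):
    """Leading numeric part as a tuple: '1.2.0-beta01' -> (1, 2, 0); junk -> ()."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def older(version, fixed):
    """True if version < fixed; an unparseable version counts as older (fail closed)."""
    n = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(version) < pad(fixed)

def inventory(apk_bytes):
    """Map library name -> version string from META-INF/*.version entries."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:  # an APK is a ZIP archive
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.endswith(".version"):
                lib = name[len("META-INF/"):-len(".version")]
                libs[lib] = apk.read(name).decode("utf-8", "replace").strip()
    return libs

def findings(libs, advisories=ADVISORIES):
    """(library, bundled version, advisory id) for each library older than its fix."""
    return [(lib, ver, advisories[lib][1])
            for lib, ver in sorted(libs.items())
            if lib in advisories and older(parse_version(ver), advisories[lib][0])]

def build_sample_apk():
    """Constructed APK-shaped ZIP so the example runs offline."""
    entries = {"AndroidManifest.xml": "", "classes.dex": "",
               "META-INF/com.example.imaging_decoder.version": "2.3.0\n",
               "META-INF/com.example.net_client.version": "5.1.0\n",
               "META-INF/com.example.ui_widgets.version": "1.0.0-beta02\n",
               "META-INF/com.example.legacy_parser.version": "unspecified\n"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    for lib, ver, advisory in findings(inventory(build_sample_apk())):
        print(f"{lib} {ver}: {advisory}")
```

A library that ships no version marker, or whose marker was stripped during packaging, is invisible to this check, so an empty result is not proof that the APK is clean.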

Another approach is to detect and block attacks in real time. An example of this is the solution offered by Zimperium, which uses machine learning algorithms to spot attacks as they are happening.

One thing is certain: Android is the dominant mobile operating platform, and with the increasing integration of mobile devices into all aspects of our lives, security attacks on Android will continue. In the end, a combination of all the approaches listed above might be necessary to protect yourself against increasingly complex and novel security exploits.
