Saturday, 18 April 2015

Is Android still secure?

Laws, flaws and chores. We look at the latest issues surrounding mobile security.

Right now, it seems as though everyone wants a piece of whatever goes through your mobile device — everyone from the federal government, right down to the code-junkies unleashing new malware. Australia’s controversial data retention scheme will affect mobile device owners even more than desktop users, with phone call, email and internet metadata said to be stored for a two-year period from the date of transaction. Elsewhere, the claimed total amount of mobile malware has risen from 1.5 million at the end of March 2013 to just over six million by the close of 2014, according to the latest McAfee Labs Threat Report (tinyurl.com/k8m2f3g).

But it’s not all bad news — when it comes to mobile malware infections, Australia has the lowest rate of infection in the world at around 5%, beating Europe on 7% and nearly 8% in North America, while Africa and Asia top the list at 10% apiece, according to the report.


BEST ANDROID ANTIVIRUS SOFTWARE


But it’s no secret that Google thinks antivirus software is a needless exercise for the average Android user (tinyurl.com/odlj49w). Not surprisingly, those selling the software think otherwise. But having decided you need antivirus, the question remains: which of the growing number of Android security apps on Google Play do you choose? We checked with independent security analysts AV-TEST, who ran 31 of the latest Android security tools against a barrage of 2,950 recent nasty apps. Of those 31 tested, AV-TEST found 17 worthy of its top six-star rating in both protection and usability. Here, AV-TEST defined ‘protection’ as the app’s ability to detect the test malware, while ‘usability’ meant whether or not the app affected device performance or battery life, or generated false warnings.

This gold-star list includes a mix of newcomers and old stagers, but each of the 17 detected all of the dodgyware AV-TEST threw at them and delivered no discernible drop in battery life or performance (tinyurl.com/kgxvud8).

But things are less equal when it comes to software features. According to AV-TEST, Antiy AVL 2.3, Baidu Mobile Security 5.4 and Cheetah Mobile Clean Master 5.9 don’t include the commonly-found remote-lock/wipe/locate feature trifecta, for example. Further, less than half of the 17 apps were reported to have data-backup options and only three were said to incorporate any form of encryption, whether it’s virtual private network (VPN) support or device or SD card encryption. We’ve listed the features of the top 17 as AV-TEST found them to help you choose.

BYPASSING DATA RETENTION LAWS


While it’s certainly been interesting watching some of our politicians try to explain the extent of Australia’s proposed data retention scheme (which had just passed through the Lower House at time of writing), of far more interest is whether you can bypass the scheme and how hard it is to do.

It seems Communications Minister Malcolm Turnbull has a solution for SMSing he’s fond of — the encrypted messaging app, Wickr (tinyurl.com/ofxs3uz). According to Wickr, all data leaving your device is encrypted with 256-bit AES-grade encryption and no metadata is transmitted.

The minister may have also hinted at another option — using a virtual private network or VPN (tinyurl.com/kjp8szw). A VPN allows your data to tunnel through the internet via an encrypted software connection to a VPN server at the other end, which then passes on your web-browsing and general internet requests. But the trick to making a VPN work in this situation is that the VPN server should be located in another country. It also means you’re now relying on the integrity and security of this VPN server at the other end.

Could this cure be worse than the original affliction? As we’ve mentioned before, we do have some privacy and security concerns for mobile banking via rerouted services, so at the very least, choose your VPN provider wisely.

ANDROID WEBVIEW FLAW


But we fear this could be overshadowed by a potentially more serious issue facing Android users. Late last year, a new security flaw was discovered in Android’s WebView code component, a part of the WebKit engine for displaying web content in apps (tinyurl.com/pdrqged). WebView is used in countless apps, not least of which is the default Android Browser bundled with every version of the Android OS. It’s not WebView’s first flaw, but Google has now controversially decided to continue patching WebView in KitKat (Android 4.4) and Lollipop (5.x) releases only.

Google’s Adrian Ludwig posted on his Google+ page (tinyurl.com/k263o2d) that the reason behind the decision to stop patching older versions is that with over five million lines of code now powering WebKit and hundreds of developers adding to the open-source code each month, fixing WebView issues in some instances was ‘no longer practical to do safely’. He continued, ‘With advances in Android 4.4, the number of users that are potentially affected by legacy WebView security issues is shrinking every day as more and more people upgrade or get new devices’.

POSSIBLE SOLUTIONS


To be fair, Ludwig also gave some solutions for those on Android 4.3 or older devices. Provided your device runs at least Android 4.0/Ice Cream Sandwich, you can solve the browser issue by installing Google’s Chrome browser from Google Play and using it instead. If you’ve passed your old HTC Desire or Wildfire phone on to your kids and it’s running Gingerbread/2.3, you’ll need to go with the latest release of Firefox, also available free on Google Play.

But as for general apps using WebView, the situation seems far less clear. Ludwig has recommendations for app developers on how to mitigate WebView security issues and reduce the risk to users, but there’s no guarantee every app developer will know of the recommendations and/or update their apps.

IMPLICATIONS


We’re concerned by this new development, which, for us, raises several questions. For starters, is Google now picking and choosing which flaws it decides to fix in older Android releases? Ludwig’s comment that ‘with advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices’ won’t offer much comfort to users who spent good money not long ago on devices that may never see a factory KitKat/4.4 update in Australia. For example, where does this leave the Samsung Galaxy S3, which, in Australia, appears to still be officially a Jelly Bean OS-only phone?

What concerns us is that Jelly Bean/4.1 was only released in June 2012, and the latest 4.3.1 update in October 2013, or around 18 months ago — we’re not talking about an ageing ‘Windows XP’ OS here. Further, according to Google’s latest Android distribution map from 2 March 2015, the proportion of devices running Jelly Bean/4.3.1 or older versions of Android is still over 50%, which some equate to near-on one billion devices, now wandering around with potential security issues that may never be fixed (tinyurl.com/m83grz8, tinyurl.com/o2d5hho).

The problematic Android patch and OS update distribution model certainly doesn’t help. Even if Google comes up with a patch or OS update, it’s reliant upon device makers choosing to validate it for their particular devices (and in the case of phones, additional validation by phone network providers) before an update is pushed to users. But if Google doesn’t provide a fix to start with, users have little hope of a patch.

In addition, you have a situation now at time of writing where new Android devices are still being sold by Australian retailers and listed to ship with a Jelly Bean-class OS — where does this leave these devices? Personally, I’ll be making sure any Android device I purchase in future has at least KitKat on-board before I buy.

If nothing else, one thing is abundantly clear to us — we all must start taking far greater interest in the chore of mobile security, including the operating system.

FREAK OUT


In early March 2015, a new security vulnerability was announced in the secure sockets layer (SSL) and transport layer security (TLS) protocols used to provide encryption and secure web sites. Dubbed ‘factoring attack on RSA-Export Keys’ or ‘FREAK’ for short, the flaw affects major web browsers, including Internet Explorer, Chrome and Safari — the notable exception being Firefox.

As for Android, both the original bundled Android Browser and Chrome for Android are affected (tinyurl.com/ly5j6w2). You can use the FreakAttack checking tool (freakattack.com/clienttest.html) to see if your device is also vulnerable. If so, ensure you download as soon as possible the latest version of your preferred browser that’s known to address the flaw. At time of writing, Chrome as of version 41 appeared to fix the issue.

However, it’s not just browsers that need attention — security analysts at FireEye recently found 1,228 apps on Google Play with one-million-plus downloads that are FREAK-vulnerable (tinyurl.com/l988xw8). A significant number of iOS apps are also affected.
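FREAK turns on whether a TLS client will end up doing an RSA key exchange with a weak 512-bit ‘export’ key. One symptom a defender can check for directly in captured traffic is a client (browser or app) that still advertises the RSA_EXPORT cipher suites in its ClientHello. The following added example, which is not from the article or from the FreakAttack tool, parses a TLS ClientHello record and reports any RSA export suites it offers; the sample hellos are constructed in the code. Note the caveat: a client that offers no export suites can still be vulnerable if its TLS library accepts an export key it never asked for, so a clean result here is not proof of safety.

```python
import struct

# IANA cipher suite identifiers whose key exchange is export-grade RSA
# (512-bit keys): the suites a FREAK downgrade relies on.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def client_hello_cipher_suites(record: bytes) -> list:
    """Parse a TLS record carrying a ClientHello; return the offered suite ids."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated record")
    # Handshake header: msg_type(1) length(3); msg_type 0x01 = ClientHello
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                      # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = hello[pos:pos + suites_len]
    if len(suites) != suites_len or suites_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, suites_len, 2)]


def freak_exposed_suites(record: bytes) -> list:
    """Names of RSA export suites the ClientHello advertises (empty = none offered)."""
    return [RSA_EXPORT_SUITES[s] for s in client_hello_cipher_suites(record) if s in RSA_EXPORT_SUITES]


def build_client_hello(suites) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello with the given suites."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method (null), no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: one client still offering an export suite next to modern ones, one not.
VULNERABLE_HELLO = build_client_hello([0xC02F, 0x009C, 0x0003])
SAFE_HELLO = build_client_hello([0xC02F, 0x009C, 0x002F])
```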

YOUR PHONE, YOUR SECURITY!


While Apple released iOS 8.2 in mid-March, in part, to address FREAK, a Google spokesperson said the search giant has developed an Android FREAK patch and that it ‘has been provided to partners’. That’s great news, but with this bucket-brigade method of Android patch distribution, it’s ultimately now up to those ‘partners’ — Android device makers and phone network providers — as to when or if users actually receive it.

Combine this with Google’s decision to no longer patch WebView pre-KitKat, along with the number of Android devices in circulation effectively abandoned by their makers, and we think the whole security situation is greatly concerning. There are likely many users still under the impression that mobile devices are impregnable, but this should be the wake-up call we all need.