How necessary is Android security software?
September 26, 2010 5:14 PM
Is Android security software legitimately useful?
Today I was browsing the Android Marketplace and I came across Lookout and DroidSecurity. Disregarding remote wipe and tracking features, I'm interested in whether the antivirus\antimalware parts of these apps actually do anything.
To be honest, I feel my (non rooted) Android 2.1 based phone is a pretty hardened platform already. If I only install apps from the Marketplace (which ought to be safe, right?) is there a legitimate threat of my phone being compromised from a remote host? For example, if my phone and your laptop are on the same wifi hotspot, what can you do to me? I'm wondering what are some typical mobile phone attack vectors and how do these apps mitigate those threats. Are there exploits currently in the wild? It seems a bit like security theater, at the cost of battery life.
Please feel free to get very technical. I am an IT guy, but I haven't been paying much attention to mobile stuff, mainly because my last phone ran Win Mobile 6.1 and had too much trouble just staying alive by itself without any malware necessary.
Best answer: On a non-rooted phone, any "antivirus" software you find will do precisely squat. The whole design of the operating system is based around isolating applications from each other. One of these antivirus programs will have no way of scanning the entire system like a Windows antivirus package would. It'll only have access to its own data. I suspect the apps you linked are placeboware.
In any case, Android is (to my knowledge) completely secure out of the box from network intrusion attempts. I just scanned my Nexus One running 2.2, and it didn't have a single open TCP port. Malware is theoretically possible, but it would require a root-level operating system exploit to do anything malicious. To my knowledge, nothing like that has been seen in the wild.
posted by teraflop at 9:02 PM on September 26, 2010
Best answer: jrockway is right. Apps in the Google Marketplace aren't reviewed in any way. Developers pay $25 and the apps are made available immediately after upload. Great for developers who need to fix a quick bug (fantastic, really!), but not so good for protecting yourself from baddies.
When you download, you can review the rights they have to your phone, but most people don't often even look at this. Depending on which permissions are requested by an app, they can read/write to your SDCard (taking application data from other apps despite "sandboxing"), send SMSes from your phone without your authorization (there was a malware app in the wild that did this, actually), read phone call state, initiate phone calls, change network state, run in the background and restart themselves to heart's content and more (see here for a list of permissions).
Most apps request these permissions because they legitimately need them to function, but I've seen more than a few apps trying to abscond with far more permissions than they actually need to function.
(While I prefer my Droid to my old Blackberry in countless ways, I really do like the Blackberry model of users' having the power to approve selected permissions much better.)
Your best bet on Android is to check the permissions the app asks for and compare them against what the app does AND read the comments, as inane as they sometimes are. Saw a battery "protector" app today that apparently sends SMS spam after you sign up. I'm sure there are many more where that came from.
One other interesting thing to note is that while apps are "sandboxed," they all have read-write access to files on the SDCard - plenty of apps write personal data to SD, so that can be harvested by a malicious app, too.
As for these antivirus apps, I've no useful information/opinion, haven't installed or inspected their activity and the fact that Android Market only allows them to describe their functionality in like 300 characters, but I'm inclined to agree with both jrockway and teraflop on this.
posted by jenh at 9:55 PM on September 26, 2010
Scratch the "One other interesting thing" line - missed deleting it on preview. Read/write access to SD card are requested (individual) permissions, not available by default to all apps, but do allow apps to read/write to the card and there's plenty of good stuff to be harvested there. Another reason to keep an eye on apps' requested permissions.
posted by jenh at 9:57 PM on September 26, 2010
As others have said, the best thing you can do is keep an eye on what permissions are requested at install time, and if you have any doubts at all ask if you really need that app.
posted by markr at 10:44 PM on September 26, 2010
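The install-time permission check recommended in the answers above, as an added example that is not part of any poster's comment: it reads the `<uses-permission>` entries from a decoded AndroidManifest.xml and lists the sensitive ones the app's stated purpose does not explain. The sample manifest, the `com.example.batterywidget` package and the `justified` set are constructed for illustration, and the manifest is assumed to be already decoded to text XML (inside an APK it is stored in a binary form).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions named in the answers above, mapped to what they let an app do.
SENSITIVE = {
    "android.permission.SEND_SMS": "send SMS without asking",
    "android.permission.CALL_PHONE": "initiate phone calls",
    "android.permission.READ_PHONE_STATE": "read phone call state",
    "android.permission.CHANGE_NETWORK_STATE": "change network state",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to the SD card",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself at boot",
}

# Constructed sample: decoded manifest of a hypothetical battery widget.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterywidget">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Battery Widget"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")  # attribute is namespaced
        if name:
            names.add(name)
    return names


def unexplained(manifest_xml, justified):
    """Sensitive permissions requested but not justified by the app's purpose."""
    extra = requested_permissions(manifest_xml) - set(justified)
    return sorted((p, SENSITIVE[p]) for p in extra if p in SENSITIVE)


if __name__ == "__main__":
    # Assumption: a battery widget that starts at boot needs only these two.
    justified = {"android.permission.BATTERY_STATS",
                 "android.permission.RECEIVE_BOOT_COMPLETED"}
    for perm, meaning in unexplained(SAMPLE_MANIFEST, justified):
        print(f"REVIEW {perm}: can {meaning}")
```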
Response by poster: Thanks for your thoughts guys, very interesting
posted by tracert at 6:45 PM on September 27, 2010
Possibly also worth mentioning is the fact that "Lookout" also includes a built-in function that can help you locate a lost phone that is running the app (using GPS), and also provides an off-phone backup solution. Both nice functions to have.
posted by illflux at 2:20 PM on October 12, 2010
This thread is closed to new comments.
There is absolutely no vetting on the Marketplace; you pay $25 and you can upload anything you want. Sure, an obviously malicious app will be removed eventually, but there is nothing really preventing anything bad from happening. The malicious app could be a fun game that doesn't become malicious until Jan 01 2011; with millions of copies installed, it doesn't matter if Google removes it from the Marketplace.
This problem affects all the other platforms, too; a clever hacker could easily get an exploit past Apple's "reviewers" (who are mostly making sure that you are not interfering with Apple's ads or whatever). Same for desktop OSes; there are real security products available (OpenBSD, SELinux), but nobody uses them on their desktop. The main thing protecting you right now is the fact that most people don't want to harm you, and that the super-obvious leaks have already been plugged.
Do the Android security packages you list do anything? Probably not. Proper Android security would require a rearchitecting of the APIs and a rework of the applications that use them. That's certainly possible in future versions of Android, but there is nothing on the Market that's going to do much.
Sorry, but crossing your fingers is the most effective security policy available these days, Android or otherwise.
posted by jrockway at 8:01 PM on September 26, 2010