Android’s app security model is flawed and needs to be improved before the mobile platform can be considered safe for enterprise environments, says Tyrone Erasmus, security consultant at MWR InfoSecurity. Erasmus is a speaker at the 2012 ITWeb Security Summit, where he will demonstrate attacks against Android apps.
Erasmus has created Mercury, a hacking framework which can be used to identify weaknesses in Android apps and initiate attacks against them, similar to the Metasploit exploitation framework. Like Metasploit, Mercury is open source and can be extended via modules to enhance its capabilities. “There was nothing for Android in the existing frameworks like Metasploit, so I built my own,” Erasmus says.
The framework consists of a server component, which is installed onto the mobile device and remotely controlled by client software. Although aimed at vulnerability researchers, the server can be embedded into other apps and used to scan users’ devices for vulnerable apps to attack.
“There’s a module section to allow people to write extensions. It would definitely be possible to write an exploitation scanner, and it could easily be embedded into malware,” he says. “It only needs Internet permission, and even that could technically be avoided.” With most apps, especially those with embedded ads needing Internet permissions, that requirement would be unlikely to raise suspicions, he says.
Recent Android updates haven’t made much difference, Erasmus notes. Version 4, dubbed Ice Cream Sandwich, did not pose any challenges to Mercury’s remote vulnerability assessment. “There are some new mitigation techniques, especially around memory management and the browser, but Mercury wasn’t affected.”
Anti-malware firm F-Secure says Mercury is already on its radar. “We are aware of Mercury,” says Jarno Niemelä, senior security researcher at F-Secure. “Mercury looks like a rather useful testing kit. [It makes] it very obvious how easy it is for other applications to leak information without explicit permissions once the application has been installed. But one has to remember that current Android malware is already doing that, and it simply lists everything it does at installation. Malware authors correctly trust in the fact that people do not bother to read the label when they are installing something.”
Android’s openness, and users’ willingness to accept whatever privileges an app requests, has fuelled tremendous growth in Android malware. Late in 2011, Juniper Networks announced a 457% increase in Android malware samples for the latter half of the year. However, some context is needed – the majority of malicious apps are housed on third-party app stores, which must be specifically enabled by users, despite warnings about the potential risks.
Google’s Chris DiBona believes the malware issue on Android is vastly overstated, and points out that no virus, in the traditional sense of the term, has been detected on any mobile OS. “Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM and iOS,” he wrote in a blog post. “They are charlatans and scammers.”
Traditional viruses may not have made the move, but malware is unquestionably abundant, and is successfully capturing personal data, making premium rate calls, and subverting browsing. “The hype isn’t out of proportion,” says Erasmus. He points out that most malware is “pretty dumb”, but there is a lot of it, and users are accustomed to blindly accepting the privileges requested by an app.
(App Profiles is a useful, but incomplete, tool which shows a breakdown of what privileges are available to the installed apps on an Android device.)
Does Erasmus’s Mercury framework provide yet another weapon to the malware authors? Probably not, says F-Secure’s Niemelä. “Right now, there are much easier ways for malware authors to steal users’ private information and cause other kinds of harm. Application information leaks found by tools like Mercury are going to be a small part of the problem as a whole.”
And that problem is a long way from solved, says Erasmus, who believes the current anti-malware approach is unworkable. “AV isn’t doing enough,” he says. “They have basically duplicated the PC approach on Android.” Signature-based detection, Erasmus argues, is insufficient against the speed at which new malware can be developed and pushed into mobile marketplaces.
But a shift from signature-based to behaviour-based discovery is unlikely, says Niemelä. F-Secure runs behaviour analysis to spot misbehaving apps, but that data is only used to update signatures. If behaviour alone were used to flag malware, many badly-coded but benign apps would trigger alarms and overwhelm users, who would likely just disable the AV entirely. “The problem with behavioural analysis is that you cannot alert on everything that looks suspicious. If we do so, we would flood people with false alarms, as there are tons of applications that do absolutely boneheaded things, but with good intentions and no harm to the user.”
Of the big three (Android, iOS, RIM), Erasmus says only RIM has proven itself secure enough for enterprise deployment. Apple’s walled-garden app store has kept malware at bay, but browser vulnerabilities have provided entry points for attackers on several occasions. Apple’s iOS browser is built on the same WebKit rendering engine as Android’s stock browser.
“iOS is segregated – the biggest surface to attack is the browser. Public exploits and root kits generally use the browser as the entry point. Only BlackBerry is ready for enterprise use. iOS and Android just aren’t fit for enterprise use. RIM takes security very seriously. There have been no root exploits for BlackBerrys.”
Microsoft’s new mobile platform, Windows Phone 7, has a good security model, but MWR InfoSecurity already has knowledge of attacks against it, Erasmus says.
“The Android security model is good in terms of sandboxing, but its openness is a detriment. Apps can use IPC to communicate with each other across the sandbox. That adds to the attack surface.”
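The cross-sandbox IPC Erasmus refers to, and the permission-less information leaks Niemelä describes, come down to how an app declares its components in AndroidManifest.xml. The following is an added illustration, not code from the article, from Erasmus or from Mercury: a constructed manifest for a hypothetical notes app (package name, component names and permission name are all made up), shown first with the weak declarations a Mercury-style scan would flag, then hardened.

```xml
<!-- BEFORE (weak). Constructed example, not from the article or from Mercury.
     Any other app on the device can read this app's manifest through
     PackageManager without requesting any permission, which is how a
     scanner enumerates components it can reach across the sandbox. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <application android:label="Notes">

        <!-- Exported by default: on Android 4.0 and earlier a <provider>
             with no android:exported attribute is reachable by every
             installed app, so any app can query
             content://com.example.notes.provider/ via IPC. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider" />

        <!-- An <intent-filter> implicitly exports a service, activity or
             receiver. Any app can bind to this service or send it Intents
             carrying crafted extras. -->
        <service android:name=".SyncService">
            <intent-filter>
                <action android:name="com.example.notes.action.SYNC" />
            </intent-filter>
        </service>
    </application>
</manifest>

<!-- AFTER (hardened). Same constructed app with the IPC surface closed. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">

    <!-- Signature-level permission: only apps signed with the same
         certificate as this one can ever be granted it, so a companion
         app from the same vendor can call in but arbitrary apps cannot. -->
    <permission
        android:name="com.example.notes.permission.ACCESS_NOTES"
        android:protectionLevel="signature" />

    <application android:label="Notes">

        <!-- Never rely on the platform default: state exported="false"
             explicitly so the provider is private to this process. -->
        <provider
            android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="false" />

        <!-- Where cross-app access is genuinely required, keep the component
             exported but gate every call behind the signature permission. -->
        <service
            android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.notes.permission.ACCESS_NOTES">
            <intent-filter>
                <action android:name="com.example.notes.action.SYNC" />
            </intent-filter>
        </service>
    </application>
</manifest>
```

Two caveats a reviewer would check beyond the manifest: the hardened declaration does nothing for data the app itself writes world-readable to storage, and setting android:grantUriPermissions="true" on a provider can hand individual URIs to other apps even when it is otherwise locked down. A framework like Mercury is useful precisely because it lists the exported components as the platform actually resolves them, rather than as the developer assumed.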