Android Application Security

Installing an application on an iPhone is a bit different than installing an application on an Android-based system. With the iPhone you go to the App Store, select your application (and pay if required), then download and install it. For Android-based phones you go to the Android Market, select your application, download it, and then you must approve the access to your phone that the application will have. For non-technical people this may seem like a waste of time, but in fact it gives you some really interesting information. Let’s take the application MotoSpeak as an example. MotoSpeak is an application that works with the Motorola h17txt Bluetooth headset. Using the headset and the MotoSpeak app, when you receive a text message it will speak the text to you and send an SMS telling the sender that you will reply later… even if you won’t be replying.

Upon choosing to install MotoSpeak a screen comes up and advises that the application has access to the following:

Your personal information – read contact data, write contact data
Services that cost you money – directly call phone numbers, send SMS messages
Your messages – read SMS or MMS, receive MMS, receive SMS, receive WAP
Network communication – Create Bluetooth connections, full internet access
Your accounts – act as an account authenticator, manage the accounts list
Phone calls – read phone state and identity

These permissions make sense for what the application needs to do; however, if Motorola wanted to, they could abuse the permissions. How? Look at the combination of permissions. Although I am confident that Motorola didn’t program MotoSpeak to do the following, by installing the application I have allowed enough access for Motorola to copy all of my contacts and send them SMS messages saying anything they want to say. Motorola could send themselves my entire contact list with email addresses and phone numbers. Just because you know why an application needs permissions, it does not mean that the application was not written to also abuse those permissions. This is one of the reasons that you should have a fairly good reason to trust a developer before you install an application.

Let’s take a look at another application. Tapsnake is no longer available on the Android Market because it is spyware. If you looked at the permissions before downloading, you would see that it is able to access your GPS and use the Internet, among other things. There is no reason that a game like this needs those permissions; the reason it wanted them is that it was secretly broadcasting the user’s location to a server. The description of the game didn’t mention the spying, but understanding that such a game should not require such permissions means that you can make the educated decision not to install the application.
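The combination check described for MotoSpeak and Tapsnake can be written down as code. The following is an added example, not part of the original post and not ESET code: it reads the permissions declared in an `AndroidManifest.xml` and pairs every permission that reads private data with every permission that can send data off the phone. The permission names are the Android manifest identifiers behind the install-screen labels; the source/sink grouping and the three sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed grouping: permissions that read private data (sources)
# and permissions that can move data off the phone (sinks).
SOURCES = {
    P + "READ_CONTACTS": "contact list",
    P + "READ_SMS": "stored messages",
    P + "ACCESS_FINE_LOCATION": "GPS location",
    P + "READ_PHONE_STATE": "phone identity",
}
SINKS = {P + "INTERNET": "the Internet", P + "SEND_SMS": "SMS"}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}

def risky_combinations(perms):
    """Pair each readable data source with each channel that could send it out."""
    return sorted(
        f"{SOURCES[s]} can leave via {SINKS[k]}"
        for s in perms & set(SOURCES)
        for k in perms & set(SINKS)
    )

def manifest(*names):
    """Build a constructed manifest declaring the given permissions."""
    uses = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            + uses + "</manifest>")

# Constructed samples modelled on the permission screens described in the post.
HEADSET_APP = manifest("READ_CONTACTS", "WRITE_CONTACTS", "CALL_PHONE", "SEND_SMS",
                       "READ_SMS", "RECEIVE_MMS", "RECEIVE_SMS", "RECEIVE_WAP_PUSH",
                       "BLUETOOTH", "INTERNET", "AUTHENTICATE_ACCOUNTS",
                       "MANAGE_ACCOUNTS", "READ_PHONE_STATE")
SNAKE_GAME = manifest("ACCESS_FINE_LOCATION", "INTERNET")
ADS_ONLY_GAME = manifest("INTERNET")

if __name__ == "__main__":
    for label, xml in [("headset app", HEADSET_APP), ("snake game", SNAKE_GAME),
                       ("ads-only game", ADS_ONLY_GAME)]:
        print(label, risky_combinations(requested_permissions(xml)))
```

A pairing in the output only says the access exists, not that the application uses it that way; the decision still rests on whether the pairing fits what the application claims to do.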

I randomly searched on androlib.com and selected a game called Pacific Wings. I didn’t install it or even download it, but I did look at the permissions. The game only asks for one permission, the ability to use the Internet. I sent an email to the developer asking why such a game needed Internet access. The developer responded, “The internet-permission is needed for the in-game-ads (to keep the game free).” This is a legitimate way to distribute games; however, do expect ads that take you to malicious sites to be appearing.

The Android security model is really very cool; however, most people will not understand or pay attention to what permissions they grant the apps they download. If people generally did pay attention, then I believe the platform would be approximately as safe as the iPhone, but they don’t, and it takes very little to get an app onto the market. As a result there will be a lot of security problems for Android-based phones.

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • Patrick Bolino

    Is ESET covering this aspect of prospective installation of apps before or after the install is finalized? It sounds as though ESET knows and has implemented that security subset in their Smartphone software, which I hope is true. It would be a great feature of Mobile ESET.

    • Randy Abrams

      Currently ESET doesn’t make an app for the Android platform. Our desktop product does detect some malicious Android apps, but typically an Android user isn’t getting their apps from the desktop.

  • Curt Wilson

    Hi Randy,

    This makes me think that we need the ability to audit the code for such apps. I don’t yet own a smartphone but the Android is on the agenda in the near future, despite these concerns. As a security guy I’ll be careful, but I think we’ll see a lot more security problems with these and future handhelds being 0wned by malware or other attacks to make money for the usual array of sewage-spewing crooks.

  • Jason Chambers

    Sounds like a great opportunity for ESET to be in the mobile app space. Now that ESET is on Windows Mobile and beta testing Symbian, does ESET see itself protecting Android users in the future with a mobile antivirus application, or are the Android APIs limiting this type of service?

  • hi

    hi
    Please make an antivirus for the Sality virus. I give a message: error when cleaning!
    Please fix this problem!
    Sality is very sabotage

    • David Harley

      @hi: if you’re having a disinfection problem and you’re an ESET user, you need more direct help than we can offer on the blog: you need to contact your supplier or check out the support page http://www.eset.com/support.

  • R. Rynearson

    Please tell me that ESET is close to releasing a smart security product for Android. I just acquired one of these phones and I can't seem to keep from cramming apps into it. This Samsung Epic 4G is very cool. I read up on the apps I'm playing with and watch permissions upon install, but it would be better to be able to look at the files before they get into the phone or are installed or run. Thanks.

  • Randy Abrams

    ESET is not close to releasing an Android based solution at this time. I am sure our product managers are considering it, but so far I have not heard of any plans.

  • Android Apps Today

    Does this mean that ESET wants to launch an antivirus for Android OS phones? Is this free to download, or must the user pay a little money to use the antivirus's full features?

    • David Harley

      I believe ESET has an Android product in beta, though I haven’t looked at it myself yet. I’ve no information on licensing at the moment, but I imagine it would be similar to the licensing for ESET’s existing products in the mobile sector.

19 Aug 2010