Android OS VULNERABILITY
 

Several companies are warning about a flood of malware aimed at the Android OS.
I assume this is a Unix based system. Would anyone like to comment on why it is so vulnerable?

Matthew

Why assume when you can just read android.com?


Dunno but the sum of Linux kernel tweaks (the kind Linus doesn't seem to want included in mainline), a proprietary software stack, firmware security weaknesses, the ability to load unofficial apps, DEX-which-surely-isnt-Java, but most of all the commercial nature including whats sold on (or illegally obtained outside of) Android Market seems like a fertile basis for trouble.

// CVE's for Android alone: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=android

It is alleged (by people who know???) that one of the major aspects is that apps in Google's App Store are not really audited in any systematic way, while in, eg, the Apple App Store, apps are audited more closely (...and can be ejected on an 'what Apple thinks that you ought to be able to do with your phone' basis, but that's another issue...).

Probably, Google have to do a better job with this in future, but you have to remember that one of the reasons got from zero to having a well populated app store in a relatively short period of time is that Google was liberal with developers and made the platform easy to develop for and allowed devs to put almost anything on the app store (if you were spending money on developing something that you knew was 'on the edge', what would you develop for, a platform from which you were likely to get kicked off at any time, and there was no way back or one where you were pretty certain to stay in the app store, and for which there were alternative channels?).

Android is Linux Based not Unix. Unix was original designed by AT&T labs with a restricted Licenses aka proprietary software . Now there are a few flavors of Unix with couple are free and Linux was developed by Linus Torvalds with the devotion to make an OS that will always be free no mater what.

Anyways I do see how it could be a possible security flaw in the system but do you have any Links to your sources. I can't say its not that secure considering I don't really know how its developed.

Android Malware ?
 

My reason for asking the question is that the media tells conflicting stories.
Matthew

E.g. "... The open-source advocate, who manages Google's developer outreach programs and oversees the company's license compliance practices, dismissed the Android threats reported by the security industry until now as little things that didn't get very far because of the platform's sandbox model and other architectural features.

Security experts disagree with this assessment and point out that the levels of Android malware have registered a huge increase this year.

"Today malware for Android devices is one of the biggest issues in [the] mobile malware area," said Denis Maslennikov, a senior malware analyst at Kaspersky Lab, in an email interview. "The growth of numbers of malware for Android is significant in [the] last 5 months. In June we've discovered 112 modifications of Android malware, in July - 212; August - 161; 559 in September; 808 in October," he added.

A similar trend was observed by other antivirus vendors, with Trend Micro reporting a 1410% increase in the number of Android threats from January to July 2011. "The more important figure is not the total number of malware, but the rate of increase of that malware quarter on quarter and year on year. That demonstrates current, active and sustained criminal interest in the mobile platform," said Rik Ferguson, the company's director of security research and communication.

The majority of Android malware threats consist of Trojans, not traditional self-replicating viruses or worms. However, these can be just as damaging if not even more so, the security experts said."

Anti-virus companies have a tendency to emphasize the danger of threats; it sells AV programs.

Please note that I'm not bashing Kapersky; I quite like their stuff. It's more a "when you're selling hammers, every problem is a nail" syndrome.

What reading I've done on this indicates that the biggest danger is from installing dodgy applications, rather than spontaneous infections.

This is not necessarily solely a Google problem.

If I want to install a simple single user game, and that game tells me at time of install that it wants to access the internet, read the GPS, and access my contacts, for example, I should have enough smarts to ask myself, "Why does Pookie Pookie Pong want to see my GPS and go on line and see my contacts?"

If there's no satisfactory answer, then I don't install Pookie Pookie Pong.

This article seems like a more-or-less balanced account of the current dispute.

Indeed.

Never trust someone with advice who has something to sell you.

While there is nothing "intrinsically secure" about one system or "intrinsically insecure" about another, the way in which Windows systems have been deployed in a purposely-defenseless way is legend. And, lucrative.

Apple simply made "code signing" mandatory. You have to obtain a digital certificate from them. Your phone won't install anything that doesn't have one; it just won't. It is my understanding that Android does much the same thing.

Windows has had code-signing support for years, but never required it. Don't ask me why.

Yes, I do think that these are just "snake-oil salesmen." For a generation, they've made their money by removing the doors from the barn and photographing your prize race horses as they were carted away.

The same reason why windows is attacked the most. Windows is the most used desktop OS and android is the most used OS on mobile devices.

Also, malware writers know some people are not cybersmart because they will click and download anything.

Another thing that makes android vulnerable is the permissions some apps need. The good thing is nothing is installed until you say so. In fact, it shows the permissions it needs. However these permissions can be unclear to a novice user and can get them infected if they installed a bad app.

Looking at the Android market reminded me of those old shareware, freeware and adware sites of dubious quality when I used to use Windows 98/NT/2000.

That alone swore me off the Android platform. Associating the Android name with Linux (or worse UNIX) is the worst possible advertisement for Linux/UNIX.

Android is also a battery life sucker. I hear they fixed the problem in later versions than 2.2 though.

Rumors have it that Ubuntu will have a tablet in the near future.

Not a fan of the *buntus, but will get one just to install over it with another linux distro like arch.

Thank you each & all for your input.
When an application is downloaded to Android, it sounds like the User is asked to confer certain permissions. (I do not own a Android-device). Anyone care to speculate about which 'obvious deadly permissions' are never to be granted and more interestingly, which sneaky or covered permissions, can be subverted and mis-used.
Matthew

Read this
How to be safe, find trusted apps, & avoid viruses - A guide for those new to Android
http://androidforums.com/android-app...w-android.html

I suggest you print this out for easier reading. It is very informative. But if you want to read about permissions only then scroll down to Permissions.


Hope this helps

Spot On!!, Redneck- LQ
This clears up the gist of my concerns.
Many thanks.

Matthew

You're welcome :D