“No news is good news” for cellular users concerned about security. Android seems to be going through a tough patch lately. The problem stems from the very quality that makes Android unique – the platform is too open. Hackers are developing spyware everyday that can infiltrate Android phones without user knowledge, and most of users have no idea that spyware is on their phones, or how it should be removed. Minimal check-ins and shaky security measures leave these Android devices constantly vulnerable. To top it off, the Android Market is open to all, and getting one’s app on it is as easy as signing up for an email account. By the time Google gets rid of an app, it’s already made its way to thousands of unsuspecting users.
“No permission” apps are not a no-no
Some people want to cut Google some slack, since the Android platform is relatively new. The security issues can be worked on and rectified. However, Android isn’t just failing at keeping developers from creating harmful apps, it’s also failing at controlling what permissions normal apps are acquiring. “No permission” apps have the ability to get access to things that have nothing to do with them. For example, the Facebook app has access to your text messages, even though it has nothing to do with them. An app may ask for ‘obvious’ permission which it requires to work, but can secretly gain access to, something as off limits as your SD card. A user’s sensitive data can very easily make its way into someone else’s hands.
Why so serious?
The extent of the danger can be seen in the fact that the SD card stores OpenVPN certificates, which are easily accessible to malicious apps for infiltration. The system files of an Android can also be manipulated to access information stored by other apps in the phone’s directories. Even if you don’t share sensitive information with a spy app, or a malicious app, it can just as easily find what it’s looking for in these directories.
The Facebook story
One new debacle with the Facebook app is a good example of app security gone wrong. Facebook’s app for Android (and iPhone) can help hackers steal people’s identity. Gareth Wright, a developer who created apps for both iPhone and Android, investigated the app directories on his phone and found a new loophole in the Facebook app’s architecture. He found a Facebook access token that he had managed to create for some games on his iPhone. Wright poked around the app a bit more and found that with that token, a user’s entire Facebook access can be stolen, right under their nose. All your pictures, videos, contact details, private messages, and everything else is in the hands of anyone who can access that one small piece of code. Although not directly linked to Android’s own security failures, this new discovery does nothing but add fuel to the fire. It forces people to stop and think about the number of apps that they add to their phone – and additionally, about apps that are supposedly trustworthy and will keep their data safe.
Natalia David is a blogger by profession and writes about PC monitoring, keylogger, Cell phone security software, and spy software for BlackBerry. If you want to know more about Natalia you can follow her on twitter @NataliaDavid4