Terrifying lack of security on Android devices.

[sghere]

I'm sorry if I sound like I'm bashing the OP, but working in Network Security field for the past 13 years there are more things to be fearful of than what you install on your phone and what it has access to.

1.) Don't install any banking apps unless they are put out by the bank itself! I would go to their website just to make sure they actually offer it and it's not some scam.
2.) DO NOT allow third party applications have access to your Netflix/Amazon/Roku (just examples) accounts. Especially by saving your passwords.
3.) Do you REALLY need "free" applications that store information in the "cloud" for you in case you lose your phone? Anything and everything is accessable if someone really wants that information.
4.) Use a different password (8-12 alpha/numeric with one special character) for every single site/e-mail you have. It's a pain, but think about it. One account gets hacked...they're all hacked.

I'm not trying to sound like the Harbinger of Doom here OR some nut saying the government has a satellite following you around....well, with GPS turned on, they could. LOL j/k BUT be realistic and use common sense about what you install and what it has access to. These applications are written by faceless people that you'll probably never meet in person, so if you're not willing to trust your best friend with your username/passwords, then why would you allow an application have access to it?

Again, I'm truly sorry to the OP if I came off sounding like an a$$...it's not aimed at you, but what I deal with on a daily basis would really make people think twice about what information they give out. Yes...I'm a security freak only because in college I had my identity stolen 2 times being naive.

Rastoma...I really want the Android OS to succeed too. I wouldn't buy an Iphone/Ipad/Itouch because the way they do business (closed platform), but the one thing they do have going for them is the review process for all apps submitted for download.

Take care guys and gals. This wife has told me to get off the computer already. Guess who "I" have to answer to? lol

-S

Wow.

I just got my first Android device, Epic 4G and LOVE it. I was excited to find a, what seems to be, good Android community. And I see comments regarding security as 'just go off the grid then'.... 'use common sense'.... 'pull your battery then'.

I can tell that everyone here is a 'geek' with a big computer background (myself included). You all build your own computers, do computer repair or big into programming, etc. And if this the only people in the world that ever buy Android based phones, then yes, none of us will have any problems because we all 'know better'.

But I for one, want Android to SUCCEED (which it is so far but is FAR from beating the iphone yet) and want it to LAST. In order for that to happen, the MASS MARKET is going to have to buy. The MAJORITY of those people will not know better. They will trust that the product is safe to use. They will assume that if the item is the marketplace then it's safe to use. We all assume that if something is for sale in a store then it's ok to use.

Everyone needs to stop acting like they know everything and start appreciating that there's people out there that don't realize there could be a hazard in installing an innocently looking app. That doesn't make them stupid or less intelligent. It's something they don't have background in. And before makes a stupid comment by saying they shouldn't buy an Android phone then.... well that's just a stupid comment. Because if you don't know there's a danger then how would you know not to buy it?

I hope Android conquers the iphone eventually and it will never happen if it's not made safer to use. That's not doom and gloom and I know there's nothing bad happened yet, other than the mentioned one or two wallpaper apps that caused an issue.

I just can't see why it would be so hard for Google to have a team of people to scan through new app submissions for malicious activity or even come up with some kind of automated scanner to check for things.

 

[ksc6000]

Droid wall ------ end of discussion. It works fantastic.

 

[Jethro10]

The sky is falling.................The sky is falling!!!!!!!!!!!!

Do you need to be diligent and do your homework? Of course you do. Is it as bad as some make it sound? Of course not.

How do you do your homework without the right tools (like a firewall for instance)?

great in theory.

Jeff

 

[Jethro10]

Droid wall ------ end of discussion. It works fantastic.

LOL, Droid wall - needs root - er, beginning of discussion more like it.

Most folk don't even know what root is

LMFAO

J

 

[copestag]

there wont be an Android user on the planet who doesnt know the instant a virus is discovered... it will be on every news report for several days..... until that time...... youre safe

 

[Sam Voss]

I'm kinda at a loss here, I don't see to huge of a problem here security wise.. if your downloading stuff from the market generally they're pretty safe.

 

[A.Nonymous]

How do you do your homework without the right tools (like a firewall for instance)?

great in theory.

Jeff

What tools do you need? I tried to install a live wallpaper app once that wanted access to my contacts and full Internet access. What tool do I need to figure out if that's sketchy or not beyond the one between my ears?

 

[sookster54]

The TaintDroid guys figured out how to expose suspicious apps, but modifying the OS entirely (reflashing) is needed, it shows what the app is doing over the air (broadcasting the phone's IMEI, phone #, contacts list, owner's name, etc). Hopefully some security group gets an app that can do that without needing to overhaul the whole OS.

Demo video:
http://appanalysis.org/demo/index.html

 

[ryanissick]

There is means of hacking it...the normal average everyday user probably doesnt even look, let alone know what the permission access a app is requesting does... At the Black Hat conference this year they spoke about hacking android OS...here is a link to simple to write malware that can f*ck up your phone....that 9 of 10 people wouldnt even consider. My best advice...read the comments people leave for an app. If the comment is sketch, or has only one from a rave reviewer, its the dev tryin to push their hack... Also, if you have an issue...comment it in the market so others will be warned. 100 gtood reviews and one saying my email and voiucemail was hacked...im steering clear of free sexy japanese women that change daily. LOLz
Software released for attacking Android phones | Reuters

 

[chawski]

the OP's concerns are the exact reason I dont use any banking apps on my phone, nor do I use any passwords that are tied to a bank account or anything important. Id say chances are good youre fine, but then again, everyone thought their info was safe on facebook too.
Also along the lines of security, If you have ANYTHING on your phone that should be password protected, ALWAYS USE A PIN NUMBER AND NOT THE PATTERN. your finger leaves the pattern smudge on the screen clear as day. Think of it like this...you turn your phone on to check a message, without touching the screen more than once or twice, so you dont disrupt the smudge pattern. put your phone back in your pocket, it falls out, gets stolen, etc... the smudge is still there clear as ever.

 

[sookster54]

I'm one of those that refuses to do any kind of banking on mobile, let alone over wifi. I do it on my PC that's connected directly to the router. I did a survey with a group years ago scanning for routers at apartment complexes and offices and the results was a bit surprising, makes it easy to sniff activity from laptops.

 

[A.Nonymous]

I'm one of those that refuses to do any kind of banking on mobile, let alone over wifi. I do it on my PC that's connected directly to the router. I did a survey with a group years ago scanning for routers at apartment complexes and offices and the results was a bit surprising, makes it easy to sniff activity from laptops.

Actually it's not if the wifi is properly secured.

 

[LickTheEnvelope]

Is there evidence to suggest that Google pays no attention to Apps on the Market? I was under the impression they could pull apps off if dicey. I have read of people reporting and getting some removed.

I don't know if they check constantly though?

 

[bajabum]

I thought this article might be of interest.


Smartphone Malware Multiplies

More than twice the number of malware and spyware hitting BlackBerry, Windows Mobile, and Android phones than six months ago

Jun 07, 2010 | 05:10 PM
By Kelly Jackson Higgins
DarkReading The number of malware and spyware programs found on smartphones has more than doubled in the past six months -- and some types of malware are more prevalent on certain smartphone platforms than others.

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=225402185

 

[sookster54]

Actually it's not if the wifi is properly secured.

That's where the problem lies, most people buy a router, plug it in and don't even go through the network secure setup, I can go to my sister's apartment and get internet for free because there's like 5 routers that are wide open.

Google did pull those wallpaper apps off the Market (the one you see TaintDroid using in their demo video).

 

[Steelwool199]

You haven't looked hard enough, there's about 3 or 4 of them out there right now (they're coming from China and Russia).

It takes common sense to keep your phone secure, think about what apps you're downloading and what permissions they need. Also you're at risk if you go download a pirated app that you don't want to pay for on the market, there's a copy of Swype floating around that I wouldn't touch, also there's Need for Speed: Shift and probably Angry Birds and such.

I think I've come across the free version of Angry Birds. Made my X10 really laggy so i uninstalled it. Now that I'm using it as a web browser I think i'll go and make sure all the permissions are right.

 

[sookster54]

I think I've come across the free version of Angry Birds. Made my X10 really laggy so i uninstalled it. Now that I'm using it as a web browser I think i'll go and make sure all the permissions are right.

The Getjar and Market versions are fine, they have internet access for the ads, but there was one floating around that had more permissions but I forget who was hosting it.

 

[Bob Maxey]

The OP is 100% correct. This platform, as great as it is, happens to live by a "buyer beware" model. All I've ever seen people say about security is "be careful what you install."

So we're supposed to rely upon our "hunches" and "good/bad feelings" to determine what apps pose security problems?

This is where the Apple Store has Google Trumped. At least there is some oversight as to what is being developed.

IMO unless someone creates a new Market and puts layers of review and oversight this platform is going to be in for some bad publicity when hackers flood the market and eventually control it with their malware. At which point consider the platform extinct.

Despite all the doom and gloom I love my Droid. There is just some major room for improvement and it needs to happen ASAP otherwise we'll all be using iPhones (again).

This is something I thought about as well. Interesting how the shift has gone from lock everything down tightly (in the PC World) to the general idea that even though an app can access to almost everything, dont worry about it.

If Android were a new OS for a PC, it would fail miserably because no security expert woth a damn would tolerate what an Android app has access to and can use.

I simply DL the app I need and hope for the best. I also love my phone.

Bob Maxey

 

[Bob Maxey]

The only way to insure complete privacy is to go off the grid completely.

You install applications on your computer don't you? Look at all the cookies that are accepted which collect "anonymous" information.

If you're that paranoid about applications and security, then technology isn't for you.

There are ALWAYS ALWAYS 2 sides to everything...good/bad, light/dark, secure/unsecure etc., etc.

Not flaming you personally here, but if you really want to see something scary, Google your name "firstname lastname" (in quotes) and see what comes up.

There are even sites that charge $14.95 to get your social security #, annual income, where you live, aliases etc.

So if you're worried about the security of the phone, turn around and take it back for a "non" smart phone.

Take care
S

I Googled my name. Apparently, I own a Ford Dealership in Detroit. Apparently, I am a highly respected dealer.

Bob Maxey

 

[Bob Maxey]

There is means of hacking it...the normal average everyday user probably doesnt even look, let alone know what the permission access a app is requesting does... At the Black Hat conference this year they spoke about hacking android OS...here is a link to simple to write malware that can f*ck up your phone....that 9 of 10 people wouldnt even consider. My best advice...read the comments people leave for an app. If the comment is sketch, or has only one from a rave reviewer, its the dev tryin to push their hack... Also, if you have an issue...comment it in the market so others will be warned. 100 gtood reviews and one saying my email and voiucemail was hacked...im steering clear of free sexy japanese women that change daily. LOLz
Software released for attacking Android phones | Reuters

I do read the comments. Invaribly, the first person says it sucks (or it is great) and the seconfd person likes (or hates) it. Comments are growing more useless by the day. And, those that hate it could be shills for the developer; actually, so could those that love it.

We need forums like this one because even if some nutbar says the app wont run (like themes that cant be opened without the program they were designed for) or says "it hacked my phone" a great forum can help calm nerves and set us right.

Bob Maxey

 

[A.Nonymous]

This is something I thought about as well. Interesting how the shift has gone from lock everything down tightly (in the PC World) to the general idea that even though an app can access to almost everything, dont worry about it.

If Android were a new OS for a PC, it would fail miserably because no security expert woth a damn would tolerate what an Android app has access to and can use.

I simply DL the app I need and hope for the best. I also love my phone.

Bob Maxey

Please tell me what an Android app has access to without telling you that it does not have access to on a PC. An Android app basically has to come out and tell you you, "Hey, I'm going to steal your data. Are you ok with that?" Then you have to say, "Sure. Take my data. No problem." What is the problem with that system?

 

[Bob Maxey]

I'm sorry if I sound like I'm bashing the OP, but working in Network Security field for the past 13 years there are more things to be fearful of than what you install on your phone and what it has access to.

(Snipped a tad)

I'm not trying to sound like the Harbinger of Doom here OR some nut saying the government has a satellite following you around....well, with GPS turned on, they could. LOL j/k BUT be realistic and use common sense about what you install and what it has access to. These applications are written by faceless people that you'll probably never meet in person, so if you're not willing to trust your best friend with your username/passwords, then why would you allow an application have access to it?

I agree with your post.

Lots of experts here that can likely provide long lists of technical reasons why bad apps will be discovered and perhaps a few of us have concerns and we ask questions or make comments because we are not Android programmers with enough knowledge to stop worrying.

I've been on the web long enough to know that every time some Crack Wad hacks this or that site, the response is always the same: We have solved the problem and nothing like this will occur again. Then you read another hacker story and so it goes.

Many of you are programmers and many of us are indeed clueless because we are not programmers. But we clueless users are the ones that buy most of the phones and we do occasionally worry.

A few list mates likely think we clueless Android novices worry too much, but I will repeat myself: The Android turns things around as far as security goes. Now it is ok to install apps that have access to almost everything, unlike the hell many PC users go through because they did not follow a few simple guidelines.

Proceed with caution, read the forums, hope when there is a major problem, you are spared.

Bob Maxey

 

[Bob Maxey]

Please tell me what an Android app has access to without telling you that it does not have access to on a PC. An Android app basically has to come out and tell you you, "Hey, I'm going to steal your data. Are you ok with that?" Then you have to say, "Sure. Take my data. No problem." What is the problem with that system?

So what happens with the data once it leaves my phone? Passwords, for example? If I listen to you and others on this list, I should worry less. When I read any number of random Apple sites, I as an Android user, I should perhaps worry far more and discount everything you have to say because this group is Android users; pretenders to the smartphone market, one and all. Android is easy to hack, an apple fanboy might say.

If I read the occasionally long list of things the Android app has access to, I should probably stop using the app and try another that ALSO has access to lots of stuff. We are told to be careful with apps, but even the great apps everyone seems to favor have access to many things. We the gathered clueless are told to so our research and be careful, and when are faced with these things we wonder about, we are told not to worry.

As the Android market grows, I bet lots of sites offering apps will arise and then what? Avoid them all because we can

 

[A.Nonymous]

Are you just ignoring what I said? An app comes right out and says that it wants to steal your passwords and then you say, "Sure. Go ahead and take 'em." I'm sorry, but if you get taken for a ride, you signed up for it and I don't feel sorry for you.

 

[bajabum]

Are you just ignoring what I said? An app comes right out and says that it wants to steal your passwords and then you say, "Sure. Go ahead and take 'em." I'm sorry, but if you get taken for a ride, you signed up for it and I don't feel sorry for you.

Just got my first smart phone and must admit I am amazed at the lack of security. Most of the apps I've looked at and thought about trying all wanted more access to my phone then I think is necessary or wanted to give to who knows who.
I'm using Lookout and hope it does some good.
Just because an app has been downloaded a gazillion times doesn't make it safe.