Posts Tagged ‘android’

broccoli-390001_1280You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither to cars which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system so take a guess at how many security holes that translates into…

Apple hasAndroid-Army done a better job in this area because as both the hardware maker and OS supplier, they had 2/3’s of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had 3 players that needed to sync up since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google) which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slayed yet as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out but it’s a step in the right direction and one that is long overdue.

For some, the mere fact that newer mobile phone models exist is reason enough to desire them. For others, the tried and true, trusty sidekick that has served them well (not to mention, that it took it 2 years to figure out how to use the thing) is more than adequate.

I confess to belonging to the first group because I love new technology. I also lean that direction because of my security roots.

As I mentioned in my previous post, old phones run old software and old software has old security bugs that haven’t been fixed.

In keeping with that theme, Graham Cluely recently wrote a thought provoking post entitled “If You Care About Security, Throw Away Your iPhone 4 Right Now.” OK, it’s a bit alarmist, but the underlying point is valid.

This isn’t picking on Apple because Android has the same issue. The point is that while newer doesn’t always mean better, when it comes to security you need to remember that …

Goldilocksold phone = unsupported = security bugs that won’t ever get fixed

Of course, the flip side of this is that …

new phone = not fully tested = new security bugs (that will, hopefully, one day get fixed)

Oh, and, by the way, the same holds true for operating systems, apps, etc.

So, what are you supposed to do? Balance is the key. Too old or too new is always going to be riskier than “just right.” I think Goldilocks said that in the sequel …

Unlike fine wine or cheese, old software doesn’t get better with age, it just starts to smell bad. Certainly it can “mature” as upgrades and patches are applied but if you simply “install it and forget it” then you could be setting yourself up for a world of trouble.

Recently Microsoft withdrew support for an old standby, Windows XP, and, as a result, pushed many to upgrade or face the risk of exposure to an increasing list of unpatched security vulnerabilities. Many grumbled about having to make the change but it was not unexpected. It costs vendors lots of money to support any operating system so it behooves them to support the fewest number they can or risk draining precious resources that could be spent developing newer versions with even better features demanded by the marketplace.

Windows XP is old in OS terms — nearly 13 years old, in fact. So, the end of the ride was inevitable, even if not fully appreciated by everyone.

But what about, say, Windows 95? It would be hard to feel a lot of sympathy for a user still running that moldy oldie if their system got hacked. After all, that was essentially 8 generations ago as a desktop OS. There are tons of security bugs that have been discovered in it since its introduction and, while most of been fixed, there are plenty that never will be since it was withdrawn from support a long time ago. Therefore, anyone still running Win95 isn’t likely to get a lot of sympathy given the known risks of doing so, right?

What about someone doing essentially the same thing on their mobile phone? Smart phones have very complex operating systems and we are finding more and more security holes in them every day. What would you say to someone still running the Win95 equivalent of Android? Good luck!

Well, it turns out that about 20% of Android devices world wide are essentially doing just that. That’s roughly what Android 2.x matches up to if you compare its generations to those of Windows. How many bugs do you think are sitting around on those aging handsets just waiting to be exploited? A lot more than their owners are aware of, I suspect.

To be fair, mobile OS generations have been rolling out faster than desktop OSs lately so the time lines won’t match up perfectly, but the truth is that there are a scary number of mobile devices that are wide open to attack because they are running old software.

Why not simply update the OS on these devices? Because, in many cases you can’t. Unlike the PC world where a single vendor (i.e. Microsoft) can push out a new OS when they like and users can update whenever they choose (for the most part), the Android world involves a sometimes unholy trinity of handset makers, Google (who makes the Android OS) and the carriers. If you want to update your phone you have to get the sun, moon and stars to align so that all three parties allow it and that has proven much harder and slower than most people would like. Since change is happening so rapidly in the mobile space, it is hard for old handsets to keep up with the demands of new OS versions plus handset makers have a stronger incentive to get you to upgrade than they do to keep you on an old device.

What all this adds up to is a lot of handsets with OS levels that have long since passed from stale to downright rotten and since hackers are drawn to vulnerable systems like ants to a picnic, it would not at all be unreasonable to expect a buggy mess as a result.

The Apple/iOS ecosystem is a little less complicated because you have only a two-headed monster (Apple and the carrier) to deal with. This results is fewer options for users but considerably less software rot.

More freedom/choice or more security? I actually use both but hope that whichever one you choose, you at least do so with your eyes wide open…

 

 

 

 

 

Here’s a link to a posting I did for IBM’s Security Intelligence Blog on the perils of ignoring the whole Bring Your Own Device (BYOD) trend. Enjoy …

http://securityintelligence.com/byod-why-you-better-not-ignored-it/

 

 

It’s been an interesting year in the world of IT security and privacy. It turns out that all the world’s spy agencies are, in fact, spying on each other. Shocking, right? OK, so they aren’t just spying on other spies but probably you and me as well to one degree or another. How much do they know? How long have they known it? How is the information being used?

I think the best answer is a quote from Tom Waits that predates this latest controversy but is quite apropos, nevertheless …

“The folks who know the truth aren’t talking. The ones who don’t have a clue, you can’t shut them up.”

In other words, don’t believe everything you hear because the people making the most noise tend to be those with the least actual information. At the risk of falling into that latter category I will suggest that the organizations that might know more about you than the TLAs (Three Letter Agencies) are the ones that we voluntarily give up our personal information to in exchange for free email, social media, cloud storage, navigation services, etc.

Along those lines comes a revelation that sits squarely between the uncomfortable intersection of security and convenience — your wifi passwords. If, for instance, you have an Android device you probably connect it to a wireless LAN on occasion. Unless you enjoy typing in long, complicated passwords on tiny keyboards, you probably opted to let the OS store this info for future use. For further convenience you probably allow Google to back up the settings on your phone since this makes recovery far easier when you get a new one. All very nice but …

This means that Google is storing all those “secret” passwords somewhere in their cloud. Who has access? How well is it secured? How could this information be used/abused? Now the heartburn begins…

I have no idea whether Google does a great job or a poor job of securing this data just like I have no idea how well credit card numbers and other sensitive information is being secured on systems for major retailers but I do know that at least in the case of the latter there have been some major breaches. We might not know about these failures were it not for legislation that requires public disclosure of such incidents and I suspect we wouldn’t necessarily know about similar compromises in social media, email and other Internet-based services.

And don’t make the mistake of thinking that a leak of wifi passwords would only affect a few home networks or that if you choose not to have your info backed up by Google or because you use an iPhone or no phone at all that you will be safe because all it takes is for one user — any user — of any wifi network you use to have saved and backed up this info for it to make everyone on that network at risk. 

Just another reason why you should make sure that you use a good VPN or SSL connection, even when you think you are on a secure wifi network…

The conventional answer to this question is that Apple’s “walled garden,” which places restrictions on app developers, creates a more secure environment for iOS whereas Google’s more permissive model puts Android users at greater risk.

As I have posted here before, there is plenty of ammo to bolster that position:

But the story is more complicated than that. For instance, take this recent report from Appthority which finds that “iOS apps leak more personal data than do Android apps”.

The differences are not huge but they do add fuel to the fire regarding which platform is safer. Apple Insider sums it up well:

A number of questionable policies and security concerns have painted Google’s Android platform as inherently less secure than Apple’s iOS. Android does appear to be more vulnerable to malware than iOS, but mobile malware affects only one percent of apps. The larger concern, the study concludes, should be over how mobile apps handle personal information and company data.

In the end, the unsatisfying answer as to which is more secure is, you guessed it, — it depends — so pick your poison … 🙂

 

If my last post regarding Android devices being marshaled into zombie armies sounded a little over the top maybe this one will resonate a little better.

According to forensic blog, which focuses on mobile phone forensics and malware, as of December 26, 2012, there are 115 unique Android malware families known to exist. That number would be significantly higher if you counted all the variations on these that might be circulating.

115 doesn’t sound like a lot compared to the tens of thousands of Windows viruses in existence but its a far cry from zero and should serve as a wake up call regarding the need for malware protection on mobile devices. If that still doesn’t convince you then maybe the analysis regarding the threat that these present might:

Families that steal personal information 51,3 %
Families that send premium rated SMS messages 30,1 %
Families with characteristics of a Botnet 23,5 %
Families that contain Root-Exploits 18,3 %
Families downloaded from the Google-Play Market 11,3 %
Families that install additional applications 10,4 %
Families that steal location related data 8,7 %
Potentially unwanted applications 7,8 %
Online-Banking Trojans 3,5 %

Source: forensic blog, http://forensics.spreitzenbarth.de/

And don’t get too smug because your phone or tablet runs iOS. We had this debate years ago when people claimed that Mac OS was immune and then again with UNIX/Linux. Granted, the relative risk might be lower over the entire population of these install bases but the fact remains that any functional OS can be exploited because none are perfect.

Put more succinctly, all software (of any significant complexity) has bugs and some percentage of those bugs will be security-related, therefore, all software carries with it a set of security risks.