At the end of May we attended the Hack in the Box security conference in Amsterdam and we had the opportunity to speak to a number of experts. One of them is Georgia Weidman, the founder and CEO of Bulb Security.
She shared some interesting insight on Android’s permission model and the security holes that come with it, but even more importantly, she offered some great advice on how users can protect themselves against the threats that target their smartphones.
Please introduce yourself for our readers and talk a bit about the company you’ve founded. Georgia Weidman:
I'm Georgia Weidman and I am the founder and CEO of an LLC called Bulb Security. We do penetration testing, security training, and research. Softpedia:
Regarding the Android platform, is the permission model it utilizes efficient in protecting users? Georgia Weidman:
I think that it would be, if users wouldn’t accept every permission imaginable. Take a look at some of the permissions on apps you have on your phone. It's kind of scary how many permissions your everyday app has.
A lot of the most popular ones have permissions that can really hurt you. They can access all your information, and perform functionality on your behalf in the background. What I'm going to discuss here is bypassing the permission model by piggybacking on another app that’s badly coded to allow permission leak.
Anyone can write an Android app and put it on the Google Marketplace. All we need to spend is $25 and that's it. You don't have to be a good coder, you don't have to go to coding school, in order to write apps.
We know that developers have a tendency to write badly coded apps, and with the Android permission model it’s a whole new set of things to look for. It’s not a buffer overflow and it’s not SQL Injection.
In my presentation, we are actually looking at examples of where the permission model breaks down, because developers allow permissions to be leaked to other apps. It’s not something that even developers that are well versed in security are used to. Softpedia:
How would you compare the Android permission model to the security mechanisms used by other companies? Georgia Weidman:
From a security standpoint, compared to other devices, like the iPhone and other mobile devices, I would say that Android is probably the least secure.
The permission model is really the only security they have in place and between users just accepting everything and to leaks like this. Android is taking steps in the right direction such as Monitor, but it's still a bit behind from a security standpoint.
Other researchers looked at just the default install of Android phones and found that about 50% of them had a leak like the one from my presentation. We will show that for such a leak you don’t even have to install other apps.
From a security standpoint, Android isn't all that mature, but, it’s probably the easiest development platform.
It’s extendable and you can do a lot with it with very little learning curve, so from a development standpoint I think it's probable to remain a favorite.
Also, from a user standpoint is just more useable than the other ones in a lot of cases, and we all know that people take usability and ease of development way before security. I think we need to make Android more secure because I think it's going to emerge as the favorite platform of users and developers. Softpedia:
Please talk about your findings. What vulnerabilities did you discover in the Android permission model? Georgia Weidman:
We have shown examples of the permission model being bypassed, we have taken a look at apps that have no permission doing things that require permission, like sending a SMS, or reading your personal identification information just from stealing it from other applications that used bad development practices.
Typically, in the past, this has been done through a root or a kernel exploit against the Android phone. In this case, no vulnerability in the Android platform is required. We instead steal permissions requested by other apps. Softpedia:
Experts from the Leviathan Security Group released an Android app called “No Permissions” to demonstrate how easily cybercrooks can avoid worrying about the permission restrictions and harvest data from devices without the user’s knowledge. Are you aware of the app? Georgia Weidman:
Right! I have seen that. There are a lot of examples of permission issues. That one is interesting because rather than bypassing the permission model by exploiting the phone such as in a root or jailbreak, or piggybacking on other apps as I show in my presentation, that app focuses on what information is available if you really do have no permissions.
There is a lot of data on the phone that can be accessed without any explicit permissions. I think that has been overlooked in favor of root//jailbreaks and research such as mine. For example, did you know any app on your phone can read all the data stored on the SDcard? Apps don't have to ask user permission for this functionality. Softpedia:
Any advice for Android device owners on how to protect themselves against these risks? Georgia Weidman:
I would take a look at all the permissions that your apps are looking for. Just be aware of it.
I know that you really don't have a choice, it's either accept them or you don't get to use Facebook, you don't get to use Twitter, and you want use these things because that's why we have our phones, so that we can run our entire life on them. And I know that that's a difficult decision, but just being aware helps a lot.
For example, the popular game Angry Birds put out an update for the Android and they suddenly wanted SMS permissions so a bunch of users freaked out about it.
Angry Birds doesn’t ask for SMS anymore, so, I would say speak out, tweet about it, say “why are you asking for this?” Companies don’t like bad publicity so, maybe they'll change it.
Keep your phones up to date, it's not new or interesting if your phone gets rooted or you install a piece of malware. DroidDream was a big one that would go in and root your phone in the background.
Then the permission model is completely gone. The permission model does not apply to apps with system level (root) permissions. The DroidDream attack happened over a year ago now.
Keep your phone as up to date as possible, so you don’t fall victim to stuff like that, and if you are going to be a developer, I would say check out the best security practices Google has out there.
Google doesn't link to the security page in any of the tutorials for learning how to actually write Android apps so, you may not find it unless you are really going out there and looking for it.
But if you are interested in developing for Android even if you are really well versed at stopping things like SQL Injection or buffer overflow, the implementation of Android is a little different.
The way the permission model works and the way its interfaces work add new elements to secure development. If you don't keep this in mind, even a strong secure developer could fall victim to the sort of things we’ve shown, so I would recommend spending some time on the security page. Softpedia:
Would it be better if Google didn’t allow each phone vendor to make its own Android version? Georgia Weidman:
There’s good and bad to both, but from a security standpoint, yes.
In a recent research paper from the University of North Carolina, they studied every vendor’s default Android build. They saw that it’s up to every vendor what gets put in in terms of default apps and the system apps which have extra permission, so if these apps have a permission leak issue, it’s definitely a problem.
As long as there’s not an oversight group that gets to decide what’s secure and what’s not, you are going to get more vulnerabilities.
Another problem with that model is the updates. When Google puts out an update, every single platform has to port it to their devices and get it out to the users, which we’ve seen in the past has not necessary happened very quickly.
Basically, you are sitting with a large population of Android users who are vulnerable to an 0-day for months and months at the time and that’s never a good thing. So, having just one platform would get the update faster and there would be more of an oversight on what actually goes into the platform in terms of security.
I could see this is a good thing, but again, it’s one of the things people like about Android. Anybody can make Android if they want to do so. Usability, security, we all know who wins, and it’s not security. Softpedia:
Many Android users still don’t think that malware poses such a great threat? When do you think this mentality will change? Will it ever change? Georgia Weidman:
I think there are more and more malware outbreaks going to the media and people start thinking about it more because it can be pretty scary. I think once people actually start losing money…
We haven’t really seen an outbreak where anybody lost anything more than maybe getting a high phone bill, but when they start getting their credit card stolen, because you see apps that take your credit card all the time.
I think when something like that happens, people start taking it more seriously.
I saw an app at a bar where you give your credit cards info and you scan a QR code that pays your bill for you. I think when people start exploiting apps like that in the wild, then it will definitely show that we do need to be vigilant about malware on smartphones.
I recently saw an interesting security talk that discussed the economics of why there have not been more attacks against smartphones. According to these researchers, for malware writers at this point they have a greater attack vector still attacking traditional PC platforms. Consider a malicious website.
If the website attacks the Internet Explorer or Firefox browsers, it will likely compromise more victims than if it exploits Mobile Safari or the Android browser. Malware writers want to exploit as many victims as possible.
This is how they make money. As smartphones and other mobile device become more ubiquitous, this will become more profitable than targeting PC platforms. We will then see more malware in the wild targeting mobile devices. Softpedia:
So would you say that best security practices are the most recommended? Georgia Weidman:
Android antivirus would definitely be a good thing and it can get you past known malware so it would help. I would recommend having it on your phone, but I wouldn’t say it’s a catch-all end-all.
What I don't want to see is users using anti-virus as a crutch. I don't want them to think if they have anti-virus they don't have to vigilant about their smartphones. Anti-virus only stops known threats.
Open a link with your smartphone browser to the newest mobile browser exploit, and you will become a victim regardless of anti-virus. If you put your credentials into a bad website on your phone, antivirus isn’t going to help you, I think that user awareness is good as well. Softpedia:
What is your opinion regarding the presence of women at a top level in the security industry? Georgia Weidman:
We need more of them. It seems like there aren’t that many. On the whole, the community has been very welcoming of me. I think that the industry as a whole would like to see more women doing research, developing tools, speaking at conferences, so hopefully that will happen. Softpedia:
Is there anything else you would like to add? Georgia Weidman:
Don’t give up on the Android. It’s a great platform. I’m always attacking it and finding holes in it, but I think as it matures it’s definitely an interesting platform to work with as a developer, as a security person, and as an end user.
I think if I had to guess, I would say it would be the one that’s going to come out on top in the end. So don’t write it off, but do spend some time thinking about the security. Georgia Weidman's presentation from HITB 2012 Amsterdam is available here