Android OS Security:
Advantages and Disadvantages
In the field of computing, few inventions, innovations or technological improvements have moved quite like wireless technology. With the advent of fourth-generation cell phones and networks (4G), there have literally been leaps and bounds made in the realm of personal computing, productivity and data sharing. This increased connectivity in both our personal and business lives introduces risks of intrusion, corruption or theft of data or, in the worst case, access to personal data that would lead to identity theft. In the business realm, this translates to problems for firm infrastructure and exposure to proprietary leaks, loss of customer data, or damage to the reputation of the business entity. Therefore, it is important to evaluate risks and take steps, both personally and professionally, to minimize them. We present several advantages and disadvantages of the Android OS platform, which has very high visibility right now in the wireless arena. Because of its flexibility and open architecture, this platform presents some unique challenges in terms of security.
The landscape of business is ever-changing, and with the introduction of mobile computing platforms, these changes take orders of magnitude less time than in previous eras of business. The inherent flexibility of mobile computing allows businesses to capitalize on market shifts quickly, translating into a competitive advantage or disadvantage in much less time than it takes to engineer, develop, and market products of any type. It is no less important, then, for firms to understand and adopt this technology in proper perspective, considering the measure of risk. We attempt to identify some of the risks inherent in one aspect of this technology: the Android OS platform, upon which a rapidly growing smartphone market is based.
The Threat
While previous iterations of phones were exposed to threats such as eavesdropping, co-opting of phone processes to retrieve personal information, and denial of service, the threats to current phone technologies seem to have evolved to resemble those facing many traditional computing systems. Specifically, many of the threats detailed in assessments point to vulnerabilities in applications and the user’s interaction with them, or to files added to a phone operating system that surreptitiously undermine the security of the phone. There are also issues with some of these applications possibly gaining permissions to control phone functions that the user may be unaware of at runtime. Finally, there are threats to privacy through access to the content of the phone or to the location functions of the phone system (Shabtai 2010). The threats covered here therefore fall into three categories: 1) application threats; 2) phone control; and 3) privacy concerns.
Application Threats
The Android OS platform offers a wide variety of applications from third-party sources that are open-source, free or otherwise user-controlled. Even though this large market is one of the platform’s best selling points over the iPhone application market, these applications pose potential problems for individual users who download them from the Android Market or install them themselves. As Charlie Miller points out, Android’s application methodology relies on “crowd-sourcing”: any application is permitted, and users are then allowed to rate it. Under this method the user can download any application, and if there is an issue, notification to Google permits them to remove the application from the Market and then remotely remove it from all of the devices affected (Aug 2011). This still leaves users exposed to the application before a problem is discovered, and leads to issues that allow the phone to be controlled by the application. Address Space Layout Randomization seeks to minimize...
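The “phone control” and “privacy” categories described above can be checked for a given application by reading the permissions its manifest requests. The following is an added example, not part of the original essay: the permission names are real Android permissions, but their grouping into the essay’s categories, the sample manifest and the package name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed, illustrative grouping of real Android permission names onto the
# essay's "phone control" and "privacy" categories.
PHONE_CONTROL = {"CALL_PHONE", "SEND_SMS", "PROCESS_OUTGOING_CALLS", "WRITE_SETTINGS"}
PRIVACY = {"READ_CONTACTS", "READ_SMS", "READ_PHONE_STATE",
           "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "RECORD_AUDIO"}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.example.flashlight.CUSTOM"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the requested permissions, in order, without the platform prefix."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        full = node.get(ANDROID_NS + "name", "")
        if full.startswith(PREFIX):
            names.append(full[len(PREFIX):])
        elif full:
            names.append(full)  # custom permission: keep the full name
    return names


def audit(manifest_xml):
    """Group requested permissions by threat category and flag exfiltration risk."""
    perms = requested_permissions(manifest_xml)
    report = {
        "phone_control": sorted(p for p in perms if p in PHONE_CONTROL),
        "privacy": sorted(p for p in perms if p in PRIVACY),
        "other": sorted(p for p in perms if p not in PHONE_CONTROL | PRIVACY),
    }
    # Private data plus network access means the data can leave the device.
    report["can_exfiltrate"] = bool(report["privacy"]) and "INTERNET" in perms
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A flashlight application that requests SMS, location and contacts access, as in the constructed sample, is the kind of mismatch between function and permissions that this audit surfaces before installation.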
References
Anagnostakis, K., Bos, H., Homburg, P., Portokalidis, G. (2010). “Paranoid Android: Versatile Protection for Smartphones”. Proceedings of the 26th Annual Computer Security Applications Conference. New York, NY: ACM.
Chin, E., Felt, A.P., Hanna, S., Song, D., Wagner, D. (2011). “Android Permissions Demystified”. Proceedings of the 18th ACM conference on Computer and communications security. New York, NY: ACM.
Delac, G., Silic, M., Krolo, J. (27 May 2011). “Emerging Security Threats for Mobile Platforms”. Proceedings of the 34th International Convention, pp. 1468-1473. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5967292&isnumber=5967009
Enck, W., Ongtang, M., McDaniel, P. (Feb 2009). “Understanding Android Security”. Security & Privacy, IEEE, 7, 1, 50-57. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4768655&isnumber=4768640
Enck, W., et al. (2010). “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”. Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkeley, CA: USENIX.
Jahanian, F., Oberheide, J. (2010). “When Mobile is Harder Than Fixed (and Vice Versa): Demystifying Security Challenges in Mobile Environments”. Proceedings of the Eleventh Workshop on Mobile Computing Systems and Applications. New York, NY: ACM.
Landman, M. (2010). “Managing Smart Phone Security Risks”. 2010 Information Security Curriculum Development Conference. New York, NY: ACM.
Miller, C. (Aug 2011). “Mobile Attacks and Defense”. Security & Privacy, IEEE, 9, 4, 68-70. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5968091&isnumber=5968077
Shabtai, A., et al. (April 2010). “Google Android: A Comprehensive Security Assessment”. Security & Privacy, IEEE, 8, 2, 35-44. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5396322&isnumber=5439518