Android security chief: Mobile-phone attacks coming

An application sandbox may limit the impact of malware

As smartphones become more popular, they're going to get some unwanted attention from criminals, Google's head of Android security said Wednesday.

"The smartphone OS will become a major security target," said Android Security Leader Rich Cannings, speaking at the Usenix Security Symposium.

Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. "Personally I think this will become an epiphany to malware authors," he said.

Microsoft's Windows operating system is the prime target of criminal attacks today, and hackers have generally steered clear of mobile devices.

Security experts say that this is because mobile phones haven't traditionally stored a lot of sensitive data, and because there are so many different devices to attack, it's hard to create a single virus that can infect a large number of users.

That may be changing as more and more people start using iPhones, BlackBerries, and -- Google hopes -- Android-based phones such as the Samsung I7500.

Google was late to market with an iPhone competitor -- the first Android system shipped in October 2008 -- but the company hopes to make up ground by making its platform more open and appealing to developers.

Android uses open-source components, and Google places fewer restrictions on device makers and application developers than Apple.

For example, Apple must first approve any application before it can be featured in the iPhone store. Google applies no such restrictions in its Android Market.

This open approach to security is further reflected in the fact that Cannings was even allowed to talk about Android security in the first place. Mobile-phone makers are traditionally tight-lipped about their security strategies.

Google's openness gives developers more freedom to innovate, but it can also be misused.

"We wanted developers to be able to upload their applications without anyone stopping them from doing that," Cannings said. "Unfortunately this opens us up to malware."

Google runs an application honeypot -- a computer set up with test versions of Android -- to check Android Market programs, but it has also made changes to the way Android's Linux operating system runs applications in order to make things safer.

Each application runs within what Cannings calls an "application sandbox," a virtual-machine environment where the program is unable to mess with other programs on the phone.

Applications are given access to the parts of the system that they need, but they're blocked off from other parts of the system.

Android has a media server process, for example, that can write to the phone's display and use the sound card, but it can't do things like access the phone's browser or Bluetooth connection.

That approach paid off last February, when security researcher Charlie Miller found a bug in the way Android played MP3 files, Cannings said.

On many other operating systems this kind of bug could be used to run unauthorized software on the computer, but Android's application sandbox limited what could go wrong, Cannings said.

Miller recently discovered a serious flaw in the way both the iPhone and Android processed SMS (Short Message Service) messages, but the vulnerability's consequences were not as serious on Android, the security researcher said.

However, the iPhone has some important security features that are lacking in Android, Miller added. Apple's sophisticated memory protection system and its requirement that iPhone code must be digitally signed are both powerful security features. But Android's sandboxing "makes life harder on a hacker for sure," he said.

When he took a close look at Android back in February, Miller didn't find it any more secure than the iPhone, but some security experts think that Google has an edge.

"Google is ahead in the security game even if Apple is head in market share," said Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan.

He believes that Google's more open approach will give the company a "major competitive advantage," and will give Android an edge if Apple is forced to open up its platform.

"The Google system is designed so that an application that is broken can do less harm," he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityAndroidiPhonesmartphonesmobile securityhacking

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?