Android security model is insufficient, and it needs a firewall



My wife has an Android phone, and while it's good that Android does have some sandboxing, permissions and security against rogue apps, I'm not impressed with the security model and how it appears to be abused in the Android Market.

1. Almost every one of the top 20 free games on Android 'requires' internet access.  Whether it needs this for global high score tables, to show me advertising, to spy on me, or to download additional malware, I do not know.

2. There is no way to deny internet access to a specific app that supposedly 'needs' it.  Well, there is one way: you must get root on your phone (voids the warranty), then install iptables, then install 'DroidWall'.  This is far beyond the ability of normal users, and it is pushing the limits of what I can be bothered to do myself.  A per-app firewall should be shipped with Android.  Please vote for this by clicking the star at the bottom of the page here:  http://code.google.com/p/android/issues/detail?id=10481
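What DroidWall does on a rooted phone is simple enough to show directly. Android gives every installed app its own Linux UID, so the iptables 'owner' match can reject outbound packets per app. The script below is an added example, not DroidWall's code and not part of the original post: it reads the package-to-UID mapping in the format of /data/system/packages.list (the three entries are constructed), builds the rules into a dedicated chain, and either prints them (dry run) or executes them. The chain name and the assumption that the device kernel has the xt_owner match compiled in are mine.

```python
"""Build per-app outbound firewall rules for Android, DroidWall-style.

Each app runs under its own UID, so 'iptables -m owner --uid-owner'
can block one app without affecting the others.  Executing the rules
needs root on the device; the dry run works anywhere.
"""
import subprocess
from typing import Dict, Iterable, List

# Constructed sample in the layout of /data/system/packages.list:
# "<package> <uid> <debuggable> <data dir>".  Names and UIDs are made up.
SAMPLE_PACKAGES_LIST = """\
com.example.freegame 10042 0 /data/data/com.example.freegame
com.example.flashlight 10043 0 /data/data/com.example.flashlight
com.android.browser 10007 0 /data/data/com.android.browser
"""

# Name of the chain that holds the per-app rules (chosen here, an assumption).
CHAIN = "appwall"


def parse_packages_list(text: str) -> Dict[str, int]:
    """Map package name -> UID from packages.list content; skips malformed lines."""
    uids: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            uids[parts[0]] = int(parts[1])
    return uids


def uids_for(packages: Iterable[str], uid_map: Dict[str, int]) -> List[int]:
    """Resolve package names to UIDs, ignoring names that are not installed."""
    return [uid_map[p] for p in packages if p in uid_map]


def firewall_rules(blocked_uids: Iterable[int]) -> List[List[str]]:
    """Return the iptables commands (as argv lists) that reject outbound
    traffic for each UID.

    The rules live in their own chain hooked from OUTPUT, so a rebuild
    flushes only this chain and leaves the rest of the policy alone.
    """
    rules = [
        ["iptables", "-N", CHAIN],                      # fails harmlessly if it exists
        ["iptables", "-F", CHAIN],                      # start from an empty chain
        ["iptables", "-D", "OUTPUT", "-j", CHAIN],      # remove a stale hook, if any
        ["iptables", "-I", "OUTPUT", "1", "-j", CHAIN], # hook the chain first in OUTPUT
    ]
    for uid in sorted(set(blocked_uids)):
        rules.append(["iptables", "-A", CHAIN, "-m", "owner",
                      "--uid-owner", str(uid), "-j", "REJECT"])
    return rules


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute each rule; returns the number processed.

    check=False because the -N and -D steps are expected to fail on a
    first run or a clean table respectively.
    """
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=False)
    return len(rules)


if __name__ == "__main__":
    uid_map = parse_packages_list(SAMPLE_PACKAGES_LIST)
    blocked = uids_for(["com.example.freegame", "com.example.flashlight"], uid_map)
    apply_rules(firewall_rules(blocked), dry_run=True)
```

Run it as root on the device with dry_run=False to install the rules; the game keeps its graphics, sound and input, and only its sockets stop working, which is exactly the per-app control the post asks Google to ship by default.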

3. A large proportion of the most popular free games request other permissions that are not in any way related to their function, and could severely compromise privacy and security if they were abused.  Example: exact GPS location.  This may be because they use Google Analytics or similar to track usage, or it might be big brother tracking us, or both.

4. Every app has read access to the whole SD card, where photos go (on my wife's phone at least).  This worrisome fact is not emphasized, and most users would not be aware.  Combined with the almost universal internet access, an app has all the permissions needed to steal private documents, steal personal photos and videos, index media, and report or send content to anyone on the internet.  It is trivial for any competent coder to write such an app, he does not need to be a skilled cracker.  I could write such an app in just one page of simple code.

5. Any app that requests the old Android 1.4 API is also given full write/delete access to the SD card, and the user is not alerted to this when installing the app.  (This was done for compatibility reasons, because full access used to be allowed by default).  Any such app has the capability to erase the SD card, although the user was not told it had write access to the SD card.  http://flash the brain.com/2010/09/market exploit  Combined with internet access, an app could turn my phone and SD storage into a p2p drone node for illegal content.
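The combinations described in points 1, 3, 4 and 5 can be checked mechanically from an app's manifest before installing it. The script below is an added example, not part of the original post: it parses a decoded AndroidManifest.xml (the sample manifest for a hypothetical game is constructed), lists the requested permissions, adds the external-storage write access that an old target API level grants implicitly, and reports the risky pairings the post describes. The API level threshold for the implicit grant is an assumption set in one constant; the claim that reading the SD card needs no permission at all is the post's own, and holds for the platform versions it discusses.

```python
"""Flag risky permission combinations in a decoded AndroidManifest.xml.

Reports the cases the post worries about: network access (which on the
platform versions discussed also means free read access to the SD card),
network plus location, and SD-card write access granted implicitly to
apps that target an old API level and therefore never shown at install.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_TARGET = f"{{{ANDROID_NS}}}targetSdkVersion"
ATTR_MIN = f"{{{ANDROID_NS}}}minSdkVersion"

INTERNET = "android.permission.INTERNET"
WRITE_STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

# API level below which WRITE_EXTERNAL_STORAGE is granted without being
# declared.  Assumption: 4, the level that introduced the permission;
# adjust to match the platform version you are auditing.
IMPLICIT_WRITE_BELOW = 4

# Constructed manifest for a hypothetical free game (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-sdk android:minSdkVersion="3" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <application android:label="Free Game" />
</manifest>
"""


def parse_manifest(xml_text: str) -> Dict[str, object]:
    """Extract package name, declared permissions and target API level.

    targetSdkVersion falls back to minSdkVersion, and a missing <uses-sdk>
    means the app targets API level 1, which is how the platform treats it.
    """
    root = ET.fromstring(xml_text)
    perms: Set[str] = {el.get(ATTR_NAME) for el in root.iter("uses-permission")
                       if el.get(ATTR_NAME)}
    target: Optional[int] = 1
    sdk = root.find("uses-sdk")
    if sdk is not None:
        raw = sdk.get(ATTR_TARGET) or sdk.get(ATTR_MIN)
        target = int(raw) if raw else 1
    return {"package": root.get("package"), "permissions": perms, "target_sdk": target}


def effective_permissions(info: Dict[str, object]) -> Dict[str, str]:
    """Permissions the app actually holds, each tagged 'declared' or 'implicit'."""
    perms = {p: "declared" for p in info["permissions"]}
    if info["target_sdk"] < IMPLICIT_WRITE_BELOW and WRITE_STORAGE not in perms:
        perms[WRITE_STORAGE] = "implicit"
    return perms


def findings(info: Dict[str, object]) -> List[str]:
    """Human-readable list of the risky combinations present."""
    perms = effective_permissions(info)
    out: List[str] = []
    has_net = INTERNET in perms
    if has_net:
        out.append("INTERNET: can read the whole SD card (no permission needed) and upload it")
    if has_net and LOCATION & perms.keys():
        out.append("INTERNET + location: can report where the device is")
    if perms.get(WRITE_STORAGE) == "implicit":
        out.append("implicit SD-card write: old target API, never shown to the user at install")
    return out


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], "targets API", info["target_sdk"])
    for line in findings(info):
        print(" -", line)
```

Decoded manifests can be obtained from an APK with tools such as aapt or apktool; the point of the check is that a game which needs nothing beyond graphics, sound and input should produce an empty findings list.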

6. I'm aware that my N900 Maemo phone has a much weaker security model than Android in many ways.  However since the vast majority of apps on Maemo are free/libre open source software based on Debian, I am not very much concerned that they might contain malware.  Does any software in Debian do any sort of spying or unauthorized 'phone home' whatsoever?  I don't recall any instance of this in Debian, or any instance of deliberate malware in Debian (or Maemo).

7. The Android Market is altogether different from Debian; it feels more like the Windows 'freeware' market, where random popular stuff may very likely contain spyware, and many apps 'phone home' without the user's permission.  It is possible for a skilled cracker to write a program that will gain root on your device and completely break its security.  The Android Market provides little protection against the deployment of such a program.  http://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/

8. There is a market for stolen celebrity / amateur nude photos and video clips.  An Android app with only the 'internet access' permission could identify and steal such media from a person's SD card, and the user would never know that it had even sent data to the internet.  I guess that every second person who is in a sexual relationship and has a digital camera has taken such risque or sexual photos or videos.  I don't find it acceptable that any Android app with internet access could steal and publish private media without the user's permission or knowledge.  An intelligent attacker might write or buy an excellent game, hide malware in it, delay activation for 6 months, then collect huge quantities of media and valuable documents from perhaps 10 million users around the world.  Such a collection would have a huge market value.

9. Android's security model is good for developers but not for users.  The name 'Android' suggests an intelligent living device that can do whatever it likes.  In fact, in spite of the security model, the majority of Android apps have excessive freedom to do whatever they like.  The security model is much weaker than the Java or Flash applet security model, for example, while most Android apps such as games do not need capabilities beyond displaying graphics, playing sounds and reading input devices (not GPS!).

10. So, may I suggest that the next time you want to install an Android app that requests internet access, even if it's very popular, don't install it until you feel you can really trust the developer - and anyone he might sell the app to in future.  Instead, go to http://code.google.com/p/android/issues/detail?id=10481#makechanges and nag Google into implementing a decent firewall (and a better security model).

Please correct me if you think I have made some error here.

Sam Watkins
2010-09-25

sam@nipl.net
sam.nipl.net