We recently told you about a new class of vulnerabilities uncovered in Google’s mobile platform, which is suspected to affect all of the almost one billion Android devices in existence. While it is agreed that the Android operating system will be updated as quickly as possible to introduce a fix to the Pileup attack, one cannot deny the fact that hundreds of millions of phones will continue to be susceptible to attack due to the laggardly pace at which manufacturers release updates to the operating system.
Alec Main, CEO of Graphite Software, shares with Muktware his views on the vulnerabilities that still exist for Android devices from the recent Pileup attack, what device owners can do to protect their devices today and what future steps can be taken to prevent malicious attacks on Android devices.
Monika: The Android threat landscape seems to be growing not just in size but also in complexity. Is it mainly because most users fail to take simple steps to secure their data?
Main: Yes, if you include allowing apps on your device without really understanding what the app permissions allow them to have access to. Smartphones have made it easier and more secure to install apps, when compared to the PC computing model. However, these devices are more personal and more converged and more aware (e.g. sensors) than ever before. There is a fundamental problem on such a converged device if everything potentially has access to your data, your location, your movements, etc.
Monika: Tell us more about the Pileup malware. How does it work?
Main: Pileup exploits the Android permissions. You must have a dodgy app on your device that pre-declares permissions in a newer version of the operating system. Then you need to update to the newer OS version and the dodgy app will get the permissions it secretly pre-declared. It is cool attack, but requires a fair bit of smart timing to make happen. It only happens when you upgrade, so does not increase your immediate vulnerability to malware.
Monika: It is a general belief that the Android operating system will be updated as quickly as possible to introduce a fix to the Pile-up attack. How effective will it turn out for users who want to protect their devices from the malware?
Main: The next version of the OS will prevent this attack. So, upgrading to the next release of Android (e.g. 4.5 or 5.0?) should be safe. Ironically not upgrading your device, especially to 4.4 or less, will keep your device safe as well. Other than downloading the dodgy app in the first place, this vulnerability does not immediately increase your risk.
Monika: The more open and flexible you make something, the more vulnerable it would be in terms of security. Do you think Android’s openness could be one of its biggest disadvantages?
Main: Openness also has its security benefits – like having researchers and security experts review the code to find such vulnerabilities and think of new attacks that had not been considered in the past. The more closed something is, then also more people want to hack in order to make the changes they desire, which creates other issues. And Android is very closed in many respects, but the typical user does not actually check (or understand) permissions. We need a simpler method to give user control of their devices.
Monika: What can be done to enhance security of the Android platform?
Main: Android should adopt an isolation solution like Graphite Software has developed. It give users control of their data, with the benefit of a converged super-powerful smartphone.
Monika: What all should a normal Android phone user do to ensure their online security?
Main: Remember that many “free” apps sell your personal data as part of their business model. Be careful who you trust on-line and segregate your accounts and data to protect your privacy.
Monika: Any quick tip to help users prevent malicious attacks on Android devices in future?
Main: Review the app permissions. Download apps from trusted sources.