We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Android's biggest security flaw is its users, report finds

Apple's iPhone more secure but also closed

Google's Android has solved many of the security weaknesses that beset Windows but at the expense of handing a dangerous level of decision-making to users, a Symantec study has argued.

A Window into Mobile Device Security compares Android's security architecture to that of its major rival, Apple's iOS, which runs the iPhone and iPad, and finds the latter to be superior, at least for now.

Android's relative openness, fragmentation of different versions, weaker app vetting, and immature use of encryption all mark it down compared to iOS, but Symantec's authors still worry that its whole security model might start to cause it major problems over time.

The problem for Android - and to some extent all mobile operating systems - is the power it hands to applications and the way users interact with them, which leaves it wide open to social engineering attacks.

Most of this is already well-documented and some of it is unavoidable. For instance, although each Android app is securely isolated using minimal privileges from every other running, a rogue program can still ask for access to any subsystem, including those for SD card storage, GPS, telephone and Wi-Fi interfaces and a user's email inbox.

The danger is that those permissions are granted by click-happy end users who have no way of assessing the implications of hitting the 'yes' button.

"At first glance, Android's permission system seems to be extremely robust, enabling software vendors to limit an application to the minimal set of device resources required for operation," writes report author and Symantec vice president, Carey Nachenberg.

"The problem with this approach is that ultimately it relies upon the user to make all policy decisions and decide whether an app's requested combination of permissions is safe or not," he adds.

"So far, we've seen only a handful of different malware apps released for Android, but it's already clear that many are able to cause damage without having to "crack" or bypass Android's permission system."

None of this is exactly helped by the relative ease with which fraudsters can reverse engineer Android's Java-based apps and distribute them using third-party websites over which Google has no control. The first generation of Android app attacks have also shown that apps can easily impersonate legitimate programs in order to bypass Google's digital app signing.

The report does not look at the emerging Windows Phone platform but it is possible that Microsoft's smartphone OS might enjoy a late-mover advantage in terms of security compared to Android.

The report predicts that security companies will inevitably push the traditional antivirus security model on Android users but will struggle to contain the social engineering attacks that simply manipulate users into installing bad apps by other means. One technology that might gain traction is cloud-based reputation scanning.

Nachenberg cautions businesses against allowing employees to simply import a potential mobile "back door' without proper security controls.

In the first half of 2011, Android has been hit by several small waves of malware which have left Google scrambling to remove problem apps from its Marketplace. In April, software giant CA even found a fake antivirus app targeting Android users.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model