Symantec Uncovers Android Apps Security Threat

Symantec has found a security issue that exploits poorly coded Android apps to hijack permissions and compromise data.

Android has quickly climbed to the top of the mobile OS mountain, and it owes much of its success to being a more open platform than rivals like iOS. However, that openness is a double-edged sword that also exposes Android to potential risk--like the Android Class Loading Hijacking threat discovered by Symantec.

A Symantec spokesperson explains that the Android Class Loading Hijacking threat resembles a Windows DLL hijacking attack. "It relies on the fact that Android provides APIs that allow an app to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked."

Symantec stresses that the Android Class Loading Hijacking threat is not a vulnerability in the Android OS itself, but a flaw in the way some apps are coded that can be exploited to hijack permissions.
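The coding flaw described above can be guarded against by validating a plug-in's location before it is passed to any dynamic-loading API. The following is an added example, not code from Symantec or from any app discussed here. It is plain Java, and it assumes that "insecure location" means a path that other users or apps can write to; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public final class PluginPathCheck {

    // Hypothetical helper: returns the resolved plug-in path only if no other
    // user could have replaced the file or redirected the path that leads to it.
    static Path requireSafePlugin(Path privateDir, String pluginName) throws IOException {
        Path base = privateDir.toRealPath();                  // resolves symlinks
        Path plugin = base.resolve(pluginName).toRealPath();  // throws if the file is missing
        if (!plugin.startsWith(base) || !Files.isRegularFile(plugin)) {
            throw new SecurityException("not a regular file inside " + base + ": " + plugin);
        }
        // Check the file and every directory between it and the private base.
        for (Path p = plugin; p != null && p.startsWith(base); p = p.getParent()) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            if (perms.contains(PosixFilePermission.GROUP_WRITE)
                    || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new SecurityException("writable by other users: " + p);
            }
        }
        return plugin; // only now hand the path to the dynamic-loading API
    }

    // Constructed demo input: two dummy plug-in files in a temporary directory.
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("plugins");
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
        Path good = Files.write(dir.resolve("good.jar"), new byte[] {0});
        Files.setPosixFilePermissions(good, PosixFilePermissions.fromString("rw-------"));
        Path bad = Files.write(dir.resolve("bad.jar"), new byte[] {0});
        Files.setPosixFilePermissions(bad, PosixFilePermissions.fromString("rw-rw-rw-"));

        System.out.println("accepted: " + requireSafePlugin(dir, "good.jar"));
        try {
            requireSafePlugin(dir, "bad.jar");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Checking the parent directories as well as the file matters: if any directory on the path were writable by others, the file could be swapped between the check and the load.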

Oliver Lavery, Director of Security and Development for nCircle, explains, "This weakness, and others like it that haven't been discovered yet, are an unfortunate side-effect of Android's openness. While open platforms are good, the history of browser vulnerabilities has shown us time and time again how important it is to have effective 'sandboxing' for content that comes from the internet."

Lavery says that Android security is not significantly better or worse than the security of any other completely open computing device, like a desktop or laptop. "The 'walled garden' approach iOS uses is almost certainly more secure, but that relative level of additional security comes at the cost of openness and extensibility."

Randy Abrams, Director of Technical Education for ESET, says that the Symantec research is interesting, but that cyber criminals really don't have to work that hard. Abrams warns that the liberal permissions Android apps are routinely granted make an attack like stealing a Gmail verification code text message as simple as convincing the user to install an app that has access to text messages.

"Users routinely grant such permissions to applications without a second thought," laments Abrams. "There is far too much opportunity for cross application pollution by design to invest in the real, but esoteric approaches that Symantec discusses."

There are always tradeoffs of functionality or flexibility vs. security. Android errs on the side of functionality over security, and that means that app developers have to be more diligent, and users need to be more vigilant to guard against security threats.
