
Symantec Uncovers Android Apps Security Threat

Symantec has found a security issue that exploits poorly coded Android apps to hijack permissions and compromise data.

Android has quickly climbed to the top of the mobile OS mountain, and it owes much of its success to being a more open platform than rivals like iOS. However, that openness is a double-edged sword that also exposes Android to potential risk--like the Android Class Loading Hijacking threat discovered by Symantec.

A Symantec spokesperson explains that the Android Class Loading Hijacking threat resembles a Windows DLL hijacking attack. "It relies on the fact that Android provides APIs that allow an app to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked."

Symantec stresses that the Android Class Loading Hijacking threat is not a vulnerability in the Android OS itself, but a flaw in the way some apps are coded that can be exploited to hijack permissions.
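The following is an added example, not code from Symantec or the original article: one way an app could load a plug-in defensively, by refusing any path outside its own private storage and checking a pinned digest before handing the file to `DexClassLoader`. The class name `SafePluginLoader`, the `plugins` and `plugin_opt` directory names, and the idea that the expected SHA-256 ships with the app are assumptions made for illustration.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper (added example): loads plug-ins only from app-private storage. */
public final class SafePluginLoader {
    private SafePluginLoader() {}

    public static ClassLoader load(Context ctx, String pluginName, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        // Resolve symlinks and ".." first so the containment check sees the real path.
        File privateDir = new File(ctx.getFilesDir(), "plugins").getCanonicalFile();
        File plugin = new File(privateDir, pluginName).getCanonicalFile();
        if (!plugin.getPath().startsWith(privateDir.getPath() + File.separator)) {
            throw new SecurityException("plug-in path escapes private storage");
        }
        if (!plugin.isFile()) {
            throw new IOException("plug-in not found: " + pluginName);
        }

        // Pin the plug-in to a digest the app already trusts (assumed to ship with the app).
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(plugin)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) {
                md.update(buf, 0, n);
            }
        }
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
            throw new SecurityException("plug-in digest mismatch");
        }

        // Keep optimized output in a private directory as well, so other apps
        // cannot replace it (this argument has no effect from API level 26 on).
        File optimizedDir = ctx.getDir("plugin_opt", Context.MODE_PRIVATE);
        return new DexClassLoader(plugin.getPath(), optimizedDir.getPath(),
                null, ctx.getClassLoader());
    }
}
```

The digest check only helps if the expected value comes from a source an attacker cannot modify, such as a constant compiled into the app.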

Oliver Lavery, Director of Security and Development for nCircle, explains, "This weakness, and others like it that haven't been discovered yet, are an unfortunate side-effect of Android's openness. While open platforms are good, the history of browser vulnerabilities has shown us time and time again how important it is to have effective 'sandboxing' for content that comes from the internet."

Lavery says that Android security is not significantly better or worse than the security of any other completely open computing device, like a desktop or laptop. "The 'walled garden' approach iOS uses is almost certainly more secure, but that relative level of additional security comes at the cost of openness and extensibility."

Randy Abrams, Director of Technical Education for ESET, says that the Symantec research is interesting, but that cyber criminals really don't have to work that hard. Abrams warns that the liberal permissions Android apps are routinely granted make an attack like stealing a Gmail verification code text message as simple as convincing the user to install an app that has access to text messages.

"Users routinely grant such permissions to applications without a second thought," laments Abrams. "There is far too much opportunity for cross application pollution by design to invest in the real, but esoteric approaches that Symantec discusses."

There are always tradeoffs of functionality or flexibility vs. security. Android errs on the side of functionality over security, and that means that app developers have to be more diligent, and users need to be more vigilant to guard against security threats.

