Symantec Uncovers Android Apps Security Threat

Symantec has found a security issue that exploits poorly coded Android apps to hijack permissions and compromise data.

Android has quickly climbed to the top of the mobile OS mountain, and it owes much of its success to being a more open platform than rivals like iOS. However, that openness is a double-edged sword that also exposes Android to potential risk--like the Android Class Loading Hijacking threat discovered by Symantec.

A Symantec spokesperson explains that the Android Class Loading Hijacking threat resembles a Windows DLL hijacking attack. "It relies on the fact that Android provides APIs that allow an app to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked."

Symantec stresses that the Android Class Loading Hijacking threat is not a vulnerability in the Android OS itself, but a flaw in the way some apps are coded that can be exploited to hijack permissions.
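The coding flaw described above, shown beside a hardened alternative. This is an added example, not code from Symantec or from the original article. It assumes the plug-in is loaded with Android's DexClassLoader; the class name PluginLoader, the directory names, the sample path in the comment and the pinned-digest parameter are hypothetical.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class PluginLoader {
    // Weak pattern (constructed sample path): the plug-in and the optimized
    // output sit on shared storage, where other apps can replace them.
    //   new DexClassLoader("/sdcard/myapp/plugin.jar", "/sdcard/myapp/opt", null, parent);

    /** Loads a plug-in only from app-private storage and only if its digest matches. */
    public static ClassLoader load(Context ctx, String name, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File privateDir = ctx.getDir("plugins", Context.MODE_PRIVATE).getCanonicalFile();
        File plugin = new File(privateDir, name).getCanonicalFile();

        // Reject names such as "../x" or symlinks that resolve outside the private directory.
        if (!plugin.getPath().startsWith(privateDir.getPath() + File.separator)) {
            throw new SecurityException("plug-in path escapes private storage");
        }
        // Integrity check against a digest shipped with the app (assumption:
        // the app knows the expected SHA-256 of each plug-in it downloads).
        if (!MessageDigest.isEqual(sha256(plugin), expectedSha256)) {
            throw new SecurityException("plug-in digest mismatch");
        }
        // Optimized output also goes to a private directory, never shared storage.
        File optDir = ctx.getDir("plugins_opt", Context.MODE_PRIVATE);
        return new DexClassLoader(plugin.getPath(), optDir.getPath(), null,
                PluginLoader.class.getClassLoader());
    }

    private static byte[] sha256(File f) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
        }
        return md.digest();
    }
}
```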

Oliver Lavery, Director of Security and Development for nCircle, explains, "This weakness, and others like it that haven't been discovered yet, are an unfortunate side-effect of Android's openness. While open platforms are good, the history of browser vulnerabilities has shown us time and time again how important it is to have effective 'sandboxing' for content that comes from the internet."

Lavery says that Android security is not significantly better or worse than the security of any other completely open computing device, like a desktop or laptop. "The 'walled garden' approach iOS uses is almost certainly more secure, but that relative level of additional security comes at the cost of openness and extensibility."

Randy Abrams, Director of Technical Education for ESET, says that the Symantec research is interesting, but that cyber criminals really don't have to work that hard. Abrams warns that the liberal permissions Android apps are routinely granted make an attack like stealing a Gmail verification code text message as simple as convincing the user to install an app that has access to text messages.

"Users routinely grant such permissions to applications without a second thought," laments Abrams. "There is far too much opportunity for cross application pollution by design to invest in the real, but esoteric approaches that Symantec discusses."

There are always tradeoffs of functionality or flexibility vs. security. Android errs on the side of functionality over security, and that means that app developers have to be more diligent, and users need to be more vigilant to guard against security threats.

