Smarten Up! Everyone Needs to Think About Android Security

When writing about Android security, I tend to see a lot of the same issue over and over again (SSL, guys! Come on!). We asked Widdit CEO Noam Fine and head of mobile development Nir Orpaz to explain why Android developers make the security choices they do and what needs to be done better after dealing with a security crisis of their own.

A Lack of Knowledge
From talking to Widdit's developers, there seems to be a disconnect between the players in the Android ecosystem. "User are not educated enough to look at what they're adding to their phone," said Fine. "I'm not sure everyone really cares that much."

Developers, on the other hand, don't always know the risks their apps can represent. "Developers don't fully understand that what they transmit is personal information," said Orphaz. Fine agreed, saying that there were no hard and fast rules about what information was really "personal."

Another problem is third-party advertisers which pay developers to include software development kits (SDKs) into their apps to gather information on users. Advertisers can compile data from multiple apps into shockingly detailed dossiers. For example, one app might ask for your age, and another for your name, but the same advertiser might have deals with both.

It's worth noting that Widdit is sort of between app development and advertising. They develop an SDK platform that can be inserted into apps so the app developer's can earn some money from their creations. 

To Fine, the lack of user education puts the onus for security entirely upon developers. "If you care about your reputation, you invest a lot of effort in maintaining it. This means your business practices just as much as your security practices," said Fine. He encouraged developers to think carefully before signing up with advertisers and installing SDKs into their apps. He also encouraged developers to examine the permissions required by SDKs before enabling them on their app. "If you as a developer did not ask for those permissions [for your app] are you willing to give the SDK those permissions?"

Developing Securely
Both Fine and Orphaz said that talking about security was one thing, but implementing it in apps was quite another. Maintaining an encrypted SSL connection for transmitting information is a good practice, but one that can be a challenge for small developers. "You have to get an SSL server, and sometimes that's not an easy thing to get," explained Orpaz. We've seen a lot of companies criticized for shirking or mishandling SSL.

Some vulnerabilities crop up from even the most basic functions. By example, Fine pointed to the Android permission that allows apps to connect to the Internet. "That's something every developer does," said Fine."Once you're connected to the network, that is immediately a vulnerability."

He encouraged developers to use common sense, and map potential risks of the features they include in their apps as well as gathering information on users. "If you're doing this, you need to stop and think 'what am I doing to minimize the risks?'" said Fine. "I'm not sure most developers do that."

First Hand Experience
Widdit had its own security problems, which we reported in a recent Mobile Threat Monday post. Their system uses SDK code within the app that daily calls a remote server to download an update to the Android phone. Security researchers flagged it as dangerous since the communication was handled without an SSL connection, potentially allowing an attacker to intercept the file and replace it with a malicious one.

Fine and Orphaz stressed that they knew about the problem before it was announced by researchers, and had already planned to fix it in the future. "This vulnerability was perceived as having a very low probability of happening. Once we understood it better, we took care if immediately and released a new version." Fine described successfully carrying out an attack using Widdit as "one in a billion" chance.

But he conceded that a change that needed to be made. "It wasn't good enough to say that it was really low probability," said Fine.

It's true that an attacker would have to go to great lengths in order to use Widdit to attack someone's phone. It certainly wouldn't be the kind of thing the average Android scammer would attempt. But attackers can muster enormous resources if the payoff is worthile, and the mobile threat landscape is changing all the time. What might be a billion-to-one chance today, could be a sure thing tomorrow.

Everyone, Up Your Game
Android users may be more concerned about security because of the Snowden revelations about NSA data gathering, but they should also be looking at their own apps. We've already seen how the spy agencies are taking advantage of games like Angry Birds to do their information gathering. Fine said that users drive the Android ecosystem, and if they demand better security the developers will have to follow.

"Everyone has a responsibility as an Android user to set the standard and educate yourself and your kids," said Fine. "Our kids growing up [today], they won't know a time when everything wasn't being shared." Fine continued that developers, "need to feel the same sense of responsibility."