Fix It

Despite the immense popularity of the Android mobile operating system, one significant damper on the euphoria is the lingering sense that Android devices lack security. Although virtually any business laptop today comes with convenient features for encrypting the hard disk, comparable features in Android smartphones are rare. Smartphone security in general, and security of Android phones in particular, is not good if you believe the media reports.

Kaspersky Lab had already discovered the 10-millionth Android malware app by the end of January 2014, despite the fact that Google Play lists hardly more than a million apps. Of the 350,000 unique mobile threats and more than 840 threat families, 98-99 percent now target Android.

The full gamut of Windows malware also exists in the Android universe: worms, adware, backdoors, monitors, risk tools, malicious remote admin tools, SMS flooders, and a full set of trojans: downloaders, droppers, fake AV, PSW, SMS, spyware, clickers, bankers, and ransom tools.

According to Christian Funk, a senior virus analyst with Kaspersky, the reasons for Android's security issues are wrapped up in developer practices and program verification. "The way access privileges for interfaces and user information have been implemented on Android is okay in principle. But what we see is that app programmers very often ask for access to areas that have nothing to do with the way their app works. Attackers take such permissive apps, inject malicious code, and offer them on sites other than Google Play."

To give users some peace of mind, Google plans nothing less than a total revamp of the security features for the upcoming Android L release (Figure  1). Although the L release is still a work in progress, and it doesn't even have a dessert name yet (although Lollipop is a likely candidate), many details of the new security architecture have already reached the public (Figure 2).

Figure 1: The Android L desktop. The new system introduces some changes under the hood, but the security remains fairly piecemeal.

Figure 2: Android L is ready for testing and already booting in the SDK.

Opportunity Knox

One of the more interesting developments is that Samsung is helping Google implement additional security for the L version. The fact that Google is leaving it to Samsung is not surprising: Unlike most other manufacturers of Android phones, Samsung has offered its proprietary security framework for Android for some time; it goes by the name of Knox [1] (Figure 3). The Knox framework is named for Fort Knox, the super-secure facility where the United States government stores its gold.

Figure 3: Samsung's Security Framework Knox comes with many new and good ideas, but it remains unclear whether other manufacturers will benefit.

Knox offers many features that are of critical importance in the enterprise. One important principle is establishing a "secure path" for the execution of programs. As long as UEFI is enabled, the BIOS executes only operating systems that a well-known manufacturer has digitally signed. Verifying the identity of the app could theoretically prevent an attacker from doctoring up an app with malicious code and posting it independently for download. (One could possibly work around this protection and still have a working device, but you would void the warranty, and, obviously, you would be foregoing the security benefits of the new feature.)

Knox offers many more security features, such as TIMA, the Trust zone-based Integrity Measurement Architecture [2]. TIMA combines several tools that protect the system kernel at run time. Options for biometric or smartcard authentication prevent unauthorized access, especially if the device falls into the wrong hands.

And then there are the managed profiles: Knox lets you separate business data from personal information on smartphones. Users can do whatever they want in the private part of the profile, but any business data is kept safe on the same smartphone. You'll find profiles along with other (fairly unsurprising) security features in the Android Settings app below Settings | Security (Figure 4).

Figure 4: Configuring security in Android L.

At last: SE Linux becomes Android SE

Android also integrates the SE Linux [3] security feature, in the form of Android SE. The SE Linux tool, which provides sophisticated policy-based access control for Linux desktop and server systems, plays a central role in the security architecture of Android L.

SE Linux prevent programs from executing functions that they are not allowed to run, and if a program does gain unauthorized access, the protections integrated through SE Linux will help prevent privilege escalation. (A side effect is that you might have a more difficult time rooting your own phone.) Clamping down on the privileges assigned to a application at the policy level should help prevent attackers from modifying programs to do things they were never intended to do.

Updates

Security updates for older devices have been an issue with Android in the past. Porting these modifications to new versions of Android costs a lot of money, and because new Android smartphones are continually pouring onto the market, updates are regularly discontinued for devices that sometimes are little more than a year old. Even maintenance updates for patching well-known vulnerabilities sometimes don't find their way to users. Devices that don't receive regular updates pose a problem regardless of how many new security features you add to the operating system. Integrating SE Linux features could certainly add an additional barrier for malware slipping onto the system, but any way you look at it, a system that isn't receiving updates is still vulnerable.

Users have the option of installing aftermarket firmware. Tools such as Cyanogenmod [4], Paranoid Android [5], or Mokee [6] offer users an alternative to the update dead-end, but these solutions can sometimes have nasty side effects. Also, installing aftermarket firmware invalidates any form of app verification, because you first need to unlock the bootloader.