Wednesday, 24 October 2012

How much can you trust your Android Phone?


Introduction
Android sales have been huge in the last few years.
Surely, one of the key success factors of this platform is the possibility to have a smartphone with thousands of apps available at a starting price of $99.

A big problem
Its huge user base makes Android a fertile ground in which computer thieves put their efforts to gain access to:
  • user accounts
  • private data
  • credit card numbers
Let's take the WebKit engine: it is used by the browser and by some apps to render web pages.
It is one of the most attacked modules on the platform, maybe because it is easier to find a known bug there and obtain access to personal data.
If there is a problem in that component, a lot of apps become a security problem, unless you can update the smartphone.


A platform with no bugs doesn't exist and never will, but anyone who makes you pay for a phone should guarantee a system that can be repaired and upgraded.


Google can guarantee this, but not Android... why?

Generally, in my experience, the only phones that receive system updates are Nexus phones, made by manufacturers for Google.

If you have an Android phone, you should have Jelly Bean by now, the latest version of Android.
That's how it should work...
Is there a system update? Then your phone must receive it as soon as possible.

Other phone manufacturers do not update their software.
After you have bought their phone, they ignore you; they leave you with an insecure system that can be compromised with a simple link received from a social network, by scanning a QR code (link), or by NFC (link).

Most of the problems found in a module like WebKit are common to iOS, because iPhones also use WebKit, but on the iPhone the insecurity is limited to people who don't want to install a system update.

The problems on iOS are solved in a few days.

The solutions
Here are some solutions:
  • buy a new phone every year to get new software updates.....
  • buy a Nexus phone (a new one will be available soon)
  • use a custom ROM: you can flash your phone with a ROM made by someone like CyanogenMod (how can I trust them? I don't know... but it is open source and better than a stock buggy ROM)
  • don't buy an Android phone
Keep your apps updated and pay attention to what you install, too.
This is an article about a security problem in Google Drive and Dropbox from a few days ago: http://blog.watchfire.com/wfblog/2012/10/old-habits-die-hard.html
If Google and Dropbox have security problems, you can imagine how many other apps can have security problems... so think before "yes install / accept accept accept / don't care / yes do what you want with my phone".
And this is another recent article about how apps are generally insecure when handling HTTPS connections (for example when you want to check your bank account from your phone on a public Wi-Fi).

If you have not seen this yet... watch this Android bug and... think that the only Android platform not affected... is Jelly Bean.