Over the years, the Java ME/MIDP security model has been widely criticized. Asking users again and again for security confirmations on untrusted programs is painful and dangerous. I must admit that I don’t like it, and that I don’t like the idea of confirming any potentially dangerous idea.
There are many solutions to that, that can even be combined:
- The PC model. Don’t provide any guarantees whatsoever, and expect all users to use antivirus software of some kind. The model works quite well on billions of PCs, and not that well on the millions of PCs that are used in botnets to send us spam.
- The signature model. Make sure that all applications deployed are signed. You may get many properties out of a signature, and the most likely is an identification of the application provider (because they need to prove their identity when applying).
- The explicit user authorization model. With this model, the user is asked once to authorize an application to perform some security-sensitive actions. You are quite likely to allow an e-mail application to use the network and to access your contacts, but you may not necessarily want to allow it to know your current position; you should be able to make that decision.
- The firewall model. This is the Java Card security model, in which applications share a platform, and still are completely isolated from each other. This is also the Chrome security model, which seems efficient, since this browser appears to be more resistant, at least to some attacks.
As far as I know (hopefully, I will know more in about a month from now, with the release of an Android device by SFR), the Android operating system uses most of these things in its security model. The question is how well it protects Android devices against Trojan horses.
First, all Android applications need to be signed before they can be loaded on a commercial phone. So, we get some kind of proof of origin of the application. This will not protect you much, but it gives you the ability to fight back if an application causes you trouble. Actually, Android Market offers you something even better: you can give a poor rating to the application that gives you trouble. If you are not isolated, then it will have some effect. Google also most likely has the possibility to disable an application remotely (consider this as the final update for this application).
Applications seem to be firewalled from each other to some extent, as they reside in different Unix processes. Of course, like any firewall, there is a hole, since Android applications are also supposed to be content providers for other applications. This may of course be attacked, but Android remains a Java platform, and it may not be that easy to do.
Explicit user authorization is also used, since the end user is warned of the permissions required by an application to run, and is given the possibility to reject an application if it unexpectedly requests a permission. Since this happens before actually launching the application, and since most users aren’t really experts, the efficiency of this measure may be limited.
Finally, about the PC model. The main point that I want to make here is that Android is one of those platforms that does not give you any guarantee about the software you load on it. There does not seem to be a strongly enforced policy for such applications, and no real way to enforce one.
Now, let me think like an attacker. What would I like to try with an Android application?
- Abuse content providers. This is quite likely to work well with some applications, with poor protections. But then, if the applications are poor, they may not be the most interesting.
- Social engineering. Since users are asked to confirm a permission, there is always a way to abuse them, or at least some of them. It may therefore be possible to install an application with permissions that should never have been granted to it. The problem is how to use these permissions. If I start sending premium SMS messages, the users are quite likely to identify my application as the origin, and my ratings on Android Market will go down fast.
- Trojan Horse. How do I define a Trojan Horse? It is the malware equivalent of a terrorist sleeper cell. It does nothing (or almost nothing), until it is told to do something. And naturally, its objective is to very cautiously conceal its “illegal” activities. Trojan Horses are very difficult to defend against, and Android is no exception here.
Before detailing the little security bits that make Trojan horses possible, let’s consider two examples:
- The first example is a Trojan Horse that sends out your contacts to a spammer. Of course, it will not start by dumping your entire contact base to the Internet. Instead, it will randomly choose records to publish, avoiding of course the ones that you actually use, to avoid detection. This kind of malware could be hidden in a game that allows you to send a message to a friend when you hit a high score.
- The second example is a Trojan Horse that does anything illegal you can think of, from sending all your contacts to a spammer to calling premium numbers or worse things. Here, the idea is to avoid detection until “the” time of the attack. The objective is of course to make it impossible, or at least difficult, to disable the application before it becomes bad. The app will rapidly be labeled as “bad” in the Android Market, but then, who cares? It has worked, let’s move to the next one.
These attacks both exploit the same weaknesses in the Android distribution model. In particular, they use the fact that permissions are granted once and for all to an application, and that some combinations are particularly dangerous. For instance, granting read access to your contacts together with access to the Internet is like granting the right to dump your contacts on the Internet. Similarly, granting the right to set up a call to your friends also grants the right to call any premium number.
Another weakness comes from the application store model. This is a reputation-based model, so your application will keep being distributed until it gets a bad reputation.
Now, don’t get me wrong. I am not saying that your phone will soon be infected with all kinds of horrible beasts from all over the world. I am just saying that bad surprises may occur at some point.
I would like to have a solution ready, but I don’t. I do believe that static analysis could at least partially address the problem, by making it harder for attackers to develop malware. However, this is only a theoretical view, as I don’t think that anything really interesting exists yet for Android.
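As an added example that is not part of the original post, here is the kind of simple static check the last paragraph alludes to, applied to the permission combinations described earlier (contacts plus Internet, call set-up, premium SMS): it reads the `<uses-permission>` entries of an AndroidManifest.xml and flags each combination that together grants a capability the user probably did not mean to give. The rule table, the package name and the sample manifest are constructed for this example.

```python
"""Flag risky permission combinations in an Android manifest (static check)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Each rule: (set of permissions that together grant a capability, description).
# The contacts+Internet and call rules are the combinations named in the post;
# the SMS and location rules are analogous pairings added here by the same reasoning.
COMBINATION_RULES = [
    ({"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
     "can upload the contact list to any server"),
    ({"android.permission.CALL_PHONE"},
     "can dial any number, including premium-rate numbers"),
    ({"android.permission.SEND_SMS"},
     "can send SMS, including premium-rate messages"),
    ({"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
     "can report the device position to any server"),
]

def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def risky_capabilities(perms: set) -> list:
    """Return the description of every rule whose permission set is fully granted."""
    return [desc for needed, desc in COMBINATION_RULES if needed <= perms]

# Constructed sample manifest: a "game" that only needs the network to post
# high scores, yet also asks for the contacts (the first Trojan horse scenario above).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.highscoregame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="High Score Game"/>
</manifest>
"""

if __name__ == "__main__":
    found = declared_permissions(SAMPLE_MANIFEST)
    for finding in risky_capabilities(found):
        print("WARNING: application", finding)
```

Such a check only sees what the manifest declares; it says nothing about when or whether the application actually uses the capability, which is exactly the sleeper behaviour the post describes.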