Guest author Min-Pyo Hong, CEO and founder of Seworks, has advised corporations, NGOs, and governments on digital security issues for over 20 years, and led a team of five-time finalists at DEF CON.
Nearly every month, Android owners encounter fresh news of serious security breaches to Google’s mobile platform, with the StageFright hack and the porn clicker Trojan just the latest, worrying revelations.
Google has taken steps to protect Android consumers, providing better security tools for Android developers. But when it comes to the two latest threats, crucial improvements still remain. These need to be addressed before Google Play can approach the level of safety afforded by Apple’s App Store.
The Android maker’s focus on mobile security hasn’t quite extended far enough, leaving some critical work in the balance. The following tops my list of urgent matters that it must address immediately.
Imperfectly Protecting Google Play Users From Themselves…
Google recently reported (.pdf link) that under 1% of Android devices had potentially harmful apps installed in 2014, which sounds impressive on the surface.
So does its server-side malware scanner, which the company uses to review apps in Google Play and third-party app stores. Its goal is to protect end users by preventing the installation and usage of malicious Android apps. But when my company (mobile security provider Seworks) performed repeated tests on it, we found that it doesn’t perform thoroughly enough to block malicious apps.
A few were able to slip through the cracks—likely, at least in part, because malware developers can sometimes upload compromised apps faster than Google can block them.
The tech giant’s statistic doesn’t tell the whole story either. Mobile security firm Lookout reports that 7% of Android owners in the US were exposed to security threats in 2014 alone. Quick Heal, another security provider, reports that Android malware skyrocketed by 300 times between 2011 and 2014.
If these reports are true, then it seems highly doubtful that Google’s scanner is as accurate as the company claims.
See also: Here’s What’s New In Android M
There’s even more reason to doubt its efficacy: Working with several major clients on a simulation, we recently ran a test to decompile existing Android apps. Essentially, we wanted to know whether the company could identify and catch malicious code designed to gain unauthorized permissions to user data (such as contacts, call log, etc).
The experiment sampled a common type of malware, and yet, it was never detected by Google’s scanner. We ran the test multiple times.
To help shore up security, Google is performing manual reviews of submissions to the Google Play store, which is a laudable development. But it’s unclear how comprehensive that process is. The extremely short approval process—which can be measured in hours, as opposed to days—is concerning.
As for third-party Android app stores, Google offers a built-in “Scan device for security threats” feature, though many device owners don’t reference it, let alone realize it exists. Fortunately, it runs in the background by default.
… While Developers Must Still Mostly Fend for Themselves
While Android consumers are somewhat protected by automated safety systems, Android developers must take the initiative in securing their own apps—both when they’re written and after they’re published.
Google Play warns developers about some potential security issues, such as insecure storage of credentials or out-of-date libraries. But many developers are overwhelmed by bug fixes and feature requests, making it easy to backburner those warnings for a future update or even miss them entirely.
I regularly warn developer colleagues about the unfortunate nature of such advisements: If you add security measures to an app that’s already been published, it’s often already too late. Not that they shouldn’t patch the vulnerability, but they must realize that the work doesn’t stop there.
Google’s device platform is based on Java, which means that the compiled app package (also known as the APK) is in Java Bytecode form, which is extremely easy to decompile. In other words, hackers can easily view the original source code with readily available tools.
Google recommends that Android developers use a free tool called ProGuard, which does name obfuscation at the source code level. (My colleague, Mary Min, recently covered this topic in an article title “Source Code and String Obfuscation.”) The effort helps, but it doesn’t protect against decompiling, and it isn’t a comprehensive technique to prevent reverse engineering at all.
Why Google Play Needs a Binary Solution
The evidence suggests that Google’s scanning capabilities are not fully reliable. If the company cannot identify and block malicious apps that have been written, then it must help Android developers protect their apps at the binary level. This is the most significant matter for the company to address now.
This may take the form of an educational campaign: Developers must understand that binary protection is crucial in preventing the decompiling and reverse-engineering of their apps. This is what enables pirates to alter those apps—for instance, to remove security controls and inject malware, or other hacks—and repackage them.
Cutting that off has another benefit as well: Decompiling also enables outright copycatting, as the mobile game industry knows all too well. Unsurprisingly, OWASP escalated the “lack of binary protection” as one of the top ten security risks for mobile apps last year.
The need is urgent. As I write this, there are well over one billion active Android users around the world. Next year, there may be a billion more.
Google now has the opportunity to transform Android into the globe’s most important Internet platform, connecting us even more securely across the oceans that divide us. But pirates and saboteurs know this too, and they are gathering in the seas—waiting for the opportunity to plunder.