Does Android security have openness issues?

Is the open marketplace, not open source, inviting malware?

Lately my wife and I have each been getting e-mails from various "companies" that try to link us to an incoming package tracking or online bill page.

These e-mails are well-crafted, but they are also clearly fakes designed to phish for information or (in one case) get us to a website that attempts to stick malware on our computers. (And, as an aside, I often imagine the little plink! that malware makes when it tries to run on my Linux machine.)

But their frequency of late is a bit predictable. Faking a message about an incoming package right now is actually not so stupid, since the increase in online shopping after Cyber Monday means that consumers (like my wife and me) may actually have a lot of packages on the way.

It's in this frame of mind that I read a blog post from Rik Ferguson this week that took Google's Chris diBona's mid-November remarks about open source and security to task. One phrase of Ferguson's in particular resonated: "…[C]riminals follow consumers; always have, always will."

The context for Ferguson's response is straightforward: diBona, the Open Source Programs Manager for Google, wrote a lengthy Google Plus post on November 16 that lamented the pervasiveness of FUD regarding open source security.

At the time, I deconstructed the original article that diBona was criticizing. But diBona's broader points about security vendors trying to sell vaporware when they talk about malware on Linux and other open source platforms, such as Android, drew the attention of Ferguson, Director of Security Research & Communication at Trend Micro. You know, one of those security analysts making such claims about malware.

Indeed, in August, Trend Micro's TrendLabs claimed that the amount of Android malware jumped 1410 percent from January to July of 2011. At the time, I saw this report and concluded that the low starting numbers for Android malware made such huge percentage jumps less meaningful, and I didn't jump on what I perceived as a sky-is-falling news cycle.

Ferguson, though, is also well aware of this, writing in his Nov. 21 blog:

"Let me be very clear. I am well aware that this rate of increase is starting from a low base, those four figure increases are not as shocking as they may at first appear. In raw numbers the total amount of malware is of course orders of magnitude lower than for example the Wintel platform. However the more important figure is not the total number of malware, but the rate of increase of that malware quarter on quarter and year on year. That demonstrates current, active and sustained criminal interest in the mobile platform."

Whereupon he makes the comment about criminals following consumers.

Ferguson defends his company's reports on Android malware, but he is very quick to remove open source as the cause of Android's security problems. Directly addressing diBona's remarks that all mobile platforms, not just Android, have malware issues, Ferguson wrote:

"As far as I am concerned, the problem pertinent to Android is not that the OS itself is open source, like I said you made some valid points about that, but that the app distribution mechanism is entirely open. Android embraces the concept of multiple third party marketplaces in addition to the 'official' marketplace, even in the 'official' marketplace there is no upfront vetting of code or functionality. Couple that with the undeniable and deserved popularity of the platform, it is no surprise that criminals are already actively exploiting an opportunity here. It's not the open source, it's the openness of the source."

I would take exception to that last phrase, perhaps saying "openness of the applications" instead, but Ferguson still gets a pretty good point across. When people ask me about the security risks of Android, I always caution them to at least get their apps through the official Market, and never "sideload" an app (install an app package from outside the Market, for example one copied over from someone else's phone/device). I never raise this point for iOS or RIM users.

If anything demonstrates that no mobile platform is immune from security issues, the recent discovery of, and subsequent hullabaloo about, the CarrierIQ tracking software would certainly do it. Whether it is done by carriers or by criminals, the fact is that it is all too easy to get software onto a mobile device without the user being aware of it.

I realize that Ferguson's remarks about criminals following the money resonate because of my own recent experiences, but this whole business about the bazaar-like nature of Android's marketplace seems like something that would be easy to fix.

Before the CarrierIQ kerfuffle, I might have been slightly tempted to argue for the carriers' participation in vetting apps for the Android Market, something that Google does not want to try. Such a suggestion this week is even dumber, so you won't hear it from me.

Here's (hopefully) a better one: Android may already have a mechanism in place that could help. The platform already tells me which pieces of my phone and its data each app wants to access: the list of requested permissions is shown to me every time I install or update an app. The catch is that the list is all-or-nothing. I can decline the install, but I cannot accept some of an app's permissions and refuse the rest, and once a permission is granted the app can use it for anything it likes, whether or not that use has anything to do with its stated purpose.

So here's a question: is there a way to lock this information down a bit and have a warning pop up if an app does something unexpected? Like a trojan phoning home or recording keystrokes when the app was not supposed to do that? It seems like this extra layer of security wouldn't be too hard to implement, though since I am not a developer, I have no idea how hard it would be to circumvent or what kind of performance hit it would add.

It seems to me, though, that such a system would afford Android users at least a little bit more control over their apps and still allow Google's open-for-all marketplace plan.
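The permission list Android shows at install time can be read out of the APK before the install ever happens, which is the one check a user who does sideload can still make. The following Python script is an added example, not code from the original post, from Google or from Trend Micro. It parses the text printed by the Android SDK tool `aapt dump permissions app.apk`, flags permission combinations that an app phoning home with the user's data (or sending premium-rate SMS) would need, and reports which permissions an update adds compared with the version already installed. The package name `com.example.flashlight`, the two embedded aapt dumps and the list of suspicious combinations are all constructed for the illustration; the combinations are heuristics, not evidence of malice.

```python
"""Audit the permissions an Android APK requests before (side)loading it.

Added example, not code from the original post, Google or Trend Micro.
Parses `aapt dump permissions app.apk` output (both the older
"uses-permission: X" and the newer "uses-permission: name='X'" line
formats), flags suspicious permission combinations, and diffs the
permissions of two versions of the same package. Both dumps below are
constructed samples for a hypothetical package, not real apps.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: `aapt dump permissions` output for version 1 of a
# hypothetical flashlight app, in the older aapt line format.
OLD_APK_DUMP = """\
package: com.example.flashlight
uses-permission: android.permission.CAMERA
uses-permission: android.permission.INTERNET
"""

# Constructed sample: the same hypothetical app after an "update", in the
# newer aapt line format. A flashlight has no business reading SMS.
NEW_APK_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Matches both "uses-permission: X" and "uses-permission: name='X' ..." lines.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)")

# Heuristic combinations (assumed for this example), not proof of malice:
# an SMS client legitimately needs SMS permissions. A flashlight does not.
SUSPICIOUS_COMBOS: Dict[str, Set[str]] = {
    "sms-exfiltration": {"android.permission.READ_SMS", "android.permission.INTERNET"},
    "premium-sms-sender": {"android.permission.SEND_SMS"},
    "contact-harvesting": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "location-tracking": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
    "audio-eavesdropping": {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"},
    "starts-at-boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def parse_aapt_permissions(dump: str) -> Tuple[Optional[str], Set[str]]:
    """Extract (package name, set of requested permissions) from aapt text."""
    package: Optional[str] = None
    perms: Set[str] = set()
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
            continue
        match = _PERM_RE.match(line)
        if match:
            perms.add(match.group(1))
    return package, perms


def flag_permissions(perms: Set[str]) -> List[str]:
    """Names of every suspicious combination fully present in `perms`."""
    return sorted(name for name, needed in SUSPICIOUS_COMBOS.items() if needed <= perms)


def audit_update(old_dump: str, new_dump: str) -> Dict[str, object]:
    """Compare two versions of one package: permissions added or removed by
    the update, and which suspicious combinations the update newly completes."""
    old_pkg, old_perms = parse_aapt_permissions(old_dump)
    new_pkg, new_perms = parse_aapt_permissions(new_dump)
    if old_pkg != new_pkg:
        raise ValueError("dumps are for different packages: %r vs %r" % (old_pkg, new_pkg))
    return {
        "package": new_pkg,
        "added": sorted(new_perms - old_perms),
        "removed": sorted(old_perms - new_perms),
        "new_flags": sorted(set(flag_permissions(new_perms)) - set(flag_permissions(old_perms))),
    }


if __name__ == "__main__":
    report = audit_update(OLD_APK_DUMP, NEW_APK_DUMP)
    print("package:", report["package"])
    for perm in report["added"]:
        print("  + new permission:", perm)
    for perm in report["removed"]:
        print("  - dropped permission:", perm)
    for flag in report["new_flags"]:
        print("  ! update newly matches:", flag)
```

To use it on real packages, run `aapt dump permissions old.apk` and `aapt dump permissions new.apk` and pass the two outputs to `audit_update`. Everything here comes from the APK's manifest, so it tells you what an app is allowed to do, not what it actually does; the runtime warning the post asks for would need hooks inside the platform itself, which this script does not provide.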

The question of Android security--like that of any mobile platform--is one that needs to be addressed. Someday soon, mobile devices may be the only computing platforms people own.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld. Drop Brian a line or follow Brian on Twitter at @TheTechScribe. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
