March 27, 2013, 8:44 PM — Microsoft's Windows operating system spent close to two decades as the 'problem child' of the IT world - ubiquitous, buggy and easy to hack. But this week brought more evidence that Google and its Android mobile operating system may be taking that mantle from the Redmond, Washington, software giant.
Andrew Hoog, CEO, ViaForensics
Two stories this week highlighted Android's mounting security problems. First, researchers at Kaspersky Lab reported evidence that unknown assailants had used an Android application as bait in a targeted attack on Tibetan and Uyghur activists. Those communities have been the target of frequent, sophisticated attacks, which are believed to have the backing of the Chinese government.
Writing on Tuesday, Kaspersky researchers Costin Raiu, Kurt Baumgartner and Denis Maslennikov reported that a malicious, information-stealing Android application was pushed to attendees at the World Uyghur Conference in Geneva, Switzerland. The application, which was delivered in e-mail as an APK-format file, masqueraded as a conference-specific Android application, but pilfered information from infected phones, including the victim's contacts, call logs, SMS messages, geolocation and phone information.
The attacks were launched from the e-mail account of a Tibetan activist who had been hacked, and relied solely on social engineering to compromise victims. Kaspersky said it was the first known example of a targeted attack using a mobile phone application as bait, though there has long been evidence that cybercriminal and nation-backed groups were experimenting with such attacks. Android is a natural choice for this type of attack, given its more open application ecosystem, which allows applications to be installed from outside Google's official Google Play store.
The other bad news for Android users came by way of ViaForensics, which published an analysis of a popular Android scheduling and task management application, Any.DO. That app has more than one million downloads from Google Play, and 50,000 reviews.
The application also has serious and exploitable security holes, including a vulnerability that would allow an attacker to conduct a "man in the middle" attack on Any.DO users. ViaForensics said its analysis revealed that the Android version of Any.DO failed to properly validate SSL (Secure Socket Layer) communications, leaving users vulnerable to man-in-the-middle attacks. The application was also found to store user passwords in plain text, along with other sensitive data including usernames, tasks, dates, times, e-mails and task data. The security holes present a "significant security risk to users," said Andrew Hoog, ViaForensics' CEO, in the blog post.
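The article does not say how Any.DO's SSL validation failed. As an added illustration (not code from the article, from ViaForensics or from Any.DO), the Java class below shows the pattern most often behind this class of finding in Android apps of that era: an `X509TrustManager` and `HostnameVerifier` that accept everything, which lets a certificate presented by a man in the middle on an open Wi-Fi network pass unchallenged. Beside it is a hardened form that keeps the platform's default chain validation and hostname check and additionally pins the server's public key, so that even a certificate issued by a compromised CA is rejected. The URL and the expected pin are placeholders, not values from the page.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // --- Vulnerable pattern -------------------------------------------------
    // A TrustManager that never throws accepts every certificate chain, and an
    // always-true HostnameVerifier accepts every host name. Together they make
    // an attacker's self-signed certificate indistinguishable from the real one.
    static SSLSocketFactory acceptAllFactory() throws Exception {
        TrustManager[] acceptAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx.getSocketFactory();
    }

    static HttpsURLConnection openVulnerable(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(acceptAllFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            @Override public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // --- Hardened pattern ---------------------------------------------------
    // No custom trust manager or verifier: the platform trust store and the
    // default hostname check run during connect(). After that, the server's
    // public key is compared to a pin baked into the app.
    static HttpsURLConnection openPinned(URL url, String expectedPinHex) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();  // default chain validation and hostname verification happen here
        Certificate[] chain = conn.getServerCertificates();  // leaf certificate first
        String actual = spkiPinHex(chain[0]);
        // Constant-time comparison of the two hex strings.
        if (!MessageDigest.isEqual(actual.getBytes("US-ASCII"), expectedPinHex.getBytes("US-ASCII"))) {
            conn.disconnect();
            throw new IOException("public key pin mismatch: got " + actual);
        }
        return conn;
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate, as hex.
    // Pinning the key rather than the whole certificate survives certificate renewal
    // as long as the key pair is kept.
    static String spkiPinHex(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumptions, not values from the article): the app's real
        // API host and the hex SPKI pin computed from that host's known-good key.
        URL api = new URL("https://api.example.invalid/sync");
        String expectedPin = "REPLACE_WITH_EXPECTED_SPKI_SHA256_HEX";
        HttpsURLConnection conn = openPinned(api, expectedPin);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

A quick way to spot the vulnerable pattern during an app review is to grep decompiled code for `checkServerTrusted` bodies that are empty and for `HostnameVerifier` implementations that return `true` unconditionally; neither has a legitimate use in production code.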
Contacted by ITworld, Hoog said that the man-in-the-middle vulnerability in the Any.DO application should be a concern to organizations, not just Any.DO's users.
"People reuse user names and passwords. There are a lot of unprotected wifi networks that an attacker can use to set up a man in the middle attack. And this is the kind of application that's used by non-technical consumers. They're not going to be sitting there worrying about security," he said.
Hoog said ViaForensics made many attempts to inform Any.DO about the vulnerability and share the results of its audits, but that the company did not respond. Efforts by ITworld to reach Any.DO were also not returned.
Hoog said that Android's rapid adoption gives it the kind of exposure that makes it comparable to Microsoft Windows. However, most of the security issues that have been identified are the result of insecure and poorly written applications for the Android platform, not the underlying operating system. The proliferation of third-party application stores offering Android applications is also an issue, he said.
Hoog said that he isn't convinced the Android operating system is any less secure than iOS, but says that Apple's model of centralized management of updates has many advantages over Google's model. "I hear CXOs saying to me 'I know that (Apple) might get it wrong with an update, but I feel confident that a fix will be issued right away and that my users will get it.'"
The bigger issue, says Hoog, is that mobile operating system vendors like Google and Apple don't allow security companies the low-level access to their operating systems that's needed to implement security features for mobile devices, such as malware detection, digital rights management and so on.
"We're in this predicament because, as a security industry, we're locked out of building the kinds of tools we need to manage mobile devices because of the way the mobile industry has developed. Until that changes, we're going to be locked in to doing one-off solutions where you'll have to jailbreak a phone to do low level testing."
Third-party security products might not make mobile operating systems hack-proof, he said. But the industry has come up with tools to help manage and mitigate risk. "I may not be able to prevent everything, but at least I have data," he says. Currently, however, security firms and organizations that face mobile threats have a dearth of options. "All I see is the walled garden," Hoog said. "And it's not pretty - it's not all roses."