
Tuesday, August 9, 2011

The Future of Android - open source

As the Android world grows, it becomes an increasingly juicy target for malware. Infected apps have been spotted in various Android app outlets on numerous occasions. The platform is less restricted than Apple's, for example, and with those freedoms sometimes come security dangers. Critics say Google could address Android's security issues with a few tighter control policies.

The number of attacks on Android devices has been rising over the past few months.
The malware has exotic names such as "Zitmo," "DroidDreamLight," "Hong Tou Tou," "DroidKungFu," "YZHCSMS," "Geinimi" and "Plankton."
In January 2010, Google (Nasdaq: GOOG) removed more than 50 fake banking apps from the Android market, and in March of this year, it removed another 50 infected apps, Amit Sinha, chief technology officer at Zscaler, told LinuxInsider.
Meanwhile, Android smartphones are growing in popularity. They have extended their lead in the United States and Canadian markets, according to IDC's worldwide mobile phone market report for Q2, 2011.
That will make for a bigger pool of targets.
"Android has the potential to become the dominant OS for smartphones," Sinha said. "And ... hackers will aggressively target Android."
Add in Google's support for NFC -- near field communications -- in Android; its launching of Google Wallet, which is undergoing field tests now; and PayPal's using NFC on Android to make payments easier, and we could have a bit of a problem.
But that's not all. Even if e-wallet features don't take off, NFC has another ace in the hole -- it lets owners of NFC-capable smartphones transfer documents by touching their devices together.
You can watch a YouTube video demoing that feature on the Nokia (NYSE: NOK) N9 smartphone here.
The implications for enterprise security are vast, especially when you recall that the increasing consumerization of IT means people are using their own mobile devices at work.
Is Google to blame for the increasing number of attacks on the Android OS because of Android's design and the hands-off policy Google maintains towards the OS? Will Android survive and be made more secure? Or will Google's laissez-faire attitude finally kill off the OS?
Google did not respond to requests for comment by press time.


Follow the Money

In September, Fortinet came across a banking Trojan it named "Zitmo." That Trojan steals one-time banking passwords. It resurfaced in July.
The mobile malware threat is expected to grow, security experts warn.
"In addition to mobile banking, many retail commerce transactions are expected to take place on mobile phones, and the cybercriminals will go where the money is," Neil Daswani, CTO and co-founder of Dasient, told LinuxInsider.
However, we may have some time before mobile banking really becomes a major security issue.
Many banks still haven't enabled mobile transactions on their websites, indicated Mickey Boodaei, CEO of Trusteer.
"Since online fraud is mostly a big numbers game, attacking mobile bankers is not yet a profitable fraud operation," Boodaei remarked.
That situation will change soon. Trusteer predicts that within 12 to 24 months more than 5 percent of all Android phones, iPads and iPhones could become infected by mobile malware.

Preparing for the Mobile Malware Rush

Device makers and app developers have to shape up in preparation for the expected flood of attacks on NFC-enabled devices once mobile banking takes off.
"The NFC Forum defines the contactless protocol between devices, so much of the security is the responsibility of application providers and manufacturers," Debbie Arnold, the forum's director, told LinuxInsider.
The forum's role is just to define the contactless protocol between devices, Arnold said.

Was Android Built Wrong?

The problem lies in Android's security architecture, and the proof is that it's easy to build applications that can get access to sensitive operating system resources such as text messages, voice, location and more, Trusteer's Boodaei told LinuxInsider.
However, not everyone agrees this is really an issue.
"While the security architecture of Android as well as other mobile OSes can certainly be improved, just as desktop OS security has improved over the decades, the security architecture itself isn't responsible for malware propagation," Daswani said.
Tens of thousands of new malware binary variants are created for Windows and Mac OS, for example, Daswani pointed out. The problem of security isn't going away any time soon, he opined.

Permissions Are a Hollow Protection

In its defense, Google has repeatedly pointed out that all downloaded apps request permission to access resources on users' smartphones, and users can just say no.
That isn't enough, Boodaei contends.
Users usually just say yes because many applications request access to an "extensive list" of resources, Boodaei explained.
Google could make Android's permissions model more fine-grained, Dasient's Daswani suggested.
For example, when an Android app requests access to the Internet, it gets access to everything, including malicious domains and websites, Daswani said. Instead, Google should perhaps restrict an app's access to the Internet to only what it actually needs.
"That follows the principle of least privilege, which is well-known in the security community," Daswani remarked.

Google's Slow Anti-Malware Shuffle

In addition, Google doesn't check apps before letting their authors post them on the Android Market. Also, Google has sometimes been criticized as slow to respond to complaints about apps containing malware.
"Distributing fraudulent Android applications is trivial," Trusteer's Boodaei alleged. "There are no real controls around the submission process that could identify and prevent the publication of malicious applications. Compared to Apple's (Nasdaq: AAPL) App Store, the Android Market is the Wild West."
Further, a Google Web page requesting that Google review and take down inappropriate apps from the Android Market is hard to find, Boodaei said.
The form doesn't appear to be of much use, either, he said.
"We used it a few times with no results," Boodaei groused. "In order to have an application on the Android Market taken down, we had to use contacts within Google who are not available to the average user."
Google needs to make "major improvements" in its process of identifying and removing malicious apps from the Android Market, Boodaei said.
"Google already has a kill switch to remotely remove malicious apps, but this approach is reactive," Zscaler's Sinha stated. "They need a more proactive approach to screening and testing apps prior to allowing them on the market."

Tuesday, April 12, 2011

The Future of Cheap Androids Begins Now

 
The arrival of low-priced smartphones is an event many have been waiting on for some time. Sure there are often buy one, get one deals or one-day specials where you can find a smartphone for as little as a penny, but in most cases, such deals are tied to expensive plan commitments that last for two years. For a real paradigm shift, we’ll need to see unsubsidized handsets priced at or under $100 that can be used on a month-to-month basis. We’re inching closer to that shift.
Take the LG Optimus V, for example. Virgin Mobile just began selling this Android smartphone for $149. Since Virgin Mobile is a pre-paid operator, there’s no contract involved. That means the company is selling the handset at full-price; there’s no subsidy, no contract cancellation fee and no commitment. You pay $149 and the phone is yours. Monthly plans that include unlimited mobile broadband access with Virgin Mobile — which uses Sprint’s network — start at $25 with a limited amount of minutes.
Think about that for a second. With a $149 initial investment and then an ongoing cost of less than $1 per day, someone can have a basic, but useful, smartphone in the U.S., with the flexibility of upgrading to a better phone or different carrier at any point in time. Granted, the Optimus V doesn’t compare to the high-end specifications of the latest and greatest Androids, Apple’s iPhone, or other currently popular devices, but I’m not sure that matters.
I reviewed the LG Optimus T handset back in November, and it’s essentially the same phone as the Optimus V; LG is rebadging the basic design for different carriers. For a long-time mobile device user that values high performance, the Optimus may not be as fast or as feature-packed as what I’m used to. But that doesn’t mean it won’t provide value to those currently on feature phones or other low-end smartphones. In my review, I noted:
This handset does just about everything that my more expensive phone can do. You can install mobile apps from the Android Market (yay Angry Birds!), share pics on Facebook (taken with a decent, but not high-end camera), browse the web over 3G or Wi-Fi, manage email on the go, check-in on Foursquare, use Google’s Navigation and use Google Voice services. The phone uses the latest version of Android, which helps boost performance. Plus, the 1500 mAh battery paired with a slower processor makes for an all-day device.
All of the essential functions are there: 3G, Wi-Fi, Bluetooth, a touchscreen display, GPS, a 3.2-megapixel camera and more. Plus, the handset can run a myriad of software found in the Android Market. Would I like to see the device have more guts than the 600 MHz processor provides? Sure I would, but each improved feature boosts the costs and puts the device out of reach for more consumers on a tight budget, and besides, I’m not in the target audience for this device.

 
The Optimus handset line, especially when paired with a low-cost pre-paid plan, represents the coming wave of cheaper smartphones: a slowly rising tide that will bring additional challenges to companies such as Nokia that sell more feature phones than any company in the world today. Indeed, outside the U.S., where Nokia is a popular brand, such cheap smartphones may pose an even greater risk to Nokia. Why? Because here in the U.S. our handsets are generally tied or locked to a carrier and we have two different network technologies. But in Europe and elsewhere, it’s not uncommon to buy a phone, then purchase a SIM card from whichever carrier is currently offering the cheapest voice and data rates. A cheap, no-contract handset can run on any number of networks in that case, making the device an even more appealing alternative to a feature phone.
Adding additional pressure is the likelihood of these Android handsets getting cheaper in the future. Brian Modoff from Deutsche Bank Equity Research yesterday issued this note:
By 2013, we expect 1 GHz smartphones to be available for $100. The combination of a $0 license for Android and the steady march of Moore’s Law could translate into $100 smartphones by late 2012 or early 2013. At that point, we think even the average emerging markets’ consumer will shift their purchase sharply away from feature phones to smartphones, posing a serious challenge to companies such as Nokia without a clear strategy for low-end operating systems.
I agree with Modoff in principle, but I suspect the timeline he presents for a $100 smartphone is too conservative. By the end of this year, I expect to see no-contract Android devices costing $99 or less, paired with reasonably priced pre-paid plans. There may be a question of exactly when that will happen, but there’s no question that it will happen. And when it does, it will open up the floodgates for upgrades to those on feature phones and kick smartphone adoption into an even higher gear.