Security Response

Google's Android Phone

Created: 12 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:44 GMT
By Eric Chien

All of the recent rumors about Google releasing a "gPhone" were finally put to rest with their release of Android, which is a software stack for mobile devices. Android includes an operating system (Linux), middleware, and some default applications like a browser.


Applications are written in Java and run on a framework provided by Google, including Google's own virtual machine, the Dalvik virtual machine. The entire framework is open source, and Google (as part of the Open Handset Alliance) wants to bring openness to the mobile ecosystem, allowing anyone to write applications that make use of all of the functionality available on handsets.

Of course, this raises the question of security. Android's basic security model against ordinary malicious code is a prompting model. Applications must include a manifest stating which potentially dangerous features they want to use, such as making phone calls. At install time the user is prompted (or possibly some other authority is queried, in the case of signed code) and forced to decide whether the application should be allowed to perform those operations. In contrast, Apple's iPhone currently takes the opposite approach: third-party on-device applications are not allowed at all, which prevents the vast majority of malicious code for the average user (those who haven't unlocked their phone). Because Android is still in development, predictions about its threat landscape are a bit premature, but history has shown us that a prompting model is far from effective.

Today, the vast majority of Windows malware requires user interaction, some of it obtained through social engineering and much of it simply because the user isn't sure which option to choose. Imagine that you download a game and the game requests the ability to send SMS messages from your phone in order to post your high scores to a central server. You agree, but little do you know that the application is also sending SMS messages to a premium-rate number. The prompt grants the capability, not the purpose: once "send SMS" is approved, nothing in the model distinguishes the score server from the premium-rate number.
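To make the two points above concrete (the manifest-declared permission that the user approves at install, and the fact that the approval covers every use of that capability), here is a small added model of the install-time prompt, written for this post and not part of Android or of any Symantec code. The manifest is constructed for the hypothetical high-score game; the permission names follow Android's `android.permission.*` convention, the user-facing descriptions are made up for the example, and the `InstalledApp` class stands in for the runtime's permission check rather than reproducing it.

```python
"""Toy model of Android's install-time permission prompt (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for the hypothetical high-score game from the text.
# It declares the capabilities it wants; INTERNET for the score server,
# SEND_SMS "for high scores", and CAMERA thrown in for the camera question.
GAME_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.highscoregame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="High Score Game"/>
</manifest>
"""

# Which declared permissions are "potentially dangerous" enough to prompt on,
# and the wording the user would see. The classification and wording are
# assumptions for this example, not Android's actual strings.
DANGEROUS = {
    "android.permission.SEND_SMS": "send SMS messages (this may cost you money)",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.CAMERA": "take pictures with the camera",
    "android.permission.READ_CONTACTS": "read your contacts",
}


class PermissionDenied(Exception):
    """Stand-in for the SecurityException a real runtime would raise."""


def declared_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def install_prompt(manifest_xml):
    """The lines the user is asked to approve, in manifest order.

    Only 'dangerous' permissions are shown; INTERNET passes silently here.
    """
    return [DANGEROUS[p] for p in declared_permissions(manifest_xml)
            if p in DANGEROUS]


class InstalledApp:
    """An installed package: the decision is all-or-nothing at install time."""

    def __init__(self, manifest_xml, user_accepted):
        root = ET.fromstring(manifest_xml)
        self.package = root.get("package")
        # Either every declared permission is granted or the app isn't installed
        # with any of them; the user cannot approve SEND_SMS "for scores only".
        self.granted = set(declared_permissions(manifest_xml)) if user_accepted else set()

    def check(self, permission):
        if permission not in self.granted:
            raise PermissionDenied("%s lacks %s" % (self.package, permission))

    def send_sms(self, destination, text):
        # The check is on the capability only. The destination is never
        # consulted, so the score server and a premium-rate number look alike.
        self.check("android.permission.SEND_SMS")
        return {"to": destination, "text": text}


def sms_outcome(app, destination, text):
    """'sent' or 'denied' for a send attempt; convenient for showing both paths."""
    try:
        app.send_sms(destination, text)
        return "sent"
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    print("Install prompt:")
    for line in install_prompt(GAME_MANIFEST):
        print("  This application can", line)
    game = InstalledApp(GAME_MANIFEST, user_accepted=True)
    print("score upload :", sms_outcome(game, "+15550100", "highscore=9000"))
    print("premium send :", sms_outcome(game, "12345", "SUBSCRIBE"))
```

Running it shows the prompt listing SMS and camera access, and then both sends succeeding: the model can tell the user that the game may send SMS messages, but it cannot express "only to the score server", which is exactly the gap the premium-rate abuse slips through.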

In addition, determining which APIs are potentially dangerous isn't always easy. For example, should a program be able to use the camera without first asking? What if it takes surreptitious pictures? Nevertheless, with another mobile device platform on the horizon, interesting times await us, and we'll have more updates about Android in the future.