At this year’s Google I/O developer conference, the technology giant shared its vision of a connected world where smart watches, smartphones, cars, laptops, televisions, and thermostats all interact seamlessly with one another. Of course, central to this vision was one of the conference’s main themes, the idea of Android everywhere and on every device. However, while all this is very exciting and filled with possibility, this new wave of devices and capabilities will spur on a race to develop more contextually aware and voice-enabled apps on the Android operating system (OS) – which, as a platform, has been a popular target for attackers.
Google’s next version of Android to be released, referred to as Android L, comes with many new features and capabilities. There are also a few noteworthy security updates. Google representatives emphasized that they are taking security seriously and are now offering security updates that will be pushed out every six weeks for the Android OS through the Google Play Service. This means that issues, such as the recent OpenSSL vulnerability, can be fixed for most devices in a timely manner, reducing the attack window.
One of the most notable security features for everyday users is the “personal unlock” feature for Android L smartphones. This feature allows the user to set up a trusted environment where no passcode is required to unlock their Android device. The trusted environment can be a defined location based on GPS coordinates or the presence of a trusted Bluetooth device, like a smartwatch. This handy feature should encourage more users to enable security precautions on their phones. Such precautions are badly needed, as highlighted by our Norton Report, which showed that 50 percent of current users do not even use basic precautions, such as passwords, on their smartphones.
Of course, a clever thief might simply steal your smartwatch along with your smartphone, or unlock your device while standing nearby. Hopefully the personal unlock feature will not rely on device or Wi-Fi names, because they can easily be faked. Someone could also spoof the GPS location, but that may be more trouble than attackers would like to go through just to unlock a stolen phone. Even if your phone does end up getting stolen, Google has strengthened the Android kill switch feature, as suggested by the Secure Our Smartphone initiative, to further protect the data on stolen phones from falling into the wrong hands and to prevent the device from being factory reset and resold.
Android for Work
Besides making it simpler for users to control their privacy settings by grouping them all in a central place under Universal Data Controls, Google also announced Android for Work, which will bring more security to enterprise users of Android smartphones. In order to achieve this, Samsung’s security platform Knox will be rolled out to all Android devices, allowing for data separation. This brings encrypted containers with strong authentication to the device and allows for container policies. Administrators can implement company-wide guidelines and control the flow of information between the container and the rest of the device.
With the greater degree of automation that comes with wearable devices, there also comes an increased risk that the device could be tricked into performing an undesired action in the background. This was demonstrated last year by the QR code vulnerability and, more recently, by the seemingly harmless Xbox One commercial that demoed some of the console’s voice control features and caused viewers’ consoles to actually turn on; luckily that was all it did. However, the coalescence of different devices in the Internet of Things (IoT) is a definite trend. Therefore, it is no surprise that the IoT is piquing the interest of cybercriminals, who are constantly looking for new ways to make money. Currently, most of the attacks are harmless proofs of concept showing what could be possible. However, new apps with new features will increase the risk of data leaks, malware, unauthorized access, and lost devices.
There is no easy solution to this dilemma. On one hand, users want to be able to order a pizza in twenty seconds and immediately pay for it with one click from their watch. On the other hand, companies must ensure that a malicious app cannot trick the user into paying for something they don’t want by using fake pop-up messages on the same watch.
Gmail APIs and Android Fit
It wouldn’t be a bad idea to keep an eye on some other features that were also introduced. For example, the newly introduced Gmail APIs, which allow authenticated apps to perform actions on your email account, have the potential to be misused by scammers through social engineering tricks.
Android Fit, Google’s approach to the quantified-self market, is also worth mentioning. Similar to Apple’s HealthKit, Google’s Android Fit will offer a central location where life-metric tracking devices and apps can store their data. This is a welcome addition, because some quantified-self apps do not have a focus on security, and users should be able to verify which services can access their aggregated data.
We recommend that users of any new devices, including smartwatches, smartphones, TVs, and cars:
- Ensure that software is up-to-date and update any passwords or other authentication features from their factory settings
- Verify privacy settings and understand what is happening to their data
- Verify before installing new applications that they are downloaded from a trusted source and that the requested permissions make sense