Bob Tallent
23rd November 2011
Android is what is termed "open source", and anyone can write and distribute an app for it, so an app that asks the user for the right permissions can quietly harvest that user's data. I've been looking at some security issues with mobile phones. Bit9 of Waltham, Massachusetts has carried out research to identify phones that pose security risks for a number of reasons. Their study, "The Most Vulnerable Smartphones of 2011," released on Monday 21st November, puts statistics to the chaos and names the 12 phones most vulnerable to mobile malware. All of them run the Android operating system. The 12 phones are:
- Samsung Galaxy Mini
- HTC Desire
- Sony Ericsson Xperia X10
- Sanyo Zio
- HTC Wildfire
- Samsung Epic 4G
- LG Optimus S
- Samsung Galaxy S
- Motorola Droid X
- LG Optimus One
- Motorola Droid 2
- HTC Evo 4G
In compiling the list, Bit9 researchers weighed three criteria:
- the market share of the smartphone
- what out-of-date and insecure software the model had running on it
- how long it took for the phone to receive updates
Android is a Google product. "I don't think people realize how chaotic the Android ecosystem is," Harry Sverdlove, Chief Technology Officer for the Massachusetts-based security firm Bit9 said. He referred to Google's complex chain of command which requires mobile carriers — as opposed to Google or phone manufacturers — to push out critical software updates for Android customers.
In gathering information for the study, the researchers were astonished by the state of the Android ecosystem. "What was surprising for us was the extent of the chaos and the fragmentation that exists in the Android ecosystem itself, and the way that the Android smartphones are distributed and more importantly, the way that security updates are done," Sverdlove said.
In some cases, as with the Samsung Galaxy Mini and the Sanyo Zio, the average time period between when an Android upgrade was announced by Google and when it was finally stabilised and made available by the carrier for that particular model exceeded 300 days.
"56% of Android phones in the marketplace today are running out-of-date and insecure versions of the Android operating system software," Bit9 said in the report.
"If there are vulnerabilities and you're sitting on a phone that has not been updated for six months, that's an eternity for a hacker," Sverdlove said. "All that time, you're that much more at risk of being infected, of having your personal information stolen, of becoming a victim to some sort of malicious activity."
Vulnerabilities are not what make these 12 phones so dangerous, Sverdlove said. "There are vulnerabilities in all software," he says. "Apple and its iOS have as many vulnerabilities in terms of what's been reported as does Android. The challenge is not so much to create perfect software, but to know the vulnerabilities and, more importantly, to be able to update the software, to be able to respond to them quickly," he continued.
He said that an advantage that Apple has over Android is that it can push updates to its software to all its smartphones simultaneously. With Android, on the other hand, the manufacturers and carriers are responsible for pushing out updates. "There's too many cooks in the kitchen," he says.
Manufacturers have not yet grasped that smartphones are computers, not just handsets, and neither have we as consumers. "There has to be some changes made to the ecosystem itself," he adds. "The manufacturers and carriers have to start relinquishing control of the operating system to the software vendors."
"Manufacturers release [Android] phones on 12-18 month cycles. They're always focused on the next model, not focused at all on fixing security for existing users," Sverdlove told Security News Daily. "Something has to change in the ecosystem, not the operating system. Google needs to take control of the operating system." Even if you buy a brand new phone, it could have software that has not been updated for 300 days.
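The second and third of Bit9's criteria (out-of-date software, and how long a model waits for updates) are things you can measure on your own handset. The script below is an added example, not code from the article or from Bit9: it parses the output of `adb shell getprop` (real Android system properties such as `ro.build.version.release` and `ro.build.date.utc`, the latter being the build timestamp as Unix seconds) and reports how old the installed build is, whether it is past Sverdlove's six-month mark, and whether it trails the newest Android release the caller names. The `getprop` output embedded here is constructed, not captured from any of the twelve phones, and "4.0" as the latest release is an assumption for the article's date; the `ro.build.version.security_patch` property only exists on much newer devices and is reported as absent.

```python
"""Check whether an Android device's installed build is stale.

Added example, not part of the original article.  Parses `adb shell getprop`
output (lines of the form `[key]: [value]`) and reports build age and
whether the release trails a caller-supplied latest release.
"""
import re
import subprocess
from datetime import datetime, timezone

# One getprop line looks like:  [ro.build.version.release]: [2.2.1]
_PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

# Sverdlove's "six months is an eternity" threshold, in days.
STALE_AFTER_DAYS = 180


def parse_getprop(text):
    """Turn raw getprop output into a dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def version_tuple(release):
    """'2.3.4' -> (2, 3, 4).  A non-numeric piece ends the parse."""
    parts = []
    for piece in release.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(props, latest_release, now):
    """Build a staleness report for one device.

    props          -- dict from parse_getprop
    latest_release -- newest Android release the caller knows of, e.g. "4.0"
    now            -- timezone-aware datetime used as "today"
    """
    release = props.get("ro.build.version.release", "")
    try:
        build_utc = int(props.get("ro.build.date.utc", ""))
    except ValueError:
        build_utc = None  # property missing or unparsable: age unknown
    age_days = None
    if build_utc is not None:
        build_dt = datetime.fromtimestamp(build_utc, tz=timezone.utc)
        age_days = (now - build_dt).days
    return {
        "model": props.get("ro.product.model", "?"),
        "release": release,
        "sdk": props.get("ro.build.version.sdk", "?"),
        "build_age_days": age_days,
        "stale": age_days is not None and age_days > STALE_AFTER_DAYS,
        "behind_latest": version_tuple(release) < version_tuple(latest_release),
        # Monthly patch levels only appear on Android 6.0 and later.
        "security_patch": props.get("ro.build.version.security_patch"),
    }


def assess_attached_device(latest_release):
    """Run the check against a USB-attached device (needs adb on PATH)."""
    out = subprocess.check_output(["adb", "shell", "getprop"], text=True)
    return assess(parse_getprop(out), latest_release, datetime.now(timezone.utc))


# Constructed sample: a Froyo-era build dated 2010-07-01 00:00 UTC.
SAMPLE_GETPROP = """\
[ro.product.model]: [Example Handset]
[ro.build.version.release]: [2.2.1]
[ro.build.version.sdk]: [8]
[ro.build.date.utc]: [1277942400]
[ro.build.fingerprint]: [example/handset/user/2.2.1/FRG83/eng.keys]
"""


def sample_report(now_iso="2011-11-23", latest_release="4.0",
                  getprop_text=SAMPLE_GETPROP):
    """Run the check on constructed getprop output at a fixed 'today'."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return assess(parse_getprop(getprop_text), latest_release, now)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the constructed sample the build is 510 days old at the article's date, so both `stale` and `behind_latest` come back true; against a real phone, run `assess_attached_device("4.0")` with USB debugging enabled. A device whose `ro.build.date.utc` is missing gets `build_age_days` of `None` rather than a false "fresh" verdict.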
Even people who are not techies know to be careful about computer security. "Most people know to be wary of strange emails, not to click on strange links, not to download anything in the world just because it has a picture of a cute kitten. I don't think people realize that an Android [phone] is just another computer, and just as vulnerable."
It is not the open source code itself that makes data theft easy: being able to read Android's source gives an app no access to anything. What does is that anyone can publish an Android app, and an app the user installs is granted whatever permissions it asked for, so many apps on your present phone could be silently sending your contacts, messages or location elsewhere. Apple, on the other hand, keeps iOS closed source and controls which apps reach its phones.
Neohapsis security researcher Georgia Weidman has said that she holds out hope for Android, and says that with "proper user awareness and more oversight when it comes to apps, I think it could mature into a stronger security model than Apple's closed-source alternative."
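The "oversight when it comes to apps" that Weidman asks for starts with reading what an app requests. The script below is an added example, not code from the article, from Bit9 or from Neohapsis: it parses the `uses-permission` lines printed by `aapt dump badging some.apk` (the Android SDK build tool; both its older `uses-permission:'...'` and newer `uses-permission: name='...'` line forms are handled) and flags the combination that matters for spying, namely a permission that reads personal data alongside one that can send it off the device. The badging output embedded here is constructed, and the grouping of permissions into "sensitive" and "exfiltration" sets is this example's own, not an Android or Bit9 taxonomy.

```python
"""Triage the permissions an Android app requests.

Added example, not part of the original article.  Parses the
`uses-permission` lines of `aapt dump badging` output and rates the app
on whether it can both read personal data and send it off the device.
"""
import re
import subprocess

# Matches both  uses-permission:'android.permission.X'
# and           uses-permission: name='android.permission.X'
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'")

# Permissions that expose the user's data.  This grouping is the example's
# own choice, not an official classification.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "IMEI and phone number",
    "android.permission.GET_ACCOUNTS": "account names on the device",
}

# Permissions that give the app a channel to move data off the handset.
EXFIL = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
}


def requested_permissions(badging_text):
    """Return the requested permission names, in order, without duplicates."""
    seen = []
    for line in badging_text.splitlines():
        m = _PERM_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def triage(perms):
    """Rate a permission list: high = can read data AND send it out,
    medium = reads data but has no outbound channel, low = neither."""
    sensitive = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    exfil = {p for p in perms if p in EXFIL}
    if sensitive and exfil:
        risk = "high"
    elif sensitive:
        risk = "medium"
    else:
        risk = "low"
    return {"sensitive": sensitive, "exfil": exfil, "risk": risk}


def triage_apk(apk_path):
    """Run aapt on a real APK (needs the Android SDK's aapt on PATH)."""
    out = subprocess.check_output(["aapt", "dump", "badging", apk_path], text=True)
    return triage(requested_permissions(out))


# Constructed badging output for a wallpaper app that asks for far more
# than a wallpaper needs.
SAMPLE_BADGING = """\
package: name='com.example.wallpaper' versionCode='3' versionName='1.2'
sdkVersion:'7'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission:'android.permission.WAKE_LOCK'
application-label:'Cute Kitten Wallpapers'
"""


def sample_triage(badging_text=SAMPLE_BADGING):
    """Triage the constructed sample (or any badging text passed in)."""
    return triage(requested_permissions(badging_text))


if __name__ == "__main__":
    report = sample_triage()
    print(f"risk: {report['risk']}")
    for perm, what in report["sensitive"].items():
        print(f"  reads {what} via {perm}")
    for perm in sorted(report["exfil"]):
        print(f"  can send data out via {perm}")
```

The wallpaper sample rates "high": it can read the address book and precise location and has Internet access to ship them out. A wallpaper app that asked only for `WAKE_LOCK` would rate "low", and one reading SMS with no network or SMS-sending permission would rate "medium", worth a question but not by itself a leak path.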
Do you have one of these phones? If yes, what do you plan to do? I would start by talking to your network operator and asking when your model is due an update.
Copyright © 2011, DPNLIVE – All Rights Reserved