Even more Android security woes as computer scientists discover permissions gap

Computer and mobile device security is a tough business. There's hype, and then there are real threats, and so far most of what we've seen in mobile has been hype (but see AVG-gate). Still, either Android is an OS with a lot of security vulnerabilities or everyone just likes to pick on it. Either way, between Carrier IQ earlier this week and now this paper from North Carolina State University, the little robot is having a tough time.

Computer scientists at NCSU built a tool called 'Woodpecker' that searches for holes in Android's permission-based security model. In short, when you install an app on Android, the system tells you what that app wants to access, e.g. user info, data, geolocation, sound recording and so on. If you don't think a wallpaper app should be able to record sound, you decline to install it. The problem is this: an app that holds a permission can unwittingly expose the functionality behind it (say, sending an SMS) to any other app on the phone, so a seemingly innocuous program that asked for nothing can exercise functions the user never agreed to.

In the paper (PDF), the researchers looked at eight Android phones: the HTC Legend, EVO 4G and Wildfire S; the Samsung Epic 4G; the Motorola Droid and Droid X; and the Google Nexus One and Nexus S. Only on-board, pre-installed software was analyzed, i.e. OEM or carrier software, not third-party apps. In short, they found that an app could gain access to higher-level functions never granted to it by the user via what is called a "confused deputy attack", "where one app is tricked by another into improperly exercising its privileges". The culprit? Pre-installed OEM and carrier apps that unwittingly exposed their elevated permissions to any other app on the phone, which is exactly what Woodpecker hunts for: the more such apps a phone shipped with, the more leaks it tended to have. Worse, the user has no way to see it, because, according to the researchers, "...app markets do not report the actual permissions granted to an app. Instead they report only the permissions an app requests or embodied in the manifest file".

As can be seen in the video above, an app that requests no permissions is installed, so no warning is issued, yet it can exercise these higher-level functions. The question is this: is this a real threat or only a potential one? It looks to be potential only at this point, but then again, who knows. The researchers concluded that it does "constitute a tangible security weakness" for Android.

"These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission."
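To make the mechanism concrete, here is an added example that is not the researchers' Woodpecker tool (Woodpecker works on the app's bytecode to prove an exposed entry point really reaches a guarded API). This Python script screens an AndroidManifest.xml the way a first-pass check would: it lists components other apps can reach that no permission protects, inside an app that itself holds sensitive permissions, and it flags sharedUserId, the case behind the quote about markets reporting only requested permissions. The permission list, package names and both sample manifests are constructed for illustration.

```python
"""Manifest-level screen for Android capability-leak candidates.

Added example, not NCSU's Woodpecker. It stops at AndroidManifest.xml and
reports only candidates: reachable, unguarded components in an app that
holds sensitive permissions. SENSITIVE and both manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Illustrative subset (assumption) behind the abuses the paper lists:
# wipe data, send SMS, record audio, read location.
SENSITIVE = {
    "android.permission.MASTER_CLEAR",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def _a(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(ANDROID + name, default)


def is_exported(component):
    """True if other apps can reach the component: android:exported="true",
    or, with the attribute absent, an <intent-filter> is present (the
    pre-Android-12 default that made many OEM components public)."""
    explicit = _a(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def find_leak_candidates(manifest_xml):
    """Return {"explicit": [findings], "shared_user_id": str or None}.

    "explicit": reachable components no permission guards, in an app that
    holds sensitive permissions (explicit capability-leak candidates).
    "shared_user_id": the implicit case; apps in one sharedUserId group run
    as one UID, so a market listing of one app understates what it can do.
    """
    root = ET.fromstring(manifest_xml)
    requested = {_a(p, "name") for p in root.findall("uses-permission")}
    held = sorted(requested & SENSITIVE)
    result = {"explicit": [], "shared_user_id": _a(root, "sharedUserId")}
    app = root.find("application")
    if app is None or not held:
        return result
    # An application-level android:permission is the default guard for
    # every component that does not declare its own.
    app_guard = _a(app, "permission")
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            if _a(comp, "permission", app_guard) is not None:
                continue  # callers must hold that permission: guarded
            result["explicit"].append(
                {"component": _a(comp, "name"), "type": tag, "capabilities": held})
    return result


# Constructed sample: a pre-installed messaging app that leaks SEND_SMS.
LEAKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oem.messaging" android:sharedUserId="com.example.oem.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".SmsSenderService" android:exported="true"/>
    <receiver android:name=".QuickReplyReceiver">
      <intent-filter><action android:name="com.example.oem.QUICK_REPLY"/></intent-filter>
    </receiver>
    <service android:name=".RecorderService" android:exported="true"
             android:permission="com.example.oem.permission.RECORD"/>
    <service android:name=".InternalSync"/>
  </application>
</manifest>"""

# Same app hardened: a signature-level permission guards the sender, the
# receiver is no longer exported, and the shared UID is dropped.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oem.messaging">
  <permission android:name="com.example.oem.permission.SEND" android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".SmsSenderService" android:exported="true"
             android:permission="com.example.oem.permission.SEND"/>
    <receiver android:name=".QuickReplyReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.oem.QUICK_REPLY"/></intent-filter>
    </receiver>
    <service android:name=".RecorderService" android:exported="true"
             android:permission="com.example.oem.permission.RECORD"/>
    <service android:name=".InternalSync"/>
  </application>
</manifest>"""


def report(label, manifest_xml):
    r = find_leak_candidates(manifest_xml)
    print(f"{label}: {len(r['explicit'])} explicit leak candidate(s)")
    for f in r["explicit"]:
        print(f"  {f['type']} {f['component']} reachable without permission; "
              f"app holds {', '.join(f['capabilities'])}")
    if r["shared_user_id"]:
        print(f"  sharedUserId={r['shared_user_id']}: effective permissions are "
              "the union over the UID group, not what this manifest lists")


if __name__ == "__main__":
    report("leaky", LEAKY_MANIFEST)
    report("hardened", HARDENED_MANIFEST)
```

The leaky manifest yields two candidates (the exported SMS service and the receiver made public by its intent filter) plus the shared-UID note; the hardened one yields none. A manifest check like this is only the cheap first pass: the part Woodpecker adds is proving that the exposed entry point actually reaches the permission-guarded API, which needs analysis of the app's code, not just its manifest.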

Windows Phone seems to be inoculated against such attacks because, in theory, the apps are vetted. But then again, the AVG app did get past Microsoft, meaning perhaps even Windows Phone apps could have similar vulnerabilities (what the researchers call "capability leaks"). That AVG app, according to Justin Angel, used geolocation (GeoCoordinateWatcher) in a way not allowed by the certification guidelines. Note, too, that vetting only helps if it also covers the privileged apps doing the exposing: a capability leak is a bug in a trusted app's exposed interface, not in the app that abuses it. One thing working in our favor, though, is the sandboxed nature of our OS and apps, meaning deep-level functions cannot be touched (unless you hack and interop-unlock, of course).

Source: NCSU; via The Register

Daniel Rubino

Daniel Rubino is the Editor-in-chief of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft since 2007 when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, laptops, next-gen computing, and for some reason, watches. Before all this tech stuff, he worked on a Ph.D. in linguistics, watched people sleep (for medical purposes!), and ran the projectors at movie theaters because it was fun.

  • Please don't turn into those morons at wmpoweruser. No need to bash other OSes, just enjoy your own choice. There's a fine line between reporting and fanboyism.
  • What "fanboyism"? Did you read the article or jump to conclusions? The Windows Phone-AVG incident is quite relative from a security standpoint on the platform. People have questions about how secure Windows Phone OS is, especially in comparison to others out there. It's a valid question to ask whether or not Windows Phone can (or does) suffer from the same security vulnerabilities as Android, especially in regards to this permission-based system. There was no "bashing" in this article, no hyperbole and no boasting. We stuck to the facts and asked if and how they related to Windows Phone. I make no apologies for the post as I think it is informative for our readers. You are free to disagree. (Incidentally, it is a bit ironic that you ask us to not "bash" another OS yet you bash another blog in the same paragraph).
  • It's pretty important to know what is what.
    If I want to recommend a WP phone to someone, I can now say:
    "WP is more secure because of X,Y,Z"
    this will help my argument, it's good for me to know this, otherwise I might say "ok buy a HTC", it's something WP users should know about also.
  • I did read the entire article and the snippet after the bolded "Windows Phone" is great. I also appreciate the much more neutral approach. I just don't see the need to report on another OS for the sake of making yourself sound better. That just seems like stooping in my opinion. As far as bashing wmpoweruser goes, most of the staff there is excellent. Their admin, however, is an extremist fanboy for both HTC and Windows Phone. I love my phones, but I also accept that they have shortcomings.
  • Excuse me, but why are Windows Phone bloggers and sites held to a different standard than anyone else? I've used Android, iOS and webOS. I see other platform bloggers and sites humiliate WP to no end, and at least WPCentral makes a fair argument when discussing other platforms' issues. Try going to some other sites and telling their writers not to mention other platforms lol. This is a WP site; of course it will be biased towards Windows Phone. Duh! Also, a lot of folk who are considering WP are coming from other platforms. So what is wrong with discussing them and their shortcomings, especially in the manner in which the writer did? I'm a WP user but I also have an Evo and so do other members of my household, for now anyway. (yeah Sprint, where you at with some new Windows Phones?) Oh, back on topic. I checked our phones after the read and our Android phones definitely have the IQAgent app. Just one more reason I will be giving up Android!
  • Mamacita I thought you were on Windows Phone already.
  • I am very much so with T-Mobile, but I have a family plan with Sprint as well and we are desperately waiting for new batches of Windows Phones. An Evo, Epic, Hero and a Moment are all waiting to be bumped by Windows Phone. My daughter already has the Arrive but we need bigger screens lol.
  • The article, in my opinion, was informative and unbiased, not targeting any competing platform unfairly. The author even speculated that, "...perhaps even Windows Phone apps could have similar vulnerabilities." Does that mean that he slighted the Windows Phone OS then? The accusations by z33dev33l are not supported by the actual article. Also, I'm trying to grapple with z33dev33l legislating against any slight of another OS, yet is OK with ripping another blog or another person. Seems like an arbitrary place to draw the line.
    I totally agree with mamacita42 re attacks against other OSes at other blog sites. WPCentral in my opinion is the undisputed Pure White Dove of them all, and I hope it stays that way. Over at Engadget, you'll search long and hard to find a single Win Phone related news article that isn't outright penned in a biased manner or that isn't immediately attacked by a mob of DroidBots/iFans who act like a pack of ravenous and murderous hyenas smelling a dead body. I've stopped visiting them. Kudos to WPCentral and its authors for keeping things tidy, and the forums separated.
  • I wholeheartedly agree. I just don't want to see my favorite tech blog end up as petty as others. I appreciate the approach and all, I just don't see the necessity in reporting on the jumbled, disease-ridden mess that is Android. A product so outstanding should sell itself without relying on the shortcomings of others.
  • I hear you. It's unlikely either of us will agree with every single article printed here, but let's both of us continue to support this place, arguably the best Windows Phone news & blog site anywhere.
  • We can certainly agree on that :)