Paranoid About Android: Is Google’s Smartphone Platform Secure?
As Google's Android smartphone software continues to gain market share, it's also gaining attention as a frequent target of malware and hacker attacks. But are recent attacks really an indication that Android phones are inherently more vulnerable than, say, Apple's iPhones?
Among the latest concerns was the discovery last month of the so-called Geinimi Trojan on Android phones, leading to Trend Micro's comments that the Android platform may be more vulnerable than Apple's iOS.
The critical difference between the two is that Android owners can download apps from nearly anywhere on the Internet, while iPhone owners may download only pre-approved apps (unless, of course, they “jailbreak” their phones). This is part of the charm of an open platform such as Android, but also a pitfall in that it allowed Geinimi infections.
Android's perceived vulnerabilities are all the more serious as it looks poised to become the dominant smartphone platform, much in the way Microsoft Windows became the dominant desktop platform and thus made itself a target for hackers.
In the space of three months from September through November 2010, Android's U.S. market share rose from 19.6 percent to 26 percent, surpassing Apple's smartphone numbers, according to the Reston, Va.-based online marketing research firm ComScore.
In the same period, Apple's market growth was nearly stagnant, rising from 24.2 percent to just 25 percent.
Nielsen reported a similar trend, with more than 40 percent of smartphone buyers choosing an Android model in November.
ComScore also noted that smartphone ownership had reached 61.5 million users in the U.S. by the end of November, with 67.1 percent of subscribers sending text messages, 35.3 percent using the phone's Web browser and 33.4 percent downloading apps.
Along with such market penetration has come the increased use of phones for mobile banking, storing personal information and even filing taxes, making security a paramount issue.
But app developers haven't kept up.
"Applications that aggregate financial information offer both tremendous power and tremendous risk if the information is not secured properly," said Andrew Hoog, chief investigative officer at the Chicago-based digital security firm viaForensics.
The company has tested scores of apps on the Android and iPhone platforms and discovered that programs such as Mint, a popular financial-management service, do not encrypt personal-identification-number (PIN) information, leaving bank accounts open to attack.
Furthermore, significant information about a consumer’s purchasing habits and financial accounts (including full account numbers) can be harvested from the transaction details left unencrypted on phones.
Indeed, this is precisely the kind of information Trojans like Geinimi were designed to harvest.
Other applications that leave users vulnerable, according viaForsensics' research, include Groupon for Android, as well as the eBay, BestBuy and TD Ameritrade apps, which do not encrypt all application information on either the Android or iPhone platforms. (A complete list of insecure apps is available at http://viaforensics.com/appwatchdog/.)
"So I don’t believe Android is more vulnerable than iOS; we have uncovered significant vulnerabilities in both platforms," Hoog said.
He believes that eventually Android may become more secure as developers uncover security gaps and make them public in order to fix them.
In the meantime, Research In Motion’s (RIM) BlackBerry platform remains the most secure, with its dedicated data centers and strong encryption polices.
Unfortunately for security purposes, RIM has been steadily losing market share to Apple and Google.
Hoog worries that in the great app rush to get programs to market, there's been insufficient testing, which can lead to serious security lapses.
"Over the next 18 months,” he said, “expect to see an increase in malware directly targeting smartphones (many proof of concepts already exist), which will likely lead to a large and publicly disclosed theft of smartphone data.”