Securing Android on nextgen embedded IoT & mobile apps
For a Linux OS distribution that originally had few of the real-time and deterministic features that embedded applications need, the Android platform has moved far beyond its traditional home in smartphones. It is now the centerpiece in embedded designs developed for automobiles, medical devices, and robotics, a variety of wireless sensor networks, and even for access to the smart grid.
And now with the enthusiasm for the Internet of Things - especially in consumer applications – Android is being used in devices such as smart wearable watches and as gateways or central control units by which users can wirelessly connect to devices in a home automation network or to wearable devices in our clothing.
But with this wealth of opportunities also comes a surfeit of security vulnerabilities that seem to be getting worse. According to a recent malware report from Alcatel-Lucent, more than 11.6 million mobile devices are infected worldwide, and 60% of them are Android smartphones. Even more concerning is that in 2013 alone, the number of Android malware samples collected for Alcatel's database ballooned by 20 times.
Making the situation even more dangerous for developers are the numbers and types of malware incidents. In a recent report out of North Carolina State University based on about 1,200 malware samples collected over a year, 1083 of them (or 86.0%) were repackaged versions of legitimate applications with malicious payloads. About one third (36.7%) of the collected malware samples leveraged root-level exploits to fully compromise the Android security and more than 90% turned the compromised phones into botnets controlled through network or short messages.
Although a lot of work has already been done to make those platforms and the apps that run on them more secure, it’s clear that if embedded developers are going to incorporate Android further into their applications, much more work remains to be done. Included in this week's Tech Focus newsletter are a sampling of some of recent articles and papers on Embedded.com dealing with Android security issues. My Editor's Top Picks include:
Countermeasures for security vulnerabilities in Androids. Ipta Thakur and Shaily Jain of Chitkara University describe a permission based security analysis technique that does a close inspection of the behavior of the Android operating system call invocations, including IPC and RPC interactions..
Two Vulnerabilities in Android OS Kernel, by Xiali Hei, Xiaojiang Du and Shan Lin, Temple University. The authors reveal new security pitfalls in Android's memory management that can cause severe errors and system failures
Security issues in the Android cross-layer architecture. Alessandro Armando, Alessio Merlo and Luca Verderame look at the set of cross-layers security mechanisms that collectively constitute the Android Security Framework (ASF) and describe a vulnerability that allows a malicious application to force the system to fork an unbounded number of processes thereby making the device to be unresponsive. .
Another resource you will find useful is UBM Technologies' BlackHat USA 2014, to be held August 2 to 7 in Las Vegas, Nev. It will have many training classes, briefings and workshops on the security problems facing developers in a variety of connected environments. Several relating to Android issues that caught my attention include:
Abusing Performance Optimization Weaknesses to Bypass ASLR by Byoungyoung Lee, Yeongjin Jang and Tielei Wang, who take a critical look at the security problems inherent in the Zygote process creation model which Android uses to speed up application launches. They will demonstrate two different address space layout randomization (ASLR) bypass attacks using real applications - Google Chrome and VLC Media Player.
Android FakeID Vulnerability Walkthrough presented by Jeff Forristal who will take attendees through a new flaw in Android application handling, allowing malicious applications to escape the normal application sandbox and get special security privileges without any user notification.
Researching Android Security with a Droid Army presented by Joshua Drake, who will describe the fragmentation problem presented by the diversity and sheer number of devices in the Android ecosystem, representing a significant challenge to security researchers. He will show how to create a heterogenous cluster of Androids in a test bed to quickly extract specific security information from each device.
Static Detection of Intent Message Vulnerabilities in Android Apps by Daniele Gallingani . She will describe how to use a static analyzer to automatically detect a set of vulnerabilities that come from incorrect use of Android's Inter-Component Communication.
Reflections on Trusting TrustZone by Dan Rosenberg. Rosenberg will take a technical dive into the inner workings of a major vendor's TrustZone kernel, which is currently deployed on millions of Android devices. He will describe a previously unpublished vulnerability in this TrustZone implementation, and provide details on steps taken to deal with it.
In spite of all the resources available to developers to address Android’s security issues, I am doubtful about the future potential of the platform in consumer IoT and wearable apps and more so about its use in traditional embedded apps. Although the Linux and Android communities have done a lot to make those platforms much more secure, security still depends on the vendor building the Android and the developer of the apps that run on it.
Here’s why: The Android platform's basic flaw is that Google produces a baseline version and makes it freely available in the form of the Android Open Source Project (AOSP). Manufacturers and carriers are then free to build upon this, adding custom features to differentiate their products.
In a market environment focused on near-term profit and losses, the cost of adding the security needed to forestall future problems is far down on the priority +list of any maker of an Android platform. The result? One evaluation recently showed that more than 81.78% of pre-loaded apps on stock Android devices were vendor customizations and were responsible for the bulk of the security problems suffered by each device.
While Google and the Android open source community it supports have done a lot to make the environment more secure and to provide tools to make it so, it has not yet faced the moment of truth that Microsoft did in the mid-1990s, when its Windows Operating System became the target of weekly hacks and penetrations. Since then Microsoft has provided ongoing security updates to each and every user of its OS, and each new version has yet another set of security enhancements added.
Nothing in the Android environment matches that intense attention to OS security. Until Google faces up to the seriousness of the problem and comes down harder on developers using Android, the future growth of the platform will be less pervasive than optimists think it will be.
Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. He welcomes your feedback. Send an email to firstname.lastname@example.org, or call 928-525-9087.