Is this a story about Android or a scene from a Hitchcock movie?
Last month, the results of a static source code analysis of Android were published, exposing more than 350 vulnerabilities. A static analyzer can find roughly 10% of the bugs in general-purpose software (an automated analyzer simply cannot grok semantic flaws). Thus, it is safe to assume there are thousands more latent bugs throughout Android, on top of the thousands in Android's underlying Linux kernel.
The analysis was followed days later by disclosure of the Angry Birds hack in which an Android app, which happens to be a spoof on the popular Angry Birds game, exploited a serious vulnerability in Android, allowing the downloaded app to install other arbitrary (and malicious) apps from the Android app store without the user's permission.
These are not thefirst serious security problems for Android, and no different from iOS or WP7, we know there will be a steady stream of such reports in the future. Android's woes once again highlight the inadequacy of general-purpose operating systems for managing high-value resources exposed to sophisticated attackers. For example, corporations or governments that permit smartphone access into their sensitive intranets must assume that determined hackers will exploit OS vulnerabilities to get in.
The good news is that despite the infeasibility of securing Android itself, Android-based smartphones can be made secure for critical functions like corporate network access, financial transactions, and electronic medical records (EMR) management. The answer lies in virtualizing Android with a secure hypervisor that can strongly isolate critical components beyond the reach of Android's vulnerabilities, malware, and external attacks. Critical components may include cryptographic algorithms and keys, DRM subsystems, network security protocols, anti-malware virtual appliances, and even separate virtualized instances of Android. Recent advances in mobile SoC technology have made this approach practical with respect to performance, maintainability, and cost. The security kernel/hypervisor is an immensely powerful yet mostly hidden (to the end user) layer of software goodness. We don't make the smartphones you buy; we make the smartphones you buy better.
Surprisingly, VMware made it known this month that it has deep sixed its Type-1 hypervisor for mobile devices, going instead with the Type-2 approach it has been marketing for laptops and desktops. VMware is making silly security claims about this, but to no surprise: back on June 2, 2008, VMware announced that its virtualization products could now be used for “sensitive, government environments that demand the strictest security”. On June 5, just three days later, severe vulnerabilities in these “secure” hypervisors were posted to the National Vulnerability Database. Among other pitfalls, the vulnerabilities “allow guest operating system users to execute arbitrary code.”
A Type-2 approach is fundamentally flawed when it comes to security because VM isolation is dependent upon a general purpose OS (e.g. Android). Is there a market for Type-2 hypervisors in smartphones? Yes–software reuse is an obvious win. Should you trust it to protect high value resources? Not unless you want more Angry Bird Poo.
Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.