Debunking Android security hype

"In the past few days and in the wake of the DEF CON security conference, there has been a lot of hype surrounding the security of Android devices. What you need to know about the said hype, is that it is hype. That is all it is, and that is all it ever will be, and I'll tell you why."
http://www.tomdignan.com/?p=66
 
Nice find, but I've just replied to his blog post explaining why he's wrong. It's awaiting moderation.

In short, it's already been shown that an app can jump from simply requiring "Full Internet Access" to flashing malicious boot loaders and having full SU access to the phone without any interaction from the user at all. It's also possible to entirely bypass the SU app provided with custom ROMs that ask the user's permission to run code as SU.
 
Really? OK. I also read some discussion after posting this about an app with no permissions being able to set up bidirectional communication using the browser, and "read system log" permission having access to a bunch of sensitive data.
 
Well, I commented and the author, Tom Dignan, then contacted me by email. We exchanged a few emails and while we agreed on some points (i.e. that users not bothering to check app permissions when they install apps on Android is possibly the biggest risk), he seemed sceptical about some of my other points. Despite clearly explaining a number of known exploits which have even been demonstrated on the actual Android Market by security researchers, citing my sources and providing supporting links in my emails, and explaining how some of the exploits that exist can still be used today to root some G1s, he has stated he will not be approving my comment.

He didn't give any reason as to why he refused to approve my comment, nor did he challenge anything I said exactly, so I'm a little puzzled. Oh well.

Anyway, I'll post my comment below so that you guys can learn from it if you want...



Edit: He emailed me a second time asking if he could use some of the things I said in my comment in a later post. So all's well that ends well. I was a little peeved for a while.
 
Nice post, that's why you are the Community Scholar. I always see what permissions the app wants and then decide if I want it on my phone or not.
 