Android and Security

Thursday, February 2, 2012 | 12:03 PM

By Hiroshi Lockheimer, VP of Engineering, Android

The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations - including in security.

Adding a new layer to Android security
Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

Android malware downloads are decreasing
The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise. While it’s not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market - and we know the rate is declining significantly.

Android makes malware less potent
In addition to using new services to help prevent malware, we designed Android from the beginning to make mobile malware less disruptive. In the PC model, malware has more potential to misuse your information. We learned from this approach, designing Android for Internet-connected devices. Some of Android’s core security features are:
  • Sandboxing: The Android platform uses a technique called “sandboxing” to put virtual walls between applications and other software on the device. So, if you download a malicious application, it can't access data on other parts of your phone and its potential harm is drastically limited.
  • Permissions: Android provides a permission system to help you understand the capabilities of the apps you install, and manage your own preferences. That way, if you see a game unnecessarily requests permission to send SMS, for example, you don’t need to install it.
  • Malware removal: Android is designed to prevent malware from modifying the platform or hiding from you, so it can be easily removed if your device is affected. Android Market also has the capability of remotely removing malware from your phone or tablet, if required.
No security approach is foolproof, and added scrutiny can often lead to important improvements. Our systems are getting better at detecting and eliminating malware every day, and we continue to invite the community to work with us to keep Android safe.

45 comments:

OzGate said...

Bravo

Stephen J Sweeney said...

This is a very welcome move. I would add that I'd like to see one addition to installing Android software that could further prevent people from adding apps that could harm them or their phone.

1) When an app is installed, the permissions are checked as usual.

2) Permissions that might cost the user money or want wider access than normal, are flagged in red.

3) The user cannot click the "OK" button until a certain amount of time has passed, say 10 seconds.

These three steps would work to prevent users to blinding clicking "OK" without first reading the permissions. Since they are unable to install the app until the counter has finished, it is increasingly likely they will read what is displayed on the screen and act accordingly.

Of course, they still might not bother at all, but I think it would be a welcome addition.

Chas. Owens said...

How about letting users deny some permissions, but still install the app. There are some apps I know I never want to talk to the internet, but the app requests that permission (e.g. games that have some leaderboard or other social garbage I could care less about). There is no reason for me to take on the security risk of that permission if I don't want that feature.

TD22057 said...

While this is a nice feature, it would be nicer if the OS had more security features built in. See the root app "LBE Privacy Guard" for a great example of what should be a standard option in Android. This app also allows you to choose which permissions you allow an app to actually use. It can also notify you when an app is accessing some data or the internet which is just as important as knowing that it might.

Paulus said...

What is really still missing is getting complete and verifiable information on the developers who release apps to your market.

1. Get the full credit card information.

2. Device a system to let them register through their phone carriers. At least each developer has a phone, if not credit card.

3. Students may present signed information through their heads etc.

At least there must be some means of knowing the developers, so that if they mess up, you can go after them.

Unknown said...

Chas Owens: because revoking a permission will cause a security exception when the app tries to use the permission and the app will crash.

My app requires Internet permission for network checks. I've had some crash reports lately from people on rooted phones using a permission blocker app to revoke that permission.

Unknown said...

Outstanding move in the right direct; however I'm sure many purveyors of on-device antimalware software are gnashing their teeth in protest. Edge-based, on-device defenses are useful however cannot be relied upon as the total solution due to their reliance on the weakest variable of every security schema: people. A well-designed security architecture must be multilayered, employing antimalware methods at the core (such as this), across the delivery system (network), at storage layers (while at rest) AND at the edge (on-device - preferably at OS level and service/app level).

Before the flaming begins, I don't expect 100% agreement with my professional opinion and welcome constructive criticism and alternatives; however my opinion is not the product of a novice or academic/book-based experience.

I'm a credentialed infosec professional & technology exec with 25+ years experience and prior to putting on the white (or grey) hat explored the 'other side of the infosec fence'.

Kudos to Google's Android teams for addressing this Achille's Heel in the Android ecosystem.

Aaron said...

It would also be nice to tell (before installation) whether an app requires a specific permission for actual functionality or for ads.

Mahrud said...

Do you have any plans for deploying the Android SELinux?

Roshan Shrestha said...

Google could also scan an app right when it is being downloaded from the market, just like how GMail (as well as Yahoo and others) scans an email attachment before being downloaded to the users computer, where it is again scanned by the user’s anti-virus program!

Although Lookout and other anti-malware programs for Android do scan Apps that are downloaded, an extra layer of security by Google couldn’t hurt.

howardb said...

@aaron. So if it tells you this application needs Internet permission for ads, what will you do? Not install the app? Deny the permission? If developers stop getting income from ads because android allows the users to disable that, then do you think the developers will even bother writing free apps anymore? What's the incentive?

Loose To Win - Papa said...

Most HTC preinstalled apps do not have uninstall options and given absolutely ridiculous permissions. Those apps includes some developed by HTC, some by others and some without developer name at all.

Another thing, after I came back from Singapore, I notice 3 Telco apps installed in my phone, also without uninstall options. This shows Android allows drive-by installation too. Very scary.

David Gerbino said...

This is welcome news. Thanks Google.

Simone said...

These all things are really very interesting and also very cool it is one of the best technology it can provide so many dependent and one of the best technology these all things are great to know about it.

Buy photoshop

sreejith A said...

true I too agree

Daniel Martín said...

I don't know why you think it is a good solution to rely the phone security to some obscure page of permissions that as it is now 1) very few people read and 2) very few people understand. Google, the permissions page is not meant to be an EULA, it's supposed to protect the user, but when the majority cannot make an informed decision, I think it is evident that there is a problem that you should tackle sooner than later.

Confused Brit said...

Block anything using notification spam as it's form of advertising. That's a form of malware imo... It runs when the app I installed isn't, i cant turn it off without removing the app I do want, and I don't know if it's there or not before I installed!

I got no problem with a company using ads to pay for free apps but those ads should not be obnoxious. I get enough spam in my email!

Unknown said...

You mean up until now nothing was checking for malware until some people flagged the software? It's great this exists but I'm kind of surprised it wasn't there before.

I would also like to point that the upfront permissions system is a very blunt instrument for users. There should be a way to block or require user intervention after installation. A user has no way of knowing if "Super Mega Organiser" needs to make phone calls for its legitimate purpose or because it is malware.

We need something for a client which allows users to veto some actions or they are faked out. e.g. an app asks for location info but the user has set to deny this and instead it gets some "opt-out" location in the middle of the North Atlantic. Another app wants to send an SMS and the user is prompted before the action is permitted. Something like UAC but perhaps policy based so apps are governed by a policy (e.g. restricted, untrusted, trusted, custom) where each action can be set to deny / fake / ask / allow. Naturally the security can inform the user that restricting permissions may destabilize applications but the option should be there.

Fernando Miguel said...

Did bouncer run an all previously uploaded apps or just newer ones?

Miguel said...

The permissions platform is quite useless from the user perspective. Most of us will simply click "accept", firstly because you don't know beforehand if an app really needs those permissions. And once isntalled, you won't remember which permissions an application asked for.

A more fine grained permission system should be implemented. Mark Murphy wrote an interesting post on it (http://commonsware.com/blog/2011/04/19/suppressing-android-permissions.html).

There should be a way for the user to confirm that he allows the application to go on with that potentially dangerous operation (calling, accessing private data), allowing him to check whether what he choosed must be remembered or not.

philws said...

@Miguel, yes, I think that the current permissions model sucks too.

I much preferred that used in Symbian where the user is asked if they are going to permit the application to perform a given operation requiring permission. If the detail of that operation is presented (e.g. send an SMS to a specified number/shortcode, connect to a specified IP address/URL etc.) the user has some chance of spotting 'iffy' behaviour before it costs them anything.

With Symbian you could choose to withhold permission, grant permission for this invocation or grant permission permanently for the app.

I'd take it one step further and have it such that the grant applies to a specific target for the operation (e.g. the specific shortcode/number for an SMS, the specific URL/IP address for a web connection etc.).

As an app user I'd far rather have the option to block behaviours whilst using the app instead of having to decide before even installing and trying an app. If the app can't work when I block it, so be it. The app can decide to recover or crash as desired by the developer.

Earlence "The Ripper" Tez said...

Will any technical data on Bouncer be released?

Victor said...

The most recent case I've faced Android trojan was: 1) I've downloaded "good" app from the Market 2) it had in-app advertising (banner) of malicious app. Of course, it was hosted outside of the Market. Yes, some people (most people?) keep "Unknown sources" disabled, but what to do with the others? How Bouncer is going to deal with such cases?

Earlence "The Ripper" Tez said...

Victor,

I guess turning off the unknown sources mechanism is a users choice. he should realize that 3rd party apps could potentially put him at risk. Google is doing whatever it can to ensure security from the point of view of the official android market. Anything after that is the users risk, and they should accept that.

Ian said...

Not impressed. Telcos aka The Dark Side

KUSHTIALINK said...

Thanks For Google +
http://kushtialinkbd.blogspot.com/
http://goldenkushtia.blogspot.com/

Tim McCartney said...

I would like to add that if this feature were *optional* I would also approve of this idea. I'm not a novice user and would be annoyed if this were forced.

herman said...

It is really nice for me to see you and your great hard work again.Every piece of your work look excellent.Looking forward to learning more from you!gold price in dubai

BH INFO said...

Again,sharing another great informative information.Thanks.Mobile Leads

VitoE said...

Keep in mind according to the android docs you are supposed to check for permission before actually using a permission

VitoE said...

In reality the dev can post a dialog saying please enable network permission for ads and if user selects no then close.
Also a permission to separate network to maps network and ads network and wide open network.
I have an app that requires location and network but only uses the network for the maps API. But the user doesn't know this from just looking at the permissions.

Store Daily Mart said...

Hi
Very interesting blog! It provides nice information.
Keep it up.
iPhone 4 Screen

Pete said...

We should be able to audit / log app's that do things that cost us money or access our personal info. That way we can see and question what an app is doing with the permissions we granted.

Rubiapps said...

Very good page, is very interesting.
I invite you to try my first application: SmsClock is an application that can not miss on your mobile. You can download it by clicking here. thank you very much

Jackets said...

North Face UKAll of the evaluation of this is not the same, but still very satisfied overall.north face outlet berkeley

Tharaka C Peiris said...

wowo post like a awesome
im a writer in www.gamedroidlk.com

Unknown said...

Google needs to stop thinking of those that use Android-based phones as part of a community. I've talked to more than a few people that had bad experiences with Android and, as a result, went back to Apple. Android needs to be polished like iOS and done so from the inside. Not based on help from the users who don't really want to be bothered with helping Google make its product better.

Bite the bullet and build a department to review the apps before they hit the Android Market. Not doing this is making people nervous and giving them a reason to jump ship.

EDI VAN said...

India among the few countries to continue with the service Nokia had launched its Ovi Music Store with much hope and fanfare, as a direct competitor to Apple's iTunes. It was known for the free music bundles, restricted to limited number of songs for cheaper Nokia phones and unlimited downloads for a year bundled with the more expensive phones. It seems a lack of response has prompted Nokia to cease the free music bundle in 27 countries. Fortunately, Indians will continue enjoying the free music subscription service.EDI

POS Software said...

Point of sale (POS) also sometimes referred to as Point of purchase (POP) or checkout is the location where a transaction occurs. A "checkout" refers to a POS terminal or more generally to the hardware and software used for checkouts, the equivalent of an electronic cash register.Restaurant Software

shyrgil said...

Free iPhone app >> Dream Talk Recorder Dream Talk Recorder

Nadine R.Ramirez said...

You completed various good points there. I did a search on the matter and found the majority of people will agree with your blog.
Moog Slim Phatty Monophonic Analog Rack/Tabletop Synthesizer

Jason2011 said...

I did a search on the matter and found the majority of people will agree with your blog.GHD Hair Straightener

njut tabi godlove said...

i find the adroid phone an excellent phone and adding more securities to it is simply amazing.

Jackie said...

Happy Valentines' Day!!! Monster Headphones

Razzaq said...

A great achievement by Samsung to introducing Galaxy Tab.


android phone