Wednesday, 24 October 2012

How much can you trust your Android Phone?

In recent years, Android phone sales have grown a lot.
Surely, one of the key success factors of this platform is the possibility of having a touch operating system with hundreds of thousands of apps available and runnable on smartphones with a starting price of $99.

So, what's the problem?

The big problem
Its huge user base makes Android fertile ground where online thieves focus their efforts to gain access to:
  • user accounts
  • private data
  • credit card numbers
The WebKit engine is used by the browser and by some apps for web page rendering, and it is one of the most attacked modules on the platform, maybe because it is easier to find a known bug and obtain access to data.

A platform with no bugs doesn't exist and never will, but anyone who makes you pay for a phone should guarantee that the system can be repaired and upgraded.

Google can guarantee this, Android can't... why?

Generally, in my experience, the only phones that receive system updates are Nexus phones, made by phone manufacturers for Google.
If you have an Android phone... you should have Jelly Bean now, the latest version of Android.

That's how it should be: is there a system update? Then your phone has to receive it.

Other hardware manufacturers generally don't update their phones... after you have bought their phone, they ignore you, they leave you with an insecure system that can be compromised by a simple link received from a social network, by scanning a QR code (link) or by NFC (link).

Most of the problems found in a module like WebKit are common to iOS, because Apple products also use WebKit for web rendering, but on the iPhone the OS insecurity is limited to people who don't want to install a system update.
Problems on iOS are solved within a few days.

The solutions
Here are some solutions:
  • buy another phone
  • buy a Nexus phone (a new one will be available soon)
  • use a custom ROM: you can flash your phone with a ROM made by someone like CyanogenMod (how can I trust them? I don't know... but it is open source and better than a buggy stock ROM)
  • don't buy an Android phone
Keep your apps updated and pay attention to what you install too
This is an article about a security problem in Google Drive and Dropbox from a few days ago:
You can imagine how many other apps may have security problems... so don't just "yes install accept accept accept yes do what you want with my phone".
And this is another recent article about how apps are generally insecure when handling HTTPS connections (for example, when you want to check your bank account from your phone).

If you have not seen this yet... watch this Android bug and... consider that the only Android platform not affected is Jelly Bean.