Saturday, March 23, 2013

Android Hacking Made Easy - What You Can Do To Limit Your Exposure

Android devices are extremely popular, from phones and tablets to e-readers, netbooks, smart watches and car computers.  Over half a billion Android device users are out there, with 1.3 million new users added every day [1].  Any technology that is in a lot of hands is a target for hackers.  Why not?  When "you can make $10,000 a month for a basic effort at writing malware - you can get more when you distribute this malware to the contact lists and [build botnets]" [2].  Worried yet?  The statistics are alarming.  In 2012 Android accounted for 79% of all mobile malware, 96% in the last quarter alone, according to F-Secure [3].  What's more, we bring our own devices to work, school, everywhere we go, exposing not only our own networks but other networks we might connect to.  McAfee reports malware broke new records in 2012, with the number of new malware samples reaching 100 million for the year [4].

There are three types of Android users out there: those that hack, those that will be hacked and those that will do something about it!  Don't despair.  Android malware (in the tens of thousands) pales in comparison to Windows malware (over 75 million) [5].  Here are some things you can do to prevent your Android device from becoming just another statistic.


Trust Google 

Google is well aware of what's going on with Android - the good, the bad and the ugly.  Google has taken serious steps to prevent malware from affecting your device.  Meet the Bouncer.  Hackers, you're next in line.  It's time to give your best story about why you need to get into the club.  This bouncer is good.  It will automatically scan apps uploaded to Google Play (formerly Android Market), Google's application distribution platform for Android developers.  The Bouncer isn't perfect.  The Bouncer will wait and observe your behavior for a predictable period of time - around 5 minutes or so.  If the hacker's app is patient and does not blink during the stare down from the Bouncer it can get in the club.  Google is working on this obvious shortcoming. 

Download from legitimate vendor sites only

Only download apps from reputable sites like Google Play.  Google Play is similar to Apple's App Store.  Beware of unofficial sites where hackers can repackage original code with their own added "features."  Google has standards for signing and releasing Android apps on Google Play.  Here are some of them:

  • APK (Android Package) file signatures are required for all Android developers.  An unsigned APK will not install.
  • Test and debugging tools are included with the Android SDK.
  • Self-signed certificates are also allowed to sign an APK.  A self-signed certificate is ok for testing purposes.  A certificate from a Certificate Authority (CA) is better if you want a trusted cert.
  • At release time developers must sign their APK with their private key.  Private keys are generated locally and never shared.

This combination of a file signature and private key signature allows for multiple factors of authenticity.  Certificates add yet another layer of signature options.
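As an added example (not code from the article or from Google), the check below shows how an app on the device can verify that an installed package is still signed by the certificate its vendor published, which is exactly the check a repackaged copy from an unofficial site fails.  The package name and expected fingerprint are placeholders you would replace with the vendor's values.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the article): confirms that an installed app is
 * signed by the certificate its vendor actually publishes. PACKAGE and
 * EXPECTED_SHA256 are placeholders, not a real app or fingerprint.
 */
public class SignerCheck {
    static final String PACKAGE = "com.example.dictionary";
    static final String EXPECTED_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** SHA-256 fingerprint (lower-case hex) of every certificate the app is signed with. */
    public static String[] signerFingerprints(Context ctx, String pkg)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        String[] out = new String[sigs.length];
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (int i = 0; i < sigs.length; i++) {
            // Signature.toByteArray() returns the DER-encoded X.509 certificate.
            out[i] = toHex(sha256.digest(sigs[i].toByteArray()));
        }
        return out;
    }

    /** True only if one of the signing certificates matches the pinned fingerprint. */
    public static boolean isSignedByVendor(Context ctx) throws Exception {
        for (String fp : signerFingerprints(ctx, PACKAGE)) {
            if (fp.equalsIgnoreCase(EXPECTED_SHA256)) return true;
        }
        return false;  // re-signed build: not the vendor's key, do not trust it
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The fingerprint to pin is the SHA-256 of the certificate inside the genuine APK's META-INF directory, which `keytool -printcert -file` prints.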

Update automatically and often 

Drippler makes your Android even better.  Drippler is a free app you can download today from Google Play.  It will help you with tips and tricks specific to your Android device, and it will automatically detect any software updates and upgrades your Android needs.  Drippler will also keep track of any firmware updates.  People love Drippler because it provides helpful, customized and accurate Android news and tips to make your experience more relevant to your lifestyle.  This may be considered a "soft" layer of security: automatic updates for Android and firmware.  Its weakness is that it can only address known vulnerabilities.  What about zero-day vulnerabilities?  We don't know what we don't know, and vulnerabilities can propagate until discovered and patched.  Even vulnerabilities that reach worldwide attention can go unpatched for years.

Until we can get ahead of known vulnerabilities we need to be writing secure code in the first place.  First to market is a very big deal in just about every line of business.  Still, developers have the responsibility of writing secure code by restricting input to only what is needed and nothing more.  For example, a phone number or postcode has a specific number of digits, so accept only that many digits.  Secure code is the first, and most important, step in any security program.  The problem is developers aren't security experts, and most security experts don't write a lot of code that makes it into a product or service.  Remember, first to market is everything when rolling out a new app.  Look around Google Play for any app.  What you'll find are pages and pages of similar ideas available for free or for a nominal fee.  Business decisions often overrule security.  One reason is the time and cost of writing secure code can be seen as an inhibitor to the next release.

What needs to happen is that security assigns a dedicated person who works side by side with developers to ensure secure code is part of the process on day one of the project, not at the end or in the middle.  Business, for the sake of business, should provide due diligence by ensuring developers receive training and certifications in writing secure code.  One highly recommended certification is the Certified Secure Software Lifecycle Professional managed by the International Information Systems Security Certification Consortium (ISC)².  Organizations or individuals that implement a security program effectively, whether at home or at work, will realize security becomes an enabler and an insurance policy.  If security is considered an unnecessary cost or waste of time then the organization (or individual) has already failed.





Don't grant unnecessary permissions

Many apps will want you to enable automatic updates or location services.  Ask yourself if you really need a dictionary app, for example, to know your location.  Probably not.  Permissions can change over time, for example when you upgrade to a newer version of the software or reinstall the same software.  Generally speaking, software vendors don't deliver strict permissions with their product, regardless of how it is downloaded and installed.  A slip of the finger during installation can result in answering "yes" rather than "no", allowing permissions you may not have really wanted.  Slow down during new application installations to review your options.  The permission may not be a configuration item you can change later; you might have to remove the app and reinstall it to answer the question properly.  One side effect of automatic updates and location services being enabled is that most people don't know if they should or shouldn't allow such actions.  When in doubt, decline any feature that automatically performs a software change to your Android device.  There are ways to enable and disable some features as needed.  It's not always easy to manually toggle app permissions on and off, especially if you have a lot of apps you use regularly.  However, it is necessary to be vigilant today.  We must take an active role in protecting our own privacy.
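As an added example (not the article's own code), the audit below uses the standard PackageManager API to list every user-installed app that requests one of a small watchlist of sensitive permissions, so the "does my dictionary need my location?" question can be answered app by app.  The watchlist is my own selection of standard android.permission names.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the article): reports which user-installed apps ask
 * for permissions a user most often would not expect an app to need.
 */
public class PermissionAudit {
    // Permissions worth a second look; all are standard android.permission names.
    static final Set<String> WATCHLIST = new HashSet<String>(Arrays.asList(
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.RECORD_AUDIO"));

    /** One entry per flagged app: "package: [perm1, perm2]". */
    public static List<String> audit(Context ctx) throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        List<String> report = new ArrayList<String>();
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            // Skip preinstalled system apps; focus on what the user added.
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            PackageInfo info = pm.getPackageInfo(app.packageName, PackageManager.GET_PERMISSIONS);
            List<String> hits = flagged(info.requestedPermissions);
            if (!hits.isEmpty()) report.add(app.packageName + ": " + hits);
        }
        return report;
    }

    /** Which of the permissions declared in the app's manifest are on the watchlist. */
    static List<String> flagged(String[] requested) {
        List<String> hits = new ArrayList<String>();
        if (requested == null) return hits;  // manifest declares no <uses-permission>
        for (String p : requested) if (WATCHLIST.contains(p)) hits.add(p);
        return hits;
    }
}
```

An app that shows up here for a permission unrelated to its purpose is a candidate for removal, or for reinstalling with the permission declined where the version of Android allows it.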

Install reputable, award-winning Anti-virus software for Android 

Many vendors like Sophos, Avast, F-Secure, Ikarus, Symantec, Lookout, McAfee and Zoner offer a free or affordable version of their products for Android today [6].  According to AV-Test.org the number one anti-virus product you can use for your Android v4.1.2 is TrustGo Mobile Security 1.3 [7].  It scored the highest overall for protection and usability.  However, others closely followed, like Antiy AVL v2.2 and Bitdefender Mobile Security v1.2.  Installing award-winning, test-proven anti-virus software can go a long way to further securing your Android device.  Or so it would seem.

Palo Alto Networks has recently discovered that an overwhelming majority of "unknown" malware was delivered via web browsing [8].  Over a period of three months, Palo Alto's WildFire firewall feature found more than 26,000 samples of unknown files in data collected from over 1,000 of Palo Alto's enterprise customers.  Over 90 percent of the malicious files were delivered via web browsing.  This runs counter to the well-known method of malware delivery via email.  Malware delivery vectors are changing, according to Symantec's white paper.  Cyber criminals are hiding malware in an iframe or in obfuscated JavaScript where it is invisible to the user browsing a website [9].  A good rule of thumb: be careful where you go on the web!

Maintain a smaller footprint 

Delete apps you don't use.  Apps are a lot of fun and easy to install.  If you share your Android device with other family members or trusted friends, your Android may have a lot of apps installed.  If you don't use an app often enough you should remove it.  On the battlefield of cyber war, smaller targets may often get overlooked for larger, easier targets.  The state of affairs in the world today is that we are all at risk of data loss, invasions of privacy and malicious software.  The more we do to minimize our exposure, the better we protect ourselves against unwanted incidents.  Many people may not be overly concerned if anyone is able to discover where they go, what they do or the sensitive information they may hold on their Android device.  People may feel they have nothing to hide or protect when using their device.  However, let's not volunteer our private or sensitive information.  Let's not make it easy for a stranger to take what is our own.  This just makes it easier for the cyber criminal to continue to take advantage of others.


Get Alerts

Knowing the latest attack vectors will help you recognize trends and exposures.  There are many organizations that track security incidents and the latest releases from popular vendors.  You can sign up for free and start receiving alerts today.  Not all alerts will apply to Android specifically.  Many alerts apply to Adobe and Microsoft.  However, even the best developers and most trusted companies have flaws in their code.  No software company is immune to security flaws.  Keeping track of and reacting to the latest vulnerabilities will help keep your Android device more secure.  Closer investigation of alerts often leads to a patch or a workaround.



Install a Firewall 

DroidWall is a firewall for your Android device.  Did you know you could restrict which apps can access the network from your Android?  Yes, another layer of security you can add to your device.  Installation is easy.  Root is required to configure DroidWall.  If you are familiar with Linux operating systems (on which Android is based) then you will be familiar with "iptables" and the rules you can configure to allow or deny apps connectivity to the network.  DroidWall users with a limited data plan will enjoy the benefit of limiting which apps use the network.  DroidWall also helps improve battery life.  What if you want a firewall that does not require root privileges?  Mobiwol claims to be the only firewall on Google Play that does not require root.  Mobiwol shares many of the same benefits as DroidWall and then some.  Mobiwol will alert you when apps access the Internet, giving you control and the knowledge of what apps are doing behind the scenes.


Encrypt Your Android Device 

Google Play has a myriad of encryption apps to choose from [10], many free or for a nominal fee.  These encryption apps offer military-grade, strong encryption algorithms like AES, RC6, Blowfish, Serpent, Twofish and GOST.  Most come with a standard 256-bit key.  At this time it would take 50 supercomputers operating at 20 petaFLOPS an estimated 3×10^51 years to search the entire 256-bit key space.  Encrypt any of your files, photos, contacts, passwords, messages, notes, text and even entire folders.  Encryption should come standard with any native operating system.  One of the very first things you should do when you get your Android device out of the box is to install and configure an encryption app.


Healthy Habits of An Android User

Now that you know several ways to secure your Android device using software, let's look at what you can do to live a more secure lifestyle.  The next topic is changing your habits to become even more secure.  There is no one piece of software that will solve all of your potential malware problems with your Android device.  In addition to the software in the previous section, a more effective approach will make you more secure: physical security.  This is where Android security takes a manual approach to disrupt, delay and deter further exposure.  The more you make the following tips part of your Android lifestyle the better.

  1. Don't connect to just any wireless network or computer with your Android.  Don't allow automatic connections to unknown networks.
  2. Power off when you are not using your Android.
  3. Randomize network usage.  Don't stay connected to wireless if you aren't using it.
  4. Never root (aka RootKit) your Android.  Never allow an app to run as root.
  5. Never leave your Android device on a table in a restaurant, halfway in your back pocket, or loosely held when in public places. When not in use keep the device out of sight.
  6. Password protect your Android.  Change your password regularly.
  7. Configure your phone to be wiped clean or reset to factory default if too many unsuccessful attempts have been made to log in.  If you have kids you might reconsider this.
  8. Minimize.  Only run the apps you absolutely need and use regularly.
  9. Don't allow others to shoulder surf to discover your login password.
  10. Purchase a case to protect and secure your phone.

In summary, there are many ways you can further protect your Android device from unnecessary exposure to malware (and other threats).  Set aside some time in your busy schedule to harden your Android with the software and solutions mentioned here.  Two themes were presented: using software solutions to secure your Android device, and physical lifestyle choices you can make today to be more secure.  Security is an individual responsibility that will collectively lead to a more secure world.  Vigilance and due diligence are required to become a smaller target in today's highly connected and integrated Internet society.

  1.  "Google: 500 million Android devices activated". September 12, 2012
  2.  Modular Android Malware Dev Kit To Be Released.  August 3, 2012
  3.  Android Account for 79% Of All Mobile Malware in 2012, 96% In Q4 Alone, Says F-Secure. Thursday March 7th, 2013.
  4.  McAfee:  Malware breaking records, again.  September 5, 2012
  5.  Is Google Helpless To Stop The Scourge Of Android Malware, December 29, 2012
  6.  Best Anti-Malware Scanner For Android Devices.  November 23, 2012
  7. AV-Test Mobile Devices Android Most Recent Test Results.  January 2013 
  8. New study finds malware variant skirting AV, mostly delivered via web.  March 27, 2013 
  9. Symantec White Paper - Malware Security Report:  Protecting Your Business, Customers and the Bottom Line.  September 2011
  10. Encryption Apps available on Google Play.  April 3, 2013

About the Author
John Lear, CISSP, has worked in IT for over 18 years as a system and security engineer and most recently as a DevOps Engineer.  Ten of those years he was involved with building a security program from the ground up.  He is a subject matter expert in the areas of hardening operating systems and applications.  John is founder of Oomba Security LLC where he provides security as a service, automating compliance solutions, training and vulnerability management. His current project includes writing secure code in Ruby on Rails to scan and ensure system compliance.  When he's not working he enjoys spending time with his family and biking.