Improving Android security

One of the defining features of the Android operating system is its freedom to load any application you want. Most people stick to the Google Play store, but sometimes one may want to load a custom app downloaded from another source. This process is called sideloading, and is the reason Android is the only major smartphone OS with any significant amount of malware.

The latest release of Android (4.2) is trying to fix that.

This is undoubtedly a positive development in Android. The new security system automatically checks sideloaded apps against Google’s servers and warns users if the app is either known to be bad or raises any flags.

There’s two caveats in my mind.

First, the system is signature-based. That means they are comparing the code to a known list, and although this is effective at stopping a lot of threats, it will lead malware developers to generate polymorphic code that can avoid signature detection. Now the description of the security system indicates that it will also warn users about apps that don’t fit a signature, but may be harmful anyway. I’m not certain how that is going to be implemented, but if it is overly cautious in warning users, they will end up ignoring those warnings.

The second issue is with Android’s broken update process. Because Android phones go through manufacturer modifications followed by carrier modifications, receiving timely updates to the phone is nigh impossible (apart from the Nexus line, which is never modified from stock Android)
So, even though there is a nice new security enhancement to Android, it will probably be 2-3 years before we can expect to see even half of the installed base running 4.2 or higher.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s