Android Security Continues to Challenge Mobile Developers

Ongoing security vulnerabilities on the Android mobile platform are still plaguing developers, and the bad guys are even making inroads on iOS attacks, according to a new report from Trend Micro Inc.

The cloud security company yesterday released its latest quarterly security roundup, including a section devoted to mobile concerns, which indicated that 75 percent of Android users were affected by both the FakeID vulnerability and Android browser flaws, providing "a big challenge to developers."

The critical Android vulnerabilities are compounded by the fragmentation of the Android platform: security fixes that have already been released remain unavailable for some OS versions, especially older ones.

"Take, for one, the FakeID vulnerability that allows apps to impersonate legitimate ones," the report stated. "The Same Origin Policy bypass vulnerability also opens up Android's default browser to serious risks: attackers could potentially gather data from users who input their information on legitimate Web sites. Although Google has released patches for these vulnerabilities, these do not always reach the majority of users because mobile patch deployments rely on device manufacturers and telecom providers."

[Figure: Android OSes affected by FakeID and Android browser vulnerabilities. (source: Trend Micro Inc.)]

In addition to the specialized attack vectors, vulnerabilities were also spotted in legitimate apps such as the SDKs for in-app payment systems Google Wallet and Alipay, a Chinese payment platform.

Mainstream apps such as Evernote and Spotify were also found to be vulnerable, although they were promptly fixed by their vendors.

"As more vulnerabilities in Android are discovered and while the Android update fragmentation still [exists], the more likely cybercriminals will use exploits in mobile devices," Trend Micro said.

iOS, on the other hand, though considered to be a safer platform, can also be problematic, as malware called IOS_APPBUYER.A was found to be running on jailbroken devices. "This proves that even though iOS may be considered a secure mobile ecosystem, cybercriminals are still trying to find ways to infiltrate and bypass the iOS security measures," Trend Micro reported.

Trend Micro's Leo Zhang said mobile attacks will continue to be discovered, but the "bad guys" are likely to retaliate through more zero-day attacks. And despite the sometimes lagging response to discovered vulnerabilities in the mobile industry, he has seen progress.

"I have seen some app builders setting up response processes and teams," Zhang said. "Google has made enhancements in releasing patches and hotfixes to help Android users get updates. Some mobile manufacturers are reacting faster than before in releasing OS-related patches."

About the Author

David Ramel is an editor and writer for Converge360.