In its rise Android has broken every record. From a timid experiment seven years ago it has grown into the most popular operating system: more than a billion installed copies, more than a million applications, and a range of supported devices that runs from “smart” watches to laptops. Much of that success is owed to the liberal principles on which the platform is built: free code inherited from Linux, and relatively wide latitude for developers and partners, who are not told what to write, how to write it, or how to ship it. And, of course, a modern security system: applications run inside a “sandbox” and have access only to those system resources the user has personally granted.
The trouble is that the very principles that drove Android’s explosive expansion, pushing aside Windows Mobile and iOS, have become a headache now that the platform has grown up. Much has been said about Android fragmentation, but over the past year or two another sore spot has emerged that is perhaps more serious: permissions.
From a purely technical point of view, the concept of permissions is simple, elegant and effective. Before installing a new application the user reads the list of rights the program requires and either refuses them, in which case the installation is aborted, or agrees to grant them in full, after which the program is installed on the device. This scheme is simpler and more democratic than the one used by the main competitor (in iOS every application is subjected to rigid pre-screening bordering on censorship, but the user is never asked anything). However, there is the human factor …
Every platform that crosses the imaginary line of recognition becomes a desirable target for attackers. Android is no exception; more than that, it is far more attractive to criminal circles than MS-DOS and MS Windows were in their day, because it controls a mobile device that accompanies the user anytime, anywhere, and is therefore capable of generating a more valuable stream of data. Antivirus vendors try to draw attention to the exponential growth of malicious software for Android, and although Google disputes their claims, insisting they are not impartial (antivirus developers, of course, live off antivirus sales), the problem is real, and the problem is that the Android user is unable to control the application.
In fact, once a program has been given the go-ahead to access certain system resources (the camera, the network interface, GPS and so on), the user can only blindly trust that the program will not turn the powers it has been given against him. But how justified is that trust? Modern applications request every conceivable permission and shun none, so the list grows so long that it is hard even to skim. Meanwhile, virtually every item can be turned against the user: the camera for covert filming, the contact list to steal e-mail addresses, SMS to send messages to premium numbers, and so on and so forth.
Until recently the best recipe Google offered for avoiding trouble with Android malware was: stay away from “unofficial” app stores. Last week, however, evidence appeared that casts the situation in a new light. It concerns only one aspect of the permission system, namely the right to access the web, but that is a lot, because Internet access is required by almost any malicious application. Here is what I mean: a group of French researchers specializing in information security set up a simple experiment. They took an ordinary Android smartphone, connected it to the Internet and watched which sites it went to during the installation and use of a variety of applications (hundreds of the newest and most popular apps were tested, a hundred in each of 25 categories of the Google Play store). The result seems to have surprised even the authors of the experiment.
It turned out that applications from the official Google app store lead a very active “private life”: they connect to tens and hundreds of Internet sites the user knows nothing about and is not notified of. Every tenth application connects to more than 500 hosts, and many to even more, up to two thousand. Most often the applications contact advertising-related sites (including ones owned by Google), which in principle can be understood and forgiven: the freemium model steers the mobile universe, and the advertising has to come from somewhere.
However, the list also lit up with Internet sites that help track the user: many applications (including ones from developers the public trusts) do not disdain such activity. Finally, there were also applications that establish connections to addresses associated with clearly malicious content. Naturally, the user knows nothing of all this: he was asked whether the application may use the Internet, and he answered yes. At best he will notice some sluggishness of the smartphone and of his home Internet; at worst he will notice nothing at all.
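To make the kind of measurement described above concrete, here is an added example (not the French researchers’ tool and not code from the article) that takes a per-app connection log, counts the distinct hosts each application contacted, classifies the hosts against category lists, and flags apps that exceed a host-count threshold or touch tracking or malicious domains. The log format, package names, domains and category lists are all constructed for this example; a real capture (from a proxy or a VPN-based logger) would need its own parser and curated blocklists.

```python
"""Per-app host inventory from a connection log (added example; constructed data)."""
import re
from collections import Counter, defaultdict

# Constructed log lines in an assumed "<timestamp> <package> -> <host>" format.
# A "chatty" app touching 600 distinct CDN hosts is appended to exercise the
# "more than 500 hosts" threshold mentioned in the article.
SAMPLE_LOG = "\n".join(
    [
        "12:00:01 com.example.flashlight -> ads.adnet.test",
        "12:00:02 com.example.flashlight -> metrics.tracker.test",
        "12:00:03 com.example.flashlight -> cdn.tracker.test",
        "12:00:04 com.example.flashlight -> ads.adnet.test",  # repeat host, counted once
        "12:00:05 com.example.notes -> api.notes.test",
        "12:00:06 com.example.notes -> sync.notes.test",
        "12:00:07 com.example.wallpaper -> bad-c2.malicious.test",
        "garbage line that does not parse",
    ]
    + [f"12:01:{i % 60:02d} com.example.chatty -> cdn{i}.assets.test" for i in range(600)]
)

LINE_RE = re.compile(r"^\S+\s+(?P<pkg>[\w.]+)\s+->\s+(?P<host>[\w.-]+)$")

# Constructed category lists keyed by registrable domain; hosts are matched by suffix.
CATEGORIES = {
    "ad": {"adnet.test"},
    "tracker": {"tracker.test"},
    "malicious": {"malicious.test"},
}


def parse_log(text):
    """Return a list of (package, host) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("pkg"), m.group("host").lower()))
    return records


def classify(host):
    """Return the category whose domain equals host or is a dot-separated suffix of it."""
    for cat, domains in CATEGORIES.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return cat
    return "other"


def hosts_per_app(records):
    """Map each package to the set of distinct hosts it contacted."""
    hosts = defaultdict(set)
    for pkg, host in records:
        hosts[pkg].add(host)
    return hosts


def report(records, threshold=500):
    """Per app: distinct host count, per-category counts, and a list of flags."""
    out = {}
    for pkg, hosts in hosts_per_app(records).items():
        counts = Counter(classify(h) for h in hosts)
        flags = []
        if len(hosts) > threshold:
            flags.append("chatty")
        if counts["tracker"]:
            flags.append("tracking")
        if counts["malicious"]:
            flags.append("malicious-contact")
        out[pkg] = {
            "distinct_hosts": len(hosts),
            "by_category": dict(counts),
            "flags": flags,
        }
    return out


if __name__ == "__main__":
    for pkg, info in sorted(report(parse_log(SAMPLE_LOG)).items()):
        print(pkg, info)
```

Distinct hosts are counted rather than connections, because a single advertising endpoint hit a thousand times says less about an app’s reach than a thousand different endpoints hit once; the suffix match deliberately rejects hosts such as `adnet.test.evil`, where the listed domain is not the real suffix.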
The French, having seen the problem, propose a solution: they are preparing to release an application with the telling name «NSA», which will let an individual inspect any network activity of an Android program. However, this is not a universal solution, not an original one, and hardly an effective one. Google, too, knows what is going on and has long practiced similar methods. In recent years Android has acquired a built-in malware scanner and the App Ops function for inspecting and routinely enabling or disabling permissions for each installed application. But while the scanner stayed (it now hides under the “Check application” function in the “Security” tab of the system settings), access to App Ops was blocked for the ordinary user, and that was absolutely the right thing to do, because the average user has neither the knowledge nor the experience to use such a tool. The French NSA will not fix this either: someone may use it to find out something useful, but for the majority of Android device owners everything will stay the same.
Should we hope that a complete solution will ever be found? Not if we remember history. Android is clearly becoming the third monarch of the digital world, after the reigns of MS-DOS and Windows, which suffered from the same ailments and were never cured. Worse, the task of controlling applications is harder in a mobile OS, because an application’s need for a resource is often perfectly legitimate and obvious. You cannot simply forbid a program access to GPS, contacts, the camera or the network, because all of these have legitimate uses: downloading advertising, storing data in the “cloud”, photographing the user for an avatar, and so on and so forth.
Perhaps the permission system can be made more informative and understandable. Perhaps the user can still be given the right, at his sole discretion, to selectively restrict an application’s access to resources (something similar has already been implemented in BlackBerry). Obviously, more rigorous checks are needed before applications are admitted to the app store. But a complete solution to the problem will require modifying the entire Android ecosystem. Until then, the user will have to accept it and put up with it.
P.S. The illustration used in this article is by Steve Emry.