Permissions are used to control a particular application's access to system functions.
Android applications run in a
sandbox,
an isolated area of the system that does not have access to the rest of
the system's resources, unless access permissions are explicitly
granted by the user when the application is installed. Before installing
an application,
Play Store displays all required permissions: a game may need to enable vibration or save data to an
SD card,
for example, but should not need to read SMS messages or access the
phonebook. After reviewing these permissions, the user can choose to
accept or refuse them, installing the application only if they accept.
[153]
The sandboxing and permissions system lessens the impact of
vulnerabilities and bugs in applications, but developer confusion and
limited documentation has resulted in applications routinely requesting
unnecessary permissions, reducing its effectiveness.
[154]
Google has now pushed an update to Android Verify Apps feature, which
will now run in background to detect malicious processes and crack them
down.
[155]
In Android 6.0
Marshmallow, the permissions system was changed
to allow the user to control an application's permissions individually,
to block applications if desired from having access to the device's
contacts, calendar, phone, sensors, SMS, location, microphone and
camera.
[156] Full permission control is only possible with
root access to the device.
[157]
Research from security company
Trend Micro lists premium service abuse as the most common type of Android malware, where text messages are sent from infected phones to
premium-rate telephone numbers without the consent or even knowledge of the user.
[158]
Other malware displays unwanted and intrusive adverts on the device, or
sends personal information to unauthorised third parties.
[158]
Security threats on Android are reportedly growing exponentially;
however, Google engineers have argued that the malware and virus threat
on Android is being
exaggerated by security companies for commercial reasons,
[159][160] and have accused the security industry of playing on fears to sell virus protection software to users.
[159] Google maintains that dangerous malware is actually extremely rare,
[160] and a survey conducted by
F-Secure showed that only 0.5% of Android malware reported had come from the Google Play store.
[161]
Google uses
Google Bouncer malware scanner to watch over and scan applications available in the Google Play Store.
[162] It is intended to flag up suspicious apps and warn users of any potential threat with an application before they download it.
[163] Android version 4.2
Jelly Bean
was released in 2012 with enhanced security features, including a
malware scanner built into the system, which works in combination with
Google Play but can scan apps installed from third party sources as
well, and an alert system which notifies the user when an app tries to
send a premium-rate text message, blocking the message unless the user
explicitly authorises it.
[164] Several security firms, such as
Lookout Mobile Security,
[165] AVG Technologies,
[166] and
McAfee,
[167]
have released antivirus software for Android devices. This software is
ineffective as sandboxing also applies to such applications, limiting
their ability to scan the deeper system for threats.
[168][169]
Android's fragmentation is a problem for security, since patches to
bugs found in the core operating system often do not reach users of
older and lower-price devices.
[170][171]
One set of researchers say that the failure of vendors to support older
devices with patches and updates leaves more than eighty-seven percent
of active devices vulnerable.
[172][173]
However, the open-source nature of Android allows security contractors
to take existing devices and adapt them for highly secure uses. For
example, Samsung has worked with General Dynamics through their
Open Kernel Labs acquisition to rebuild
Jelly Bean on top of their hardened microvisor for the "Knox" project.
[174][175]
Android smartphones have the ability to report the location of
Wi-Fi
access points, encountered as phone users move around, to build
databases containing the physical locations of hundreds of millions of
such access points. These databases form electronic maps to locate
smartphones, allowing them to run apps like
Foursquare,
Google Latitude,
Facebook Places, and to deliver location-based ads.
[176] Third party monitoring software such as TaintDroid,
[177]
an academic research-funded project, can, in some cases, detect when
personal information is being sent from applications to remote servers.
[178]
In August 2013, Google released Android Device Manager (ADM), a
component that allows users to remotely track, locate, and wipe their
Android device through a web interface.
[108][179]
In December 2013, Google released ADM as an Android application on the
Google Play store, where it is available to devices running Android
version 2.2 and higher.
[180][181]
As part of the broader
2013 mass surveillance disclosures it was revealed in September 2013 that the American and British intelligence agencies, the
National Security Agency (NSA) and
Government Communications Headquarters
(GCHQ), respectively, have access to the user data on iPhone,
BlackBerry, and Android devices. They are reportedly able to read almost
all smartphone information, including SMS, location, emails, and notes.
[182] (See also
WARRIOR PRIDE.)
In January 2014, further reports revealed the intelligence agencies'
capabilities to intercept the personal information transmitted across
the Internet by social networks and other popular applications such as
Angry Birds, which collect personal information of their users for advertising and other commercial reasons. GCHQ has, according to
The Guardian, a
wiki-style guide of different apps and advertising networks, and the different data that can be siphoned from each.
[183] Later that week, the Finnish Angry Birds developer
Rovio
announced that it was reconsidering its relationships with its
advertising platforms in the light of these revelations, and called upon
the wider industry to do the same.
[184]
The documents revealed a further effort by the intelligence agencies
to intercept Google Maps searches and queries submitted from Android and
other smartphones to collect location information in bulk.
[183]
The NSA and GCHQ insist their activities are in compliance with all
relevant domestic and international laws, although the Guardian stated
"the latest disclosures could also add to mounting public concern about
how the technology sector collects and uses information, especially for
those outside the US, who enjoy fewer privacy protections than
Americans."
[183]
