SharkLaser writes 
"Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years. Now it seems like such scams have spread to Android. Fake antivirus scams on Android work the same as they do on PCs — a user with an Android phone downloads an application or visits a website that says that the user's device is infected with malware. It will then show a fake scan of the system, return hard-coded 'positives' and give the option to buy antivirus software that will 'remove' the malware on the affected system. Android, which is based on Linux, has been plagued with malware earlier too. According to McAfee, almost all new mobile malware now targets Android. Android app stores, including the official one from Google, have also been hosting hundreds of trojan applications that send premium-rate SMSes on behalf of unsuspecting users."
 Early on in development, the core Android development team recognized that a
robust security model was required to enable a vigorous ecosystem of
applications and devices built on and around the Android platform and supported
by cloud services. As a result, through its entire development lifecycle,
Android has been subjected to a professional security program. The Android team
has had the opportunity to observe how other mobile, desktop, and server platforms
prevented and reacted to security issues and built a security
program to address weak points observed in other offerings.
The key components of the Android Security Program include:
- Design Review: The Android security process begins early in the development lifecycle with the creation of a rich and configurable security model and design. Each major feature of the platform is reviewed by engineering and security resources, with appropriate security controls integrated into the architecture of the system.
- Penetration Testing and Code Review: During the development of the platform, Android-created and open-source components are subject to vigorous security reviews. These reviews are performed by the Android Security Team, Google’s Information Security Engineering team, and independent security consultants. The goal of these reviews is to identify weaknesses and possible vulnerabilities well before the platform is open-sourced, and to simulate the types of analysis that will be performed by external security experts upon release.
- Open Source and Community Review: The Android Open Source Project enables broad security review by any interested party. Android also uses open source technologies that have undergone significant external security review, such as the Linux kernel. Google Play provides a forum for users and companies to provide information about specific applications directly to users.
- Incident Response: Even with all of these precautions, security issues
may occur after shipping, which is why the Android project has created a
comprehensive security response process. A full-time Android security team
constantly monitors Android-specific channels and the general security community for
discussion of potential vulnerabilities. Upon the discovery of legitimate
issues, the Android team has a response process that enables the rapid
mitigation of vulnerabilities to ensure that potential risk to all Android
users is minimized. These cloud-supported responses can include updating the
Android platform (over-the-air updates), removing applications from Google
Play, and removing applications from devices in the field.

How Users Understand Third-Party Applications

Android strives to make it clear to users when they are interacting with third-party applications and to inform the user of the capabilities those applications have. Prior to installation of any application, the user is shown a clear message about the different permissions the application is requesting. After installation, the user is not prompted again to confirm any permissions.
There are many reasons to show permissions immediately prior to installation. This is when the user is actively reviewing information about the application, developer, and functionality to determine whether it matches their needs and expectations. It is also important that they have not yet established a mental or financial commitment to the app, and can easily compare the application to alternative applications.
Some other platforms use a different approach to user notification, requesting permission at the start of each session or while applications are in use. The vision of Android is to have users switching seamlessly between applications at will. Providing confirmations each time would slow down the user and prevent Android from delivering a great user experience. Having the user review permissions at install time gives the user the option not to install the application if they feel uncomfortable.
Also, many user interface studies have shown that over-prompting the user
causes the user to start saying "OK" to any dialog that is shown. One of
Android's security goals is to effectively convey important security
information to the user, which cannot be done using dialogs that the user will
be trained to ignore. By presenting the important information once, and only
when it is important, the user is more likely to think about what they are
agreeing to.
 
Some platforms choose not to show any information at all about application functionality. That approach prevents users from easily understanding and discussing application capabilities. While it is not possible for all users to always make fully informed decisions, the Android permissions model makes information about applications easily accessible to a wide range of users. For example, unexpected permission requests can prompt more sophisticated users to ask critical questions about application functionality and share their concerns in places such as Google Play where they are visible to all users.
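A practical way to act on that advice before installing is to read the permission list out of the app's manifest and compare it with what the app claims to do; a "scanner" that wants to send and intercept SMS is exactly the mismatch behind the premium-rate trojans mentioned at the top of the page. The following script is an added example, not code from the original page or from the Android project. It assumes the APK's AndroidManifest.xml has already been decoded from its binary form to plain XML (for instance with apktool), and the sample manifest for a hypothetical "antivirus" app, the HIGH_RISK table and the function names are all constructed for this illustration.

```python
"""Flag unexpected permission requests in a decoded AndroidManifest.xml.

Added example, not code from the original page or the Android project.
Assumes the manifest has been decoded from binary XML to plain XML
(e.g. with apktool). The sample manifest and the HIGH_RISK table are
constructed for this illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name attribute
PRIORITY = "{%s}priority" % ANDROID_NS  # android:priority attribute
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that cost the user money or expose personal data. This
# grouping is chosen for the example; it is not an official Android category.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.CALL_PHONE": "can dial premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can see incoming SMS before the user",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start at boot without user action",
}

# Constructed manifest for a hypothetical "antivirus" app. A scanner has no
# reason to send or intercept SMS, which is the mismatch a reviewer wants to see.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Anti-Virus Pro">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission> name, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def flag_high_risk(manifest_xml):
    """Map each requested high-risk permission to the reason it matters."""
    return {p: HIGH_RISK[p] for p in requested_permissions(manifest_xml) if p in HIGH_RISK}


def sms_receivers(manifest_xml):
    """Return (receiver name, priority) for receivers listening for SMS_RECEIVED.

    On Android versions where SMS_RECEIVED is an ordered broadcast, a receiver
    with a very high priority runs before the messaging app and can abort the
    broadcast, hiding premium-rate confirmation messages from the user.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((receiver.get(NAME), int(flt.get(PRIORITY, "0"))))
    return found


def review(manifest_xml):
    """Produce the lines a reviewer would read before deciding to install."""
    lines = []
    for perm, why in flag_high_risk(manifest_xml).items():
        lines.append("HIGH RISK %s: %s" % (perm, why))
    for name, prio in sms_receivers(manifest_xml):
        if prio > 0:
            lines.append("SMS receiver %s with priority %d may hide incoming SMS" % (name, prio))
    return lines


if __name__ == "__main__":
    for line in review(SAMPLE_MANIFEST):
        print(line)
```

The permission list alone is what the install screen shows; the receiver check goes one step further, because a high-priority SMS_RECEIVED receiver is a common companion of SEND_SMS in premium-rate trojans. Treat both as indicators that justify asking the "why does a scanner need this?" question, not as proof of malice: a legitimate messaging app will request the same permissions.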
 