Android manufacturers compromise users' safety

Johannesburg, 08 Mar 2012

Manufacturers of Android mobile phones are not doing enough to safeguard their users worldwide.

So says Ian Shaw, MD of MWR InfoSecurity, who adds: “Android mobiles are being compromised daily, exposing users to a real .”

He says the increasing lack of controls on the phones is exposing users to fraud and other criminal activity.

“Manufacturers must spend more time looking to see how they can safeguard users. Many seem to forget that they have a duty of care. The problem is that many users just don't realise how vulnerable they actually are. Criminals can steal personal details like bank passwords and other personal information.”

He says security weaknesses that have been introduced into smartphones by their manufacturers expose users' private information and leave them susceptible when using sensitive online apps such as mobile banking.

MWR previously illustrated this issue, demonstrating how a Palm webOS smartphone and an Android smartphone could be used as bugging devices. Following this, the company showed how Windows Phone devices from HTC and Samsung could also be compromised, exposing users' data.

The company has identified more than 10 vulnerabilities specific to Samsung smartphones and tablets and has reported these to the vendor in Korea. “While this is concerning, Samsung has responded to the security vulnerabilities that MWR has identified and is currently in contact with the research team in South Africa to resolve these.”

Harry Grobbelaar, director of MWR InfoSecurity SA, says vendors are responsible for making sure that any OEM software they add to their devices is secure. “Vulnerabilities are often introduced when vendors bypass built-in security mechanisms set by the underlying OS. As the vendor-provided software - such as drivers or applications that ship with the phone - can often not be removed without rooting or jail-breaking, this exposes the end-user to attacks.”

He says while there is anti-virus (AV) for smartphones, it is hardly a silver bullet. “AV essentially runs as an application on a phone, and while it does offer security benefits, it is subject to the same sandboxing rules as all other apps on an Android device.”

Grobbelaar says that, as with PCs, OS vendors such as Microsoft and Apple cannot abdicate the responsibility for security to AV - OS updates form a critical part of the security landscape.

Using the PC AV as an example, he says similar benefits could be realised by mobile security products, if the products provide the right controls.

There are quite a few mobile AVs on the Android market that focus on remote wipe, data encryption and suchlike. “These controls all add to the layered security model, but without security at each layer, a successful attack would be easier to realise.”
