Android has quickly climbed to the top of the mobile OS mountain, and it owes much of its success to being a more open platform than rivals like iOS. However, that openness is a double-edged sword that also exposes Android to potential risk, like the Android Class Loading Hijacking threat discovered by Symantec.
A Symantec spokesperson explains that the Android Class Loading Hijacking threat resembles a Windows DLL hijacking attack. “It relies on the fact that Android provides APIs that allow an app to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked.”
Symantec stresses that the Android Class Loading Hijacking threat is not a vulnerability in the Android OS itself, but a flaw in the way some apps are coded that can be exploited to hijack permissions.
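The coding flaw described above comes down to where an app keeps the code it later loads. The following is an added example, not Symantec's research code and not from any app the article mentions: it places the weak pattern (loading a plug-in from shared external storage) beside a hardened one (app-private storage plus a hash check before loading). The class and method names, the plug-in file name and the expected hash value are all hypothetical; `getCodeCacheDir()` assumes API level 21 or later.

```java
// Added example (not Symantec's or the article's code): contrasts the weak
// plug-in loading pattern with a hardened one. Names are hypothetical;
// EXPECTED_SHA256 is a placeholder, not a real value.
import android.content.Context;
import android.os.Environment;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PluginLoader {

    // Weak pattern: the plug-in .dex/.jar lives on shared external storage,
    // which any app holding the external-storage permission can overwrite.
    // Whatever ends up in that file runs with THIS app's permissions.
    public static ClassLoader loadPluginInsecure(Context ctx, String pluginName) {
        File plugin = new File(Environment.getExternalStorageDirectory(), pluginName);
        File optDir = ctx.getDir("dex", Context.MODE_PRIVATE);
        return new DexClassLoader(plugin.getAbsolutePath(), optDir.getAbsolutePath(),
                null, ctx.getClassLoader());
    }

    // Hardened pattern: the plug-in is kept in app-private storage (only this
    // app's UID can write there), and its SHA-256 is compared with a value the
    // app shipped with before any class from it is loaded.
    private static final String EXPECTED_SHA256 = "<hex sha-256 of the trusted plug-in>";

    public static ClassLoader loadPluginHardened(Context ctx, String pluginName)
            throws IOException {
        File privDir = ctx.getDir("plugins", Context.MODE_PRIVATE);
        File plugin = new File(privDir, pluginName);

        // Reject names that resolve outside the private directory ("../...").
        String base = privDir.getCanonicalPath() + File.separator;
        if (!plugin.getCanonicalPath().startsWith(base)) {
            throw new SecurityException("plug-in path escapes private directory");
        }
        if (!EXPECTED_SHA256.equalsIgnoreCase(sha256Hex(plugin))) {
            throw new SecurityException("plug-in hash mismatch; refusing to load");
        }

        // The optimized-dex output directory must be private as well; writable
        // shared storage here would reopen the same hole one step later.
        File optDir = ctx.getCodeCacheDir();
        return new DexClassLoader(plugin.getAbsolutePath(), optDir.getAbsolutePath(),
                null, ctx.getClassLoader());
    }

    // Hex-encoded SHA-256 of a file, streamed so large plug-ins are not read into memory.
    static String sha256Hex(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The hash check is only meaningful because the file sits in storage no other app can write: checking a file on external storage and then loading it would still leave a window in which another app swaps the contents. When reviewing an app for this weakness, the things to look for are any `DexClassLoader` or `PathClassLoader` whose input path or optimized-output directory is derived from external storage, a world-writable directory, or an unvalidated name.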
Oliver Lavery, Director of Security and Development for nCircle, explains, “This weakness, and others like it that haven’t been discovered yet, are an unfortunate side-effect of Android’s openness. While open platforms are good, the history of browser vulnerabilities has shown us time and time again how important it is to have effective ‘sandboxing’ for content that comes from the internet.”
Lavery says that Android security is not significantly better or worse than the security of any other completely open computing device, like a desktop or laptop. “The ‘walled garden’ approach iOS uses is almost certainly more secure, but that relative level of additional security comes at the cost of openness and extensibility.”
Randy Abrams, Director of Technical Education for ESET, says that the Symantec research is interesting, but that cyber criminals really don’t have to work that hard. Abrams warns that the liberal permissions Android apps are routinely granted make an attack like stealing a Gmail verification code text message as simple as convincing the user to install an app that has access to text messages.
“Users routinely grant such permissions to applications without a second thought,” laments Abrams. “There is far too much opportunity for cross application pollution by design to invest in the real, but esoteric approaches that Symantec discusses.”
There are always trade-offs between functionality or flexibility and security. Android errs on the side of functionality over security, and that means app developers have to be more diligent, and users more vigilant, to guard against security threats.