Android Security Chief: Mobile-phone Attacks Coming
As smartphones become more popular, they're going to get some unwanted attention from criminals, Google's head of Android security said Wednesday.
"The smartphone OS will become a major security target," said Android Security Leader Rich Cannings, speaking at the Usenix Security Symposium. Attackers can already hit millions of victims with a smartphone attack, and soon that number will be even larger. "Personally I think this will become an epiphany to malware authors," he said.
Microsoft's Windows operating system is the prime target of criminal attacks today, and hackers have generally steered clear of mobile devices. Security experts say that this is because mobile phones haven't traditionally stored a lot of sensitive data, and because there are so many different devices to attack, it's hard to create a single virus that can infect a large number of users.
That may be changing as more and more people start using iPhones, BlackBerries, and -- Google hopes -- Android-based phones such as the Samsung I7500.
Google was late to market with an iPhone competitor -- the first Android system shipped in October 2008 -- but the company hopes to make up ground by making its platform more open and appealing to developers. Android uses open-source components, and Google places fewer restrictions on device makers and application developers than Apple.
For example, Apple must first approve any application before it can be featured in the iPhone store. Google applies no such restrictions in its Android Market.
This open approach to security is further reflected in the fact that Cannings was even allowed to talk about Android security in the first place. Mobile-phone makers are traditionally tight-lipped about their security strategies.
Google's openness gives developers more freedom to innovate, but it can also be misused. "We wanted developers to be able to upload their applications without anyone stopping them from doing that," Cannings said. "Unfortunately this opens us up to malware."
Google runs an application honeypot -- a computer set up with test versions of Android -- to check Android Market programs, but it has also made changes to the way Android's Linux operating system runs applications in order to make things safer. Each application runs within what Cannings calls an "application sandbox," a virtual-machine environment where the program is unable to mess with other programs on the phone.
Applications are given access to the parts of the system that they need, but they're blocked off from other parts of the system.
Android has a media server process, for example, that can write to the phone's display and use the sound card, but it can't do things like access the phone's browser or Bluetooth connection.
That approach paid off last February, when security researcher Charlie Miller found a bug in the way Android played MP3 files, Cannings said. On many other operating systems this kind of bug could be used to run unauthorized software on the computer, but Android's application sandbox limited what could go wrong, Cannings said.
Miller recently discovered a serious flaw in the way both the iPhone and Android processed SMS (Short Message Service) messages, but the vulnerability's consequences were not as serious on Android, the security researcher said.
However, the iPhone has some important security features that are lacking in Android, Miller added. Apple's sophisticated memory protection system and its requirement that iPhone code must be digitally signed are both powerful security features. But Android's sandboxing "makes life harder on a hacker for sure," he said.
When he took a close look at Android back in February, Miller didn't find it any more secure than the iPhone, but some security experts think that Google has an edge.
"Google is ahead in the security game even if Apple is head in market share," said Alex Halderman, assistant professor of electrical engineering and computer science at the University of Michigan. He believes that Google's more open approach will give the company a "major competitive advantage," and will give Android an edge if Apple is forced to open up its platform.
"The Google system is designed so that an application that is broken can do less harm," he said.
資料二:
Android手機安全性成難題
二月中旬,一個未透露姓名的開發者在谷歌的安卓(Android)市場上投放了大量專用於安卓智能手機的應用程序,如保齡球時刻(Bowling Time)、超級吉他秀(Super Guitar Solo)、骰子游戲(Dice Roller)等等。
兩周後,某博主發現這些應用程序其實是特洛伊木馬病毒——它們包括名為DroidDream的惡意代碼,意在感染用戶的安卓手機。這種攻擊行為會創造一個進入智能手機的後門,允許黑客安裝更多的惡意軟件。
3月1號,谷歌清除了這些特洛伊木馬,發現含有DroidDream惡意軟件的共有58個應用程序。谷歌還表示已確定大約有26萬安卓手機受到感染,所幸沒有用戶的個人信息遭到洩露。隨後谷歌利用內置在安卓系統的可遠程刪除惡意軟件的應用程序清除了感染手機上的病毒。
然而直到現在,還有一半的安卓手機用戶對DroidDream制造的一個軟件漏洞無法抵抗。「谷歌清除了制造這一漏洞的軟件包,但沒有解決潛在的漏洞,」移動安全公司Lookout的首席技術官凱文·馬哈菲(Mahaffey)表示。Lookout公司曾分析過DroidDream惡意軟件。
與安卓合作的每家手機制造商都按照自己的方式整合安卓操作系統,以便擁有自己的用戶界面、算法和標識。雖然谷歌發現軟件漏洞後很快對安卓系統進行了更新升級,但安卓開發者網站的數據顯示,至少42%的安卓手機沒有及時更新,依然面臨著病毒威脅。
消除這些手機的漏洞要求手機制造商適當地對硬件進行更新,然後再聯合谷歌的軟件更新。他們測試過更新程序後會將之傳遞給手機的網絡服務提供商,經過再一次的測試之後才會提供給用戶。安卓手機的應用程序,包括谷歌開發的程序,都可以通過安卓市場完成升級。但系統軟件的升級必須經過網絡提供商的信道。
「這絕對是個問題——時間根本不夠,」移動安全服務公司Intrepidus Group的安全顧問扎克·拉尼爾(Zach Lanier)說。拉尼爾還說很多智能手機可能從未升級過,原因是善於規避風險的網絡提供商擔心通過網絡推入軟件補丁會對自身有不利影響。手機制造商也需要面對幾十種不同的手機模型,對各類手機進行軟件測試需要耗費大量的人手。谷歌不願對安卓的安全性進行評論,但表示正在與手機制造商和網絡服務商進行磋商,以求解決這一問題。
在個人計算機領域,軟件開發商通常會及時地發布軟件補丁。軟件自動更新功能已成為各種應用程序和操作系統的必備,且一般情況下使用較為頻繁。因此,個人電腦和蘋果電腦用戶的一般期望是在一個月內解決他們的各種系統問題,安全公司Qualys表示。
黑客們正在轉而使用其他的方法進行攻擊,這些方法最初是用於允許手機用戶避開網絡提供商設置的種種限制。這種被稱為「越獄」的做法可以使iPhone和安卓用戶的手機增添一項新功能——比如進入一個移動無線網絡熱點,而不需額外付錢。「我們眼裡的成熟可靠的檢測代碼成為了人們用於手機越獄的漏洞,」克洛斯說。「這些檢測代碼可用於惡意攻擊。」
心得:
隨著智慧型手機的普及,在透漏自身資訊方面,可以說是除透過電腦外,最大的一宗設備了,看完文章後,再結合自身寫Android軟體的經驗,可以淺談一下手機可能洩漏的隱私 權。首先是最簡單的目前位置,賜福於GOOGLE強大的API,只要稍微懂得寫手機程式的 人,可以輕鬆在幾分鐘內完成這個程式,安裝在手機上後,自動背景執行,輕而易舉隨時掌握你的行蹤,讓捉姦行動、變態尾隨,變得更加輕鬆簡單了。
現代人拿手機不只通話,更是使用手機來談生意、寄發EMAIL、拍裸照,於是駭客把眼光放到了手機上了,尤其是Android手機,如同文章講的,GOOGLE並沒有檢測過GOOGLE PLAY架上的軟體,因此駭客能較容易透過病毒來入侵你手機,取得他需要的資訊,無論你的簡訊內容、通訊錄、照片、等等手機上的資訊,現在不只是使用電腦時隱私要注意不洩漏,連同使用手機也是一樣的,不要以為駭客要你的資訊也沒用,現在手機程式撰寫上手容易,認識你的人,寫一支有針對性的軟體不難,駭客對你不感興趣,可周遭的人說不定感興趣,因為自身資工系,只要設備能連上網路,我就不敢信任,因此養成重要資訊,都不放在能連上網路的設備上的習慣。也佩服老師常宣導和維護自己隱私這方面事情的情操。
cc-by
cc-by
沒有留言:
張貼留言