Android leads the pack in mobile malware

Mobile devices have been growing at a rapid scale. Out of the various operating systems powering these devices two of the most popular ones are the Google's Android and the Apple's iOS. According to recent Gartner report on growth of mobile devices worldwide, Android OS accounted for 52.5% of smartphone sales to end users in the third quarter of 2011 doubling its market share of 25.3% from the third quarter of 2010. In the same time period Apple iOS based smartphones lost market share from 16.6% to 15%, though Apple shipped 17 million iPhones, an annual increase of 21 percent.

With the explosive growth has come an unwanted rise in mobile malware and Android is topping this. According to Juniper Global Threat Center post, there has been a 472% increase in Android malware samples since July 2011. In their annual Malicious Mobile Threats Report report, Juniper found a 400% increase in Android malware from 2009 to the summer of 2010. A few months back security firm McAfee quarterly report noted similar findings that Android OS-based malware became the most popular target for mobile malware developers.

Not only the attacks have increased but have also gotten sophisticated, by exploiting the OS vulnerability the malware would gain root access and install even more damaging software packages. This way the attacker gains access to any data on the phone including all communications, location, and other personal identifying information. The mobile malware developers are the same actors who originally wrote malicious code for the legacy platforms of Symbian and older versions of Windows Mobile.

So the key question is how does Android platform fare in terms of security with Apple iOS? There may not be a platform security issue comparing one to the other. The problem lies in how the application stores are managed for Android and iOS. Apple reviews each application and its code before publishing it to Apple application store, this is missing in Android open application store where attackers can easily sneek in their malicious applications without requiring upfront review. Such applications only get removed after the fact that someone discovered and reported the malicious behavior. By that time the attacker has already benefited from its use.

The app store restrictions on Apple hasn't totally kept the malicious apps out, hacker Charlie Miller discovered a method that exploits a flaw in Apple’s restrictions on code signing on iOS devices and demonstrated this by sneaking in an approved malicious app. Apple though quickly reacted to it by removing the bad application, terminating Miller's developer license and fixing the flaw in a software update.

The Android market does provide some free scanners but have been largely unproven and found unreliable. In a test conducted by AV-Test.org the most popular of those is Antivirus Free by Creative Apps with over a million installations but scored a miserable 0% on both the manual and real-time scan, the best one Zoner Antivirus Free scoring a mere 32%.

To get an in-depth technical view into the security approaches of Google's Android and Apple's iOS mobile devices, read the report from earlier this year by security firm Symantec.

Privacy on Kindle Fire's Silk Browser

On September 28, Amazon CEO Jeff Bezos introduced Kindle Fire. A very interesting feature of this device is the Silk browser. Silk is a split browser that runs off of the tablet but the fetching and compilation of the web page happens at the Amazon cloud, known as "cloud acceleration" mode. Based on predictive analytics on where the user is going to navigate next, it can prefetch web pages on the cloud thus providing extremely fast browsing experience as the data is to be fetched from one source (Amazon cloud) which can deliver the content to the tablet using the fast SPDY protocol.

On one hand it seems like the right technological step in the evolution of browsing but on the other hand it raises severe privacy concerns as Amazon acts as the proxy thus being in a unique position to predict consumer patterns.

Electronic Frontier Foundation recently released a report that eases some of these concerns. First and foremost users will be able to turn off the cloud mode easily using the browser settings which will make the Silk browser act as a normal browser thus sending the requests directly to the website without Amazon acting as the middleman. Encrypted (HTTPS) traffic will not be intercepted by Amazon and will be directly routed to the origin server. This is good news as many popular websites including Google are making SSL as the default mode. The persistent SPDY connection that Amazon uses to transfer the content from it's servers to tablet is secured and does not contain any user identifying information. The only information that is stored is URL of the resource being requested, timestamp and session token. The information is only persisted for 30 days. The use of secure SPDY information is seen as a positive development which would thwart snooping on unsecured network.

Although most of the common concerns are addressed the report did highlight some concerns. First is the storing of URLs visited, including search queries, which can sometimes contain identifying information. Second, the content of the EC2 servers' cache might in some instances might contain information that could identify an individual. Other concerns include attractiveness of collective browsing data of Amazon's users for law enforcement agencies.

EFF recommends disabling the cloud acceleration mode to users who are concerned about privacy. I think users could alternately use HTTPS browsing wherever available, like Google Search, Facebook and Twitter.

Secure Google Search

Recently Google announced that its encrypting the search queries and the corresponding results page for users signed into their Google Account. Secured search is not new, in fact Google launched a secured search service at https://encrypted.google.com last year, the difference is this will now become the default behavior.


Why this change? Google says that it is just following the broader industry initiative like those of Twitter and Facebook. Google explains "As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users." For users who are not signed into Google Account can navigate to https://www.google.com.

How will it impact the users? This will protect the users against unwanted eavesdropping particularly when using unsecured Internet connection in a public setting. Since there is an additional step of encrypting the data, the browsing experience can be slower.

Not everyone is excited about this announcement. The Search Engine Optimization (SEO) industry experts argue that this is Google's attempt to sideline them. By securing the connection, digital marketers will no longer be able to see what search results lead users to a website. This is an important metric for them to improving a website attractiveness. The information however is available to Adwords advertisers who will see this data irrespective of the connection used, giving them the edge over the SEO firms.

As an end user I am very pleased with this announcement. Hopefully it will reduce some of those annoying ads that seem to follow me based on my prior searches.

Online Privacy is a Myth

Online privacy has become a major concern. With the rapid growth of social media and mobile devices people are spending considerable time on the internet. According to comScore Media Metrix average American net surfers spent 32 hours per month in 2010.

According to the recent Nielsen report, 80% of active internet users visit social networks and blogs. Facebook is the most visited U.S. website. Nearly 40% mobile owners use their mobile phones to access social media content.

The norms of privacy have changed over years. A few years back people were scared to have an online presence but now have gotten savvy enough to put frequent status updates. We have become comfortable sharing our geographic location, associations, education, work history and pictures of ourselves and our loved ones. Friendship is not just limited to people but even to brands. Such information is key to online advertisers who can then target customized ads.

In October 2010, Wall Street Journal broke a story on Facebook how most of the popular Facebook apps had been transmitting people's names and in some cases their friends names to at least 25 advertising and data firms that track online activities of users. RapLeaf was one of such tracking companies that compiles and sells information on users online activities. The company had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells.

Wall Street Journal recently reported that Facebook is nearing a settlement with Federal Trade Commission (FTC) if approved would require Facebook to get explicit consent from its 800 million users before making privacy changes. The probe started when Facebook made changes to users account that exposed their names, pictures and other personal information which the user had specifically confined to specific people. As part of the proposed settlement, Facebook would also submit to government reviews of its privacy practices for 20 years.

Google has had similar issues with its soon to be shut down Google Buzz service where they exposed the users contacts to general public through their profile page without consent. Google entered into a similar pact with FTC on the issue.

Klout, a startup, that integrates with Twitter, Facebook, LinkedIn, Instagram, and many more to measure just how effective one's online presence is also ran into a privacy issue. Klout was creating auto-profiles for users including children who never registered for one with them. After the huge uproar Klout is no longer creating auto-profiles for anyone and user can delete existing profiles.

In the age of social networks its hard to keep yourself off of one so it is critical to understand the impact of information you share online. Understand the privacy settings of your online accounts to adopt tighter privacy control. Here's the disheartening part, even with such settings there is no guarantee. Even though you may not disclose personal information, but your online friends may unknowingly do it, referring to your school or employer, gender, location and interests. Computing power has grown exponentially to correlate all this information to produce a social signature of you which can be quite accurate.

The best advice is to realize that your online activities are more public than you may think and so act accordingly.