Uploaded by Shazia Saif

Google Android OS research project

Android Operating System
Google Android OS is breach-able
[Name]
[Level]
[Course]
Abstract
Android is an extremely popular operating system for mobile devices. The end user is
highly vulnerable to security hacks because Google has left loopholes in its security update
systems. The various versions of Android have not been very capable of handling these issues.
The security of personal, professional and financial data is very important, as these are the most
vulnerable factors. Android-based apps are one big reason for security breaches. There are
millions of apps available in the market. These get installed by the user himself, who gives them
authorization to access the device. What the user doesn't know is that even those which have
passed the Google security test can be highly risky.
This paper is a case study analyzing the security concerns regarding the Android operating
system. The paper has an introduction section, followed by the problems scrutinized in detail and
how Google intends to fight these, with a section for the proposed cure, concluding with what should
be done.
TABLE OF CONTENTS
Abstract
Introduction
Android
Reasons
The Real Problem
What is Google Doing
The Cure
Conclusion
References
Google Android
Mobile devices, the handheld gadgets for communication and data storage, are the way of
the contemporary world. People spend most of their time with these toys and their paraphernalia.
For almost all of us, mobile devices have turned out to be the most imperative tool we possess.
They hold videos, photos, diaries, contacts, emails, employer details, financial contacts and
details, and all types of vital and sensitive information. Users keep relying on mobile apps for
working, socializing, banking, shopping, and routine daily chores. Despite holding such a large
place in a user's life, mobile devices are not secure.
All these mobile devices and apps need a base to run on, and that is called the operating
system. Hackers have been paying a great deal of attention to mobile phone operating systems at
present, especially the operating systems that hold a greater market share. One such system
is the Google Android operating system.
The operating system (OS) is required to protect itself from security breaches, for instance
memory-access violations, the launching of programs with excessive privileges, runaway
processes (i.e. denial of service), stack overflow violations, and innumerable others.
(Cai, 2010) Today, preventing information from being abused and/or stolen is indispensable.
Any programmer can change the source code of the system and may use email records and
pictures to create hostile content, for instance to deceive social and financial accounts.
(Hopkins, 2015) When something like this happens, the OS is upgraded by the product
engineers and a continuous check on security breaches is kept. (TAN, 2008)
This research report is an endeavor to understand the security flaw built into the
Android operating system by Google.
Android
Android is a modern mobile platform that was designed to be truly open. Android
applications make use of advanced hardware and software, as well as
local and served data, exposed through the platform to bring valuable
innovation to users. To protect that value, the platform must offer an application environment
that ensures the security of users, data, applications, the handheld device itself and the network.
Securing an open platform requires a robust security architecture and rigorous security programs.
Android was planned as a platform for developers and was designed with
built-in multi-layered security. The basic idea was to reduce the burden on
developers, especially those who are less familiar with security. Android was also
designed with end users in mind. Users are given visibility into how applications work, and
control over those applications. This design includes the expectation that attackers would
attempt to perform common attacks, for example social engineering attacks to persuade device
users to install malware, and attacks on third-party applications on Android. Android was
designed to both reduce the likelihood of these attacks and greatly limit the impact of the
attack in the event it was successful. (Source.android.com, 2015)
An estimated 50 million Android phones were left defenseless against the Heartbleed bug
in 2014, and after that the 'Stagefright' MMS hack left almost every single Android
phone owner vulnerable to a complete invasion of their phone through a text message that
doesn't even need to be opened. The exposure is scary, but the most frightening thing is that a
good number of these phones will never get patched. These hacks mostly come by means of the
applications these mobile devices and their users are so fond of. While mobile devices face
numerous dangers, application stores like Google Play constitute the most serious ones.
The applications users download, and their subsequent activities, can potentially reveal all data on
the device.
Mobile applications are quickly turning out to be a center point of corporate activity,
empowering workers to consume, create, and share data. In 2014, mobile application usage
represented 86 percent of time spent on mobile devices, up from 80 percent the prior year.
(Perez, 2014) The right mobile applications can make a workforce more productive and agile. The
wrong ones can put its most important resources in danger. Indeed, even as hackers find better
ways to compromise this powerful tool, security of handheld devices remains in its early stages.
Most security teams can't fully account for, let alone monitor, the
vast array of applications that have access to significant corporate information. For
enterprises with little insight into the security dangers faced by mobile devices, and no real
way to manage targeted attacks on mobile devices, apps mean a genuine risk vector. Two
principal platforms dominate the mobile market today: Google's Android and Apple iOS.
Reasons:
Ever Increasing Android Malware
There are at present 1,789,941 Android applications in the market. (Appbrain.com, 2015)
The outcome is the staggering exposure of a tremendous range of smartphones, even the ones
running on the most recent and most secure version of the operating system, Android Lollipop.
(Titcomb, 2015)
Android mobile devices combine the location of the user with personal information,
photographs, and more sensitive business information, contacts, and intellectual property. They
likewise provide a target for attacks. A survey of more than 7 million mobile applications during
2014 demonstrated that mobile device users face dangers on numerous fronts, including:
• Malicious apps stealing information
• Benign apps created in an apprehensive manner
• Benign apps using insecure or destructive ad libraries
• Malware and aggressive adware that pass Google Play checks and are considered safe
• Apps that facilitate identity theft
• Apps that benefit attackers by calling for-fee texting services and phone numbers.
With Android, apps can act like safe apps. Indeed, even some trusted, well-known apps
incorporate uncontrolled adware that gathers a lot of user and device information for
targeted ads. One malware category of importance: Android apps intended to steal financial
information. The total rose almost 500 percent in 2013. There were 1,300 unique malware
samples in December 2013, as opposed to a mere 260 in June 2013.
The Google Android platform has numerous weaknesses that attackers can abuse. Maybe
the most hazardous is the JavaScript-Binding-Over-HTTP (JBOH) vulnerability. A typical
method for loading web content into an Android application is the JavaScript binding technique
known as addJavascriptInterface. Unfortunately this is also weak. When
an Android application invokes the method and loads content into a
WebView over HTTP, it opens the door for attackers to execute code remotely.
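As an added illustration (not part of the original paper), the following Python check shows how a reviewer could flag the JBOH pattern described above in decompiled app sources: a file that registers a JavaScript bridge with addJavascriptInterface and also loads a cleartext http:// URL. The manifest, class names and URLs are constructed samples; the severity split at API level 17, where Android began exposing only methods annotated with @JavascriptInterface, is background knowledge rather than something taken from the paper.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="19"/>
</manifest>"""

SAMPLE_SOURCES = {
    "ArticleActivity.java": """
        WebView view = (WebView) findViewById(R.id.web);
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new ShareBridge(this), "share");
        view.loadUrl("http://news.example.com/article?id=" + id);
    """,
    "HelpActivity.java": """
        WebView view = (WebView) findViewById(R.id.help);
        view.addJavascriptInterface(new HelpBridge(), "help");
        view.loadUrl("https://help.example.com/index.html");
    """,
    "AboutActivity.java": """
        WebView view = new WebView(this);
        view.loadUrl("http://example.com/about.html");
    """,
}

# Heuristic, per-file patterns: a bridge registration and a cleartext page load.
BRIDGE_RE = re.compile(r"\.addJavascriptInterface\s*\(")
HTTP_LOAD_RE = re.compile(r'\.loadUrl\s*\(\s*"(http://[^"]*)"')


def min_sdk(manifest_xml):
    """Return android:minSdkVersion; Android treats a missing value as 1."""
    node = ET.fromstring(manifest_xml).find("uses-sdk")
    if node is None:
        return 1
    return int(node.get(ANDROID_NS + "minSdkVersion", "1"))


def audit_jboh(manifest_xml, sources):
    """Flag files that expose a JavaScript bridge to content fetched over HTTP."""
    # Below API 17 every public method of the bridged object is reachable from
    # page script; from 17 on, only methods marked @JavascriptInterface are.
    legacy = min_sdk(manifest_xml) < 17
    findings = []
    for name, code in sorted(sources.items()):
        if not BRIDGE_RE.search(code):
            continue  # no bridge: page script cannot call into Java
        urls = HTTP_LOAD_RE.findall(code)
        if urls:  # bridge plus cleartext load: a network attacker controls the script
            findings.append({"file": name, "urls": urls,
                             "severity": "critical" if legacy else "high"})
    return findings


if __name__ == "__main__":
    for finding in audit_jboh(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

Only ArticleActivity.java is reported: HelpActivity.java loads its page over HTTPS, and AboutActivity.java registers no bridge. The usual remediation is to load bridged content over HTTPS only, or to remove the bridge.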
Android Adware
Adware is software that delivers advertisements for profit. While adware is not in
itself harmful, it frequently and aggressively gathers personal data from the mobile devices it's
installed on: name, date of birth, locale, contacts, serial number, and even the bookmarks in
browsers. Frequently, this information is gathered without users' consent. Application widgets,
arcade-game applications, and communication applications contain adware. That is
because they contain rich data about a user's profile and interests, which makes them
ideal for ad targeting. Push-notification ads show advertisements as a notification
from Android's system. They catch the attention of the user, though they should be rejected to
avoid irritation.
The real problem…..
A few mistakes made by the Android developers are highlighted here:
• If an application wants to access high-privileged APIs or wants to obtain user data, that
app has to get authorization from the end user. And somehow the majority of users grant
whatever was asked arbitrarily. The application developer adds the needed permissions
to the AndroidManifest.xml file. As the first step of installation, the app prompts the user to
grant or reject the explicit permissions required by the application. The user can also be
easily tricked into uninstalling a genuine application and installing a counterfeit,
malware application.
• Zones in Solaris style would have been perfect for this. Unfortunately, there are no lightweight
virtual machines. Solaris zones were put into operation to support more than a few
diverse user identities, for instance one for ordinary use and one for banking
applications.
• Surprisingly, Java VM execution is extremely intricate and is a constant source of
security problems.
• The Android operating system is based on the Linux kernel, which is also very complex and has
fewer modern security mechanisms. Likewise, the addition of Solaris RBAC would be
a good idea. Although the addition of SELinux in version 4.3 was delayed,
security might nevertheless improve.
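The first point above is that users approve whatever AndroidManifest.xml requests. As an added example (not from the original paper), this Python audit reads the requested permissions from a manifest and reports the ones a reviewer did not expect for that kind of app, grouped by the threats the paper lists: for-fee texting and calls, and data theft when the app can also reach the network. The flashlight manifest and the expected-permission baseline are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that can run up charges (the for-fee texting and calling threat).
BILLABLE = {P + "SEND_SMS", P + "CALL_PHONE"}
# Permissions that read personal data; riskier when the app also has network access.
DATA_SOURCES = {P + "READ_CONTACTS", P + "READ_SMS",
                P + "ACCESS_FINE_LOCATION", P + "READ_PHONE_STATE"}
EGRESS = P + "INTERNET"

# Constructed sample: a flashlight app asking for far more than the camera LED.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (node.get(ANDROID_NS + "name") for node in root.iter("uses-permission"))
    return {name for name in names if name}


def audit_permissions(manifest_xml, expected):
    """Report (risk, permission) pairs for requests outside the reviewer's baseline.

    `expected` is a hypothetical baseline: what the reviewer thinks an app of
    this kind legitimately needs.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = requested - set(expected)
    findings = [("toll-fraud", perm) for perm in sorted(unexpected & BILLABLE)]
    # Reading personal data is only an exfiltration path if the app can send it out.
    if EGRESS in requested:
        findings += [("data-exfiltration", perm)
                     for perm in sorted(unexpected & DATA_SOURCES)]
    return findings


if __name__ == "__main__":
    for risk, perm in audit_permissions(SAMPLE_MANIFEST, {P + "CAMERA"}):
        print(risk, perm)
```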
What is Google doing????
According to mobile security experts, there are two major security risks in the Android environment:
• The Google Play Store
• The fragmentation of devices and OS versions
The Google Play Store's risks:
Android is a genuinely open OS, and that makes it dangerous. Unlike Microsoft
Windows Phone or Apple iOS, there is no walled environment, and this leads to potential
security vulnerabilities when not administered soundly. With Google Play, there is a higher rate
of applications that contain malware, or social engineering to connect to malware, than
any other application store by an order of magnitude. It's not a well-policed
environment, and these problems keep creating resistance to greater adoption of
Android in the enterprise. When users download applications from Google Play, they regularly don't
pay attention to the extent of permissions an application can have on their device. And as
a general rule, applications request more permissions than they truly require. The
security vulnerabilities affecting Android devices can bring about real performance issues and
data loss, not simply minor inconveniences. Andrew Borg, research chief for
enterprise mobility and collaboration at research firm Aberdeen, says there are a few appalling
cases that justify IT's strong dislike for Android, regardless of its immense popularity among
users. This is a clarion call that security can't be underestimated; and these [Android security]
issues are exaggerated. (InfoWorld, 2013)
Recently Google launched Google Play services 8.3, focused on user identity.
They claim to have redone the Sign In with Google APIs to make implementation simpler and give
users a streamlined experience. For one thing, the new Google Sign-In no longer requires the device
accounts permission, a major win. Also, to make signing in easier across
devices, whether the user uses Google Sign-In or still has password-based authentication,
the Smart Lock APIs got some important upgrades. They've added a new API method to
show a dialog that helps the user select a previously used
email address to pre-fill sign-in. If the entry the user picked matches an
account on the device, Google can provide a verified email address in the hint, which you can
use to skip email verification and authenticate the user if the system can support ID tokens, like
Google Sign-In. For location determination, Google Play services provide a
Fused Location Provider (FLP), which abstracts the underlying location sensors, for example WiFi, GPS,
and the radio signal, into a single easy API. Google has made a few changes to the FLP with
regard to batching. Prior to version 8.3, the batch location APIs would allow the FLP to
save power by consolidating network traffic, yet when an application removed a batching location
request, the batch would be cleared. The user may not want this behavior, so Google has
added an API that can return any batched locations immediately. With Google Play
services 8.3, Google has updated the DataApi to address the need for urgency in
syncing data. Now, priority can be added to the data to decide when it ought to be
synced. (Meier, 2015)
Interestingly, Google is NOT doing much to save millions of Android OS users.
The risks of Android's fragmentation:
The Android platform also suffers from the issue of fragmentation: there are numerous
versions of Android in the market, even on current devices. Manufacturers frequently make
their own changes to Android, so they could be behind Google's current reference release.
What's more, manufacturers and carriers may not upgrade their devices' Android version
when Google does, or they take months or even years to do so. Consequently, many
people within the same organization may be using outdated versions that could be loaded
with security vulnerabilities. People focus on the malware dangers of Android, but
arguably the more serious danger is created by fragmentation, which results in diverse user
experiences. This variety of user experiences makes it difficult to educate staff at an
organization about how to take security measures, because the experience on
every device is different. Research shows that a majority of Android device users
worldwide have mobile devices that lack the current and latest versions of the operating
system. A large percentage of mobile devices and operating systems have glaring
security shortcomings. If users have older versions of Android,
vulnerabilities may be left unpatched and new features of the operating system won't
reach them. For instance, one can possibly address the security holes for the HTC One,
but that might not apply to an older Samsung device. The
fragmentation issue increases the attack surface; as a result, there's no single security
solution that will fit the majority of variations of Android.
There are a few who trust the Android operating system's security foundation and blame the end
users. Android as an operating system is extremely secure. It has multiple layers of protection
to keep malware in check, and it requires specific permission from the user to do nearly
anything that could lead to their data or the system being compromised. On the other
hand, Android is an open system that trusts the user and its developer community to make
the best decision. If one wants to, one can give away a great deal of
permissions, and even access to deeper parts of the system if the mobile device
is rooted. Android tries to protect users from themselves, yet if the user pushes
it, it lets them have the last say on what to install (and from where, such as
unknown sources beyond the consistently managed walls of Google Play) and who to grant
permissions to.
The figure shows the different layers of security that make it an extremely safe operating
system.
This figure portrays the percentage of permission when an app gets installed. While
getting installed, an application needs to get through Google Play or an unknown-sources warning
(if it's enabled on the mobile device of the user), and a user who approves
the installation. Beyond that, it needs to get past Google's "Verify Apps" security
feature, which checks an APK against its own database of malware before it can be installed
(more on this later). Then the application is sandboxed and limited to the permissions
granted to it, and Android's own security checks run again whenever the
application runs. The finishing touch: Android has defenses...to protect itself, not your data.
(Henry, 2013)
Recently BlackBerry has relaunched with Android as the operating system. The decision
was long awaited, as they needed a secure base, and with a few changes for differentiation
they believe that Android OS is the safest. (VentureBeat, 2015)
The three improvements that predominantly stand out on the security front:
• A secure compound has been added, which is a unique BlackBerry area of firmware that runs
beneath Android, makes it invulnerable to Android weakness problems, and handles
operations such as verifying the integrity of the Android operating system itself
• Verified Boot and Secure Bootchain, using the embedded keys to authenticate every
layer of the device to make sure they haven't been corrupted
• To improve security, modifications were added to harden the Linux kernel with patches and
configuration changes
The Cure:
Harmful applications can steal financial details, emails can be copied, and VPN
credentials can be harvested. Adware can gather personal contact details, observe all
installed applications, and track GPS coordinates. What's more, even in non-malicious
applications, mistakes may be made. Developers unwittingly write defective code that
leaves the application open to attack. The major application stores are endeavoring to spot and
reject harmful applications. Yet attackers will keep staying ahead of security checks.
Third-party application stores, while offering applications not available elsewhere, create a
safe harbor for many more malicious applications.
Providers of application stores, application developers, users and organizations must better
understand the risks they face on mobile devices. Above all, users must pay
careful attention to application behaviors. Organizations must consider mobile devices a key
endpoint. What's more, both sides must make applications that are comprehensive and secure.
• Users should disable app downloads from unidentified sources
• Upgrading to Android 3.0 or above is particularly recommended
• Anti-malware apps can also help
• Connecting to unsecured, anonymous Wi-Fi networks is not recommended
• A remote wipe/lock app should also be installed
• An extra encryption layer can keep all sensitive data safe
• The Chrome browser is recommended
Conclusion
Google has additionally tried its hand at protection for all applications regardless
of the source. This includes a technology code-named "Safety Net" that
detects and protects against non-application-based security threats, for example network
attacks. Users who use Verify Apps may likewise upload applications to Google to improve
detection of Potentially Harmful Applications from sources outside of Google Play. It is the
obligation of the device makers and carriers. They seem to profit their businesses from Google,
giving no attention at all to the security of the users.
It has been announced that organizations like Sony and Samsung, LG and HTC will be the
ones to send security updates periodically; however, this will likewise not solve the issue for
a vast number of users, as the central issue is different. Such firms will need to join hands with
one another, relinquishing their competition, and they must work together with the wireless
carriers in order to deliver security updates to users and make their
mobile devices safe.
References
Appbrain.com. (2015). Number of available Android applications - AppBrain. Retrieved 6 November 2015, from http://www.appbrain.com/stats/number-ofandroid-apps
Cai, Y. (2010). Mobile wireless middleware, operating systems, and applications. Berlin: Springer.
Henry, A. (2013). How Secure Is Android, Really?. Lifehacker. Retrieved 7 November 2015, from http://lifehacker.com/how-secure-is-android-really1446328680
Hopkins, P. (2015). Operating System Security. Engineering & Technology Reference. http://dx.doi.org/10.1049/etr.2014.0035
InfoWorld. (2013). A clear-eyed guide to Android's actual security risks. Retrieved 6 November 2015, from http://www.infoworld.com/article/2609338/android/aclear-eyed-guide-to-android-s-actual-security-risks.html
Meier, R. (2015). What's new in Google Play services 8.3 | Android Developers Blog. Android-developers.blogspot.com. Retrieved 6 November 2015, from http://android-developers.blogspot.com/2015/11/whats-new-in-google-playservices-83.html
Perez, S. (2014). Mobile App Usage Increases In 2014, As Mobile Web Surfing Declines. TechCrunch. Retrieved 6 November 2015, from http://techcrunch.com/2014/04/01/mobile-app-usage-increases-in-2014-asmobile-web-surfing-declines/
Six, J. (2012). Application security for the Android platform. Sebastopol: O'Reilly Media.
Source.android.com. (2015). Security | Android Open Source Project. Retrieved 7 November 2015, from https://source.android.com/security/index.html
TAN, L. (2008). Trusted objects in trusted operating system. Journal Of Computer Applications, 28(5), 1186-1189. http://dx.doi.org/10.3724/sp.j.1087.2008.01186
VentureBeat. (2015). BlackBerry talks Priv security, privacy, and why Android now. Retrieved 7 November 2015, from http://venturebeat.com/2015/11/06/blackberrytalks-priv-security-privacy-and-why-android-now/