Android Security: Google’s Application Verification Service "Nascent," Lacking.

According to a researcher at North Carolina State University (who’s been quite prodigious when it comes to Google Android security issues), Android’s application verification in Jelly Bean (Android 4.2) is a welcome feature but is still lacking when it comes to mobile security. He does, however, appear to foresee an improvement. For the time being, it looks like third-party mobile security programs are still necessary on the world’s most popular mobile platform.

What is Application Verification?

Google’s application verification (app verification) is a security enhancement that “can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.”

How does it work?  According to Dr. Jiang at NCSU,

When an app is being installed (Step 1), the service, if turned on, will be invoked (Step 2) to collect and send information about the app (e.g., the app name, size, SHA1 value, version, and the URL associated with it) as well as information about the device (e.g., the device ID and IP address) back to the Google cloud (Step 3). After that, the Google cloud will respond with a detection result (Step 4). If the app is not safe, the user is then shown a warning popup (Step 5) flagging the app as either dangerous or potentially dangerous. Dangerous apps are blocked from being installed, while potentially dangerous ones instead alert users and provide an option to either continue or abort the installation (Step 6) with a warning popup.

The original site has a helpful diagram.

Does it Work?

According to Dr. Jiang, it does, but it has a detection rate of 15 percent when run against malware samples obtained via the Android Malware Genome Project. If the figure appears low to you, you’d be right. When a separate test was run using randomly selected malware, the detection rates for third-party security tools ranged from 51% to 100%, whereas Google’s app verification detected 20% of the malware.

One of the problems appears to be how Google’s app verification detects malware signatures:

our study indicates that the app verification service mainly uses an app’s SHA1 value and the package name to determine whether it is dangerous or potentially dangerous. This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it).

Another problem is Google’s set of known malware: “it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names).”
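The fragility described in the quoted study, shown as an added example (not code from the original post, the NCSU study, or Google): a lookup keyed on whole-file SHA1 plus package name is run next to an assumed alternative that matches on per-entry content hashes. The archives, package names, function names and the 0.6 threshold are constructed for illustration.

```python
import hashlib
import io
import zipfile

def build_apk(entries):
    """Build an in-memory zip standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in sorted(entries.items()):
            # Fixed timestamp keeps the archive bytes deterministic.
            z.writestr(zipfile.ZipInfo(name, date_time=(2012, 12, 1, 0, 0, 0)), data)
    return buf.getvalue()

def entry_hashes(apk):
    """SHA-256 of each entry's contents, skipping the signature directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {hashlib.sha256(z.read(n)).hexdigest()
                for n in z.namelist() if not n.startswith("META-INF/")}

def verdict_by_checksum(apk, package, blocklist):
    """Lookup keyed on (whole-file SHA1, package name), as the quoted study describes."""
    key = (hashlib.sha1(apk).hexdigest(), package)
    return "dangerous" if key in blocklist else "no warning"

def verdict_by_overlap(apk, known_entry_sets, threshold=0.6):
    """Assumed alternative: Jaccard overlap of entry hashes with known samples."""
    mine = entry_hashes(apk)
    for known in known_entry_sets:
        union = mine | known
        if union and len(mine & known) / len(union) >= threshold:
            return "potentially dangerous"
    return "no warning"

# Constructed stand-ins: a known-bad sample, the same payload re-signed with one
# extra file, and an unrelated app. None of this is real malware or real APK data.
PKG = "com.example.sample"
BASE = {"AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
        "classes.dex": b"constructed-dex-bytes", "res/raw/a.bin": b"constructed-resource"}
KNOWN = build_apk({**BASE, "META-INF/CERT.RSA": b"signer-A"})
REPACKED = build_apk({**BASE, "META-INF/CERT.RSA": b"signer-B", "assets/pad.txt": b"x"})
BENIGN = build_apk({"AndroidManifest.xml": b"<manifest package='com.example.other'/>",
                    "classes.dex": b"other-dex-bytes"})
BLOCKLIST = {(hashlib.sha1(KNOWN).hexdigest(), PKG)}
KNOWN_SETS = [entry_hashes(KNOWN)]

if __name__ == "__main__":
    for label, apk in (("known", KNOWN), ("repacked", REPACKED), ("benign", BENIGN)):
        print(label, verdict_by_checksum(apk, PKG, BLOCKLIST),
              verdict_by_overlap(apk, KNOWN_SETS), sep=" | ")
```

The overlap check only helps when most entries survive repackaging unchanged; it does not replace static or behavioral analysis of the code itself.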

For the time being, it looks like users of Android devices should take a good, hard look at what they’re installing and consider the use of security apps, including those that come with AlertBoot’s MDM software for Android and iPhone.
