Saturday, February 18, 2012

Five Security Enhancements to Android


Kudos to the Android security team for Bouncer. Hopefully the features below are on your radar and will be delivered soon.

1. Many Android apps request permissions upon install. Here are a few permissions: reading your contact list, sending SMS or text messages on your behalf, and reading network state. Often when I read the permissions an app requests, I question whether it really needs a given permission. Often, I am tempted to grant the app only some of the permissions and deny the others. Alas, Android does not allow selective permission grants. My only choice is either not to install the app or to grant the app all the permissions it requested and suffer.

2. Stop malware-infected apps from getting into the marketplace and run all the necessary security checks (white/blacklisting/heuristics) when an app is downloaded to a user's device. The Android marketplace needs to further improve developer validation and further limit nefarious apps from getting into the marketplace. Stronger checks, audits and continual checks of both the app and the developers will help.

3. Simplify permissions: The security model relies on the Java security model and sandboxing. This model is not suitable for the problem at hand. The permissions encode the resource being protected and the action along with the permission name. The security permissions are runtime permissions, and consequently developers don't write defensive code to deal with the scenario where the permissions are not granted to the app. They simply rely on the default runtime failure. With defensive programming, developers will gracefully code for the cases when the functionality is not available because of denied permissions.

4. Make permission grants one-time and allow permission grants to expire. Often apps request permissions that I am hesitant to grant. However, I might be OK with granting that permission for the next 1/2 hour or just this once. Just like in real life, I should be able to grant permissions just this once and have them expire.

5. App notifications: Many apps send notifications on updates. The app-specific settings often include controls for these notifications. I have seen some apps where the control for app-specific notifications is either missing or inadequately offered in the app-specific settings. A feature to control all notifications, available in the top-level Android settings, would be very useful.

While #5 isn't a security feature, I couldn't resist listing it here since it has been my bete noire of late.
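
The defensive coding that item 3 asks for, as an added example that is not part of the original post: a hypothetical `ContactNameReader` helper that checks for `READ_CONTACTS` before querying and also catches the `SecurityException` the contacts provider throws, so the caller can disable the feature instead of crashing. The class and its `Result` type are assumptions made for illustration; the Android calls are the platform's own.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.provider.ContactsContract;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper: reads contact names, degrading gracefully without READ_CONTACTS. */
public final class ContactNameReader {

    /** Carries the data plus whether the permission was available, so the UI can adapt. */
    public static final class Result {
        public final boolean permissionGranted;
        public final List<String> names;

        Result(boolean permissionGranted, List<String> names) {
            this.permissionGranted = permissionGranted;
            this.names = names;
        }
    }

    public static Result read(Context context) {
        // Check up front so the caller can hide or disable the feature.
        if (context.checkCallingOrSelfPermission(Manifest.permission.READ_CONTACTS)
                != PackageManager.PERMISSION_GRANTED) {
            return new Result(false, Collections.<String>emptyList());
        }
        List<String> names = new ArrayList<String>();
        Cursor cursor = null;
        try {
            cursor = context.getContentResolver().query(
                    ContactsContract.Contacts.CONTENT_URI,
                    new String[] { ContactsContract.Contacts.DISPLAY_NAME },
                    null, null, null);
            // query() can return null when the provider is unavailable.
            while (cursor != null && cursor.moveToNext()) {
                names.add(cursor.getString(0));
            }
        } catch (SecurityException e) {
            // The provider enforces the permission itself; handle a denial the same way.
            return new Result(false, Collections.<String>emptyList());
        } finally {
            if (cursor != null) cursor.close();
        }
        return new Result(true, names);
    }
}
```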

1 comment:

Android app development said...

I like your blog application. This is one of the suitable posts. I like your blog creativity.
Android app developer