Manage Learn to apply best practices and optimize your operations.

Do rogue mobile apps threaten Android device security?

Michael Cobb discusses how an Android device security flaw may open the door for rouge mobile apps.

I read about rogue applications that can disable passwords and other locks on Android devices and leave the device vulnerable to attacks. What can my enterprise do to keep these devices safe?

Android devices can be locked and unlocked in a variety of ways, including PIN locks, passwords, gestures and facial recognition. Before a user can change these settings, the device asks for confirmation of the previous lock. For example, if a user wants to change the PIN or remove it, he or she must first enter the existing PIN. However, IT security firm Curesec has released two proof-of-concept apps that execute the code required to remove any device lock without needing to get permission from the user. The issue, described as a permission bypass design error, means that a rogue Android app could be used to disable a device's security lock, leaving it vulnerable to future attacks.

The flaw, CVE-2013-6271, is present in Android OS 4.2 (Jelly Bean) and can be found in the com.android.settings.ChooseLockGeneric class. This class allows the user to modify the type of lock mechanism the device should use, but the intended program flow can be circumvented, enabling an attacker to bypass the confirmation stage. While Google has included a fix for the vulnerability in Android 4.4 (KitKat), Google estimates that more than 97% of existing Android devices are running on an older operating system and therefore still susceptible to attack from a rogue mobile application.

Fortunately, exploitation of this Android device security vulnerability requires a highly targeted attack. A user would have to be tricked into installing a malicious app to turn off the locking mechanism, and then the attacker would have to physically steal the device. While this probably isn't a likely scenario for most users, there are a number of measures that all mobile users should adopt to ensure mobile security.

All devices should have data encryption turned on and a remote wipe option enabled. In the enterprise, end-user training should emphasize information asset ownership and physical security awareness to reduce the risk of theft or misuse. Given the amount of data most users have on their smartphones, setting them to automatically lock when not in use should be covered in an enterprise bring your own device/mobile device security policy.

A mobile device management product can also help enforce BYOD policies and block the installation of new, potentially malicious apps. Security awareness training can also stress the dangers of downloading apps that haven't been vetted and approved by the IT department, particularly as malicious apps are becoming more and more common both outside and inside the Google Play store.

Ask the Expert!
Have a question about application security? Send it via email today! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on BYOD and mobile device security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.