Android smartphones: hack me if you can


Most of us can't live without a smartphone, and that huge popularity and growth indicate that mobile phones will become a prime target for cybercriminals. More companies are coming out with smartphone protection against viruses, theft, and even protection from users themselves who lose their smartphones. In the UK, a mobile phone is stolen every 12 seconds. If a person's phone is stolen, it becomes increasingly important to have the ability to locate it or to wipe data from it. Add to that mix a security firm that is so confident of its mobile security software that it issues a dare to hackers everywhere.

Hackers tend to be overly curious individuals who like challenges. It is like issuing a dare when companies label their products as unhackable, hacker-safe, or hack-proof. "Can't" is rarely in a hacker's vocabulary. In Australia, the Department of Education handed out netbooks that it claimed were "unhackable." That, of course, prompted many students to attempt hacking them.

As soon as someone says you can't hack this, some hacker will become determined to hack it. It might be a very smart marketing ploy because thousands of hackers will try to crack it. Before a company tosses in a prize or prize money to any individual who can hack their product, that company is feeling secure about their security. An example is Wireshark, which dared hackers to crack its Firegate security platform, dangled the bait of $24,000 in prize money, and then kept the challenge open for 90 days. "In the end, no one - including former National Security Agency employees who tackled the challenge - was able to claim the prize money."

Now mobile security experts, Blackbelt, are daring hackers to crack its new Android Antitheft product that allows users to lock, wipe, or locate their mobile phone. Blackbelt says, "Entrants must break into the Antitheft-installed devices, which will be hosted online by Perfecto Mobile, and recover several pieces of information in order to prove that they have cracked the lock." However, Blackbelt is so confident of their Antitheft software, the hack me if you can challenge will give away a HTC Desire HD handset prize to the hacker that provides the best feedback, after they have failed to crack the software. Can you beat the Blackbelt?

If you have a smartphone, then you certainly need to install some sort of security solution. The open source Android platform is particularly popular. Gartner research predicts that by 2012, 80% or more of commercial software packages will include open source technology. Google reports that more than 1/3 of users, 36.2%, run the Android operating system called Froyo. According to Google, over 200,000 Android smartphones are activated each day. Google Apps launched new administrative controls to allow enterprise admins to enforce data security policies on phones running the Android 2.2 platform. Administrators can access and push corporate policies like passwords or remotely wipe data from mobile devices.  

Software security firm Coverity, whose scan was originally initiated with the U.S. Department of Homeland Security, downloaded Android code from HTC's developer site, scanned and then analyzed Froyo. This year, Coverity focused on the Android kernel 2.6.32 codenamed Froyo, specifically the HTC Droid Incredible. The 2010 Coverity Scan Open Source Integrity Report uncovered "359 defects in total and of these, 88 of the defects were 'high risk', which includes memory corruption, resource and memory leaks, and uninitialized variables."

Android uses the Linux kernel, yet it has a higher defect rate than mainstream Linux. The "Android kernel" defect rate is 0.47 defects per 1,000 lines of code, but it is lower than the industry average of one defect per 1,000 lines. One of the biggest problems seems to be determining whose responsibility it is to fix the defects.

Coverity reported [PDF], "Accountability for Android software integrity is fragmented. The problem is no different with Android than what we see across open source. Android is based on Linux, which has thousands of contributors. Compound that with the Android developers from Google, the contributors to Android from the larger development community, and OEMs that supply components for specific configurations of Android to support different types of devices, and the lines of accountability are quickly blurred."

We all love our smartphones. Whether you might be a developer who could help fix some of the Android security flaws, or a hacker who is compelled to crack software based upon a dare... I encourage you to go forth and conquer.
