Researcher: Android may not need antivirus software
IDG News Service - Antivirus developer SMobile released software this week to protect users of the G1 Android phone, although one security analyst wondered if people really need it.
Even though Android, the software developed by Google Inc. and running on just one phone sold by T-Mobile USA Inc., is open source, it is unlikely to be more susceptible to malware than other, proprietary mobile operating systems, said Charlie Miller, principal analyst at Independent Security Evaluators LLC and the researcher who found the first Android vulnerability.
While a developer could write a harmful application and distribute it via the Android Market, Google has put up some roadblocks that would make it hard for malware to cause much harm, Miller said. "If you want to do anything dangerous like access personal contacts, you have to specifically say to the virtual machine 'these are things I'm going to have to do,' and the virtual machine will ask the user if that's OK," he said. Android applications run in a Java virtual machine on the phone.
For example, if a user downloads a Scrabble game containing malicious code that tries to gather information from his e-mail account, the phone will ask the user to approve the application's access to the e-mail account. In that case, the user should decline the download, realizing that a Scrabble game shouldn't need to read from an e-mail account, he said.
Just this week, however, hackers discovered a way to install applications natively on the phone instead of using the virtual machine. The capability could open doors to new security threats by letting applications access any phone function. Google said it has developed a fix for the bug and plans to push it out to users soon.
That is the second vulnerability to be discovered in as many weeks. The first, discovered by Miller, resulted from Google using outdated open-source code that didn't include an update already issued that closed the hole. But such vulnerabilities aren't unique to Android or open-source software. "The fact is, you could do that against the iPhone or against the BlackBerry or whatever. All these phones have issues," he said.
SMobile has argued that because Android is open source, it will attract more hackers who will be able to look for holes they can exploit to gather user data for malicious purposes.
While companies such as McAfee, Symantec and F-Secure make antivirus software for smart phones, although not yet for Android, only a few mobile viruses have appeared, and those haven't spread very far. That's partly because of the wide variety of operating systems that run mobile phones. A virus written for one operating system doesn't spread widely because it won't work on phones running different operating systems.
- Review: The T-Mobile G1 'Google phone' is a tweaker's delight
- Video: G1 buyers like 'open' Android software
- John Brandon: T-Mobile G1 -- a real Web 2.0 stunner
- Motorola prepares its Android phone
- The Android fine print: Kill switch and other tidbits
- G1 Android phone is only half 'open,' with T-Mobile lock-in
- Android about advertising, not the enterprise
- Android-Amazon music deal should worry Apple, analyst says
- FAQ: What T-Mobile's Android G1 phone will do for you
- John Brandon: T-Mobile G1 with Google Android is Smartphone 2.0
- Seth Weintraub: Ten areas where Android could make waves vs. iPhone
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts