Recently, we found that Android’s debugging feature could be used to steal information from apps running on an Android device. We won’t go into the full details of the problem here, but here is the short version: with some effort, an app can be set up on Android to debug another running app. This debugging app would have access to all the information the debugged app has, so items like user names and passwords are trivial to steal.
Before we go any further, however, we need to be clear about which versions of Android are affected. This vulnerability affects only version 2.3 (Gingerbread) and earlier. Practically all Android devices sold today run newer versions, as Gingerbread was last updated in September 2011. However, Google’s own numbers indicate that more than half of all Android devices in use still run these older, vulnerable versions.
In a way, this problem serves as a microcosm of the issues surrounding the entire Android ecosystem. Let’s divide the ecosystem into three parties: app developers, Google and the telecom companies, and end users. What can each of them do?
In this particular instance, for an app to be vulnerable to being debugged it must have been built as debuggable in the first place (the android:debuggable attribute in its manifest). Debuggable builds of apps should not be released to the public. (Approximately 5% of the apps on the Top Free list are debuggable, so the risk is not insignificant.)
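One way for a developer or reviewer to check for exactly this mistake is to audit an app's manifest for the flag. The following is an added example, not code from the original post; it assumes the AndroidManifest.xml has already been decoded to plain XML (for example with apktool), because the manifest stored inside an APK is in a binary XML format that ElementTree cannot parse directly, and the sample manifests and package names are constructed for the example. The weak setting (android:debuggable="true") is shown beside the hardened form, in which the attribute is simply left unset.

```python
# Added example (not code from the original post): audit decoded
# AndroidManifest.xml files for the android:debuggable flag that leaves
# an app open to the debugging issue described above. Assumes the
# manifest has already been decoded to text XML (e.g. with apktool).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS  # ElementTree's Clark notation


def is_debuggable(manifest_xml: str) -> bool:
    """True if the <application> element carries android:debuggable="true".

    The attribute defaults to false when absent, so only an explicit
    "true" counts. Whitespace and case are normalised defensively; a
    real build emits exactly "true" or "false".
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(DEBUGGABLE, "false").strip().lower() == "true"


def package_name(manifest_xml: str) -> str:
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "<unknown>")


def audit(manifests) -> list:
    """Return the package names of every manifest that is debuggable."""
    return [package_name(m) for m in manifests if is_debuggable(m)]


# Constructed sample manifests; these are not real apps.
# Weak setting: a debug build shipped as-is.
DEBUG_BUILD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shippeddebug">
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Hardened form: the attribute is not set at all, which is the default.
RELEASE_BUILD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.release">
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Also acceptable: the attribute set explicitly to false.
EXPLICIT_FALSE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.explicitfalse">
    <application android:label="Example" android:debuggable="false"/>
</manifest>"""

SAMPLES = [DEBUG_BUILD, RELEASE_BUILD, EXPLICIT_FALSE]

if __name__ == "__main__":
    for pkg in audit(SAMPLES):
        print("DEBUGGABLE:", pkg)
```

Run against the constructed samples, only com.example.shippeddebug is flagged. For a real APK, decode it first (apktool d app.apk) and point audit() at the resulting AndroidManifest.xml; aapt dump badging app.apk also reports an application-debuggable line for debuggable packages.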
More generally, secure development practices for mobile apps are not yet as firmly established as they are for desktop applications. Mobile developers should treat the security of their apps as a requirement alongside features and ease of use.
As we noted above, newer versions of Android are not vulnerable to this issue. However, Android has problems with updates: many users with perfectly functional devices will never receive one and are left at risk.
Of course, all hardware and software eventually becomes obsolete and unsupported. However, many devices were sold with Gingerbread well into 2012 and will probably never be updated to a newer Android version. Again, the lack of a good way to get this fix out to consumers highlights how difficult updating Android can be: it is difficult, if not impossible, to deliver security updates independently of the larger releases that also add features.
As we said back then, Google should consider if it is possible to design Android in such a way that older devices can still receive security updates, independent of mobile service providers and device manufacturers.
The message for users is clear: be careful which apps you download and use on your device. It is quite possible that the “innocent” app you download is in fact malicious. It is very easy to download an app without thinking, but some thought should be given to a) whether the app is a potential risk, and b) whether you really need it in the first place.