The solutions that SRG has devised for Android's security flaws align with Android's security model. With Android, the developer bears the security onus. In the mobile arena this burden is particularly weighty.

Android allows a user to write data to "external storage". External storage includes removable storage media like an SD card and internal storage. Characterize external storage by what it allows, rather than by where it's located. These files are world-readable, they can be modified in USB mass storage mode, and we're explicitly informed "there's no security enforced upon files you save to external storage".

External storage users claim this is appropriate for large non-private data sets, like ringtones or wallpapers. Clearly it is inappropriate for the password used by your mobile banking application. Consider your organization's confidential information, which you received via corporate e-mail on your enterprise-supported Android phone. Such data should not reside in external storage. Fortify's solution alerts the software developer when the application could send your privileged information to this unprivileged place. When sensitive data never reaches unsecured storage, the threat of data theft as described earlier diminishes.

A malicious application on your mobile device will run roughshod over and across your device's software, as it would on your desktop machine. Android provides a mechanism to pen malicious applications, but fails to exercise it. Android demands that an application request permissions at install-time. The user can install or not based on these requested permissions. Certainly a wallpaper program should not request text messaging permission. These promiscuous applications exist. Fortify's solution advises the developer that dangerous permissions are requested, so that developers can create software with a least-permissive set.

For the first time, Fortify's Security Research Group investigated platforms and applications in the mobile space. In an upcoming post, SRG summer intern turned Ph.D. candidate Clint Gibler will detail his foray into iOS. Here we consider general security issues with mobile. We will go on to discuss how these vulnerabilities manifest in Google's Android operating system and applications.

The foremost security flaw with mobile is that you will lose your hardware. You may lose it to theft, you may hand your phone to a nefarious airport personnel for a few minutes as you walk through the metal detector. Moving away from the sinister side of the spectrum, you may inadvertently leave your phone in a bar. You may innocently recycle your phone when you upgrade to the newer model. Regardless of scenario, losing control of your multi-hundred dollar hardware hands over access to gigabytes of your valuable data: your contacts, your stored passwords, sensitive documents riding along as e-mail attachments.

We acknowledge this problem is endemic to mobile. Any data storage platform is a target for theft: a desktop machine, a laptop, thumb drive, or smartphone; even a manila folder. The risk of loss grows as the device size shrinks. Also, the target's value increases in proportion to its capacity. Thirdly, as a device performs more functions, there exist more types of information on it. A mobile phone contains a list of phone numbers, but a web-enabled mobile computing platform can contain this and bank account information and sensitive documents. Hence we believe that a mobile device like an Android-enabled phone lives in an attacker's sweet spot.

No software solution will prevent losing your phone. Fortify's Security Research Group addressed the resultant data loss by ensuring that sensitive data is not written to an unprotected location in Android. As your phone gains more of the functionality of you computer, you must protect it as such. For example, Android provides full support for SQLite databases that an application may use for structured storage. Mostly full, that is; SQLite mostly mitigates your fears of SQL injection, mostly. Analogous to your desktop, your mobile platform opens itself to attack through its software. These security issues - data loss and malware - exist for the Android platform.

Turns out that your average Joe wants technology convenience more than he wants privacy. Make mine a double. If I can trade a little privacy for sensors in the roadways that allow my car to drive me to work hands free, count me in. Come to think of it, I can't think of a single technological advance that didn't involve some privacy concession.

Speaking of conceding privacy, I'll be in the big apple (NYC) on the 30th for two days if you want to get together and talk security, Fortify or software development. You can reach me at jherrington at fortify dot com.