Microsoft's Windows operating system spent close to two decades as the 'problem child' of the IT world - ubiquitous, buggy and easy to hack. But this week brought more evidence that Google and its Android mobile operating system may be taking that mantle from the Redmond, Washington, software giant.
Two stories this week highlighted Android's mounting security problems. First, researchers at Kaspersky Lab reported evidence that unknown assailants had used an Android application as bait in a targeted attack on Tibetan and Uyghur activists. Those communities have been the target of frequent, sophisticated attacks, which are believed to have the backing of the Chinese government.
Writing on Tuesday, Kaspersky researchers Costin Raiu, Kurt Baumgartner and Denis Maslennikov reported that a malicious, information-stealing Android application was pushed to attendees at the World Uyghur Conference in Geneva, Switzerland. The application, which was delivered in e-mail as an APK-format file, masqueraded as a conference-specific Android application, but pilfered information from infected phones, including the victim's contacts, call logs, SMS messages, geolocation and phone information.
The attacks were launched from the e-mail account of a Tibetan activist who had been hacked, and relied solely on social engineering to compromise victims. Kaspersky said it was the first known example of a targeted attack using a mobile phone application as bait, though there has long been evidence that cybercriminal and nation-backed groups were experimenting with such attacks. Android is a natural choice for this type of attack, given the more open application ecosystem that allows application installs outside of Google's official Google Play application store.
The other bad news for Android users came by way of ViaForensics, which published an analysis of a popular Android scheduling and task management application, Any.DO. That app has more than one million downloads from Google Play, and 50,000 reviews.
The application also has serious and exploitable security holes, including a vulnerability that would allow an attacker to conduct a "man in the middle" attack on Any.DO users. ViaForensics said its analysis of the application revealed that the Android version of Any.DO failed to properly validate SSL (Secure Sockets Layer) communications, leaving users vulnerable to man-in-the-middle attacks. The application was also found to store user passwords in plain text, along with other sensitive data including usernames, tasks, dates, times, emails and task data. The security holes present a "significant security risk to users," said Andrew Hoog, ViaForensics' CEO, in the blog post.
Contacted by ITworld, Hoog said that the man-in-the-middle vulnerability in the Any.DO application should be a concern to organizations, not just Any.DO's users.
"People reuse user names and passwords. There are a lot of unprotected wifi networks that an attacker can use to set up a man in the middle attack. And this is the kind of application that's used by non-technical consumers. They're not going to be sitting there worrying about security," he said.