Google Glass may be coming to a face near you very soon, and it has gotten a lot of attention as a new way to interact with the world and, to be sure, as a device with significant privacy implications. Less has been said about security, but there are good reasons to put that concern high on the list.
In June, Juniper Networks published its “Third Annual Mobile Threats Report,” painting a grim picture of a mobile-security landscape in which, Juniper says, “the threat of mobile malware is growing exponentially.” The alarming level of growth is borne out by the specifics: In the year since Juniper released its 2012 report, total malware in the mobile sphere had grown by 614 percent. That increase followed a jump of 155 percent in the previous year.
Where the Malware Is
The news may be bad for mobile devices as a whole, but the worst news is reserved for devices that are part of the Android universe. Android is the target for 92 percent of all malware aimed at mobile devices, a significant increase from its 47 percent share in 2012 and its 24 percent share in 2011.
Android’s large share is hardly surprising. Malware, after all, goes where the market is, and more than two-thirds of smartphones shipped in 2012 were Android phones. By 2017, analysts expect annual shipments of Android phones to reach 1 billion.
Perhaps Android is paying the price for its relative openness, and users are willing to accept the trade-offs as inevitable. Although iOS has its own significant vulnerabilities, Apple lives in a world that is much less open, and the company says little about security issues. It does, however, take full charge of iOS security. At the very least, iOS is a target that takes more effort to penetrate, and malware authors tend to prefer the quickest and simplest routes. Android gives them a line of least resistance.
In addition to their popularity, two other factors make Android devices vulnerable, and both are related to the risks inherent in a relatively open system.
The first factor stems from the nature of Android attacks. Some 96 percent of all attacks arrive in just three forms. SMS Trojans, a category that includes programs that send hidden text messages to premium services, account for 48 percent of all attacks. Fake installs make up 29 percent of those attacks and Trojan spyware makes up 19 percent. In all, SMS-based malware accounts for 77 percent of Android attacks.
These facts have not escaped Google’s notice. The company’s latest version of Android, Android 4.2 or “Jelly Bean,” deals with the SMS threat. More than six months after its release, however, it is running on only 4 percent of all Android devices.
In other words, 77 percent of all threats would be mitigated if users upgraded their operating systems.
Even if users faithfully updated their devices, however, that might not be enough. There are multitudes of Android devices produced by many manufacturers, and each of those manufacturers must adopt each update, adapt it to their own hardware and, only then, push it to their users.
The Application Marketplace
Apple’s App Store has earned its share of criticism, taken to task for arbitrarily pulling legitimate apps from time to time, but, compared to the Android marketplace, Apple runs a tight ship. It has set relatively high barriers to entry, and it scans apps for malware before they’re published.
The Android marketplace is less controlled. Even within Google Play, a developer need submit only a Google account credential and a small registration fee before releasing an app onto the world. Only after the app is published does Google scan for malware, and one study, based on 2012 research from North Carolina State University, reported that Google’s scanning tool detected malware at a rate between 15 percent and 20 percent.
That’s hardly comforting for users, but at least Google is said to act quickly once a problem is found. However, Google Play is only a small part of the Android ecosystem. Outside official channels, according to Juniper, malware can be found at more than 500 Android app stores run by third parties.
The Glass Frontier
Where does this leave Google Glass? It is, after all, another iteration of the Android system. As a result, it’s likely to have the vulnerabilities that attach to any Android device. Its particular issue stems from the sheer quantity of information it captures and the nature of that information. Its front-facing camera, after all, has access to everything you see, including not only a first-person view of your latest motorcycle adventure but a first-person view of your fingers pushing buttons at the local ATM.
Google Glass is not yet popular enough to have become a specific vector for malware attacks, but it stands to reason that users can protect themselves by paying attention to the same principles that apply to Android in general.
An up-to-date operating system is a start, and keeping current may be a little easier when users are not dealing with multiple manufacturers.
It also makes sense to be mindful of the source of applications. When even Google Play is vulnerable, third-party sources will always have the potential for greater risk. At the same time, the system’s openness has advantages, even in terms of security. Users should take advantage of the security software that’s readily available throughout the Android ecosystem.
Beyond that, the usual caveats apply. Protect yourself with passwords, and make those passwords strong. Since the bad guys are more than happy to use them for you, disable services you’re not using yourself.
None of these words of warning are new, but they represent the sort of precautions users are often willing to ignore. Perhaps the realization of the remarkable information-gathering potential of Google Glass will make users more attentive to security concerns, but we've all seen users happily ignore even the simplest precautions in the past. Only time will tell if a new interface brings with it a new mindset that makes security a routine part of everyday life on the technological frontier.
This article is brought to you by Advanced Security, a cyber training leader.