
Droid Smartphone – Not So Safe For Lawyers

Having been to the ABA TechShow and witnessed firsthand the anti-fanboyism of iPhone bashing, I must admit it brings me a bit of pleasure to finally bring to the readers of TechnoEsq.com published proof of the Android OS’s security risks and failures. Despite what certain forensics firms spout in what are really their promotional speeches at these conventions, the Android is not only less secure than the iPhone, but is inherently more dangerous for your client’s confidential data than the iPhone. Please note, this is not limited to just certain Android OS phones, but applies to all phones running the Android operating system.

It has been well documented that the Droid stores Exchange passwords in an unencrypted text file (what forensics examiners call ‘in the clear’); however, researchers at Black Hat 2010, a technical security conference, have shown that the security problems with the Android are much worse than originally thought. This is because the exploits they have found, which allow unfettered access to all of the data in the phone, result from the ‘open marketplace’ which is the main selling point of all Droids. The openness of the Android marketplace has resulted in apps allowing known exploits to be installed on customers’ phones, including the EVO 4G (on Sprint), Droid X (Verizon), Droid Incredible (Verizon) and older models of Droids. Despite the cell phone carriers’ knowledge of the exploit for over a year, the open marketplace has resulted in free apps utilizing the exploit, since no one is on watch.

These malicious apps gain access to passwords, browser history, subscriber ID with the phone carrier, SIM card number and text messages, and this information is transmitted to the creator of the malicious code without the user even knowing anything has occurred. This is because the permissions given to the app, while disclosed to the user when installed, are very cryptic and most users are not aware of what their response should be. Thus the app can gain complete control of the phone with the user having no idea of the security breach of their Droid. This type of exploit goes above and beyond the alleged exploits in the iPhone because a computer forensics examiner, with years of training and hardware, can recover data off of an iPhone if they have unfettered access to the phone itself. There is no such requirement to even touch a Droid to obtain complete access to both the operating system and the data on the phone. As the company that released the news of the Droid’s vulnerabilities stated when referring to the Droid’s exaggerated security, the free app Jackeey Wallpaper, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages and send them remotely to anyone else.

This certainly should cause any lawyer to have serious concerns about purchasing or using any Android-based phone, such as the Droid X or EVO 4G, for their business use.

  • Spiffycora_421

    That's crazy! Also a good thing to know. But how did we find out about this problem? I know the company didn't inform us when purchased.

  • Me!

    Sounds like a good caution to not download any app willy-nilly. Good message regardless whether for a phone or computer.

  • http://BrianMRamsey.com Brian Ramsey

    I too noticed that many of the marketplace apps ask for an insane amount of access to personal data. Crazy as it sounds, I try to read through the conditions of use required by the app creator/vendor. My son had downloaded some apps but I read the user agreements. After reading the user agreements and reading how extreme the demands of the creator / vendor were I did not install those programs and removed all vestiges of said programs from the HTC Incredible.

    I noticed the same phenomenon when I recently signed up for Facebook. Facebook itself did not ask for a lot of information but the games on Facebook want all your personal information and all the information on all of your “friends”. The Facebook games insidiously gather information about all your contacts without their knowledge or control. Facebook games seem much more dangerous for security because there are millions more people who use Facebook on their computers than there are people using Android phones.

  • Peter

    Has anything changed in the last 8 months to make the Droid more secure?

  • http://technoesqpresentations.com finis33

    Given the recent spate of malware apps downloaded by thousands on the Android Marketplace I’d say it’s gotten worse.