BlackSun

Mobile Security Placebo?


Sorry for the kinda sensationalist-y title; I couldn't think of any title that sums up what I'm worried about, explained in the following...

 

Please, do correct me if I'm wrong in any of these points / assumptions:

- Android runs every app in its own sandbox-y environment, including browsers and background services

- Android doesn't have an API to allow intervention / access from one of these to the other or the system

- Android appstore displays all app privileges before the user accepts these for app install

- The Android appstore does have very few apps slip through the cracks of its malware check

- Thus, most malicious apps get on the device by being side-loaded...

- Which is, since Android 4.2, also being checked by Google AFAIK.

- Any malicious app / update to such gets remotely removed by them.

 

So... for tl;dr-s; skip through for bold text and read where interested.

 

Now. As stated above, each app runs in its own sandbox without access to other apps or the system itself. Including Anti-Virus / Anti-Malware apps! So how do these even do their job, if they don't have any more privileges than any other apps have? They can't interact with the system or other apps, so there is no real-time monitoring of either supposedly compromised system activity, nor that of malicious apps. All they can do is check the names of installed apps for any "bad" ones.

Right / wrong...?

 

Additionally, in 2014 a small study showed that 4 out of 6 tested Anti-Virus apps on Android include surf protection via real-time checks of URLs against a cloud-based service. This compromised perfectly safe HTTPS connections to any website by phoning home for this check, partly or completely including formerly HTTPS-protected parameters of the URLs like passwords and session IDs in plain text, making them vulnerable to everything and anything. Especially Avast and AVG did this in 2014, while both claimed to protect privacy and at the same time either logged, or allowed anyone who wanted to listen to log, visited websites without the user's knowledge.

How does EMS handle this, specifically?

 

Lastly, counterproductively as always, AV-apps might end up giving a false sense of security for side-loading apps more readily, "because the device is protected anyways, right?" Since apps might still be unknown to the AV, it doesn't detect any issues due to lack of real real-time protection like that of AVs on PCs, which users are used to.

That one's a given with any AVs, but holds true especially for mobile ones, doesn't it?

 

 

To me, the most useful feature of EMS seems to be the rating of all installed apps, pointing out which apps have a few privileges too many for what they're doing. But, data-mining aside [you guys make more reliable money with selling the license anyways, I'd assume], after looking over what I basically already knew and agreed to once, I don't see much of a use to this kind of app on mobile devices as of now - devices which are not rooted, either.

Am I missing something? Please, educate me.


Hi BlackSun,

 

Thank you for contacting us.

 

Right, there is no real-time monitoring like our Behavior Blocker does in Emsisoft Anti-Malware or Emsisoft Internet Security. It is not really checking names but signatures, similar to what our File Guard does, for example. To answer one of your questions placed later in your text, yes, it is true that it is crucial to keep the database up to date as well as possible.

 

As for the Web Security feature in Emsisoft Mobile Security, indeed there is a limitation due to the Android OS's permission system. If you want to know the exact details let me know - basically Chrome and the default browser are compatible under any Android version; for Android 6+ the supported browsers are Chrome, the default browser, Firefox (and maybe also Opera at some time in the future). Traffic can be scanned in these browsers if the Accessibility permission is activated (Android 6.x and higher permission requirement).

 

I hope my reply can be helpful. If I can assist any further please let me know.

  • Upvote 1


Your reply is very much appreciated!

 

Right, there is no real-time monitoring like our Behavior Blocker does in Emsisoft Anti-Malware or Emsisoft Internet Security. It is not really checking names but signatures, similar to what our File Guard does, for example. To answer one of your questions placed later in your text, yes, it is true that it is crucial to keep the database up to date as well as possible.

 

This'll happen whenever there's a change to an app, like on first install, and subsequent updates, I assume?

And - Signatures, as in information the file / app comes with, like .exe files do / can on Windows, too?

So, we're not talking checksums here, are we?

 

 

As for the Web Security feature in Emsisoft Mobile Security, indeed there is a limitation due to the Android OS's permission system. If you want to know the exact details let me know - basically Chrome and the default browser are compatible under any Android version; for Android 6+ the supported browsers are Chrome, the default browser, Firefox (and maybe also Opera at some time in the future). Traffic can be scanned in these browsers if the Accessibility permission is activated (Android 6.x and higher permission requirement).

 

Indeed I'd like to know the details. :)

I'm not that deep into Android development, granted - but I'm a software dev myself, and kind of a security enthusiast. So of course, these things are very interesting to me.

 

Here's a few more specific questions that came to mind:

1) How does EMS check for potentially malicious activity / hosts in the browsers' traffic, then?

Just the URLs / Domains / IPs, or certain content of traffic itself, too? And, locally against its own regularly updating database, or against a cloud database?

 

2) If so, how is communication being managed with that cloud db, what exactly is being submitted, any URL-parameters included in there, for example?

What about encryption on that traffic, because how else do you guarantee third parties won't be able to peek in there, either? Is it secure?

 

3) Do you guys keep tabs on visited domains or any kind of metadata, yourself? Logging anything?

 

And of course, lastly...

4) What for do you do that? Isn't it kind of the reason why Android runs these apps, including the browsers, in their own sandboxed environments so that even if you visited a bad host, your system itself can't be compromised outside of what you may submit to the webpage yourself [i.e. phishing]?


Dear BlackSun,

 

Thank you for your feedback and interest in our security solutions.

 

I'll make sure to discuss your questions with our developer team so that I can get you some statements on these topics as detailed as possible.

 

I'll be back soon, please just let me know if I can assist in the meanwhile.


Hello BlackSun,

 

Thank you for your patience.

 

As for when exactly Emsisoft Mobile Security performs automatic scans, it scans on install and on update for every installed app.

 

Signatures, as in information the file / app comes with, like .exe files do / can on Windows, too?

So, we're not talking checksums here, are we?

Malicious apps are identified based on MD5 and some info from the Android manifest; the scan result database is in the cloud.

 

1) How does EMS check for potentially malicious activity / hosts in the browsers' traffic, then?

Just the URLs / Domains / IPs, or certain content of traffic itself, too? And, locally against its own regularly updating database, or against a cloud database?

We are scanning the URLs using the cloud database; we do not scan the content of the traffic.

 

2) If so, how is communication being managed with that cloud db, what exactly is being submitted, any URL-parameters included in there, for example?

What about encryption on that traffic, because how else do you guarantee third parties won't be able to peek in there, either? Is it secure?

All requests are HTTPS and authenticated, and we send the entire URL to the cloud as there might be partially infected domains.

 

3) Do you guys keep tabs on visited domains or any kind of metadata, yourself? Logging anything?

No, there is no logging.

 

4) What for do you do that? Isn't it kind of the reason why Android runs these apps, including the browsers, in their own sandboxed environments so that even if you visited a bad host, your system itself can't be compromised outside of what you may submit to the webpage yourself [i.e. phishing]?

I'm not sure if I understand the whole question, but I guess you named one of the reasons on your own. Also, personally I would say that, in general, even if my car features an airbag I wouldn't want to miss ESP :)

 

Hope my reply can be helpful for you. Let me know if I can assist any further.

  • Upvote 1

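The trade-off in the exchange above (sending the whole URL so that a single bad path on an otherwise clean domain can still be flagged, versus the 2014 concern that full URLs hand passwords and session IDs to the lookup service), as an added Python example that is not Emsisoft's code; the three policy names, the list of sensitive keys and the sample URLs are constructed for illustration:

```python
"""Added example (not Emsisoft's code): what a URL-reputation lookup needs vs. what it discloses."""
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query keys that commonly carry secrets (constructed, illustrative list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "sessionid", "sid", "api_key"}


def lookup_key(url: str, policy: str) -> str:
    """Part of the URL a client would submit under three hypothetical policies:
    'host' (domain only), 'path' (scheme, host and path; no credentials,
    query or fragment) and 'full' (the URL exactly as typed)."""
    p = urlsplit(url)
    host = p.hostname or ""  # .hostname already drops any user:pass@ prefix
    if p.port:
        host += f":{p.port}"
    if policy == "host":
        return host
    if policy == "path":
        return urlunsplit((p.scheme, host, p.path, "", ""))
    if policy == "full":
        return url
    raise ValueError(f"unknown policy {policy!r}")


def disclosed_secrets(url: str) -> dict:
    """Credentials and sensitive query fields that submitting the full URL
    would hand to the lookup service in readable form (empty if none)."""
    p = urlsplit(url)
    leaked = {}
    if p.password:
        leaked["userinfo"] = f"{p.username}:{p.password}"
    for key, value in parse_qsl(p.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            leaked[key] = value
    return leaked


# Constructed samples: a clean page and a compromised path on the same domain,
# plus a login URL that carries credentials and a session id.
CLEAN = "https://shop.example/products?item=42"
COMPROMISED = "https://shop.example/blog/compromised-page"
LOGIN = "https://alice:s3cret@shop.example/login?user=alice&password=hunter2&sessionid=abc123#step2"

if __name__ == "__main__":
    for policy in ("host", "path", "full"):
        # 'host' cannot tell CLEAN from COMPROMISED; 'path' can, without the query.
        print(f"{policy:5} {lookup_key(CLEAN, policy)} | {lookup_key(COMPROMISED, policy)}")
    print("full URL discloses:", disclosed_secrets(LOGIN))
    print("path policy submits:", lookup_key(LOGIN, "path"))
```

The 'path' policy is the middle ground: it still distinguishes the compromised path from the clean one on the same host, while the credentials, query string and fragment never leave the device.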

Thomas Ott wrote: "Also, personally I would say that, in general, even if my car features an airbag I wouldn't want to miss ESP"

 

What's "ESP" in this context?


Hi JeremyNicoll,

 

Sorry for bringing in more confusion/complexity than necessary.

 

I just wanted to compare it with "security layers" if you want. With ESP (electronic stability program) in this sentence I just meant the feature in cars also called dynamic stability control (DSC).



Thanks for the answer!

So, Apps are being checked by checksums, against an up-to-date cloudside DB to check for any known bad apples.

While surfing, not just domain names but complete URLs are being checked against a cloudside DB.

All of this EMS-traffic is utilizing secure HTTPS, and not a bit of data is being logged and collected by you guys.

 

That's what I'm getting from this - that correct so far?

 

Now, while all the cool features in cars are definitely a nice thing, in some cases they have led to reckless driving and underestimation of dangerous situations. That's, of course, up to each individual driver, but what do companies expect if they advertise the "accident-proof car"? That's why I'd rather have the, or at least some, specifics of how things work, what they can and especially what they cannot do - both with cars, and software.

 

Because what the software cannot do is any real-time monitoring of what an app is doing while it is running. That app won't be able to break free from its sandbox either, though, so that's in Android's hands. From what I've gathered though, it is possible for an app to check on in- and outgoing traffic from other apps (and possibly the system)? So, there are no apps out there that, say, simply don't "support" having their traffic looked into by such "other apps" like EMS, for example?

 

As a customer, I really appreciate companies explaining in detail what their products can do, and why I would want to have that magic working for me. With blanket statements however, I get really suspicious and sometimes can't resist digging some more. Just a little piece of feedback; maybe I just didn't see the features of EMS advertised clearly enough somewhere. :)


Dear BlackSun,

 

Thank you for your feedback, you are very welcome.

 

What you said is correct, as for real-time monitoring it is not possible because of the Android environment.

 

You cannot do anything more than check how much is going in or out, or whether anything is at all; however, that is what traffic monitor apps do, and it wouldn't increase security.

 

If I can assist any further please do not hesitate to contact me.
