Droid Smartphone – Not So Safe For Lawyers

Michael Lynn presenting a briefing in 2005
Image via Wikipedia

It has been well documented that the Droid stores Exchange passwords in an unencrypted text file (what forensics examiners call ?in the clear?), however researchers at Black Hat 2010, a technical security conference, have shown the security problems with the Android is much worse than originally thought. This is because the exploits they have found which allow unfettered access to all of the data in the phone result from the ?open market-place? which is the main selling point of all Droids. The openness of the Android marketplace has resulted in apps allowing known exploits to be installed on customer?s phones, including the EVO 4G (on Sprint), Droid X (Verizon), Droid Incredible (Verizon) and older models of Droids. Despite the cell phone carrier?s knowledge of the exploit for over a year, the open marketplace has resulted in free apps utilizing the exploit since no one is on watch.

These malicious apps gain access to passwords, browser history, subscriber ID with the phone carrier, SIM card number and text messages and for this information to be transmitted to the creator of the malicious code without the user even knowing anything has occurred. This is because the permissions given to the app, while disclosed to the user when installed, are very cryptic and most users are not aware of what their response should be. Thus the app can gain complete control of the phone with the user having no idea of the security breach of their Droid. This type of exploit goes above and beyond the alleged exploits in the iPhone because a computer forensics examiner, with years of training and hardware, can recover data off of an iPhone if they have unfettered access to the phone itself. There is no such requirement to even touch a Droid to obtain complete access to both the operating system and the data on the phone. As the company who released the news of the Droid?s vulnerabilities stated when referring to the Droid?s exaggerated security, the free app Jackeey Wallpaper, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages and send them remotely to anyone else.

Enhanced by Zemanta