That sub-$100 Android slab you got on Black Friday? RIDDLED with holes, say infosec bods

Cyber Monday shoppers on high alert in light of data breaches
December 1, 2014
Uber’s Database Could Be Tempting for Hackers
December 3, 2014

2 December 2014

Those fighting through hordes of fellow crazed bargain junkies this Black Friday should avoid some of the cheapo Android tablets on offer.

Security researchers at Bluebox Labs bought a dozen Android fondleslabs, each costing less than $100, and tested them for poor patching, dodgy OS installation, and sloppy security practices – and found almost all of them were vulnerable.

“Not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices,” said Andrew Blaich, lead security analyst at Bluebox, in a blog post.

“We recommend avoiding these if you can; otherwise, only use them for low-risk activities like simple gaming, media entertainment, and public web browsing. We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices – if you do, you will be putting your data at risk.”

Android tablet flaws

The worst-performing fondleslab, we’re told, was a Zeki 7” Android handheld from Kohl’s, priced at $50 minus one cent. The tablet runs Android 4.1.1 and is vulnerable to four major ‘droid security vulnerabilities, has USB debugging turned on by default, is signed by the Android Open Source Project test key which makes life easier for trojans to infect, and doesn’t include Google Play – which means users may be more likely to use malware-ridden third-party app stores.

Neither the Zeki, nor the $50 Polaroid tablet from Walgreens, are patched against Heartbleed, and all but two of the twelve were vulnerable to the Fake ID flaw that lets malware impersonate trusted and signed-off apps.

Before everyone panics and rushes down to the stores trying to get their money back (good luck with that, by the way) there’s no suggestion these tablets are being shipped with malware installed. Instead the problems are largely down to sloppy installations of older versions Android and a lack of security bug fixes.

As a contrast, the BlueBox Lab team spent $400 on a new Nexus 9 tab and it scored perfect marks, which is unsurprising considering it’s Google’s latest flagship fondleslab. The only sub-$100 tablet cleared of problems was the Samsung Galaxy Tab 3 Lite, suggesting larger, richer firms take their firmware installation more seriously.

A lot of these issues could be fixed if Google encouraged manufacturers to push out updates to Android faster. The latest Lollipop build, version 5.0, fixes many of the problems found, but lots of devices capable of running the new OS (including all of the ones tested here) didn’t have it yet.

Part of this is the manufacturers’ fault, and if you’re buying a cheap fondleslab it’s likely that the vendor is going to be less good at supporting the hardware than an established player. But Google also needs to do more to solve this long-term problem of fractured update cycles if Android is to lose its reputation of being the mobile malware writer’s OS of choice.

Source – http://www.theregister.co.uk/2014/11/28/black_friday_sub100_android_fondleslabs_riddled_with_security_flaws/