This old dog is learning some new tricks, and no, I am not talking about animal husbandry or bestiality. In the past few months I got a MacBook Pro, switched from Windows XP to Windows 7 and now I have a Droid 2 attached to my hip, so technically I am not married to an Android, but it spends more time with me than my wife does!

Why a Droid 2? I believe that the Android based phones will become the most attacked smart phones of all, if they are not already, so I want to be able to research the security issues. It didn’t take long to start finding problems. To begin with, almost as soon as I ordered the Droid my spam increased. In all fairness, it isn’t a problem of the Droid, it is what Verizon Wireless does to new customers. The carrier is a part of the security picture and when I signed up for “My Verizon” I discovered how little they believe in their security capabilities. You know that end user license agreement that nobody reads? I read it.

Let me quote…

“Verizon Wireless makes no guarantee that communications or transactions conducted online will be absolutely secure.” Fair enough, there is no absolute security, but in the agreement Verizon does not guarantee that they will make any reasonable efforts to keep things secure. But they go on…

“You agree to assume all risk and liability arising from your use of Verizon Wireless online services, including the risk of breach in the security of the communications or transactions you conduct with Verizon Wireless online.”

This means that they are trying to establish that if they exercise gross security negligence it is your problem. This may very well not hold up in court, but they can try.

Verizon isn’t done yet, they go on to say “You agree that you are solely responsible for maintaining the confidentiality of your password and/or Personal Identification Number (PIN) code, and you agree that Verizon Wireless has no obligation with regard thereto.” This means that they claim no responsibility to encrypt your password when you send it to them at their request over their network.

It does get better… “For purposes of identification, billing and marketing, you agree to provide Verizon Wireless with current, accurate, complete, and updated information by the registration for Online Bill Presentment/My Verizon, including your legal name, address, telephone number(s), and applicable payment data (e.g., bank account number). You agree to notify Verizon Wireless immediately of any changes in your registration data. Proceeding with the registration process indicates your intent to comply. Please review our PRIVACY STATEMENT.”

There are two particularly interesting parts to this. First, notice that they include marketing as a reason you must provide accurate and complete information. This is to facilitate their efforts to spam people. Second, they ask that you review their privacy statement. It is evidently only a statement, not a policy.

So, getting past the Verizon part, let’s go on to the Android itself. Since I got a new Droid 2 I have Froyo, which is Android version 2.2. It is quite possible that some of my experiences may be different from those of people running older versions of the operating system, but probably not.

Android is essentially a Google product so you know that this is not going to be optimized for privacy or security. Defaults tend toward telling the world where you are at all times, so during setup it is essential to pay attention to things like location services. Defaults will copy your Google account information to your Android phone, so if you want to maintain a separation of accounts then you need to get a new Google account for your phone. If you want the synchronization then Google does make that convenient.

The first significant security issue I have come across involves locking the device. With a Blackberry, if you enable password protection and lock your phone, then it requires a password to unlock it. With an Android, if you tell it to use a password and then lock your phone, anyone can unlock it without a password as long as the password timeout interval you set has not yet elapsed. Blackberry understands security much better than Google does. The timeout should mean that after a period of inactivity the device is password locked, but if you tell it to lock now, then it should be password protected right now.
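To make the distinction concrete, here is a small model of the two lock policies, written as an added example for this post; it is not Android's, Blackberry's or ESET's code. It assumes a device that tracks the time of last user activity, a user-chosen inactivity timeout, and whether the user pressed "lock now". The flawed policy demands a password only once the inactivity timeout has elapsed; the corrected policy treats an explicit lock as an immediate password lock and lets the timeout govern only screen-off-by-inactivity. The password and timings are constructed sample values.

```python
"""Model of screen-lock policies: inactivity timeout vs. explicit 'lock now'.

Added illustration, not code from Android or from the post's author.
Assumptions: the device records last activity time, a user-chosen
inactivity timeout, and whether the user explicitly locked the screen.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import hmac

SAMPLE_PASSWORD = "correct-horse"  # constructed sample secret


@dataclass
class LockState:
    """State tracked by the simulated device (times are seconds)."""
    timeout_s: float                       # user-chosen inactivity timeout
    password: str                          # the unlock password
    last_activity: float = 0.0             # last user interaction
    screen_off_at: Optional[float] = None  # None means the screen is on
    explicit_lock: bool = False            # user pressed 'lock now'


def lock_now(state: LockState, now: float) -> None:
    """User presses the lock button: screen goes off, explicit lock recorded."""
    state.screen_off_at = now
    state.explicit_lock = True


def screen_timeout(state: LockState, now: float) -> None:
    """Screen goes off by itself after inactivity; no explicit lock."""
    state.screen_off_at = now


def password_required_flawed(state: LockState, now: float) -> bool:
    """Behaviour described in the post: a password is demanded only once the
    inactivity timeout has elapsed, even after an explicit lock."""
    return (now - state.last_activity) >= state.timeout_s


def password_required_fixed(state: LockState, now: float) -> bool:
    """Expected behaviour: an explicit lock always requires the password;
    otherwise the inactivity timeout decides."""
    return state.explicit_lock or (now - state.last_activity) >= state.timeout_s


Policy = Callable[[LockState, float], bool]


def unlock(state: LockState, now: float, supplied: Optional[str], policy: Policy) -> bool:
    """Attempt to unlock; returns True if the screen is unlocked."""
    if policy(state, now):
        # Constant-time comparison so the check itself is not a timing oracle.
        if supplied is None or not hmac.compare_digest(supplied, state.password):
            return False
    state.explicit_lock = False
    state.screen_off_at = None
    state.last_activity = now
    return True


def scenario(policy: Policy) -> Dict[str, bool]:
    """Run the post's situation (and two controls) against one policy."""
    results: Dict[str, bool] = {}

    # 1. Lock explicitly 5 s after last use, try to unlock 10 s later with no password.
    s = LockState(timeout_s=300.0, password=SAMPLE_PASSWORD)
    lock_now(s, now=5.0)
    results["no_password_after_explicit_lock"] = unlock(s, 15.0, None, policy)

    # 2. Same sequence, but the correct password is supplied.
    s = LockState(timeout_s=300.0, password=SAMPLE_PASSWORD)
    lock_now(s, now=5.0)
    results["password_after_explicit_lock"] = unlock(s, 15.0, SAMPLE_PASSWORD, policy)

    # 3. No explicit lock: screen times out and 400 s of inactivity pass.
    s = LockState(timeout_s=300.0, password=SAMPLE_PASSWORD)
    screen_timeout(s, now=30.0)
    results["no_password_after_inactivity"] = unlock(s, 400.0, None, policy)
    return results


if __name__ == "__main__":
    for name, policy in (("flawed", password_required_flawed),
                         ("fixed", password_required_fixed)):
        print(name, scenario(policy))
```

Running it shows the difference the post complains about: under the flawed policy scenario 1 unlocks without any password, because only ten seconds of the five-minute timeout have passed; under the fixed policy the same attempt is refused, while both policies still require a password once the inactivity timeout has elapsed.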

As I learn more about the security of Android devices I will share my discoveries and perceptions. For now, if anyone is wondering how I chose the Droid 2, I’ll share some of the reasons why I chose this device. First of all, it has a physical keyboard. Yes, I know that everyone says you get used to the on-screen keyboard, but that is not true for everyone. If I am ever comfortable with only an on-screen keyboard then that is fine, but for the time being I am greatly appreciating the physical keyboard. After narrowing the choice down to those Android devices that have a physical keyboard, then came the more difficult decision. I really would have rather gone with AT&T or T-Mobile since they have GSM devices and Verizon is CDMA. The problem with AT&T is that they do not allow customers to install non-market applications. This is actually a reasonable security approach, but it makes them totally unsuitable for research. T-Mobile only has low end devices, and that left me choosing between a low end device that works all over the world or a high end device that only works in the US. As much as I travel, the world phone would be more convenient, but I also have a Blackberry so my world communications do not rely upon my Droid 2.

In my next Droid post I’ll share some information about the application security model and some of the setup choices. For now, I need to try to figure out how to completely opt out of the Verizon spam. The first try obviously didn’t work.

Randy Abrams
Director of Technical Education
ESET LLC