Application Security on Android Mobile Devices

By Rich Campagna, Subbu Iyer, and Ashwin Krishnan from Mobile Device Security For Dummies

Android has a number of security features built into its operating system which help protect your mobile device applications. On Android, by default, no application has the permissions needed to perform operations that impact other apps or the device in general. This arrangement prevents apps from reading information or data stored by other apps, and keeps them from reading the user’s personal data stored on the device.

For one application to share data with any other, it must give explicit permission to the other app to read its data. For example, suppose an app that a user downloads from the Android Market needs permission to know her GPS location. When the user installs such an app, it prompts her for permission to read her GPS location.

Android is based on the Linux Operating System, which has elaborate security mechanisms built in. Each app runs with a distinct system identity (including its Linux User ID and Group name), which is unique for all apps. The Android OS assigns a unique User ID to an app when the app is installed. Linux uses this mechanism to separate apps from each other and protect the system in general.

Even with the security built into the Android OS, users own the ultimate responsibility for protecting their devices. A malicious app in the Android Market could still be written to seek permission to a user’s SMS messages, contacts, or GPS location.

The security built into the OS protects apps from one another, but does not necessarily shield the user’s data from malicious apps. So this security feature is only one piece of the puzzle; it does not preclude the need for mobile security on the Android device.