UnSurprising News: Cheap Tablets aren’t just poorly made, they’re also insecure
As Black Friday weekend draws to a close (followed by Cyber Monday, Tech Tuesday, Wearable Wednesday, and on Thursday, bankruptcy court), a new report is circulating which reminds us that cheap Android devices are about as secure as they are expensive.
Security researchers with Bluebox Labs raised the alarm earlier this week, according to an alarmist post over at Gizmodo:
A bunch of the tablets they tested had the malicious app protection — the setting that prevents you from installing apps from unknown sources — turned off by default. That makes it far more likely that the five-year-old you foist the tablet off to will download malware, and your credit card number will be gone before you can say 'suspicious charges from a Siberian minicab firm'.
The worrying discoveries don’t stop there, either. A number of the tablets came rooted out of the box, making them more easily compromised by a lazy hacker; a couple were signed using a test signature for AOSP, a custom version of Android, which would make rolling out a malware-infected system upgrade easy; and Staples' $39 tablet even had some security features painstakingly removed for no good reason.
Not that I want to come across as a know-it-all, but this isn’t surprising news (heck, it hardly qualifies as news) nor is it all that worrisome.
I’ve been using cheap tablets on and off for four years, and I have never had a serious security breach. What’s more, I’ve never heard of anyone having security problems – not from their mobile devices, that is.
While those security researchers do have their facts straight, they also have their priorities wrong. Yes, cheap tablets are insecure, but the real threat comes from other channels.
I worry less about my cheap Android tablet being hacked than I do about the services I use with that tablet. Those online services are a much more tempting target, and as Jennifer Lawrence and other celebrities learned the hard way back in August, even Apple’s servers are vulnerable.
Okay, Android does have security issues, including botnets (a bunch of them, in fact), but the main security issue with Android devices is the user, not the device. All of the malicious Android hacking incidents I have heard of have involved the user making one of the usual mistakes: installing an Android app from an unsafe source (or, sometimes, Google Play), visiting an unsafe website, or opening a questionable email attachment.
In short, folks, I am worried less about an unsecure device than I am about a service I use being hacked, or doing something dumb and handing my Android device over to a hacker. There’s nothing we can really do about the former, but so long as we follow the usual basic steps to keep ourselves safe online, the latter should not be a serious issue either.
image by ajmexico, *n3wjack’s world in pixels
Jessica November 30, 2014 at 12:26 am
I feel that people like to adapt their fear of something when it best suits them. Pirating stuff is no problem for them, yet Facebook selling their data is. Privacy/vulnerability is definitely a user problem.
These security companies reporting on the "issues" make it worse. Although if someone’s going to buy a more expensive tablet because of this report, then hey, it benefits the bigger manufacturers, heh.
Timothy Wilhoit November 30, 2014 at 9:01 am
There’s a bit of malware called the "FBI virus" that’s been infecting a number of Android devices. It’s not a virus, of course, but it’s malware (ransomware) for certain. It doesn’t allow you to gain access to the device until you pay the ransom via MoneyPak. There seems to be a rash of cases on Kindle tablets; they’re being reported on the Kindle Help forum. I don’t believe there is any way to become "infected" with this malware without installing the malevolent .apk. Customers are likely "surfing Pr0n" or the like and are tricked into loading the .apk. I can see a good reason Amazon has the "allow installation from unknown sources" defaulted to NO, if only to protect people from themselves. It’s tricky to remove but if you have the pin code lock screen enabled, entering the wrong code a few times will present the option to reset to factory conditions. It’s drastic, but it does eradicate the malware.
Chris Meadows November 30, 2014 at 1:39 pm
The funny thing is that one of the main things they said makes the tablets "insecure"—allowing installation from unknown sources—is what you pretty much have to do if you buy apps from legitimate sources that don’t happen to be Google. Sure would be nice if I could permit installing apps from Amazon or the Humble Bundle without opening my tablet up to malware from everywhere else. Oh well, maybe in some future version of Android.
Nate Hoffelder November 30, 2014 at 1:41 pm
Yep. Disabling that block is usually the first thing I do with a tablet.
Thomas December 1, 2014 at 4:39 pm
I didn’t even realize that block was there. My tablet didn’t even come with Google Play, so it must have been disabled from the start. I had to put custom firmware on mine just to get the Google stuff. The default appstore was called "King Kong Market". I’ve gotten apps from there, from Amazon, Google, and even a few oddball APKs that I never did know where they came from. I did make sure to scan anything before I sideloaded it.
At least the cheap tablets now usually have the main appstore.
baochan December 1, 2014 at 3:01 pm
Rooted out of the box and allowing software installation? I count those as features, not bugs. This fear definitely seems misguided.
Nate Hoffelder December 1, 2014 at 3:22 pm
Me, too. I don’t need them on every tablet but it sure is nice for a tablet to come that way.