Nokia X malware fears – are they legit?
Nokia used Android 4.1.2 SDK from AOSP to develop its X platform and though that wasn’t completely unexpected it did raise quite a few brows considering how some of the crucial Android security elements are missing from the new platform.
In a bid to push Android to the back seat in its latest Nokia X smartphones, the Finnish giant created Nokia X platform based on Android Open Source Project (AOSP) and stripped off Google apps, Play Store and almost anything to do with Google.
Some of the pros a Google independent platform, no dependency on Google Play Store, no trace of Google apps and ability to provide a new app store with Nokia branding. Cons? Well some believe that there are quite a few drawbacks of this approach, but the primary concern is security of the platform.
Unavailability of Bouncer
Google’s always-on malware verification system has been one of the key safeguards in keeping away malware bundled apps or apps that may execute malicious code.
Bouncer won’t be available on Nokia X, but that doesn’t mean Nokia will be allowing every tom, dick and harry to publish apps to its store without screening.
Claim Debunked: Nokia has a reputation to keep and with a 100 percent certainty it won’t be wrong to claim that it will put in place an apps approval process, which will be better than an automated mechanism.
Nokia hasn’t provided any details of the apps approval process yet, but it is just a matter of time.
Unavailability of Verify Apps
Nokia’s decision of going for Android 4.1.2 SDK from AOSP is questioned again here considering the lack of Verify Apps feature that is available in Android 4.2 Jelly bean and upwards.
It is a system which checks at the device level whether the apps being installed are malware or not. It is basically a signature based detection mechanism that Google has created to compare new apps with past known signatures.
Claim debunked: It is the lack of manual inspection and verification of apps at Google’s end that has led it to create such a mechanism as a sort of second layer of protection.
Saying that unavailability of Verify Apps will jeopardize the security of Nokia X device and users’ data stored within those phones is mere exaggeration. Nokia notes in its publishing guidelines that apps will go through a QA review process before they are published on the store.
The details are vague, but we believe that Nokia will certainly have ‘security review’ as part of the QA process.
This is by far the best security feature that Google has introduced with Android 4.2. Google put in this added layer of security starting Android 4.2 under which apps are allowed to run with bare minimum privileges. With Android 4.4 Google set the ‘enforcing’ mode as default thereby ensuring that apps can’t request more privileges on the fly beyond the ones it requested in the first place. This feature keeps malicious apps at bay and ensures that they don’t access critical user data.
Claim stands! This is something that is definitely a good measure, which Nokia X will lack. If Nokia has in place strict apps review process that not only emphasizes on QA but also security, it could reduce the risks associated with the absence of SELinux security.
Nokia X is vulnerable right off the bat
Immediate vulnerability because of absence of varying levels of security features
Absence of Bouncer, Verify Apps and SELinux security will put Nokia X in danger of increased malware infections may look true when it comes to writing off the platform, but without knowing Nokia’s measures to ensure user and platform security is something that doesn’t sit down well with me.
Claim debunked: As with all operating platforms, Nokia X will also be updated and with those updates the Finnish giant will include more security features – probably all those listed above. Key is verification of apps – be it automated or manual.
As it stands, Apple’s iOS platform is considered the most secure when it comes to malware-laden apps and the primary reason behind this is manual inspection of apps that Google’s Android lacks. Claiming that Nokia X is vulnerable right off the bat isn’t justifiable for the lack of automated security processes as Nokia could have a more elaborate security testing in place to corner off and address the security concerns.
What’s your take on this?
[Disclaimer: Neither me nor Techie News have been paid by Nokia or Microsoft to write this article. This is out of my own personal interest that I have put together a piece to debunk the myths and to put forward my views about security posture of Nokia X]