
That sub-$100 Android slab you got on Black Friday? RIDDLED with holes, say infosec bods

You get what you pay for

Those fighting through hordes of fellow crazed bargain junkies this Black Friday should avoid some of the cheapo Android tablets on offer.

Security researchers at Bluebox Labs bought a dozen Android fondleslabs, each costing less than $100, and tested them for poor patching, dodgy OS installation, and sloppy security practices – and found almost all of them were vulnerable.

"Not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices," said Andrew Blaich, lead security analyst at Bluebox, in a blog post.

"We recommend avoiding these if you can; otherwise, only use them for low-risk activities like simple gaming, media entertainment, and public web browsing. We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices – if you do, you will be putting your data at risk."

[Figure: Android tablet flaws. The dirty dozen]

The worst-performing fondleslab, we're told, was a Zeki 7” Android handheld from Kohl's, priced at $50 minus one cent. The tablet runs Android 4.1.1 and is vulnerable to four major 'droid security vulnerabilities, has USB debugging turned on by default, is signed with the Android Open Source Project test key, which makes it easier for trojans to infect the device, and doesn’t include Google Play – which means users may be more likely to use malware-ridden third-party app stores.

Neither the Zeki nor the $50 Polaroid tablet from Walgreens is patched against Heartbleed, and all but two of the twelve were vulnerable to the Fake ID flaw that lets malware impersonate trusted and signed-off apps.

Before everyone panics and rushes down to the stores trying to get their money back (good luck with that, by the way) there's no suggestion these tablets are being shipped with malware installed. Instead the problems are largely down to sloppy installations of older versions of Android and a lack of security bug fixes.

As a contrast, the Bluebox Labs team spent $400 on a new Nexus 9 tab and it scored perfect marks, which is unsurprising considering it's Google's latest flagship fondleslab. The only sub-$100 tablet cleared of problems was the Samsung Galaxy Tab 3 Lite, suggesting larger, richer firms take their firmware installation more seriously.

A lot of these issues could be fixed if Google encouraged manufacturers to push out updates to Android faster. The latest Lollipop build, version 5.0, fixes many of the problems found, but lots of devices capable of running the new OS (including all of the ones tested here) didn't have it yet.
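For anyone who already owns one of these tablets, the configuration problems reported above (test-key build, USB debugging on, no Google Play, pre-5.0 Android) can be checked from saved `adb shell getprop` and `adb shell pm list packages` output. The script below is an added example, not Bluebox's tooling; the sample dumps are constructed, and which properties map to which finding is an assumption based on standard Android build properties.

```python
import re

# Constructed sample dumps, not taken from any tested device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.1.1]
[ro.build.tags]: [test-keys]
[persist.sys.usb.config]: [mass_storage,adb]
"""
SAMPLE_PACKAGES = """\
package:com.android.browser
package:com.android.settings
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines from getprop into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.M))

def parse_packages(text):
    """Collect package names from 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}

def audit(getprop_text, packages_text):
    """Return the article's configuration findings that apply to this dump."""
    props = parse_getprop(getprop_text)
    packages = parse_packages(packages_text)
    findings = []
    # Assumption: a 'test-keys' build tag indicates signing with the AOSP test key.
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.append("test-keys")
    # Assumption: 'adb' in the persisted USB config means USB debugging is on.
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("usb-debugging")
    # com.android.vending is the Google Play Store package.
    if "com.android.vending" not in packages:
        findings.append("no-google-play")
    # The article says Lollipop (5.0) fixes many of the problems found.
    release = props.get("ro.build.version.release", "0")
    version = tuple(int(n) for n in re.findall(r"\d+", release)) or (0,)
    if version < (5, 0):
        findings.append("pre-lollipop")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, SAMPLE_PACKAGES):
        print("FINDING:", finding)
```

This covers only the configuration findings; it does not test for Heartbleed or Fake ID.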

Part of this is the manufacturers' fault, and if you're buying a cheap fondleslab it's likely that the vendor is going to be less good at supporting the hardware than an established player. But Google also needs to do more to solve this long-term problem of fractured update cycles if Android is to lose its reputation of being the mobile malware writer's OS of choice. ®
