Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast, where the world talks security.
Kacy Zurkus:
Hello listeners, and welcome to this installment of our RSAC 365 podcast series. We have a great conversation lined up for you today: Thinking about Android, a multi-faceted discussion with Aditi Bhatnagar. Here at RSAC we host podcasts twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. And now I'd like to ask Aditi to take a moment to introduce herself before we dive into today's topic.
Aditi Bhatnagar:
Thanks for inviting me, Kacy. I'm so happy to be here. Hi everyone, I'm Aditi. In chat my direction is that I like making or breaking code. My recruiting currently include intellect security, cloud security and networks. I am going to be working with the cloud team as a product security engineer and was previously with Microsoft working on endpoint security. I liked conducting it because the training, besides my day job, you can find me hanging around in my discord community, which I call it and finding attack talkers and dragging with a bunch of interesting people.
Aditi Bhatnagar:
So excited about this conversation. Let's get started, Kacy.
Kacy Zurkus:
Yeah, I'm excited to have you. And I think when we had initially tossed around the idea of doing a podcast, I gauged your interest and the topic of Android was really that you were passionate about it. So I think this is going to be a great conversation. I want you to start us off maybe by explaining to the listeners, what is important about Android as a technology from a techno sociological context?
Aditi Bhatnagar:
Ooh, that's interesting. Well before we get started into that, I'll ask the listeners to take a minute, look around, and it's spot on Android in the surroundings. I am positive that most of you are having them right now around you. And before the iPhone users jumped to say, literally we are not Android people. I do not mean essentially mobile phones. It can be anything.
Aditi Bhatnagar:
It can be a watch. It can be smart TV. On top of a flight away, which is again, based on Android, it can be a touch pad in the car or the smart glasses or Google glasses, or the smart fridge or machine that orders the stuff for you on your behalf. It can be anything. And you see that you're surrounded by Android. And that is not surprising because it is an easy to use open source, video, whatever the next phase OS, but also functionalities that make it easy to create stuff on top of that. And secondly, it's affordable. And if you talk about the developing countries like India, where I am from, I'd say it's a game changer technology because people can access it and like iPhone, all the other technological counterparts. When you talk about particularly the Android mobile, it has changed the way we live our daily life.
Aditi Bhatnagar:
There are a huge number of hybridity amazing apps, obstacle gaps, or other food, listening to music, entertainment, chatting, social media, payments, video calling, online, shopping, so on. Like these have literally redefined our reality and it keeps evolving. The use cases are becoming more and more personalized. I also saw apps recently, which were like, they offer you the convenience to literally book a person to do stuff for you. So the person can buy flowers or book a seat for you, and so on. So the convenience utility that this technology has added to the personal lives of people is remarkable and this has led to creation of new habits on a personal level. That is how people organize their life and at a societal level, as well, and then how groups of people organize themselves, right? It has got duty to the change about how people express themselves, communicate and collaborate.
Aditi Bhatnagar:
Now I'm sure that this is not like Android specific. You might think that technology itself is somewhat doing those kind of things. But the point here is that any tech that is as widely popular as Android shaped how to find these functions. It's not about just the tech. It's about the reachability of technology. What Android has enabled is to make all those technological magical features reach out for the common people. And let me make a point by giving some examples. Like we can talk about a simple feature, like a story, right? And about how it affects the societal conflict. Like, how do we interact? How do we organize how Android affects that? So let's talk about a simple example of the feature called stories. You'll see that in all popular chat apps, it's a common thing, right? Every on every data you can share a story.
Aditi Bhatnagar:
Now, if you go back in time and try to compare how that sort of combination is different than what we had before. You'll find that story that are very difficult communication. It is not a dialogue. It's not two people interacting. It is not a monologue either. It's not just you talking to yourself. It is somewhere in between. It's like you expressing a part of you that you want people to see, while having the knowledge of the fact that this information might shape their perception of yours. So do you see the complexity? It has gone deeper, right? And that is just one minor aspect of what you're talking about here. Another interesting thing that I noted was the human variable of a digital equation, I call it. With Android, especially, like so many packages, delivery services have increased, right? Like getting goods to your place, getting food to your place.
Aditi Bhatnagar:
And most of it, while it is done by machines, like there are algorithms. That last part, the delivery component, is essentially a human being doing that kind of job. If you see the number of jobs which have been introduced in a society, which is kind of good because it's employment. But if you see the mundaneness of those tasks, it is all something different which technology has introduced. That same kind of job they are essentially putting in at the bottom of the equation, where they fixed the last bit of the equation of delivering the things to another human being or creating that, right. So those kinds of jobs have, and I'm sure there are like so much more to what I've just mentioned. Like these are just a few examples. And if you go from the perspective of a user, as a user what are you seeing more now? Like in comparison to your initial experiences with technology. You'll see that a lot of choices have been built into this. There's a choice paradox. There are many options to pick from.
Aditi Bhatnagar:
Another thing you can see the increasing number of spam or junk calls. Many days it happens, you have no clue on how your number, phone number, your contact number landed up with someone or some ad agency. They like, why are you getting this text message? Why are you getting this call? And you have no clue on what went behind the scene, how this tracing was done, that this is the person I should send the ad to. Then there's a lot of misinformation and then draw. It is in the hands of almost every other person, people are free to create content and circulate it. And the credibility is lost. What is right, what is wrong is lost, and it is one of the major challenges that people are trying to solve in chat apps and on Android platform in general, how do you get rid of this misinformation?
Aditi Bhatnagar:
Another thing, attention gone. Too many notifications, right? And that is something that we'll talk more about, if we have time, that how too many notifications essentially make people distracted. You know? The whole concept of deep work and being able to focus on things like all the apps or all the technology automate in such a way that they take more attention from the user, like is that what's happening? There's like a good debate which is going on in the industry right now. Another thing. Tech addictions, right. This is a really interesting concept that I came around on why gambling is addictive. Like there's a good research which is done and it's over Lebanon internet on like, why is gambling so addictive? There's like something particular in the whole process of gambling. Like you are sitting in front of the machine and waiting for intermittent rewards.
Aditi Bhatnagar:
And if you compare it with mobile, with your experience with Android phone, that is particularly what is happening. Like you get notifications at any time interval, right. And there is like a psychological part of your brain, which is just waiting for that trigger, waiting for that notification. And that is what leads to tech addiction. So there is well done research on that. These are the kinds of things that we are seeing around and impacting society as such. And I feel it already fits very nicely in that impact level, how it impacts people. It is very, very interesting.
Kacy Zurkus:
Yeah. It's interesting and fascinating just how deeply entrenched these technologies have become in our lives in ways that, you know, we don't really necessarily think about. I want to dig a little bit deeper there and ask if you can maybe talk about the impact Android has had on humans in terms of the intentional evolution of its different features. Let's take digital wellbeing, for example.
Aditi Bhatnagar:
Yeah. So I mean, the time you spend with Android is actually pretty crazy, right? Like I think one of the things which has stayed with you almost all the time, and it actually became a concern in industrious that led to how do you restrict the time you spend, which kind of goes against the whole revenue model. If you think that it is based on attention economy, it goes against that, but still, it is a valid concern. And that is why you'll find like major tech leaders like Google itself, coming up with things like digital wellbeing. So essentially it's like a set of tools that you can use to regulate the time you spend on the device. So it gives you features like how much time do you spend on which app, right. And features like time spent watching YouTube, for example, or smoothing notifications, or there's a best time for just putting the mobile phone in grayscale mode.
Aditi Bhatnagar:
And you'll find that the relation behind all these features of just that you, as the person, is able to manage your time spent with technology in a much more efficient manner. And you're not just there scrolling or sitting around waiting for that next notification. In my opinion, I think it is a good initiative, but how useful it is, is still something that we need to figure out. Because when it comes to use cases like there's a clear-cut motivation to take care of mobile, or there's an inherent wait for intermittent rewards, or whatever. Like the next good thing on mobile that you can find, which makes you come back to your mobile phone. But then how often do you actually see that, hey, I spent this whole house on this app and this is not good. And maybe you'll see it once and we will see that twice.
Aditi Bhatnagar:
But then what happens, like if it is serving a need for you, you go back to the mobile phone and do it any day. So how useful it is, is another question that we can have debate on, but I think it's a good initiative overall and something which was needed at this point in time.
Kacy Zurkus:
And I think that question leads to a really important one about security and our need to really take a look at, not only Android but, all of these different technologies through a security lens. And I'd like you to maybe discuss a little bit how that ecosystem has evolved. Specifically, what kinds of threats are we seeing in the wild and what are some of the challenges that need to be addressed?
Aditi Bhatnagar:
Yes. From Android perspective, things get really interesting in the way that the market segmentation is like the number of versions of operating systems of Android which are out there being used by people.
Aditi Bhatnagar:
It is very diverse, not everyone is using Android 11, not everyone is on Android 10, right. People are still on Android 7, they're still on Android 8, and there are still open security loopholes in those operating systems that can only be banished if you upgrade, right. Or if you have at least enabled any sort of security updates. So the market segmentation of the operating system itself makes a very interesting point on how can you secure devices, or how secure is your own Android device? Another thing is that Android is not just Google. Like it's an open source system and so many people have adopted it. So many times, like manufacturers, they add their own custom OEM layers on top of it. Like it's not just pure vanilla Android, it's some layer on top of it. And even if Android is not one layer, you know, that layer might have some security issues that need to be fixed.
Aditi Bhatnagar:
Another thing is the security patches by the vendors themselves, like your mobile device, your Android device is not always supported for security patches. Most of the times, sometimes 10 years, like 3 years or 5 years, like up to the manufacturer, the support, if it stopped and after that, your device is just vulnerable. Right? So all those kinds of things are there, in Android, which makes it interesting that, okay, like how do you decide that your mobile phone is secure, right?
Aditi Bhatnagar:
Now talking about the Android threat landscape. It started in 2010 when we started seeing threats on Android in general and immediate active of side loading from arbitrary websites. And this is still true, like side loading is one of the major ways in which an APK, APK is basically an installable file, like your app. So that is called AP game and you download it and install it. So side loading that APK from arbitrary, that site is something which is a common thing, which leads to most of the threat. Because you can download a file, like you can download an app from Google Play Store, or you can side load it from some website or some other stores like, like that. So the thing is that you need to know from where you're downloading the APK, and that is one of the things we contribute to a lot of threats. And that was when we started seeing it in 2010. The immediate threats I was seeing was a Trojan.
Aditi Bhatnagar:
Now, in 5 years it can still like unsure if you so learn your hacker news or whenever you consume the news from you'll find it. And despite there being a news all the time, and it makes a really interesting case because Android being such a personalized device is five-year makes more sense. Like if someone was to. It's a Android mobile phone makes a perfect target for that because of the amount of information that it has about you. Right? And then if you move forward, company trends to 2011 and 2012, you'll see that again. And unless that keeps on evolving and from Trojans in five years and then ad-wares, right? And then that gets on increasing more and more to financial Trojans, which came around in 2014. And then it meant long like mobile banking ransomware and all that. So these have been particularly their financial Trojans, coin miners, phantom wares have been there.
Aditi Bhatnagar:
Recently, the major complaint I think is ad-wares, which is the app that shows you like a lot of ads and they try to own via that. So that is what it's happening, more or less. People are usually of the opinion that Android is like sandbox, no app talks to each other. So just kind of cool. There are not a lot of security tests, but there are, especially in terms of spyware and then from there, if you look around the apps that have been developed with just to spy on another person, right. Now they can be like the people who are interested can meet anyone. They can be better inclined to look after what they turned around, doing it, trying to inspire them, the student, they can be like spouses trying to spy on each other, can be government trying to spy on a potential threat to the national security, or they can be state sponsored hackers trying to spy on. So, and these have been a lot, either something that we have seen happening in increasing in the market right now.
Kacy Zurkus:
And so given the past number of threats and you know, that evolution of spyware, ad-ware, ransomware and the other threats that you mentioned, you know, the point that you make, that these devices have a lot of information about us. One thing I wanted to talk about in this conversation today is privacy. I'd love it if you could explain to our listeners the crucial role Android plays when it comes to data protection.
Aditi Bhatnagar:
So that is one of my existing like one of the things I find the most interesting about Android, which is the privacy aspect, the data aspect. Because Android has 2.8 billion active users, they keep on growing. That's the last I remember, but Android has so many active users that it makes sense. Like if you want to get data about people, I think Android becomes the best target for that.
Aditi Bhatnagar:
It has a global market shift and the 5% speaks of how much data are we talking about when we say Android site. It's not just technology, right? It is the most personalized device it can be for a human being. I look a real option for that. And for Android, I think the site and the sensors matters. So this is something we touched upon previously that it's the thing that stays with you, right? So it's not like if you have bought Android and if you talk about the time that you spend with that mobile phone. It is very significant. And we both show that people spend four to five hours on an average. And if you'd like sleeping with a device next to you, then it becomes 24 hours because it's, it's like an extended body part. It's no more like a gadget that you're using, like a laptop that you open and close that fixed amount of times, used a fixed amount of times, right?
Aditi Bhatnagar:
So it stays with you all the time. And the problem is that it's not just a device that is staying with you. It's a device which is full of receivers and sensors. It's going to see you sending those signals. It has to listen. It has a GPS to track location. It has a camera to see what you are seeing. It can integrate with other devices almost seamlessly. So it's not just Android, it's Android talking to other devices in your network, right. Focuses to capture and how you're interacting over the delays, a keyboard to capture whatever you're typing. It's like a common keyboard across all the apps that you use. And it has like a bunch of motion, position sensors, which help collect information through the activation physical position of the device, temperature, pressure, humidity, and whatnot. Like I remember writing a dummy app for Android just to see what all I can extract from the device without taking any permission from the user, and it was really interesting. Like the app can literally tell when you wake up next and that's because it can get the context of your alarm. When have you set the alarm. It can read, without any permissions, the last text that was there on the clipboard.
Aditi Bhatnagar:
Specifically might be in a use case like some app without information, it's reading everything that you are, you know, copy pasting. And you do it a lot. If you want to send a link from somewhere to your, some person in the chat, you'll just copy paste the link, you share your LinkedIn profile. And then that is copy pasted. And now some random app can just get it and it can associate that, okay, this is all the data that I collected, and this is the person I can attribute it to.
Aditi Bhatnagar:
So those kind of things were there and they were very interesting to see that kind of collection can easily happen. This is not an unknown problem. You can see that there's a lot of client-side collusion of information. And just like a lot of apps can collect information and things like permission re delegation come into picture. So what is that in common? And like a basic explanation of that would be one app takes permission to say, did your INI information and another optics permission to say, take your GPS location. Now you can have the control on the person wants to give it permission to do that or not, but the two apps can then interact with each other and then share that information as well. Right? How do you take that? How do you degrade that this is not happening? And the thing that easily happens the apps are built in the same libraries, right?
Aditi Bhatnagar:
So there are common libraries that you can use, especially if they're like ad libraries, they can collect a lot of information, also exchange it among the apps and collect all the information possible from any device and about you. So I see a problem to file there too, and that is there. And as we talked about spywares. Spywares are like the, they like the biggest kind of harm which can happen to any human being. If I read it and saw like they can track device location, they can get your nearby cell tower info, social media account passwords, the card, or use calls, you know, screen recording device, fingerprinting emails or whatever. So they can do a lot of stuff. In fact, there's a really fascinating thing in Android, which is called an accessibility service, and that allows the developer to see whatever you're doing on the screen, whatever comes on your screen, right?
Aditi Bhatnagar:
It can be screenshot, it can read whatever you are seeing so that it felt, and it came to capture all the events, all the actions that the user takes. So there are things like that they're meant for different things, a different purpose. They are meant for providing support to people who need support while reading or other things like not special needs, but they're often misused and not other used in malicious intent, like spywares or other, other thoughts. That is why I think privacy is like, it becomes really challenging problems when it comes to Android.
Kacy Zurkus:
And I don't even think it's exclusively Android, right? It's Linux, it's iOS, it's any of these operating systems that these apps can sit on and operate on and then communicate with each other. And given that it is this massive issue of data protection, how do privacy policies need to evolve? And what are some upcoming changes that will provide Android users with better privacy control?
Aditi Bhatnagar:
I mean a really good point on like, these things can happen on iOS as well. But I think the major difference that comes up is Android is like very open. People know how to mess with it because the code is there and a lot of knowledge out there, like even if a malicious person wants to create things, there are a lot of resources that they can find. I think it's just my personal opinion, but it's very difficult to do that for iOS and you can play around with Android a lot in that respect, just because it's very open. And it's very that little sliver out there. I'm not talking about the privacy policies, honestly Android 11, if you haven't checked out what improvements have been made it is having a look at what privacy things Android has introduced a lot of issues that have been there for years and they have done it well, I would say.
Aditi Bhatnagar:
So if you are on Android 11 and you start noticing that the permission model has changed. It gives you a good dollar box now that whether you want this permission to be always allow or just allow it only while using the app and things like that. So it gives you that level of control, which needs to be there for the user to decide on when can that app use information, which is regulated by permission site. Is it always? Are you getting my location always, even though I am not using your app? Or is it only when I'm using the app that you're getting information? Or is it like I give to permission every time I want to look the app? So those kind of controls having interviews, which becomes really good. Another thing is that scoped storage enforcement, which have happened because eventually, how does the storage work in Android, right?
Aditi Bhatnagar:
And what quality can be an app access. So that has happened and location genes have changed. The background location access has changed, then package facilities and other things which has changed, which is an interesting thing because previously any app can actually query work on the other apps which are sitting on your device site? It was just a simple call which you can make and can know that, okay, these are the apps which are sitting on the device and they're having a good papers around how those apps can also be used to profile the person. Right? Because if you're having apps like suppose some bank app, BBC dance using having the banks up, the likelihood that you're using that bank is very high. Like if you are having a dating app or some golfing app, like that kind of helps me understand what kind of building you are, what fees you might be in, what, what's your agenda, what's your country and those things like that.
Aditi Bhatnagar:
So a package with abilities, another thing which has been put beside a permission in Android 11, like not every app can query what are the other packages on Android? Those kind of things can happen and I am confident that we are moving the right direction and these are a good set of changes which have been introduced and I'm looking forward to the next version of Android and see what all comes up.
Kacy Zurkus:
And seeing what you can break. Aditi, this has been a really great conversation. Thank you so much. Before we wrap up, do you have any closing words for our listeners?
Aditi Bhatnagar:
Just thank you for listening. And it has been a pleasure to talk to you, Kacy. And to all the listeners watch out for Android to speed. I mean, a lot is happening and I'm sure that a lot of things need to be addressed, especially around data and privacy aspects of Android. So that is something that I'll definitely watch out for. And I'd be good if you do too.
Kacy Zurkus:
Yeah. And definitely we'd love to talk to you again as you see those important pieces of data privacy and data collection and protection evolving and changing, and anything that needs to be shared with our audience, we'd love to have another conversation with you. So thank you so much for joining us today. Listeners, thank you for tuning in. A reminder that here at RSAC we host podcasts twice a month and I encourage you to subscribe on SoundCloud, or your preferred podcast app, so you can be notified when new tracks are posted. Interested in being a guest on our podcast? Visit RSA conference.com forward slash become a contributor to learn more. Thank you.