Cheap clone Android tablets of the sort that crowd the shelves of many bricks-and-mortar US stores are often riddled with dangerous but hidden security flaws, a test by Bluebox Security has found.
The firm’s motivation for carrying out the test of a dozen popular tablets was to advertise the capabilities of its own Trustable assessment tool, but what it found suggests there is still plenty to worry about.
The problem, of course, is that tablet reviews rarely mention security beyond what comes with Android itself because it's hard to know what's going on at a low level. And yet there are many places where it can fall down badly without the user or buyer realising.
The first, unexpected finding was that having a more recent version of Android isn't necessarily a reliable indication of how secure a tablet is. Sure enough, the top-scoring tablet was the brand new HTC Nexus 9 running Android 5.0, yet the second-best performer was Samsung’s $100 Galaxy Tab 3 Lite, which scored a creditable 8.6 out of a maximum of ten despite running the aging 4.2.2.
This beat not only the other five tablets running the same version by some distance, but also five others running later versions such as 4.4.2. The DigiLand sold by Best Buy was apparently running 4.4.0 but was so poor that it was given no score at all.
Caveat emptor: within the bulk of tablets, the Android version is only a vague indicator of security – the brand and underlying engineering competence are more important.
The full field of tablets is represented in this table (apologies for the size) with their scores and sellers such as Walmart, Staples, Kmart, Fred's, Walgreens, Kohl's, BestBuy and Target. Some of these tablets are unbelievably cheap. For instance the Kmart and Staples’ tablets will set consumers back a ludicrous $40 (£30) while several others can be bought for $50. What can people possibly expect for such small sums?
DigiLand’s poor device suggests not a lot. Its makers had opened it up to potential Trojan attack by signing firmware with an Android Open Source Project (AOSP) test key, while the USB debugging port was running with root privileges. It was also vulnerable to one significant flaw, the Futex vulnerability, although it’s fair to point out that it is not alone in that.
Many others manifested similar engineering weaknesses, a common issue being that third-party app downloads were enabled by default. Allowing third-party app stores automatically lowers security protection, not least because it makes it possible for dodgy apps that get on to the device to call secondary downloads.
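The build-level weaknesses described above (test-key signing, a root-privileged debugging port, third-party installs enabled by default) can be checked on a device you own from its system properties. The following is an added example, not Bluebox's Trustable tool or code from the original article; it assumes text captured from `adb shell getprop`, the sample dump and finding names are constructed, and the `install_non_market_apps` value is passed in separately because the settings namespace that holds it differs between Android versions.

```python
import re

# Constructed sample of `adb shell getprop` output (not taken from any tested tablet).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [4.4.0]
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
"""

# Constructed sample of a production-style build for comparison.
SAMPLE_RELEASE = """\
[ro.build.version.release]: [5.0]
[ro.build.tags]: [release-keys]
[ro.secure]: [1]
[ro.debuggable]: [0]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props, install_non_market_apps=None):
    """Return finding ids (hypothetical names) for the weaknesses the article lists."""
    findings = []
    # A build tagged test-keys was signed with the publicly known AOSP test key.
    if "test-keys" in props.get("ro.build.tags", "").split(","):
        findings.append("firmware-test-keys")
    # ro.secure=0 leaves adbd running as root; adbd treats a missing value as 1.
    if props.get("ro.secure", "1") == "0":
        findings.append("adbd-runs-as-root")
    elif props.get("ro.debuggable") == "1":
        findings.append("adb-root-available")
    # "1" means installs from outside the official store are allowed.
    if install_non_market_apps == "1":
        findings.append("unknown-sources-enabled")
    return findings

if __name__ == "__main__":
    print(audit(parse_getprop(SAMPLE_GETPROP), install_non_market_apps="1"))
    print(audit(parse_getprop(SAMPLE_RELEASE), install_non_market_apps="0"))
```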
Perhaps worst of all, some came with pre-loaded apps that security programs defined as potentially intrusive for their collection of data.
“Be aware that not all devices are security equals. Bluebox Labs routinely sees a lot of below-average security for bargain Android devices,” said Bluebox’s researchers.
“We recommend that you avoid conducting online banking, making purchases or storing sensitive data on these devices – if you do, you will be putting your data at risk.”
Android smartphone and tablet users can test their own devices against Bluebox by downloading the free app from Google Play. If you happen to own one of the devices mentioned above, prepare to be shocked.