Security Things About Android Things

Today, Google released a developer preview of Android Things. Android Things, roughly speaking, is “usually-headless Android”, designed to run on embedded hardware, with an eye towards “the Internet of Things” (IoT) use cases. There have been many developers over the years attempting to do this sort of thing using stock Android, and so I would imagine that Android Things will have reasonable success.

However, in the security space, the most polite term for IoT seems to be “the Internet of Really Insecure Things”. Names go downhill rapidly from there, frequently involving profanity.

This is not an idle concern. The Mirai botnet is powered by IoT devices and took down chunks of the Internet earlier this year through an attack on Dyn’s DNS servers. Mirai is not alone in exploiting poorly-secured IoT devices, and I expect that Dyn-caliber attacks will become all too common.

With Android Things, now you get to add to the Internet of Really Insecure Things.

IoT devices usually need some sort of a control interface, so owners can tell the devices what to do and how to behave. Sometimes, those control interfaces will be purely local (e.g., Bluetooth via an app on a phone or tablet). Sometimes, you will want those control interfaces to be over the Internet, or at least over a local network. In those cases, sometimes you will tie into an existing framework, such as Google’s proprietary Weave, and sometimes you will try to roll your own.

We rarely host control interfaces, such as embedded Web servers, on phones and tablets, which is why this concern has not been at the forefront of security issues for Android app developers.

If you elect to roll your own network-based control interface:

  • You and your organization need to take security very, very seriously

  • You and your organization need a good legal defense fund, in case you fail in your attempt to secure that control interface

Android Things offers a lot of promise to make IoT development easier. That is a double-edged sword, as “easier” all too often means “sloppier” in software development. Sloppy UIs, sloppy threading, and sloppy storage may make users unhappy. Sloppy IoT security, like pollution, is what economists call an “externality”, where the costs of sloppiness are paid by society. Where there are externalities, lawsuits and regulation follow, as society pushes back against the sloppiness.

Make security a priority in your Android Things projects. Please.