Ah, and there we have it: another chapter in the discussion between open and closed when it comes to application stores. A phishing application, masquerading as a banking application from First Tech Credit Union, made its way onto the Android Market. It was removed quickly, but the damage is done.
It’s actually old news, as it dates back to December 22, 2009, but only recently did it get picked up by the web. First Tech Credit Union put a notice on their website, warning users of the fraudulent application, and noting that it had already been removed from the Android Market.
“We recently learned that a fraudster developed a rogue Android Smartphone app,” the bank warned, “It creates a shell of mobile banking apps that tries to gain access to a consumer’s financial information. Droid09 launched this phishing attack from the Android Marketplace and it’s since been removed.”
This is of course very interesting, especially since OSAlert has been harping on Apple’s restrictive application store model from pretty much day one. The Android Market is more open than Apple’s App Store, but as you can see, this has its downsides as well.
The key question here is what Google’s promises are regarding the Android Market. If you read the Terms of Service, you’ll see that Google neatly protects itself from any possible damages that might be caused by non-Google applications. “You agree that Google is not responsible for any Product on the Market that originates from a source other than Google,” the ToS states.
Apple’s Terms and Conditions for the App Store state something similar: “Apple is not responsible for that Third Party Product, the content therein, or any warranties or claims that you or any other party may have relating to that Third Party Product or your use of that Third Party Product.”
This means that despite all the talk of the Android Market or the App Store being a safe place to buy applications from, neither Apple nor Google is liable for any damages that third-party applications may cause. As such, the type of review process is moot when it comes to who is actually responsible: Android or App Store, Google and Apple are safe.
Still, the fact here is that a dangerous application made its way onto the Market, and that’s a very bad thing. Openness comes at a price, and while Apple’s review process may be problematic, it does ensure (at least, so far) that this doesn’t happen.
In the end, though, responsibility is always on the user’s shoulders. I agree with both Apple and Google that they are not responsible for third party applications, review process or no. It might be a good idea for both Google and Apple to place a little more stress on this particular aspect.
For my part, I view this as further proof that the “App Market” model, whether “open” or closed, is fundamentally flawed. It creates problems for developers, by forcing them to dance to the tune of some gatekeeper, and severing the direct interaction between software users and software creators; at the same time it gives users a false sense of safety by giving apps sold through such markets a veneer of legitimacy. With traditional computer software, coming from a multiplicity of sources, users have learned to think critically about whether a piece of software might be trustworthy or not (e.g. in the case of a banking client, is this coming from the bank’s website or not?), but in the case of these App Stores, all software is poured into one giant soup, associated with a credible source (Apple or Google) with the wave of a magic wand, and then consumers are left to fend for themselves.
Personally, I consider “App Stores” to be a huge step backwards for the distribution of software. Hopefully they’ll prove to be an aberration in the long run.
So one phishing app ended up on Google’s market.
Yeah it’s a great shame, I feel for the users and perhaps means Google might have to review their policy on accepting banking (and other related) apps.
However it’s hardly worse than expecting users to search the net looking for these apps themselves.
You state that users have learned to think critically – well I’d argue they haven’t:
* people still reply to those stupid scam e-mails (“I am a [insert minority nation] prince…”, “You have won the Mars colony lottery…”, etc)
* people still use Limewire and Bit-torrent to download software,
* and some people still don’t even run virus scanners!
And those that aren’t stupid enough to do any of the above (but still aren’t computer literate like us) still have to differentiate between fake web sites and real ones (where fake sites pretend to be authentic and offer apps to download but said apps contain spyware)
The internet is a bog of scams and malware.
So sometimes it takes a technical eye to tell the difference between ‘safe’ and ‘spyware’ when you’re after popular software.
So stating that millions of users are better off completely out on their own because one app slips through on Google’s market is a touch unfair.
Sure this will be embarrassing for Google and a PITA for their customers – but hopefully Google will learn from this and move on.
A “virus scanner” is, IMHO, one of the best examples of what a virus is: It makes your computer run slower, with more stupid questions about opening/doing everything, and still doesn’t guarantee anything.
So, no, I don’t run a virus scanner on my XP.
Then I’d suggest that you were perhaps running the wrong virus scanner previously.
<pedantic>
Also, virus scanners aren’t self replicating, so at most they’re trojans rather than viruses.
</pedantic>
From the base, I ran the worst OS :-).
And I’m talking about the antivirus I’ve seen over these years: in my institute, at work, and at friends’ homes.
And yes, maybe it’s more like a trojan, whatever; it would be funny to see a self-replicant antivirus.
Honest question: is there any current Windows AV software that ISN’T a cure worse than the disease?
I used to be a big AVG fan (and reseller), but they’ve been going steadily downhill – I finally uninstalled it from my laptop after the 300th or 400th time I had to kill avgsrx.exe because it was randomly jumping to 95% CPU utilization (not to mention the “link scanner” stupidity in recent versions). Avast has a decent reputation, but I couldn’t stand its interface – looks like something designed to be a prop in one of the CSI shows (and I nearly jumped out of my seat the first time I heard the “Virus definitions updated” audio file, thanks to having headphones on at the time).
I tried Microsoft Security Essentials on a few computers, but after a few weeks it started exhibiting the same behaviours as AVG (excessive, unexplained CPU utilization). And I’m not even going to start on Norton and McAfee (only 6891 characters left, after all).
I can find no fault with that classification.
From my personal experience Microsoft One Care is pretty decent in terms of user experience, I’m not so sure about how good it is though as an AV. It let one trojan slip and I had to lose one day to clean my box. I’m giving it another chance though, because I really like the OS integration.
AVG is pretty ok, but again, it let another trojan slip and I had to reinstall the OS.
Avast as you said has a dreadful interface.
I really don’t get it … why can’t the AV people use the standard OS widgets? Do people really think that if an AV looks fancier it works better?
Agreed. That was one of the things that initially drew me to AVG: it was one of the few AV apps with an interface that didn’t look like a Windows Media Player skin.
I can only guess that AV companies let their programmers do interface design.
Security Essentials from Microsoft. Try it out.
Been there, done that:
I’ve not really used Windows much in the last 3 or so years – but back when I did – I used to swear by Avast.
Sure the interface is awful, but I never really needed to load it up. I was just happy leaving the service running in the background as, unlike most AVs, Avast doesn’t have a large footprint.
So I never really needed to worry about the interface much, but I do fully agree that whoever designed that needs to be sacked hehehe.
It depends. Google handles the gatekeeper role pretty well; they do not enforce anything, but pull out an app quickly once there are reports of it being malware, etc.
And unlike Apple, Google does not force the developers into the app store; every Android phone allows installing third-party applications directly or from the web (checkbox “allow installations from unknown sources” in the settings).
So far I am pretty happy with the way Google handles everything.
Interesting argument. It would also mean that Linux application hives, or what the hell you call them these days, are also faulty, since in essence they are app stores or rather app warehouses.
I do agree that centralized installation pools have problems. I don’t, however, think that the issue raised in this news is the true problem. The bigger problem is finding anything on those. Look at Apple MarketPlace, which is filled with clone apps and hoax reviews, rendering it partly useless.
I think the major problem with the Android store is lack of control, something that this showed. Google should increase control and testing of applications. I still think the Android store is best compared to Nazi-Apple Store and Give all Money Microsoft MarketPlace.
I don’t think it’s as big a problem on Linux since the apps are open source (ie the package maintainers can go in and remove offending code should there be any).
But obviously, even open source is no guarantee as it’s impossible to check all of the source all of the time and furthermore Linux’s repository model wouldn’t work for the iPhone/Android et al as there’s a whole business around the sale of closed binaries on those platforms.
How does this relate to open source exactly? Like Apple couldn’t go in and remove offending code should there be any. And like Apple, open source “vendors” are not liable, nor claiming to be, to possible “bad software” (malware, software with critical security vulnerabilities, etc.) possibly distributed via their channels.
It is about centralized control, which in my opinion is a good thing. And when you remove the jargon and look this from more theoretical point, open source “repositories” and commercial “app stores” are pretty much the same thing.
You’ve blown my comment out of proportion. It wasn’t an attack on Apple nor anyone else.
I’m just stating that in Linux a lot of bugs are captured when the distro devs are packaging for their repositories (as it’s not usually as simple as just adding a file to their catalogue).
So to debug them, they have to go in and amend the source code.
Hence why I suggested that malware could potentially be picked up there too.
The reason I state that this doesn’t apply to Apple is simply because (AFAIK) their iPhone app store just receives binaries that they approve or deny.
So if there’s malware – they can’t amend the binary. They can only decline it.
But obviously the iPhone’s business model is different, hence why I couldn’t see Linux style repositories working on the iPhone (else Google wouldn’t have gone down the closed source option as well with their Android app store)
I’m not trying to state that either business model is better nor that Linux will catch all malware (just that there’s a potential for Linux to capture some before it hits the users much like how Apple strictly test their 3rd party iPhone apps before publishing them)
I 100% agree and I never, at any point, claimed otherwise.
In fact, all of the points I’ve made re repositories have stated just this (though sometimes more inferred than literally stated)
Only the more literate users have learned to think critically in this way. If it were the case that ALL users were actually paying attention to what they were installing instead of just double clicking on ‘angelina_jolie_nude.jpg.exe’, Windows would be the most secure OS on the market
We need BOTH trusted and open app markets.
A bit like Linux package repositories … “fully tested for 2 years”, and “untrusted cutting edge, edge of legal media codecs and players for linux”
Then it’s up to you, the customer, to choose your appetite for risk.
I’m 90 % happy with what Apple are doing. It’s just the haphazard application of their methodology that fails to ensure quality and/or adherence. Even then, they refunded the money to those who bought the “I’m Rich” application and have after the fact removed one developer’s over 1000 applications from the catalogue due to copying.
Someone has to watch the gate, even if it’s a magazine editor reviewing the software. As has been said, people fall for scams all the time and many people know as little about technology as possible.
It would be nice to have the company responsible for the platform watching, along with trusted, impartial users checking software before the general public uses it. That way, the rules are applied in a consistent way and larger development companies aren’t given special treatment.