“What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011.” A study by The Global Threat Center over at Juniper Networks details mobile attacks that are increasing both in numbers and sophistication. This contrasts to the iPhone, more secure in part due to Apple’s proprietary hold over the platform through its review process.
https://plus.google.com/114765095157367281222/posts/ZqPvFwdDLPv
Funny that most people have problems by installing all the junk there is out there, sometimes even outside the market without researching what they are installing.
As always the problem is the users.
Yup, you can’t protect some people from their ignorance and stupidity.
moondevil,
“Funny that most people have problems by installing all the junk there is out there, sometimes even outside the market without researching what they are installing.
As always the problem is the users.”
That’s inherently true, but I think you’ll agree it’s not helpful. Typical users have no way of knowing the good from the bad.
I don’t actually know much about the Android app store acceptance policies. But I think Google should have two repositories, one that is certified/vetted/tested and another one that is more relaxed/less tested. This way, people who want to stray from the certified apps can do so easily, but do so at their own risk.
Stick to the Android Market – as 99% of users do – and there is no virus problem. It’s just your typical FUD.
Thom Holwerda,
“Stick to the Android Market – as 99% of users do – and there is no virus problem. It’s just your typical FUD.”
The article gives the impression that the malware was found in the respective app stores.
Having reviewed vs. untested repositories would at least help users make more informed choices, IMO. And it wouldn’t have to impose a totalitarian grip à la Apple.
I have a business idea for you right here: open an app shop, guarantee malware screening and take a little fee, e.g. $1/month. Considering how popular subscription AVs are on MS Windows, I think that could work. You can thank me later.
Thom…
http://blog.trendmicro.com/droiddreamlight-variant-pretends-to-mana…
That was on the official Android market and it’s not the only time it happened.
I am not saying that Google should make rooting tougher (it should be easier, it would help with debugging NDK code), or that it should not be possible to have other markets, etc…
I am saying that paying more attention to their own store could help. I do not think that they have the will to dedicate enough resources to policing it a bit more Apple-style without producing huge delays between submission and publication. The sense of Android being an understaffed and underfunded project (I do not know why Google is treating such a cash cow like this) is still there… especially when I visit the Tools page.
Edited 2011-11-21 10:31 UTC
I would argue that even this sort of rigidity isn’t necessary. Even on my Windows partitions, I cannot remember the last time I encountered a virus on my machine; it’s been many, many years. And it’s not like all the applications installed came from a closed, heavily-regulated distribution channel.
The key is I don’t install software from sources I don’t trust. I don’t go installing cracked commercial software from warez sites (surely a person who distributes cracked software wouldn’t possibly pull anything shady). I don’t go installing some random software from http://www.free-software-really-good-stuff-free-free-free.com.org.net.ru. I don’t go blindly installing some software my friend who purports to be “computer savvy” tells me I have to try without doing a little research, and I sure as hell don’t let ANYONE go installing stuff on my machines.
If I install GIMP, Ardour, LibreOffice, etc., I don’t go grabbing a binary from some strange corner of the Internet. I get it from the repo of a well-established software distribution, or I go directly to the source itself.
It’s all about common sense. Even if an app store claims to have thorough, strict review policies, take a long, hard look at what you’re about to install. Does it have plenty of history behind it? How many people are using it, and what are their experiences? Who makes it: do you know them? What does the app say it needs access to; can you figure out a good justification they might have for needing those permissions? These questions might not save you every time, but it will definitely reduce the risk by an enormous factor.
Critical thinking: it’s the bee’s knees.
sparkyERTW,
“The key is I don’t install software from sources I don’t trust….”
You are trusting software based on WHO is providing it rather than on what the software DOES. This shouldn’t be the primary goal of platform security. Keep in mind this is exactly how ActiveX worked, and that was a nightmare. Now one could argue that it’s the user’s fault for installing controls from “untrusted sources”, but what reasonable approach can a normal user take to determine the trustworthiness of a website running a technology that was meant to be ubiquitous?
The other issue is that even trustworthy sources can contain exploits and rootkits.
Clearly identity based solutions aren’t a good substitute for good sandbox designs. You generally can run java/javascript from any arbitrary website using a recent web browser with fair confidence that it can’t take over your machine.
We should take some responsibility by making operating systems that can securely contain nefarious apps.
I don’t disagree with a single one of these points. My aim was simply to point out that taking a critical eye to your source can go a long way to safeguarding yourself (which of course is not foolproof, as you point out, and shouldn’t be relied on exclusively). Likewise, while sandboxes are excellent at providing security, they should not be blindly thought of as 100% secure (which I don’t think Tom was suggesting either, but it’s worth saying).
In short: trust nothing, question everything
Users are only half the problem, an insecure OS is the other half. If this article were about Windows malware, there would be a line around the building pointing that out. But since it’s about Android, people are conveniently ignoring the fact.
The irony is that Android, which is supposed to be so great, is totally insecure, while Windows, which is supposed to be insecure, is rock solid these days.
*chuckle*
From a security standpoint, I would even trust the Microsoft of the 90s more than an OS vendor who bans security researchers from its platform.
Remember all the silly vulnerabilities that Windows encountered in those days? Root access from the web browser, WMF images, or even office documents (through macros)? Well, imagine the kind of impact they would have had if they were never publicly known.
People have managed to jailbreak iOS, which implies running arbitrary code as root, using stuff as silly as a PDF file. That says something about the security of the platform, and that’s only the disclosed tip of the vulnerability iceberg.
Oh, well, but having unqualified Apple employees run software for five minutes to check that it apparently works as advertised is perfectly secure, right?
Truth is, all current mobile OSs are blatantly insecure, and not to be trusted for any secret information storage unless vendors realize that putting a touchscreen on a computer does not void the need for a solid security infrastructure.
Edited 2011-11-21 17:16 UTC
Funny – I submitted this – Only to have it being removed. Now it shows up here. Odd.
I think the argument “it’s not the model that’s broken, it’s the users that are stupid” is quite a non-argument for arguing there isn’t a problem. It’s the typical techno-enthusiast/zealot argumentation, blaming someone else and sticking one’s head in the sand. This attitude never solves anything.
Ignoring that a certain security model is not effective relative to its user base – isn’t every adequate security model relative to its intended application after all… – isn’t a good way forward in making sure devices are safe to use. Not fixing this where it matters will just lead to half-baked band-aid solutions that render smartphones as overcomplicated and inconvenient to use as their desktop PC counterparts.
Android phones are mass market. You can’t reasonably expect every user to come to grips with all security aspects of something as commoditized as a phone. Doing so shovels a lot of the complexity and worrying into the users’ hands, while technology is meant as an extension of the abilities of humans and thus should be safe to use and as maintenance-free as possible. When technology fails at doing so, it merely ends up as another item to worry about in people’s lives, and I think users deserve better than having to worry about their devices.
If there is anything to learn from the PC market, we know now you can’t leave it up to the user to make a malware-free platform happen. The millions of PC drones testify to this each day when they are used for internet scams and spam runs. Even Microsoft is constantly trying to fix Windows’ broken legacy model with new ways, so why Android insists on using a broken one, in a new and emerging platform, is beyond me.