Oxymoron of the day: Amusing ringtones - Evil Doc Spinola
|
|
|
Android security is in question after malware surge
SOFTWARE DEVELOPER Google has been caught out by lax security design in its Android operating system as highly aggressive malware has been discovered on the Android Market.
At least 21 applications were found to have malware that rooted Android devices without the user's consent, sent IMEI and IMSI numbers, product IDs, model, partner, language, country and user IDs. Most worrying of all was the ability for the rogue applications to download code and run it.
Google has since removed the offending applications from the Android Market, but only after they had been downloaded 50,000 to 250,000 times in the past four days. Google also automatically removed the offending applications from Android devices remotely, however given that the applications can download code, there's no word on whether Google can completely remove that downloaded malware remotely.
The ability to 'sideload' code is an embarrassment for Google and that makes a mockery of its so-called sandboxing of Android applications that run as byte-code under its Dalvik regime, which Google claims is similar to but not derived from Java.
Given that the firm does not pre-approve applications prior to their appearance on the Android Market, a move that Google says encourages innovation, the onus is on Google to make sure that Android's internal security is up to scratch. But, with the discovery of these Android malware applications, the giant search engine, ad broker and software development firm has seemingly failed both spectacularly and catastrophically.
Since Android applications are able to gain root, or administrator, access to Android devices, steal information and even remotely download and execute code without explicit user authorisation, Google might well have to step back and reassess its security architecture for its Android mobile operating system. At the very least, it might have to implement further precautions if it wants to keep its rapidly expanding Android operating system secure, along with its reputation for providing reliable, safe software.
Such vulnerabilities will not only put Android in a very bad light but they will encourage users to choose closed, proprietary software, such as that deployed by Apple and even Microsoft. While Google's open attitude toward Android is commendable, it must realise that as the number of Android devices grows, it will become a target for malware coders. It should also acknowledge that it should have designed appropriate security safeguards for users into its Android operating system from the very outset, that not to have done so was a grave security failure, and that it needs to redress and resolve that if it hopes to deserve the trust of its users.
Developers and users will have to wait and see what steps Google will take in order to secure its Android operating system against similar attacks.
Google was unavailable for comment at press time. µ
Tags: Google
Share this:
Share
Given that Apple probably removes about 10 times as many apps from its store as Google does, makes you wonder which group of users needs more protecting from their developers...
The security of any device is really dependent on the good judgement of its owner to be wise when selecting which apps to install. This is a tough balance between usability and security and why I don't believe online banking should be conducted on devices that are not tightly controlled.
For some additional recommendations on Android Security settings not directly related to app choice check out this link: http://informationsecurityhq.com/android-security/
What about the operators? How thrilled will they be when some malware runs up thousands on someone's account and then they refuse to pay/attempt to terminate the contract?
If I have a pocket computer that also does phone calls, then I want to be able to do some simple development on that device and generally have control of the machine.
If I am an end user buying some app, then I want to have confidence that it is not malware.
If I want to run some freebie app, then I'm going to be a lot happier building from source etc.
No system will ever be completely secure, but I would say any freebie should be distributed as source and any paid for app should be checked, just like Apple do.
"The apps in question here were OKed by the users who installed"
This is actually a "safety" mechanism put in place by Google. Users can "OK" an app. The reasoning behind this is that if some users download an app and find it OK, then it should be good.
The problem is that, a clever malware author can create multiple google accounts, and then use a rooted phone (because unrooted-stock phones don't allow you to log in and log out to different google accounts) to download the app from each account an then "OK" it. In other words approve his own app!
So, this makes users even more vulnerable, because they think the app has been "approved" by someone. Add in the fact that it comes from an app store owned by a reliable company (Google) and they won't think it twice.
The fact that most users aren't computer skilly enough to tell if something is spyware, and you 've got an IE6-esque security thread waiting.
tl;dr Google App Store is turning into BrotherSoft For Mobiles
I can't believe people still use this excuse to say that the spy ware is OK:
"The apps in question here were OKed by the users who installed"
There is no flag beside the program in the market telling it is spy-ware.
In fact they do everything to make sure you will think that it is safe.
So stop using that excuse it makes you look stupid or look like marketing boy of Android.
Whatever the free software advocates say, Google's decision to have a free-for-all appstore (everyone can set up some multiple accounts and with the help of a rooted phone approve his own app) isn't working to the benefit of the user (and no, i won't pretend to care about the benefit of the developer).
The reason app stores get a cut from every sale is because they are supposed to review every app and see if it's malicious, otherwise there would be not reason to take that cut.
And don't try to blame this on the users. I can see why users downloading apps from the wild wild web are stupid, but the reason an appstore exists is because it's supposed to be a controlled environment. People see an appstore, and they expect it to have pre-reviewed apps. They don't care the slightest bit about Google's policies, and how they try to recoup the cost of making Android by taking a cut from every sale on the appstore (yes, Google takes a cut from every app sale), but don't do any app audit.
PS: None of Apple store's "malicious" apps were actually malicious, just useless.
Unfortunately, Morely, your comments aren't true. Apple, for a long time, was the *only* purveyor of software that could be downloadable for phones, and was thus should have been the #1 de facto target for malware.
Yet, while malware did happen, it was very, very, very small.
The argument from Windows proponents against the Mac is that the Mac is no more secure and it is only due to Windows wide acceptance that viruses are written for it. Android is repeating this line, yet completely failing to take into account the very small amount of actual viruses and malware that happened.
This was because of curation. Curation is a good thing.
And if you are so stupid as to believe that curation is a bad thing because Apple takes 30% of the revenue, please realize that this 30% is actually an industry "standard". If you are developing a Mac application or a Windows application, and use a service like "eSellerate" or "kagi" to provide licensing such that your app isn't stolen, YOU GIVE THEM UP TO 30%!
What Apple is doing is no more or less EVIL than what any other licensing company does. So using it as a sledgehammer to promote "open" access is just ignorant.
Yes, it would be better for developers if Apple charged 25%, or 20%, or 10%, or 5%, but what they are doing isn't some kind of money grab. I tis how software publishing works.
Android is a friggin' disaster. "Open" is only true in the vaguest of sense. It is "open" because Google itself doesn't view Android as a way to generate revenue for itself. Does Google open up its "page rank" algorithms? Of course not. That is closed because it is how they make money.
Lawrence, you can have either a totally-open OS design that allows anyone to publish apps for the OS (like Windows) or a totally-closed OS that requires developers to submit to a rigorous and expensive app review before the OS owner graciously allows the app to be published in the single-point-of-failure store (for a nice 30% cut of gross sales), like Apple's iOS.
The apps in question here were OKed by the users who installed them and sandboxing would not have prevented them from doing that.
Furthermore, there have been credible reports of malicious software in the Apple store as far back as early February, 2010.
This is not a Google nor Android problem; it's a problem with idiot users on *any* platform.
...and see the need for a secure sandbox. I really can't imagine a reason against it.
Would a Ford/Chevy/Dodge/etc fanboi argue against seatbelts?