How Google and Android Users Can Make Secure Mobile Market
Android has a lot going for it, but as the last week has shown its approach to selling and distributing applications is going to need some improvement. Ever since launching Android in 2007, Google has gone out of its way to making the mobile operating system the most accessible and app-friendly in the industry.
One way it has tried to do this has been in taking an "anything goes" approach to screening applications for sale on its Android Market. Basically, Google itself doesn't screen any of the apps that go up on its store but rather relies on users to flag potentially malicious apps so they can be removed after they've already posted on the store.
ROUNDUP: 8 must-have Android security apps
While this has led to a wide array of different apps available on the market, it has also predictably created some serious security issues. The most high-profile problem came last week when Google removed around 50 applications from the Android Market that contained malicious code. With so many Android users exposed to risks, is it time for Google to change how it approves and monitors applications on its market?
Scott Webster, the editor in chief for the popular Android Guys blog, says he'd like to see some upgrades to security on the market. "I would love to see them perhaps partner with a company like Lookout, ACG [or] McAfee and have a cleansing process," he says. "Perhaps a slight delay while the app gets approved and scrubbed ahead of hitting the market."
Webster also thinks that after a certain amount of time, Google could create a "white list" for certain developers who have shown to be reliable and whose apps have been entirely free of malware. Developers on this list would then be exempt from any waiting period to get their apps online and could go about their business just as they did before the DroidDream malware struck.
Aaron Gingrich, a writer at Android Police whose article on DroidDream was the first big piece to bring attention to the malware, thinks that it's time for Google to "come up with some sort of high-quality detection algorithm ... that looks for certain clues that an app may be malicious." While he says this will take some additional effort on Google's part, it's nothing compared to the effort put into cleaning up malicious applications after they've already been downloaded by thousands of users.
"Apps that show signs could ... be manually reviewed by somebody who knows what to look for," says Gingrich. "It sounds labor intensive, but when we found DroidDream, it took our developer about 10 minutes total to figure out what the virus was doing. And the better the detection, the less code will have to be reviewed by a person."
But even if Google implements these sorts of suggestions, users still won't be entirely protected from malicious apps. Khoi Nguyen, the group product manager with Symantec's Mobile Security Group, says that IT departments that have adopted Android-based smartphones or tablets should go out of their way to educate their users about the do's and don'ts of buying and installing applications on their mobile devices. The most important thing any users should do when downloading an application, he says, is to closely examine what permissions it is seeking.
"The privileges an app is requiring should be appropriate for its function," explains Nguyen. "So if you're downloading a wallpaper app, that shouldn't have access to your contact information or your location. That's an important part of the security process."
Nguyen says that users should also be encouraged to wade through the reviews written by other users on the Android Market to determine whether or not the application is trustworthy. He also thinks IT departments should utilize mobile security software that will let them prevent users from downloading any third-party applications unless those apps are specifically approved for use by the enterprise.
Adam Powers, the CTO of network security and monitoring firm Lancope, also thinks that end users need to be vigilant to avoid getting malware installed on their devices. In particular, he recommends not installing an application unless it's been downloaded more than 10,000 times and has received at least 100 reviews and comments from users on the Android Market. And like Nguyen, he says that users really need to read through an application's requested permissions before installing it.
"An excellent example of a suspicious app ... is 'Binary Calculator' by author 'John Anderson,'" he explains. "This app showed up on the Android Marketplace today ... has zero reviews and less than 50 downloads. The app's feature description is poorly written and just screams of potential malware. Why would a binary calculator app need to modify or delete SD card contents? Why would this app need to read or write contact data? This app asks for far more permissions than it needs and should be avoided."
Read more about anti-malware in Network World's Anti-malware section.