Smartphone, Wireless, and Mobile Technologies Forum

    
"Google does not vet Android applications"
Security Researcher States Android Market Poses "security risk"
martinibuster

Msg#: 4058679 posted 10:34 pm on Jan 11, 2010 (gmt 0)

Reported by ComputerWorld [computerworld.com],

BayPort Credit Union of Newport News, Va., posted its alert ... "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users' financial information," said BayPort's warning.

Several banks reported on December 15th of possible malware apps that were stealing customer account information. Researchers could not confirm the reports since the applications were withdrawn before they could be tested, but they warn that the way Google runs the store allows the possibility for the spread of malevolent Android applications.

Unlike Apple... Google does not vet Android applications that appear in its online store. That's a security risk, said Hypponen, but he urged users not to overreact.

 

incrediBILL

Msg#: 4058679 posted 10:53 pm on Jan 11, 2010 (gmt 0)

Why would anyone get a mobile banking application that didn't come directly from their bank?

IMO this isn't a Google vetting situation as much as it is a PAS (People Are Stupid) situation because you should always verify the source of any financial application (bank, tax, stock) that shows up in a download database and follow the source to their download link, not anyone else's.

However, Google needs to take some heat here along with some negligent liability because they created the free-for-all un-vetted environment with the brand name people trust, Google. Then they linked this peril ridden environment to Sprint, Verizon, T-Mobile, etc. and should worry that their various partners don't sue them for allowing their customers to be so easily deceived.

Back to P.A.S., why aren't they just using the browser to access their bank online just like the rest of us instead of looking for apps?

creative craig

Msg#: 4058679 posted 11:02 pm on Jan 11, 2010 (gmt 0)

Apps are the latest thing and as you say, with a big brand logo such as Google's being shown most people would think they are 100% safe.

I would expect more of these reports until apps are checked before going live.

mack

Msg#: 4058679 posted 2:19 am on Jan 12, 2010 (gmt 0)

I think there is huge scope for the bad guys at the Android market. I don't see it being hard to get user IDs and passwords, even Google account information, simply by getting the app to request it.

There is a disclaimer, but does anyone read it?

I agree with Craig, and would go as far as saying people probably think the apps are from Google.

Mack.

vincevincevince

Msg#: 4058679 posted 11:44 am on Jan 12, 2010 (gmt 0)

Caveat emptor? Nevertheless, the responsibility for security falls on the banks as well. All these packages will have unique footprints as they access the bank, a footprint which can and should be blocked by the bank.

Seb7

Msg#: 4058679 posted 2:12 pm on Jan 12, 2010 (gmt 0)

I think there is huge scope for the bad guys at the Android market

Yep, I'm just waiting for that to happen. I think the all good market will go bad if left un-vetted. Just a matter of time.

J_RaD

Msg#: 4058679 posted 2:44 pm on Jan 12, 2010 (gmt 0)

as much as it is a PAS (People Are Stupid) situation because you should always verify the source of any financial application (bank, tax, stock) that shows up in a download database and follow the source to their download link, not anyone else's.

Those are the same kind of people that purchase an Apple computer because someone else told them Macs don't get viruses.

Philosopher

Msg#: 4058679 posted 3:38 pm on Jan 12, 2010 (gmt 0)

a footprint which can and should be blocked by the bank

Wrong... these apps would never hit the bank, therefore there is nothing the banks can do except warn their customers against using them.

Similar to a regular phishing page, the apps would simply be set up to look like their bank. Once people enter their login information, the apps would most likely just give them a message along the lines of "sorry, can't access mobile banking at this time... please try again later" or similar.

Sierra_Dad

Msg#: 4058679 posted 6:09 pm on Jan 12, 2010 (gmt 0)

Unlike Apple... Google does not vet Android applications that appear in its online store. That's a security risk, said Hypponen, but he urged users not to overreact

Yes, please don't overreact. We don't need Google micromanaging what goes into the market. Then any good idea that Google didn't think of first will suddenly become a "security risk".

It would be sufficient to get strong verification of the identity of sellers in the market. Then if one of them is a malicious hacker, there is plenty of evidence to put them in jail.

eBay doesn't vet its products either. It doesn't even enforce its own guidelines until someone complains, or the item gets mentioned on CNN. But they are quick to turn any information over to law enforcement just for the asking.

martinibuster

Msg#: 4058679 posted 6:30 pm on Jan 12, 2010 (gmt 0)

eBay doesn't vet its products either.

Let's compare apples to apples. ;)
Download.com tests every software product for malware and spyware. Google tests websites for malware and trojans before listing them on their SERPs and puts a warning screen up before letting you visit the site.

It makes sense to control the quality of apps offered for the Android set because the user experience is at stake.

Sierra_Dad

Msg#: 4058679 posted 9:32 pm on Jan 12, 2010 (gmt 0)

Let's compare apples to apples.
Download.com tests every software product for malware and spyware. Google tests websites for malware and trojans before listing them on their SERPs and puts a warning screen up before letting you visit the site.

Fair enough. Would Download.com's process catch these kinds of apps? I'm not sure they would show up in a scan.

Knowing Google, they won't want to do this unless it can be automated. (A false positive would probably ban you from the market, AdSense, and AdWords for life with no explanation ;).)

And is the manual review done for the App Store catching these things? That is certainly implied.

And looking at the entire article, it's not even a sure thing that any phishing happened. And yet on the slightest suspicion, Google pulled more than 50 apps from one developer.

FWIW, I think Google should take steps to protect users. But I believe that they are taking the *WRONG* steps in this case. If their procedure for vetting an application is "pull it if it causes us any bad PR", and "destroy all copies so no one can figure it out if it was actually bad", then I don't think that's doing the job.

09Droid could be the true victim for all that anyone knows now.

martinibuster

Msg#: 4058679 posted 9:49 pm on Jan 12, 2010 (gmt 0)

CNet's download.com software policy is here [cnet.com]. It inspires confidence and trust.

...we prohibit certain types of software and we require that publishers conduct business according to certain standards. We expect publishers to comply with these Software Policies and the spirit of our mission statement.... We test all software products submitted to us against a comprehensive set of criteria. In addition to screening for common viruses and spyware, we also look for other threats that might interfere with our users' security, privacy, and control. We consider publisher Web sites, publisher conduct, and our own experience with a particular product.

It's a comprehensive policy covering activities on the publisher's website, the ability to uninstall the software, the EULA, and will even disapprove a software program if there are other versions of the same software available elsewhere that do not meet their criteria.

I'm shocked there isn't a process for evaluating the software. It's an oversight that carries negative customer experience and PR consequences.

mack

Msg#: 4058679 posted 10:15 pm on Jan 12, 2010 (gmt 0)

If you uninstall an Android application you have the option to report the app as malicious. Let's be honest though, by then it's probably too late. I just hope someone follows up on these reports.

Mack.

Sierra_Dad

Msg#: 4058679 posted 10:23 pm on Jan 12, 2010 (gmt 0)

CNET's process would probably catch it then, based on that information.

I found some of my software on there, so they must have good stuff ;) Only possible complaint is that it has outdated information that was poorly scraped from another site's listing, but knowing Handango, that could be a problem with their feed.

It would be better to have a process than to pull things based on a possibly unfounded complaint.

It would damage the developer community, though, to have either the perception or reality that Google rejects apps just because they feel like it.

Hugene

Msg#: 4058679 posted 6:47 pm on Jan 13, 2010 (gmt 0)

Programs on PCs were never vetted and could always come from anywhere.

Are people getting dumber or what? Why all of a sudden do apps need to be vetted? Nobody vetted Win or Dos apps.

I believe apps shouldn't be vetted, and I also believe that if it comes to courts, there is no responsibility on G side for malicious apps.

If there was, M$ would have been gone for 20 years now.

incrediBILL

Msg#: 4058679 posted 7:00 pm on Jan 13, 2010 (gmt 0)

Programs on PCs were never vetted and could always come from anywhere.

That's not even close to being true.

When you bought from MS, Lotus, Adobe, etc. you were always getting QA tested and vetted software.

I believe apps shouldn't be vetted, and I also believe that if it comes to courts, there is no responsibility on G side for malicious apps.

Wrong, oh so wrong.

If Google is allowing the apps to go into their "marketplace" then Google needs to verify they aren't a virus or phishing app at a minimum.

If Google doesn't do this, all the individual cell phone carriers will have to do it because they're presenting this as a safe to use commercial product.

Besides, if you think G has no responsibility for malicious apps then why does G now block you from visiting malicious web pages since they obviously have no responsibility for web sites being hacked.

You can't have it both ways.

Sierra_Dad

Msg#: 4058679 posted 7:17 pm on Jan 13, 2010 (gmt 0)

When you bought from MS, Lotus, Adobe, etc. you were always getting QA tested and vetted software.

That's not quite the same thing. When you got software developed by Microsoft, you had Microsoft's word that it was trusted by Microsoft, not a third party or publisher. I'm sure Droid09 would be happy to tell the market that he checked his own software and deemed it fit for the market.

Back in the days that people bought software in stores, did those stores even try the software they sold most of the time? Not in my experience.

Philosopher

Msg#: 4058679 posted 7:22 pm on Jan 13, 2010 (gmt 0)

did those stores even try the software they sold most of the time? Not in my experience.

Many of them probably didn't, but you can bet they weren't carrying software that was "supposed" to be from Microsoft that wasn't. Or "PC Banking" software that actually just grabbed your account information for purposes of theft.

If they did, you can bet the store would be on the hook for damages caused by the fake software it had sold. Google may not be selling the software, but it is the distribution point, and as such they are going to have to put some type of fraud checking into their system or not only will customers be hurt, but Google's own reputation.

Sierra_Dad

Msg#: 4058679 posted 8:00 pm on Jan 13, 2010 (gmt 0)

Many of them probably didn't, but you can bet they weren't carrying software that was "supposed" to be from Microsoft that wasn't.

And I don't think Google should do this either. But I don't think they do.

In fact, in the example cited here, I'm sure the banking applications were marked in the market as being from "Droid09", not Bank of America, etc. The Market does require applications to be signed by their developer.

Apparently, many people decided to trust Droid09, who may be an honest, though relatively unknown, developer.

Google may get more mileage out of "vetting" their developers than manually reviewing each application. Many of us have had to go through some identity verification for accepting credit cards or getting a secure certificate. Would hackers be motivated to steal data if they can be quickly traced and jailed?

If it comes to having a few months for a manual review process by Google before your application shows up in the market, that is unacceptable. Yes, I know the iPhone does that and still has a large number of apps, but you hope that with some competition there is some variety as well.

incrediBILL

Msg#: 4058679 posted 2:14 am on Jan 14, 2010 (gmt 0)

Google may not be selling the software,

Wrong, Google *IS* selling the software unless it's marked free.

That's the whole point of the marketplace, Google connects the apps to the cell company billing.

Not only that, Google provides advertising for these Apps:
[android.com...]

Better yet, they charge App developers a $25 FEE to be in the marketplace!
Before you can publish software on the Android Market, you must do three things:

* Create a developer profile
* Pay a registration fee ($25.00) with your credit card (using Google Checkout)
* Agree to the Android Market Developer Distribution Agreement

No liability?

They actually charge the developer a FEE to go Phishing!

Google may get more mileage out of "vetting" their developers than manually reviewing each application.

Won't work.

One rogue programmer in one "vetted" developer dropping a few lines of code can start doing things they shouldn't; you can't trust anyone, you have to test every time.

It also has nothing to do with vetting the developer, because the developer can be squeaky clean but the botnet code the virus scanners can't detect that found its way onto his machine could infect those Apps.

You must check those Apps every time they're published, there is no other way to go unless you want to get your phones hacked, phished, or worse.

Back in the days that people bought software in stores, did those stores even try the software they sold most of the time?

Didn't need to when you bought it from a trusted vendor which is how Google has positioned itself so it's up to Google to make sure those Apps are safe or take them down.

Sierra_Dad

Msg#: 4058679 posted 5:36 am on Jan 14, 2010 (gmt 0)

So nothing short of an exhaustive manual review process will save the Android Market?

I'm not convinced it will catch everything if these hackers are as sophisticated as you say. Will they also hold all apps for 90 days in case a trojan is dormant in them for 90 days?

I predict Google won't do it unless they can automate it, as they are not good with manual stuff.

But I can also predict a message to the effect of "This software is by developer Droid09. If you do not trust this developer, do not continue install" to start showing up so Google can further escape responsibility.
That's where it has gone on Windows.

But you could be right, and Google could agree and become a closed system like the iPhone. Just because it would suck for developers to wait six months to publish apps in the Market doesn't mean it won't happen.

Hugene

Msg#: 4058679 posted 7:53 pm on Jan 15, 2010 (gmt 0)

Programs on PCs were never vetted and could always come from anywhere.

I didn't mean the boxed software you bought at stores. I meant the software you download as freeware, tryware or even paid on the Internet, for burning DVDs, making backups, defragmenting, playing music, playing movies, etc...

Be it on Tucows, download.com, cnet or on the developer's website, you never really know what it comes with. You always have to read reviews, forums, run an anti-virus scan.

So what has changed? Because it's an "app" and not a "software"? Well it is still a software. Because it runs on a "mobile" and not a "PC"? Well a mobile is a PC.

Nothing has changed. G only needs to make it perfectly clear that they offer no warranties and that's it. If I was them I would be more careful obviously. Vetting would be preferable, but then we enter the territory of dictatorship that Apple is in. The line is very thin and easily cross-able once you see the power you have.

incrediBILL

Msg#: 4058679 posted 8:42 pm on Jan 15, 2010 (gmt 0)

So what has changed? Because it's an "app" and not a "software"? Well it is still a software. Because it runs on a "mobile" and not a "PC"? Well a mobile is a PC.

Comparing apples and oranges, or Apples and Androids in this case.

The difference is shareware doesn't have a big MarketPlace icon right there on your desktop to search and download the software.

You're being led to the MarketPlace as a trusted location with no caveats whatsoever with Google both charging developers to join, connecting cell carrier billing, and promoting the Apps.

Since Apple does due diligence on their AppStore the Android users expect the same and should get nothing less.

Even Firefox checks out the add-ons before they can be downloaded from the Firefox site, so it's not a big deal, it just needs to be done.

Vetting would be preferable, but then we enter the territory of dictatorship that Apple is in.

Huge difference between vetting for malicious content or bad software vs. picking and choosing based on pure bias.

graeme_p

Msg#: 4058679 posted 5:10 pm on Jan 17, 2010 (gmt 0)

I didn't mean the boxed software you bought at stores. I meant the software you download as freeware, tryware or even paid on the Internet, for burning DVDs, making backups, defragmenting, playing music, playing movies, etc.

Software in Linux distros' repos (and the *BSDs) is also a free download, and they have a pretty good track record of keeping anything bad out. Given that there is a single point of control, it is similar to what Google is doing.

I know someone will claim Android is a bigger target. Well, some Linux distros are also good targets because of the number of corporate systems (especially servers) that malware could get on through them.
