
"Google does not vet Android applications"

Security Researcher States Android Market Poses "security risk"

10:34 pm on Jan 11, 2010 (gmt 0)

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Reported by ComputerWorld [computerworld.com],

BayPort Credit Union of Newport News, Va., posted its alert ... "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users financial information," said BayPort's warning.

Several banks reported on December 15th of possible malware apps that were stealing customer account information. Researchers could not confirm the reports since the applications were withdrawn before they could be tested, but they warn that the way Google runs the store allows the possibility for the spread of malevolent Android applications.

Unlike Apple... Google does not vet Android applications that appear in its online store. That's a security risk, said Hypponen, but he urged users not to overreact.

10:53 pm on Jan 11, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Why would anyone get a mobile banking application that didn't come directly from their bank?

IMO this isn't a Google vetting situation as much as it is a PAS (People Are Stupid) situation because you should always verify the source of any financial application (bank, tax, stock) that shows up in a download database and follow the source to their download link, not anyone else's.

However, Google needs to take some heat here along with some negligent liability because they created the free-for-all un-vetted environment with the brand name people trust, Google. Then they linked this peril ridden environment to Sprint, Verizon, T-Mobile, etc. and should worry that their various partners don't sue them for allowing their customers to be so easily deceived.

Back to P.A.S., why aren't they just using the browser to access their bank online just like the rest of us instead of looking for apps?

11:02 pm on Jan 11, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Apps are the latest thing and as you say, with a big brand logo such as Google's being shown, most people would think they are 100% safe.

I would expect more of these reports until apps are checked before going live.

2:19 am on Jan 12, 2010 (gmt 0)

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I think there is huge scope for the bad guys at the Android market. I don't see it being hard to get user IDs and passwords, even Google account information, simply by getting the app to request it.

There is a disclaimer, but does anyone read it?

I agree with Craig, and would go as far as saying people probably think the apps are from Google.

Mack.

11:44 am on Jan 12, 2010 (gmt 0)

WebmasterWorld Senior Member vincevincevince is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Caveat emptor? Nevertheless, the responsibility for security falls on the banks as well - all these packages will have unique footprints as they access the bank - a footprint which can and should be blocked by the bank.

2:12 pm on Jan 12, 2010 (gmt 0)

5+ Year Member



I think there is huge scope for the bad guys at the Android market

Yep, I'm just waiting for that to happen. I think the all good market will go bad if left un-vetted. Just a matter of time.

2:44 pm on Jan 12, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member




as much as it is a PAS (People Are Stupid) situation because you should always verify the source of any financial application (bank, tax, stock) that shows up in a download database and follow the source to their download link, not anyone else's.

Those are the same kinda people that purchase an Apple computer 'cause someone else told them Macs don't get viruses.

3:38 pm on Jan 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



a footprint which can and should be blocked by the bank

Wrong...these apps would never hit the bank, therefore there is nothing the banks can do except warn their customers against using them.

Similar to a regular phishing page, the apps would simply be set up to look like their bank. Once people enter their login information, the apps would most likely just give them a message along the lines of "sorry, can't access mobile banking at this time...please try again later" or similar.

6:09 pm on Jan 12, 2010 (gmt 0)

10+ Year Member



Unlike Apple... Google does not vet Android applications that appear in its online store. That's a security risk, said Hypponen, but he urged users not to overreact

Yes, please don't overreact. We don't need Google micromanaging what goes into the market. Then any good idea that Google didn't think of first will suddenly become a "security risk".

It would be sufficient to get strong verification of the identity of sellers in the market. Then if one of them is a malicious hacker, there is plenty of evidence to put them in jail.

eBay doesn't vet its products either. It doesn't even enforce its own guidelines until someone complains, or the item gets mentioned on CNN. But they are quick to turn any information over to law enforcement just for the asking.

6:30 pm on Jan 12, 2010 (gmt 0)

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



eBay doesn't vet its products either.

Let's compare apples to apples. ;)
Download.com tests every software product for malware and spyware. Google tests websites for malware and trojans before listing them on their SERPs and puts a warning screen up before letting you visit the site.

It makes sense to control the quality of apps offered for the Android set because the user experience is at stake.

9:32 pm on Jan 12, 2010 (gmt 0)

10+ Year Member



Let's compare apples to apples.
Download.com tests every software product for malware and spyware. Google tests websites for malware and trojans before listing them on their SERPs and puts a warning screen up before letting you visit the site.

Fair enough. Would Download.com's process catch these kinds of apps? I'm not sure they would show up in a scan.

Knowing Google, they won't want to do this unless it can be automated. (A false positive would probably ban you from the market, AdSense, and AdWords for life, with no explanation. ;)

And is the manual review done for the App Store catching these things? That is certainly implied.

And looking at the entire article, it's not even a sure thing that any phishing happened. And yet on the slightest suspicion, Google pulled more than 50 apps from one developer.

FWIW, I think Google should take steps to protect users. But I believe that they are taking the *WRONG* steps in this case. If their procedure for vetting an application is "pull it if it causes us any bad PR", and "destroy all copies so no one can figure it out if it was actually bad", then I don't think that's doing the job.

09Droid could be the true victim for all that anyone knows now.

9:49 pm on Jan 12, 2010 (gmt 0)

WebmasterWorld Administrator martinibuster is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



CNet's download.com software policy is here [cnet.com]. It inspires confidence and trust.

...we prohibit certain types of software and we require that publishers conduct business according to certain standards. We expect publishers to comply with these Software Policies and the spirit of our mission statement.... We test all software products submitted to us against a comprehensive set of criteria. In addition to screening for common viruses and spyware, we also look for other threats that might interfere with our users' security, privacy, and control. We consider publisher Web sites, publisher conduct, and our own experience with a particular product.

It's a comprehensive policy covering activities on the publisher's website, the ability to uninstall the software, the EULA, and will even disapprove a software program if there are other versions of the same software available elsewhere that do not meet their criteria.

I'm shocked there isn't a process for evaluating the software. It's an oversight that carries negative customer experience and PR consequences.

10:15 pm on Jan 12, 2010 (gmt 0)

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If you uninstall an Android application you have the option to report the app as malicious. Let's be honest though, by then it's probably too late. I just hope someone follows up on these reports.

Mack.

10:23 pm on Jan 12, 2010 (gmt 0)

10+ Year Member



CNET's process would probably catch it then, based on that information.

I found some of my software on there, so they must have good stuff ;) Only possible complaint is that it has outdated information that was poorly scraped from another site's listing, but knowing Handango, that could be a problem with their feed.

It would be better to have a process than to pull things based on a possibly unfounded complaint.

It would damage the developer community, though, to have either the perception or reality that Google rejects apps just because they feel like it.

6:47 pm on Jan 13, 2010 (gmt 0)

10+ Year Member



Programs on PCs were never vetted and could always come from anywhere.

Are people getting dumber or what? Why all of a sudden do apps need to be vetted? Nobody vetted Win or Dos apps.

I believe apps shouldn't be vetted, and I also believe that if it comes to courts, there is no responsibility on G side for malicious apps.

If there was, M$ would have been gone for 20 years now.

7:00 pm on Jan 13, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Programs on PCs were never vetted and could always come from anywhere.

That's not even close to being true.

When you bought from MS, Lotus, Adobe, etc. you were always getting QA tested and vetted software.

I believe apps shouldn't be vetted, and I also believe that if it comes to courts, there is no responsibility on G side for malicious apps.

Wrong, oh so wrong.

If Google is allowing the apps to go into their "marketplace" then Google needs to verify they aren't a virus or phishing app at a minimum.

If Google doesn't do this, all the individual cell phone carriers will have to do it because they're presenting this as a safe to use commercial product.

Besides, if you think G has no responsibility for malicious apps, then why does G now block you from visiting malicious web pages, since they obviously have no responsibility for web sites being hacked?

You can't have it both ways.

7:17 pm on Jan 13, 2010 (gmt 0)

10+ Year Member



When you bought from MS, Lotus, Adobe, etc. you were always getting QA tested and vetted software.

That's not quite the same thing. When you got software developed by Microsoft, you had Microsoft's word that it was trusted by Microsoft, not a third party or publisher. I'm sure Droid09 would be happy to tell the market that he checked his own software and deemed it fit for the market.

Back in the days that people bought software in stores, did those stores even try the software they sold most of the time? Not in my experience.

7:22 pm on Jan 13, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



did those stores even try the software they sold most of the time? Not in my experience.

Many of them probably didn't, but you can bet they weren't carrying software that was "supposed" to be from Microsoft that wasn't. Or "PC Banking" software that actually just grabbed your account information for purposes of theft.

If they did, you can bet the store would be on the hook for damages caused by the fake software it had sold. Google may not be selling the software, but it is the distribution point, and as such they are going to have to put some type of fraud checking into their system, or not only will customers be hurt, but Google's own reputation.

8:00 pm on Jan 13, 2010 (gmt 0)

10+ Year Member



Many of them probably didn't, but you can bet they weren't carrying software that was "supposed" to be from Microsoft that wasn't.

And I don't think Google should do this either. But I don't think they do.

In fact, in the example cited here, I'm sure the banking applications were marked in the market as being from "Droid09", not Bank of America, etc. The Market does require applications to be signed by their developer.

Apparently, many people decided to trust Droid09, who may be an honest, though relatively unknown, developer.

Google may get more mileage out of "vetting" their developers than manually reviewing each application. Many of us have had to go through some identity verification for accepting credit cards or getting a secure certificate. Would hackers be motivated to steal data if they can be quickly traced and jailed?

If it comes to having a few months for a manual review process by Google before your application shows up in the market, that is unacceptable. Yes, I know iPhone does that and still has a large number of apps, but you hope that with some competition there is some variety as well.

2:14 am on Jan 14, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Google may not be selling the software,

Wrong, Google *IS* selling the software unless it's marked free.

That's the whole point of the marketplace, Google connects the apps to the cell company billing.

Not only that, Google provides advertising for these Apps:
[android.com...]

Better yet, they charge App developers a $25 FEE to be in the marketplace!

Before you can publish software on the Android Market, you must do three things:

* Create a developer profile
* Pay a registration fee ($25.00) with your credit card (using Google Checkout)
* Agree to the Android Market Developer Distribution Agreement

No liability?

They actually charge the developer a FEE to go Phishing!

Google may get more mileage out of "vetting" their developers than manually reviewing each application.

Won't work.

One rogue programmer in one "vetted" developer dropping a few lines of code can start doing things they shouldn't, you can't trust anyone, you have to test every time.

It also has nothing to do with vetting the developer, because the developer can be squeaky clean but the botnet code the virus scanners can't detect that found its way onto his machine could infect those Apps.

You must check those Apps every time they're published, there is no other way to go unless you want to get your phones hacked, phished, or worse.

Back in the days that people bought software in stores, did those stores even try the software they sold most of the time?

Didn't need to when you bought it from a trusted vendor which is how Google has positioned itself so it's up to Google to make sure those Apps are safe or take them down.

5:36 am on Jan 14, 2010 (gmt 0)

10+ Year Member



So nothing short of an exhaustive manual review process will save the Android Market?

I'm not convinced it will catch everything if these hackers are as sophisticated as you say. Will they also hold all apps for 90 days in case a trojan is dormant in them for 90 days?

I predict Google won't do it unless they can automate it, as they are not good with manual stuff.

But I can also predict a message to the effect of "This software is by developer Droid09. If you do not trust this developer, do not continue install" to start showing up so Google can further escape responsibility. That's where it has gone on Windows.

But you could be right, and Google could agree and become a closed system like iPhone. Just because it would suck for developers to wait six months to publish apps in the Market doesn't mean it won't happen.

7:53 pm on Jan 15, 2010 (gmt 0)

10+ Year Member



Programs on PCs were never vetted and could always come from anywhere.

I didn't mean the boxed software you bought at stores. I meant the software you download as freeware, tryware or even paid on the Internet, for burning DVDs, making backups, defragmenting, playing music, playing movies, etc...

Be it on Tucows, download.com, cnet or on the developer's website, you never really know what it comes with. You always have to read reviews, forums, run an anti-virus scan.

So what has changed? Because it's an "app" and not a "software"? Well it is still a software. Because it runs on a "mobile" and not a "PC"? Well a mobile is a PC.

Nothing has changed. G only needs to make it perfectly clear that they offer no warranties and that's it. If I was them I would be more careful obviously. Vetting would be preferable, but then we enter the territory of dictatorship that Apple is in. The line is very thin and easily cross-able once you see the power you have.

8:42 pm on Jan 15, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



So what has changed? Because it's an "app" and not a "software"? Well it is still a software. Because it runs on a "mobile" and not a "PC"? Well a mobile is a PC.

Comparing apples and oranges, or Apples and Androids in this case.

The difference is shareware doesn't have a big MarketPlace icon right there on your desktop to search and download the software.

You're being led to the MarketPlace as a trusted location with no caveats whatsoever with Google both charging developers to join, connecting cell carrier billing, and promoting the Apps.

Since Apple does due diligence on their AppStore the Android users expect the same and should get nothing less.

Even Firefox checks out the add-ons before they can be downloaded from the Firefox site, so it's not a big deal, it just needs to be done.

Vetting would be preferable, but then we enter the territory of dictatorship that Apple is in.

Huge difference between vetting for malicious content or bad software vs. picking and choosing based on pure bias.

5:10 pm on Jan 17, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I didn't mean the boxed software you bought at stores. I meant the software you download as freeware, tryware of even paid on the Internet, for burning DVD, making backups, defragmenting, playing music, playing movies, etc.

Software in Linux distros' repos (and the *BSDs) is also a free download, and they have a pretty good track record of keeping anything bad out. Given that there is a single point of control, it is similar to what Google is doing.

I know someone will claim Android is a bigger target. Well, some Linux distros are also good targets because of the number of corporate systems (especially servers) that malware could get on through them.
