How Google and Android users can make a secure mobile market

Android has a lot going for it, but as the last week has shown, its approach to selling and distributing applications is going to need some improvement. Ever since launching Android in 2007, Google has gone out of its way to make the mobile operating system the most accessible and app-friendly in the industry.

One way it has tried to do this has been in taking an "anything goes" approach to screening applications for sale on its Android Market. Basically, Google itself doesn't screen any of the apps that go up on its store but rather relies on users to flag potentially malicious apps so they can be removed after they've already been posted on the store.

While this has led to a wide array of different apps available on the market, it has also predictably created some serious security issues. The most high-profile problem came last week when Google removed around 50 applications from the Android Market that contained malicious code. With so many Android users exposed to risks, is it time for Google to change how it approves and monitors applications on its market?

Scott Webster, the editor in chief for the popular Android Guys blog, says he'd like to see some upgrades to security on the market. "I would love to see them perhaps partner with a company like Lookout, ACG [or] McAfee and have a cleansing process," he says. "Perhaps a slight delay while the app gets approved and scrubbed ahead of hitting the market."

Webster also thinks that after a certain amount of time, Google could create a "white list" for certain developers who have proven reliable and whose apps have been entirely free of malware. Developers on this list would then be exempt from any waiting period to get their apps online and could go about their business just as they did before the DroidDream malware struck.

Aaron Gingrich, a writer at Android Police whose article on DroidDream was the first big piece to bring attention to the malware, thinks that it's time for Google to "come up with some sort of high-quality detection algorithm ... that looks for certain clues that an app may be malicious." While he says this will take some additional effort on Google's part, it's nothing compared to the effort put into cleaning up malicious applications after they've already been downloaded by thousands of users.

"Apps that show signs could ... be manually reviewed by somebody who knows what to look for," says Gingrich. "It sounds labor intensive, but when we found DroidDream, it took our developer about 10 minutes total to figure out what the virus was doing. And the better the detection, the less code will have to be reviewed by a person."

But even if Google implements these sorts of suggestions, users still won't be entirely protected from malicious apps. Khoi Nguyen, the group product manager with Symantec's Mobile Security Group, says that IT departments that have adopted Android-based smartphones or tablets should go out of their way to educate their users about the do's and don'ts of buying and installing applications on their mobile devices. The most important thing any user should do when downloading an application, he says, is to closely examine what permissions it is seeking.

"The privileges an app is requiring should be appropriate for its function," explains Nguyen. "So if you're downloading a wallpaper app, that shouldn't have access to your contact information or your location. That's an important part of the security process."

Nguyen says that users should also be encouraged to wade through the reviews written by other users on the Android Market to determine whether or not the application is trustworthy. He also thinks IT departments should utilize mobile security software that will let them prevent users from downloading any third-party applications unless those apps are specifically approved for use by the enterprise.

Adam Powers, the CTO of network security and monitoring firm Lancope, also thinks that end users need to be vigilant to avoid getting malware installed on their devices. In particular, he recommends not installing an application unless it's been downloaded more than 10,000 times and has received at least 100 reviews and comments from users on the Android Market. And like Nguyen, he says that users really need to read through an application's requested permissions before installing it.

"An excellent example of a suspicious app ... is 'Binary Calculator' by author 'John Anderson,'" he explains. "This app showed up on the Android Marketplace today ... has zero reviews and less than 50 downloads. The app's feature description is poorly written and just screams of potential malware. Why would a binary calculator app need to modify or delete SD card contents? Why would this app need to read or write contact data? This app asks for far more permissions than it needs and should be avoided."


Brad Reed

Network World