How Google and Android users can make a secure mobile market


Android has a lot going for it, but as the last week has shown, its approach to selling and distributing applications is going to need some improvement. Ever since launching Android in 2007, Google has gone out of its way to make the mobile operating system the most accessible and app-friendly in the industry.

One way it has tried to do this has been in taking an "anything goes" approach to screening applications for sale on its Android Market. Basically, Google itself doesn't screen any of the apps that go up on its store but rather relies on users to flag potentially malicious apps so they can be removed after they've already been posted on the store.


While this has led to a wide array of different apps available on the market, it has also predictably created some serious security issues. The most high-profile problem came last week when Google removed around 50 applications from the Android Market that contained malicious code. With so many Android users exposed to risks, is it time for Google to change how it approves and monitors applications on its market?

Scott Webster, the editor in chief for the popular Android Guys blog, says he'd like to see some upgrades to security on the market. "I would love to see them perhaps partner with a company like Lookout, ACG [or] McAfee and have a cleansing process," he says. "Perhaps a slight delay while the app gets approved and scrubbed ahead of hitting the market."

Webster also thinks that after a certain amount of time, Google could create a "white list" for certain developers who have been shown to be reliable and whose apps have been entirely free of malware. Developers on this list would then be exempt from any waiting period to get their apps online and could go about their business just as they did before the DroidDream malware struck.

Aaron Gingrich, a writer at Android Police whose article on DroidDream was the first big piece to bring attention to the malware, thinks that it's time for Google to "come up with some sort of high-quality detection algorithm ... that looks for certain clues that an app may be malicious." While he says this will take some additional effort on Google's part, it's nothing compared to the effort put into cleaning up malicious applications after they've already been downloaded by thousands of users.

"Apps that show signs could ... be manually reviewed by somebody who knows what to look for," says Gingrich. "It sounds labor intensive, but when we found DroidDream, it took our developer about 10 minutes total to figure out what the virus was doing. And the better the detection, the less code will have to be reviewed by a person."

But even if Google implements these sorts of suggestions, users still won't be entirely protected from malicious apps. Khoi Nguyen, the group product manager with Symantec's Mobile Security Group, says that IT departments that have adopted Android-based smartphones or tablets should go out of their way to educate their users about the do's and don'ts of buying and installing applications on their mobile devices. The most important thing any user should do when downloading an application, he says, is to closely examine what permissions it is seeking.

"The privileges an app is requiring should be appropriate for its function," explains Nguyen. "So if you're downloading a wallpaper app, that shouldn't have access to your contact information or your location. That's an important part of the security process."

Nguyen says that users should also be encouraged to wade through the reviews written by other users on the Android Market to determine whether or not the application is trustworthy. He also thinks IT departments should utilize mobile security software that will let them prevent users from downloading any third-party applications unless those apps are specifically approved for use by the enterprise.

Adam Powers, the CTO of network security and monitoring firm Lancope, also thinks that end users need to be vigilant to avoid getting malware installed on their devices. In particular, he recommends not installing an application unless it's been downloaded more than 10,000 times and has received at least 100 reviews and comments from users on the Android Market. And like Nguyen, he says that users really need to read through an application's requested permissions before installing it.

"An excellent example of a suspicious app ... is 'Binary Calculator' by author 'John Anderson,'" he explains. "This app showed up on the Android Marketplace today ... has zero reviews and less than 50 downloads. The app's feature description is poorly written and just screams of potential malware. Why would a binary calculator app need to modify or delete SD card contents? Why would this app need to read or write contact data? This app asks for far more permissions than it needs and should be avoided."
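The pre-install checks Nguyen and Powers describe can be automated when an IT department vets apps for an approved list. The Python below is an added example, not code from the article or from anyone quoted in it; the per-category permission baselines, the function names and both sample manifests are constructed assumptions, and the manifest is assumed to have already been decoded from the APK's binary format to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baselines: permissions a reviewer would expect for each app category.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "calculator": set(),
}
MIN_DOWNLOADS = 10_000   # Powers: downloaded more than 10,000 times
MIN_REVIEWS = 100        # Powers: at least 100 reviews and comments

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review_listing(category, manifest_xml, downloads, reviews):
    """List reasons to hold an app back; an empty list means no finding."""
    # An unknown category has an empty baseline, so every permission is flagged.
    extra = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    findings = [f"unexpected permission for {category}: {p}" for p in sorted(extra)]
    if downloads <= MIN_DOWNLOADS:
        findings.append(f"only {downloads} downloads")
    if reviews < MIN_REVIEWS:
        findings.append(f"only {reviews} reviews")
    return findings

# Constructed sample manifests (not taken from any real app).
CALCULATOR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.binarycalc">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
</manifest>
"""
WALLPAPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>
"""

if __name__ == "__main__":
    for line in review_listing("calculator", CALCULATOR_MANIFEST, 49, 0):
        print(line)
```
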


Brad Reed

Network World