An Update on Android Market Security - atularora
http://googlemobile.blogspot.com/2011/03/update-on-android-market-security.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+OfficialGoogleMobileBlog+%28Official+Google+Mobile+Blog%29

======
credo
> _On Tuesday evening, the Android team was made aware of a number of
> malicious applications published to Android Market. Within minutes of becoming
> aware, we identified and removed the malicious applications._

As per
[http://www.reddit.com/r/Android/comments/fvepu/someone_just_...](http://www.reddit.com/r/Android/comments/fvepu/someone_just_ripped_off_21_popular_free_apps_from/)
the developer of the original app had been trying to get Google to remove the
offending apps for more than a week.

Google took no action until after a third party reported the problem on
reddit.

The post says that Google acted "within minutes". However, it doesn't even
mention the fact that the problem existed on the market for more than a week.
Posting an update is fine, but it is troubling to see a post that refuses to
acknowledge basic facts.

If they aren't willing to acknowledge a problem, it will be very difficult for
them to prevent this and other problems from recurring.

~~~
trotsky
While I don't want to minimize the pain of having your app copied and
republished, I'd be very surprised if the author had submitted a properly
sworn DMCA takedown notice, which is the correct way to get action on these
matters. I submitted a DMCA notice for the Android Market in November, and the
offending application was gone within 24 hours. I'm fairly sure Apple requires
a DMCA takedown notice to pull copyrighted content from the App Store as well.

[http://www.google.com/support/bin/request.py?contact_type=lr...](http://www.google.com/support/bin/request.py?contact_type=lr_dmca&product=androidmarket)

~~~
credo
To reiterate:

(1) The security problem existed for more than a week.

(2) Google's post makes no mention of (1). Instead it talks about how the
issue didn't impact certain Android versions and about how they removed the
malicious apps "within minutes".

Regardless of your views on how many i's you'd like dotted and how many t's
you'd like crossed for a DMCA form... do you think that a "security
update" post should suppress information about the duration of the security
problem and just talk about "within minutes of becoming aware"?

~~~
trotsky
I guess I just don't read it the same way. Maybe it's just because I already
knew about the issue, but it seems obvious the security issue existed before
they were informed of it. A security issue that was fixed within minutes of
its creation wouldn't be getting devices wiped, cleaners pushed, and market
changes made.

When you get security alerts from other vendors, do yours typically include
the first known date of vulnerability or do they include the date it was first
reported, or just the CVE assignment date? When Red Hat/Apple/Microsoft push a
security update, do they list the sites or programs that were known to be
abusing the bugs? Not that I've seen. Hell, it is rare to see anyone even
listing the first date that they were being actively exploited.

All of that would be better, of course, but it hardly seems reasonable to call
Google out when they're acting at least as responsibly as all their
competitors.

------
Indyan
Time has come for Google to make serious changes.

This entire saga raises several questions. Obviously, as Android’s popularity
continues to surge, more and more hackers and malware writers will target it.
Unfortunately, it’s clear that Google is simply in no position to mitigate
these attacks before they occur. The “openness” of the Market is becoming
Android’s biggest security weakness. Although most Android users have nothing
but disdain for any app review system, I would welcome a change in the Market
policy, whereby all submitted apps are screened for signs of malicious or
fraudulent activities. Google might also need to give serious thought to how
it deploys security updates. Apple and Microsoft have full control over
deploying critical system updates, unlike Google, which is at the mercy of
handset manufacturers and carriers. Although the bug that was exploited by
DroidDream was fixed in Android 2.2.2, hundreds of thousands of handsets were
successfully compromised because Android 2.2.2 isn’t yet available for a
substantial number of handsets. Unless Google can rein in the fragmentation
problem, it might have to start deploying hotfixes for different versions of
Android to patch critical security vulnerabilities, i.e. employ a Windows-like
model of distributing patches to different OS versions. [The above bit is a
repost from <http://bit.ly/g9xIfg>, which is written by me.]

------
russell_h
_We are adding a number of measures to help prevent additional malicious
applications using similar exploits from being distributed through Android
Market_

Am I the only one thinking they might be planning to leverage their recent
acquisition of zynamics on this front? In particular, zynamics seems to have
developed some tools[1] for classifying malware based on (as I understand it)
some sort of static control-flow analysis. I'm far from an expert on the
matter, but that sounds like it has some potential with regards to keeping
malicious apps out of the Android Market.

[1] <http://www.zynamics.com/vxclass.html>

------
zmmmmm
I'm somewhat heartened by this. I really thought they were just going to sweep
it under the carpet and say nothing about it which would have really left the
impression that they just don't care about the market at all. I'm particularly
glad that they are following up with law enforcement - as fruitless as it may
be, the only up front protection that the Android market has is from the
threat that attempts to compromise it will be aggressively followed up. This
should at least ensure there's a first line of defense against basic idiots
who might try to put compromised apps into the market just for the sake of it.

------
GeneralMaximus
... and Android turns into Windows. Pre-Win7 Windows, that is. This time the
threat is more serious. Android powers always-connected communications devices
that have access to all your email, social network profiles, contact
information, etc.