
Phishing app hits Android market (3 weeks ago - abennett)
http://www.itworld.com/operating-systems/92331/phishing-app-hits-android-market
======
joshfinnie
There has to be some fault laid on the people who installed this app too. If I
download an Adobe AIR application that is supposed to tie to my bank accounts,
and that app turns out to be a phishing app, whose fault is that?

When you download the Bank of America app, you click on the link on the Bank
of America website and it goes directly to the Android App Market where you can
download the application. That is all the vetting I need.

There are obviously going to be some issues with the Android App Market since
it is completely open, but I would rather take the risk, vet claims myself and
not be limited to the apps I am offered.

~~~
callmeed
Yes, but you (and most of us on HN) are more cautious than the average
consumer, ALL of whom use mobile phones.

You really think everyone is going to visit the Bank of America site first?
People will simply Google "BofA app for droid" ... then they may land on an
unauthorized phishing app.

~~~
theandym
I agree completely. How long will it be before there are many competing apps
with the same branding? For instance, you may soon have 5 different Bank of
America apps, and consumers who are less discerning have a 4 in 5 chance of
selecting the wrong, malicious app. Perhaps the best way to combat this is
taking the approach that Twitter has and "verifying" accounts. Otherwise
certain industries' chance of thriving in the Android app community could be
compromised.

------
roc
Perhaps smartphones with app stores need an OS-level keychain of sorts?

You could then teach users to only give passwords via the proper OS interface.
(One which would be able to display some sort of 'trust phrase' established
earlier by the user.)

If the phishing app doesn't collect and retain your usernames/passwords
directly, risk is mitigated.

It wouldn't hurt to prominently display certified sources either. Some sort of
interface cue that the App you're downloading is verified to have been signed
by the same people who run the site it's trying to access.

~~~
buster
I haven't actually read what those applications do in detail, but afaik apps
cannot read data from other apps (that is, it's not possible for a 3rd party
app to read the credit card information you entered in another app, at least
not without you granting it the permission to do so). So, I suspect those were
apps that pretended to be official (so, yes, phishing apps ;) ). Just wanted
to clarify :)

------
kylec
The choice between the Android store model and Apple App Store model is a
false dichotomy. I see no reason why it wouldn't be possible to combine the
two - provide an open app store like Android, but for critical apps (email,
banking, etc.) have some sort of verification process. The computer industry
has done a good job helping users determine if a website is secure (lock icon,
yellow bar in some browsers) and I think the same can be done for the various
app stores by training users to look for a lock or checkmark in the app's
description.

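Both roc's suggestion (a store cue showing that an app "is verified to have been signed by the same people who run the site it's trying to access") and kylec's lock/checkmark idea come down to one check: compare the app's signing certificate against a fingerprint the site operator publishes, and only show the badge when they match. The following is an added example that is not part of this thread and not code from any app store or bank; the package name `com.example.bank`, the certificate bytes and the pin list are all constructed placeholders. Real fingerprints would be published by the site operator (for example alongside the download link), and a real check would hash the DER-encoded signer certificate extracted from the package. The example also covers the two cases a badge must get right: a package with no published pin is shown as "unverified" (not "malicious"), and a package carrying any signer outside the published list is a mismatch.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Mapping, Set


def sha256_fingerprint(cert_der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for DER certificate bytes (hypothetical, not real certs).
GENUINE_CERT = b"constructed DER bytes: signer controlled by the bank"
IMPOSTOR_CERT = b"constructed DER bytes: signer controlled by someone else"

# Hypothetical list the site operator publishes: package name -> allowed
# signer fingerprints (a set, since a publisher may rotate keys).
TRUSTED_PINS: Mapping[str, Set[str]] = {
    "com.example.bank": {sha256_fingerprint(GENUINE_CERT)},
}


@dataclass(frozen=True)
class Verdict:
    status: str  # "verified" | "mismatch" | "unverified"
    detail: str


def verify_signer(package: str,
                  signer_certs: Iterable[bytes],
                  pins: Mapping[str, Set[str]]) -> Verdict:
    """Decide which store badge a package should get.

    verified   - every signer of the package is on the published list
    mismatch   - at least one signer is not on the list, or there is none
    unverified - the site operator has published no fingerprint for it
    """
    expected = pins.get(package)
    if not expected:
        return Verdict("unverified", "no published fingerprint for this package")

    certs = list(signer_certs)
    if not certs:
        # An unsigned package must never pass as verified: an empty set is a
        # subset of any set, so this check has to come before the comparison.
        return Verdict("mismatch", "package carries no signer certificate")

    actual = {sha256_fingerprint(c) for c in certs}
    rogue = actual - expected
    if rogue:
        return Verdict("mismatch",
                       "signer(s) not published by the site operator: "
                       + ", ".join(sorted(rogue)))
    return Verdict("verified", "all signers match the published fingerprints")


def badge(verdict: Verdict) -> str:
    """The interface cue a store listing would show next to the app name."""
    return {
        "verified": "[checkmark] Verified publisher",
        "mismatch": "[warning] Signer does not match publisher",
        "unverified": "[no badge] Unverified",
    }[verdict.status]


if __name__ == "__main__":
    for pkg, certs in [("com.example.bank", [GENUINE_CERT]),
                       ("com.example.bank", [IMPOSTOR_CERT]),
                       ("com.example.bank", [GENUINE_CERT, IMPOSTOR_CERT]),
                       ("com.example.other", [GENUINE_CERT])]:
        v = verify_signer(pkg, certs, TRUSTED_PINS)
        print(f"{pkg}: {badge(v)} ({v.detail})")
```

The design point is in the three-way result: a lookalike app signed by someone else gets a visible warning rather than silently lacking a badge, while an app the operator simply has not pinned is shown as unverified, so the cue stays honest for both the "5 competing Bank of America apps" case and the ordinary app nobody has vouched for.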
~~~
buster
This. I think it would be very beneficial to have some sort of approval for
critical apps. But, in regard to some stories we've all read about the Apple
approval process, I really wouldn't like to see that on Android.

