

Ask HN: how to build trust on the Android Marketplace? - Tichy

So Google gave me a Nexus One at the developer day (thank you, Google!), and I really like it. I am already beginning to worry about the marketplace, though. Potentially my phone carries even more sensitive data than my PC. Installing software from the marketplace seems to be akin to googling for some software, then installing it. The apps are not being reviewed (afaik), so it would be trivial to upload malware to the marketplace.<p>I've just looked up Debian on Wikipedia, which seems to be one model that works (if only for open source software). Apparently you have to prove yourself worthy before being allowed to contribute. Also, they have the unstable and testing distributions.<p>Other than that, I am not sure. I could stick to only installing apps that have been reviewed by some blog I trust, but who says those blogs can't be fooled (if it's not an open source app)?<p>I guess traditionally a commercial software vendor just had too much to lose to spike their software with malware. If they went to the lengths of wrapping their software into boxes and distributing it, risking their reputation was not worth it. But now the hurdle has become <i>very</i> low.<p>Another thing I thought about is web sites: there usually is not that much to fear from visiting random web sites (unless you have dangerous plugins), because HTML, Javascript, JPG, PNG and GIF seem manageable risks. So at least some sandboxing on Android would be desirable?
======
_delirium
Android apps _are_ sandboxed; the security model, assuming there are no holes
in it, shouldn't let apps do crazy things like delete your files or install a
keylogger. See:
[http://developer.android.com/guide/topics/security/security....](http://developer.android.com/guide/topics/security/security.html)

~~~
Tichy
Sure, but most apps seem to request several permissions. I had a Game Of Life
emulator that wanted network access and what not. I decided not to install it,
but in many cases, the permissions don't seem fine grained enough. For example
a lot of apps have legitimate reasons to access the network - how am I to know
that they only use the network for benign things?

