Yesterday, Google revealed that it had used its “security of last resort” remote removal feature this week to wipe 58 malicious applications from users’ devices.
Google also removed the bad apps from the Android Market, contacted law enforcement, and is pushing a security update to protect devices’ identification codes. Needless to say, these are all good moves, and unlike some privacy advocates I’m not going to quibble with Google’s remote app removal power as long as it’s being used conservatively, in a security context, as in this case. Analogous to public health or combatting botnets, Google must be able to wipe malware from people’s phones to protect everyone, not just the infected.
What does bother me about this news is that these applications appeared in the Android Market at all, where they were available for some time before being reported to the Android security team. I’ve owned an Android phone for a couple of months now, so I thought I’d weigh in on one of the sad realities of the experience: I find myself increasingly worried about security, certainly more so than I have been about any personal computing device since the last time I ran a Windows PC 10 years ago.
An attacker’s dream
Think about it from an attacker’s perspective: Any smartphone is a ripe target. Android has built-in APIs for accessing all of my contacts, email, call and text history, credit card and even physical location. That’s information I’ve never even stored on any computer or other device I’ve ever owned, let alone one that’s Internet-attached, and thinking about someone stealing it is pretty freaky.
There are a lot of reasons to hate Apple’s App Store, but having a manual app review process looks pretty good when you think about the security implications, and when you compare the App Store’s security record with Android Market. The way average people use the App Store, browsing and installing things like it’s a shopping mall, is just not safe or smart on the Android Market (which much more resembles a shopping street in a dicier part of town).
Instead, when searching for an Android app, I find myself approaching it with the same fear and trepidation I would when evaluating whether to install a program on my computer from the web, which I try not to do. I make sure it’s from a trusted source, and if it isn’t, I make sure to read about it on a couple of familiar sites to make sure it’s legit. That’s still no guarantee the software is benign, but sometimes it’s the best I can do. When you’re browsing the Android Market, having to step back and do all this background work before tapping “install” is a major pain. Do I enjoy it? No. And I’m sure that the vast majority of people out there don’t bother.
If Google isn’t going to do a seriously good job of security on Android Market, then the market in the end is a huge disservice to users, because you’re getting the Google seal of authenticity and easy one-tap install for things you shouldn’t be installing. You’d be better off with no app market, just browsing the web and deciding what to install on your own — at least then basic intuition (“nope, this looks shady, better ask my techie friend”) and phishing defenses like checking the browser address bar would kick in.
Yes, Google has done a much better job of sandboxing and creating a secure OS. Yes, I still prefer Android (recompiling the kernel, doing any Linux stuff I want, it’s awesome) to the alternatives. Yes, there haven’t been any serious infections in the wild and there isn’t a known propagation model for malware (elective downloads in the Android Market aren’t going to spread anything far before it’s discovered, as in this case). But, threat assessment and vulnerability assessment are two different things: Just because few attackers have bothered so far doesn’t mean the vulnerability isn’t there, and as Android’s install base grows the incentive to devise more ingenious attacks grows as well.
I haven’t put any active-monitoring security software on my phone … yet. But, I probably will, and eventually Google will come around as well. It’ll probably be something along the lines of what Microsoft has done with Windows Defender (signature-based antivirus and memory access monitoring). Encrypting sensitive data (both on disk and in RAM), or all data by default, would be another win. It’s easier said than done, because securely managing the keys is hard to do in a user-friendly way, but worth doing.
Just expecting users to “be careful” isn’t enough.
The first step is for Google to “fix” the Android Market — to do serious work on its automated app review. Google has the tools — I love Courgette, which does binary diffs of partially disassembled binaries for updating Chrome — so they must be able to figure out a way to red-flag malware like this that is basically 95% a clone of an existing (legitimate) app. That would be an important anti-piracy measure as well. (Who knew you could just copy and republish an existing app to the market?)
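To make the “95% clone” idea concrete, here is an added toy example of the kind of market-side check that paragraph calls for. It is not code from this post, from Google or from Courgette: it shingles two package blobs into hashed 8-byte windows and measures how much of an already-published app’s content reappears in a new submission. The sample “apps” are constructed random bytes with a small injected payload, and the threshold, window size and function names are all assumptions for illustration; a real system would operate on disassembled code rather than raw bytes and would ignore resources and signing data.

```python
import hashlib
import random

# Hypothetical near-clone detector for a market review pipeline (illustration only).
# Shingle size is an assumption tuned for the constructed sample input below.
K = 8


def shingles(data: bytes, k: int = K) -> set:
    """Return the set of hashed k-byte sliding windows over `data`."""
    return {
        hashlib.blake2b(data[i:i + k], digest_size=8).digest()
        for i in range(len(data) - k + 1)
    }


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two shingle sets: 0.0 = nothing shared, 1.0 = identical."""
    sa, sb = shingles(a), shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def containment(published: bytes, submitted: bytes) -> float:
    """Fraction of the published app's shingles that also appear in the submission.

    Containment is the better clone signal: a repackaged app is the original plus
    extra code, so Jaccard drops as the payload grows while containment stays ~1.0.
    """
    sp, ss = shingles(published), shingles(submitted)
    if not sp:
        return 0.0
    return len(sp & ss) / len(sp)


def review_submission(published: bytes, submitted: bytes, threshold: float = 0.9) -> dict:
    """Flag a submission that reuses nearly all of a published app's content.

    Returns the scores alongside the verdict so a human reviewer can see why.
    The 0.9 threshold is an assumption for this example.
    """
    c = containment(published, submitted)
    j = similarity(published, submitted)
    return {"containment": round(c, 3), "jaccard": round(j, 3), "flag": c >= threshold}


def build_samples():
    """Constructed sample data: a 'published' app, a clone with an injected
    payload spliced into the middle, and an unrelated app of the same size."""
    rng = random.Random(1234)
    legit = bytes(rng.getrandbits(8) for _ in range(4000))
    payload = bytes(rng.getrandbits(8) for _ in range(200))
    clone = legit[:2500] + payload + legit[2500:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(4000))
    return legit, clone, unrelated


if __name__ == "__main__":
    legit, clone, unrelated = build_samples()
    print("clone:    ", review_submission(legit, clone))      # flagged
    print("unrelated:", review_submission(legit, unrelated))  # not flagged
```

Only the 7 windows that straddle the splice point are lost, so the clone scores a containment of about 0.998 even though its Jaccard similarity has already dropped to roughly 0.95; an unrelated package of the same size shares essentially no windows at all. That asymmetry is why a clone check should compare against the published app’s content rather than just asking whether the two files are “mostly the same”.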
I love that Android Market is more permissive than Apple’s App Store — what I don’t want is Apple-style censorship, for instance of apps that compete with Apple products — but a combination of better filtering and improved UI will add security without hurting users or developers. Crowdsourcing app review to users can work, but the bare-bones way Android Market uses and displays this data needs improvement.
Handset and other device manufacturers need to get on board as well, because Android device fragmentation has serious security implications. In this case, Google is pushing a security update to affected devices (Android versions prior to 2.2.2), but how many people with older phones will ever get it? And of those few who do, how long will it take for their handset’s manufacturer and wireless carrier to integrate and push the patch?
Microsoft and PC OEMs figured this out long ago: OEMs may add custom skins, application launchers, demos and other crapware to PCs, but the underlying OS is left alone and talks to Microsoft for updates. And Linux distributions have long since figured out how to do the same thing, but on multiple architectures and with decentralized software mirrors — a great model for Android, its OEMs and carriers to follow.
Google and its OEMs need to address these problems sooner rather than later, because they’re playing with borrowed time. If users’ first experiences with Android are bad, they’ll go back to Apple, webOS or Blackberry. Or if attackers hit on the right distribution mechanism — or adapt an old one, like “spam links to malware in the Android Market, take over an address book, and repeat” — the platform could be massively compromised.
For now, Android users like me will just have to be careful.