
1 - 20 of 26 Posts

·
Registered
Joined
·
3,022 Posts
Discussion Starter #1
From leading security provider Sophos:

The Droid Dream malware ended up getting downloaded over 200,000 times in a very short time span, and 99% of all Android handsets were vulnerable. A lot of people are citing the lack of scrutiny for app developers and Android Market as the culprit. Put another way, the openness of Android.
Say what you want, but I think the Apple walled-garden approach is very desirable for everyday consumers who just want to feel safe online.
 

·
Member #1
Joined
·
47,683 Posts
Scary stuff. Access to your contact book, possibly private information, plus a WiFi and a cell phone connection.

The reality is that it would cost millions of dollars annually to scrutinize the apps so the question is, Who is going to pay for it?

Google is the answer that most people would say but where is Google going to get the money? Yes Google makes billions every year but should their search business subsidize their Android business forever?


If no one scrutinizes the apps, then it could kill the Android platform. Do you really want a smartphone with a compromised OS?
 

·
Registered
Joined
·
3,255 Posts
How different is this than owning and operating a PC? Smartphones should be regarded as personal computers... Microsoft does not scrutinize any of the software we run on Windows.

I think perhaps more awareness is needed and due diligence on the part of smartphone owners.

But I can see how easy it is to just install anything. It's a fast process and when almost everything is free on the market not much effort goes into researching an app before blindly running it.
 

·
Member #1
Joined
·
47,683 Posts
In this case, the Android phone is exactly like a PC so I guess you would need to buy anti-virus software and/or never download apps.

Personally, I don't want another computer to maintain. For me, I will pay extra for the security of knowing that my smartphone is secure.
 

·
Banned
Joined
·
328 Posts
I'd rather have the openness of Android any day of the week, the closed/ultra tight control Apple has is going to be one of their downfalls. I have had an Android device since day one and I have never had to maintain it or get an antivirus program. On the other hand, iTunes is a lot of work and maintenance, why do I need to download and update this program every few months? My Android phone seems to work great without a 90 MB program to deal with.
 

·
Registered
Joined
·
322 Posts
I don't think Android is like a PC. With Windows Update, Microsoft can put out patches. With Android, unless you have a Google or rooted phone, you might have to wait a while (or never be able) to upgrade to a newer release (e.g., 2.3).
Reports suggest that only Gingerbread (Android 2.3) is not vulnerable which makes 99% of the Android phones potentially affected.
 

·
Member #1
Joined
·
47,683 Posts
For me this is a big issue. Over the last six months, I have often recommended people check out Android and Apple smartphones but this has shaken my faith in Android.

Having to worry about viruses and malware on your computer is bad enough, but your phone? Most "regular" people I talk to want things simple. Unlike folks around here, they just want a phone that works plus some fun apps and some information apps. They don't want to have to hire a systems admin to keep their phone safe.
 

·
Super Moderator
Joined
·
3,996 Posts
So much of this is common sense. Every app has a list of 'permissions' you need to accept before you install it. If a game from a developer you've never heard of needs access to your SMS then it's probably not something you should install. If you see a discount version of a game from a different developer it's also probably a scam.
 

·
Registered
Joined
·
216 Posts
> So much of this is common sense. Every app has a list of 'permissions' you need to accept before you install it. If a game from a developer you've never heard of needs access to your SMS then it's probably not something you should install. If you see a discount version of a game from a different developer it's also probably a scam.

I'll assume you didn't read the article.

This isn't just an app doing bad things. The app contains exploits which bypass the Android security and gain root access to the phone.

It doesn't have to ask your permission to do anything, it already owns the phone.
 

·
Member #1
Joined
·
47,683 Posts
TorontoColin, as an experienced and involved user it may be odd to you but how many people simply say yes to every dialog box that pops up?

My guess is most consumers would assume that apps from the Android Market would be safe.

Also, how many times do you think that apps are installed by kids? My guess is many of them would be far less careful.

As retailers, the Android market or webOS market or the app store need to be gatekeepers to ensure that the products they sell are not malicious.

If you buy and install on hacked or jailbroken smartphones from non-approved stores then it's buyer beware but for stores such as the Android Market to sell malicious products and then turn around and say, "well the customer shouldn't be buying these apps from us" is pretty ridiculous.
 

·
Registered
Joined
·
216 Posts
I took a quick look at the Android SDK and didn't see anything about NDK (native code) requiring special permissions so perhaps you can correct me if in fact it does.

If this particular instance acts odd then that just might be because the author was sloppy. If I can execute native code on a Linux system with unpatched vulnerabilities (one of the vulns exploited is almost 2 years old) then who's to say that this isn't just the first person who's been caught doing it.

This isn't an iOS vs Android argument either. People who jailbreak their phones/download pirated iOS apps are at just as much risk, the difference is that those people probably don't have the assumption that someone is looking out for them as people who download from the Google marketplace do.
 

·
Registered
Joined
·
3,022 Posts
Discussion Starter #14
> This isn't an iOS vs Android argument either.

Which brings us back to the original point... there's little doubt in my mind that your typical DHC reader would be more tech sophisticated than your average guy off the street, but my original point was about the general consumer.

I'm betting that your typical consumer will opt for Apple's highly curated ecosphere because they want all the functionality without the fear and/or burden of having to ward off malware a la Windows OS.

This is a big deal because the market will be driven by general consumers, not nerds like us that are niggling over dual core processors and SD ports. If Google screws this up, then we all stand to lose because the post-PC era will be dominated by one company. We know how that turned out for the PC era and I don't think anyone wants history to repeat itself.
 

·
Registered
Joined
·
1,491 Posts
There are multiple free and pay security programs for the Android OS, which was one of the first things I downloaded for my phone. I have been using Lookout Security and I have never had an issue with downloading anything so far. I think this is a paramount thing to do with any type of computer, even Apple products, because sooner or later someone is going to expose a vulnerability.
 

·
Member #1
Joined
·
47,683 Posts
Anyone making this an Android vs. iOS thing is way off base.

This is an Android security issue only. Android manufacturers have to ensure that your "typical" consumer has absolutely nothing to worry about.

Android Market has to ensure that the products it sells are safe.

Personally, I think that the manufacturers need to say "hey, we'll contribute $5 or $10 a phone" to creating a robust and safe marketplace for our phones where apps are scrutinized before they are put on sale.
 

·
Super Moderator
Joined
·
3,996 Posts
> I took a quick look at the Android SDK and didn't see anything about NDK (native code) requiring special permissions so perhaps you can correct me if in fact it does.

When you install an app, before you can actually install the app, the market will bring up a list of 'permissions' the app needs; basically a list of functions/things the app will have access to, in both technical terms and plain English. For example Google Maps has access to "Your personal information (read contact data, write contact data)" and "Services that cost you money (directly call phone numbers)", among others. When an app has access to things it shouldn't need, you shouldn't install it.

I think manufacturers would be far better served by investing that $5-10 in keeping phones up to date and (hopefully) more secure. Even if they work to keep the market clean things would still occasionally slip by (they even do in Apple's rigorous testing) and they can't prevent third party markets or web exploits anyway.
 

·
Registered
Joined
·
216 Posts
> When you install an app, before you can actually install the app, the market will bring up a list of 'permissions' the app needs; basically a list of functions/things the app will have access to, in both technical terms and plain English. For example Google Maps has access to "Your personal information (read contact data, write contact data)" and "Services that cost you money (directly call phone numbers)", among others. When an app has access to things it shouldn't need, you shouldn't install it.

Right. But no requirement for an app that includes native code to ask for permissions if the thing it's exploiting isn't in the list. At most to use the one exploit cited in the article you would ask for access to the internet, that probably wouldn't set off any alarm bells for most games that now have scoreboards and such.

Once you execute the exploit you no longer need to have permission to do anything, you have administrative root access to the phone, you can access information in every application. This person was sloppy, it's quite possible this exploit methodology has been operating unnoticed in the Android marketplace for some time. Much like people who use trojans to build networks of drone PCs I can see people thinking the value of doing the same with smart phones.

It's pretty irresponsible for Google to be shipping a Linux kernel with old known exploits, they have enough money to attract someone who could keep on top of these things.
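
The two positions in the exchange above (review the permission list; native code needs no permission of its own) can be put side by side in a small triage script. This is an added example, not code from the thread or from Android: it assumes the manifest has already been decoded to plain XML, and the `EXPECTED` baseline, function names and sample archives are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ELF_MAGIC = b"\x7fELF"
# Assumed baseline: permissions a simple game with a scoreboard plausibly needs.
EXPECTED = {"game": {"android.permission.INTERNET", "android.permission.VIBRATE"}}

def requested_permissions(manifest_xml):
    """Permission names declared with <uses-permission> in a text manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def native_payloads(apk_bytes):
    """Archive members that start with the ELF magic, wherever they sit."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            with z.open(name) as member:
                if member.read(4) == ELF_MAGIC:
                    found.append(name)
    return sorted(found)

def review(apk_bytes, category):
    """Two independent signals: odd permissions and bundled native code."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        perms = requested_permissions(z.read("AndroidManifest.xml"))
    return {"unexpected_permissions": sorted(perms - EXPECTED[category]),
            "native_code": native_payloads(apk_bytes)}

def build_sample(perms, files):
    """Constructed stand-in for an APK: a zip with a plain-text manifest."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/'
                'android" package="example.constructed.game">%s</manifest>' % uses)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    quiet = build_sample(["android.permission.INTERNET"],
                         {"assets/helper": ELF_MAGIC + b"\x01\x01"})
    # Permission review is clean; only the native-code signal fires.
    print(review(quiet, "game"))
```

Bundled native code is common in legitimate games, so the second signal is a reason to look closer, not a verdict.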
 

·
Banned
Joined
·
328 Posts
Apple fans seem to think that malware will never affect the iOS platform because their apps are closely monitored by Apple.


Stonesoft: Apple’s iOS will see malware in 2011
By: Geoff Duncan • January 17, 2011

For years security firms have been predicting that Apple operating systems’ run of luck avoiding almost all malware and spyware would be coming to an abrupt end…and, although it hasn’t happened yet, network security firm Stonesoft is joining McAfee in forecasting 2011 will bring serious threats to Apple’s iOS mobile operating system. But, like all security firms, Stonesoft doesn’t think iOS will be the only security story in 2011: the firm also forecasts more sophisticated malware, increased targeting of smartphone platforms, and an increase in politically motivated attacks.
http://www.digitaltrends.com/mobile/stonesoft-apples-ios-will-see-malware-in-2011/
 