Google Remotely Nukes Apps From Android Phones
itwbennett writes "Google disclosed in a blog post on Thursday that it remotely removed two applications from Android phones that ran contrary to the terms of the Android Market. From the post: 'Recently, we became aware of two free applications built by a security researcher for research purposes. These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them. After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup.' The blog post comes a day after security vendor SMobile Systems published a report saying that 20% of Android apps provide access to sensitive information."
Update: 06/25 16:44 GMT by S: Clarified last sentence, which incorrectly suggested that 20% of Android apps were malicious. According to the report (PDF, which we discussed recently), "a majority of these applications were developed with the best of intentions and the user data will likely not be compromised."
security vendor SMobile Systems published a report saying that 20% of Android apps are malicious.
No, the report said that 20% of apps require access to sensitive data (i.e. your address book) or functionality to perform their job. You'd think people would have noticed by now if 1 in 5 Android apps were "malicious".
which is totally what she said
Yes, and you'd think that "itwbennett," the submitter, would know that, since he is affiliated with itworld (check his home page), the publisher of the linked articles.
Odd, that although he references a slashdot article from a few days ago, instead of linking to that article, or the article that links to (on CNET), or to the source of the report, or even to the report itself, he links to a rehash on itworld.
Tagged as a slashvertisement for self-promotion.
"National Security is the chief cause of national insecurity." - Celine's First Law
Just to clarify; Google nuked two applications that had been distributed via Android Market, which they explicitly reserve the right to do via their Terms Of Service (see section 2.4).
However, if you don't like these terms there is nothing that stops you from downloading applications from alternative sources and installing them on your Android device - there are a number of alternate Android application stores like SlideMe and AndAppStore for example, not to mention downloading .apk files directly to your phone and installing that way bypassing Android Market altogether.
Besides, what are they supposed to do if there are malicious applications on Android Market? Pull them and leave affected users with crap on their devices?
Oh well, I'm perfectly happy with my HTC Magic running Cyanogenmod 5.0.8 downloaded and installed via Clockworkmod ROM Manager, which itself was downloaded from Android Market.
Life is like a sewer; what you get out of it depends on what you put into it...
It's a pocket-sized computer, so why don't we have pocket-sized operating systems instead of glorified firmware on them?
Two reasons:
1. Drivers. Many are still closed source.
2. The baseband image (i.e. the bit that talks to the mobile network). This is *always* closed source, and there's no way manufacturers are going to release the documentation for it...
Apparently Google are going to try to separate the UI from the base system better in future so upgrades will be easier. I'll believe it when I see it though.
Android Market TOS
Furthermore, having done it, they informed you.
From Google's blog:
"National Security is the chief cause of national insecurity." - Celine's First Law
You can run any app you want. Just don't get it from the marketplace or you will be subject to the T&Cs of the marketplace.
And 20% malicious apps? As if there weren't enough problems getting iphone 4s as it is....
That figure refers to apps that ask for permissions they don't need, not malicious apps. Android has a fine-grained permission model and some apps ask for more things than they require, things that could potentially be used for malicious purposes. Personally I think the model is sound but the implementation could do with more safeguards, possibly something akin to UAC in Windows for certain operations so that the user is always aware of what apps are doing.
On an Android phone there is an application called 'Market'. This application allows you to browse all applications on the Google Android Market, install the ones you like, uninstall what you don't want any more, etc. In addition, this application periodically checks with the server to see if there are new versions of your installed apps and offers to update those.
I suppose the market did check for the offending apps and found that they had the 'remove' flag set and removed them from the phone.
If you had installed the same apps without Market (downloading the apk file), the Market would not know about them and would leave them alone.
Markus
I'm fine with repositories and security updates, but nuking an application without asking first is what Steve Jobs does and that Google is not supposed to do.
Actually, Apple has never done this until now. Yes, they have the infrastructure to do so, but so far they have never used it.
I'm fine with repositories and security updates, but nuking an application without asking first is what Steve Jobs does and that Google is not supposed to do.
I hate iPhone OS policies as much as the next geek (why don't I get an upgrade for security on my original iPhone, even to iOS 3.1.4?), but even Jobs doesn't delete apps from your phone. Any apps, once through the store, are yours, lock, stock, and barrel. They may prompt you to upgrade, they may stop selling an app, but they don't delete them. What Google should be doing is sending these users an email and free SMS letting them know that they "should delete app $FOO because it's potentially dangerous. For reference, please see https://google.com/android/press-release/93857293875928.html" Maybe some people wanted these apps... like the friends of the security researchers in question.
Actually the iPhone has the exact same "kill switch" for the exact same purpose. http://www.iphonealley.com/node/2928