Security Warning Over Web-Based Android Market

An anonymous reader writes "Security researcher Vanja Svajcer is warning that cybercriminals may be particularly interested in stealing your Google credentials, after discovering a way of installing applications onto Android smartphones with no interaction required by the phone's owner. The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself. Svajcer summarizes: 'Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.'"

Minimum

[Spad]

Surely as a minimum you should just be able to turn off the ability to install apps remotely.

Re:Minimum

[Charliemopps]

if your account were compromised, couldn't they just turn it right back on?

Re:Minimum

[John+Hasler]

Not if you could turn it off on the phone. Of course, you should obviously have to authorize each installation manually from the phone anyway.

Re:Minimum

[icebike]

Installing apps remotely is a convenience factor that has a lot of merit.
A simple confirmation on the phone should suffice.

Perhaps, but a more sensible approach than turning it off is to make for a more secure environment by having
better password management, and encrypted connections throughout the Google infrastructure.

At a minimum everything you do on Google should be done over https, (the market is, but its not real clear how
secure C2DM really is. It relies on your 'Google Talk' connection, and I simply have not had the time
to sniff that traffic to see if its encrypted or not. Google Talk maintains some pretty resilient connections over
3G,Edge,WIFI, etc.

Its the WIFI ones you have to worry about, especially if you frequent open WIFI routers.

Re:Minimum

[Threni]

Why isn't everything encrypted on Android all the time? And the web? I don't understand. It's not like it's financially or computationally expensive. Can people just not be bothered?

Re:Minimum

[icebike]

As far as the web, it is slightly more expensive computationally to create a secure connection than an open one.

Scaled up to the size of Google, its a major issue, but on the other hand, Google has enough computing power to handle it. Does Slashdot?

For most web pages it simply doesn't matter. But anytime you have to have an account and log in, it should be supported.

Re:Minimum

[sortius_nod]

I have no idea why this wasn't implemented from the start. It seems like one of the most basic of "security" measures. Sure, if the device is compromised and has malicious code on it already this would probably become a useless security feature, but to compromise the device I have a feeling they'll be using this remote install. It won't take much to spoof Google's credentials and get malicious code on to the phone at this stage.

Re:Minimum

[WarmNoodles]

I have no idea why this wasn't implemented from the start. It seems like one of the most basic of "security" measures.

Ya think?
How about as a basic first security measure Google and Apple reach out to one of the following companies and commissioned work to add objective C and the Droid platform java and C++ validators to one or more of the code scanning platforms below. Companies are circa 2008

Ounce labs analyzer
IBM app scan source analyzer
Fortify 360 analyzer
Vericode service
KlocWork analyzer
And thousands of companies that specialize in manual and automated source code reviews

And why they would allow adding arbitrary apps to thier respective app stores without having to present a certified scan from one of the above tools can only be attributed to some combination of apathy, stupidity, greed or just dammed effective marketing.

Just have to shrug and roll my eyes every time I see a proud iPhone or Droid user gloat in carnal innocent malware bliss.

old debacle: convenience vs security

[Superken7]

This is nothing new (the part about no user intervention), its called C2DM. Your google account would need to be compromised for an attacker to remotely install software on your phone.

IMHO this sounds like the old convenience vs security debacle. I prefer convenience in this case, since if someone compromises my goog account, I have much more important things to worry about. (like services trusting the ownership of my email account, private information, etc..)

"As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
Again, I don't agree. I don't care about that, I want CONVENIENCE. However, the point that he makes that your compromised account is now more valuable is still valid. I just don't agree on the solution.
Why not just opt out of remote phone installs? At least make the user validation of remote installs optional, for the ones who are more concerned about that?

Re:old debacle: convenience vs security

[Dexter+Herbivore]

Open devices are like a girl with open legs, convenient but they have their own risks.

Re:old debacle: convenience vs security

[h4rr4r]

Mod parent way the heck up.

If you can get my google account sure it is worth more, but you can also buy stuff via google checkout which is a way bigger risk to me.

Re:old debacle: convenience vs security

[geekoid]

A pop would indicate to you that someone has compromised your account.

Of course, in the end you say exactly what the person you are replying to suggested.

Re:old debacle: convenience vs security

[staryc]

Open devices are like a girl with open legs, convenient but they have their own risks.

Open devices are like a guy with an open mouth, convenient but they have their own risks.
Fixed.

Re:old debacle: convenience vs security

[Dexter+Herbivore]

Hey, it works both ways, I'm just talking from a male perspective... don't be offended. Man-whores are just as damaging to sexual relations (and potentially health, HPV has awful consequences) as an "easy" woman. I'm sorry I didn't use non-specific gender assignation but that just seems like a load of (quoting Neal Stephenson here) bullshyte when I'm trying to make a general reference from a male perspective. I know plenty of women who can do damage with an open mouth too, but apparently saying that may be offensive!

Re:old debacle: convenience vs security

[node+3]

"As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
Again, I don't agree. I don't care about that, I want CONVENIENCE.

This seems a bit much. A dialog box saying, "Install: [list of new apps]?", seems convenient enough to me. It's not even saying you need to type in your password, just accept new apps. You can even have a "Don't ask me again." checkbox if you really just want binaries from the Internet to be automatically installed.

This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

You talk about "your password is compromised already, you have worse things to worry about!", what about some guy hacking into a girl's gmail account and remotely installing some stalker malware? Or phishers hacking into your parent's account to do the same, but for banking fraud purposes?

This is a bad default decision, but it's reasonable that there will be some mistakes when rolling something new out like this. It seems to me like you're only defending it because to do otherwise would require admitting a security weakness in Android.

Re:old debacle: convenience vs security

[Onuma]

Many surgeons and manufacturers of antibiotics may choose to disagree.

Re:old debacle: convenience vs security

[staryc]

Sexual promiscuousness and speaking are both alright when done responsibly. I'm just reminding /. that there is a female population around here and therefore a female perspective to things, too.

Re:old debacle: convenience vs security

[Dexter+Herbivore]

I quite seriously apologise for any possible offence caused by my remark, please don't take it out of context. I cannot emphasise enough how sorry I am if I have caused offence. It was a comment made without due concern for the sensitivities of other genders and I do understand that. I made a *joke* without proper concern for gender stereotypes without qualifying myself properly. My intention was not to harm but merely to amuse.

Re:old debacle: convenience vs security

[meloneg]

Unfortunately, your analogy falls down badly. Compromising my google account is the equivalent of having my keys. This is more like asking (on the other side of the door) if I really mean to open that door.

Re:old debacle: convenience vs security

[xiando]

This is nothing new (the part about no user intervention), its called C2DM. Your google account would need to be compromised for an attacker to remotely install software on your phone.

The "account" part is less important. What really matters is that Google can remotely install software on your phone. Google itself may be compromised in one way or another. It should simply not be possible to install anything on any device without notifying the user on that device.

Re:old debacle: convenience vs security

[bemymonkey]

Agreed, it's a feature implemented for our convenience. This so called researcher is blowing things way out of proportion...

Re:old debacle: convenience vs security

[bemymonkey]

What malware? The only apps that are installable are the ones on the Android Market, where any malware will be flagged by users right away...

Re:old debacle: convenience vs security

[node+3]

What malware? The only apps that are installable are the ones on the Android Market, where any malware will be flagged by users right away...

You just said, "What malware? The malware that's on the Android Marketplace?"

Yes, that malware.

Re:old debacle: convenience vs security

[John+Hasler]

Or what about people who don't use their Google accounts for anything important?

Re:old debacle: convenience vs security

[SadButTrue]

This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

Re:old debacle: convenience vs security

[amRadioHed]

I don't particularly want the prompting, but I think in this case it wouldn't really be a problem. Sure you would pretty much expect and ignore the dialog every time you installed an app from the web, but I think I'd notice if I had to dismiss that prompt while I'm walking down the street nowhere near another computer.

Re:old debacle: convenience vs security

[hawaiian717]

but it's reasonable that there will be some mistakes when rolling something new out like this

No, it's not reasonable. Making security mistakes like this mean that security wasn't included in the architecture design from the beginning. Yes, lots of people treat security as an afterthought, and no, it's not a good thing.

Re:old debacle: convenience vs security

[aitan]

The user is notified.

After the application is installed you can see a new entry in the notification bar, so if you didn't ask to install it you will notice right away that something is wrong.

Re:old debacle: convenience vs security

[node+3]

This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

What you're really saying is that security is the same as no security. Why lock your door? You're just going to unlock it every time someone comes to it, right?

I can't see how you can reasonably equate prompting with not prompting in this case. Vista is a red herring. We're not talking about prompting every time a user does something remotely admin-like. We're talking about prompting whenever the OS wants to install software from the Internet. This is much more like Windows prompting before installing third-party software. The problem with UAC (in Vista far more than in 7) is that it came up so much that it was essentially something you just learned to click in order to use your computer. That's not what we're talking about here. Software install and update prompts have been normal for a decade now.

This whole argument against prompting is extremely silly. If anyone other than Google was doing this, there'd be an uproar. But since it's Google, I guess we'll let this slide, right?

This is Security 101. You don't let third party binaries on your system that you didn't ask for.

Re:old debacle: convenience vs security

[node+3]

but it's reasonable that there will be some mistakes when rolling something new out like this

No, it's not reasonable. Making security mistakes like this mean that security wasn't included in the architecture design from the beginning. Yes, lots of people treat security as an afterthought, and no, it's not a good thing.

I didn't say it was a good thing, I said it was reasonable.

My proof is that people are fallible. What's unreasonable is expecting absolutely no security hitches ever. When something like this happens (and it's wise to always count on something like this happening), what's important is how it's dealt with. This situation only really becomes unreasonable if Google does nothing about it, or takes too long to do so.

Re:old debacle: convenience vs security

[SadButTrue]

This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

What you're really saying is that security is the same as no security. Why lock your door? You're just going to unlock it every time someone comes to it, right?

Nope, What I am saying and what I did say was that obtrusive warnings and no warnings are roughly the same. Which you agree with in your next paragraph.

Re:old debacle: convenience vs security

[node+3]

Nope, What I am saying and what I did say was that obtrusive warnings and no warnings are roughly the same.

No, you said warnings and no warnings are roughly the same. Specifically, "Prompting always is pretty much the same as never prompting."

Which you agree with in your next paragraph.

No, I said prompting too often can train the user to just click them away. Obtrusiveness is a necessary aspect of security prompts. Prompting for every little thing isn't. If that's what you really meant, or at the very least, what you mean now, than we agree enough on that topic at least.

And I also stated, however, that this is a red herring, because remote app installs aren't going to happen so often as to become automatic responses.

Re:old debacle: convenience vs security

[ChunderDownunder]

Obligatory

Re:old debacle: convenience vs security

[commodore64_love]

>>>Open devices are like a girl with open legs

Yeah true but a phone can be thrown-out if it becomes "diseased". Not so with your willy. An open unprotected phone is less deadly and less of a concern.

Re:old debacle: convenience vs security

[CheerfulMacFanboy]

Unfortunately, your analogy falls down badly. Compromising my google account is the equivalent of having my keys. This is more like asking (on the other side of the door) if I really mean to open that door.

Unfortunately you analogy falls even worse. It would be like asking for your approval if you actually wanted to use that brand new appliance that has been delivered to your house while you were away - because you will not remote install apps on your phone even remotely as often as you will open your door.

it's safe for me!

[s0litaire]

"The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself"

That's only a problem if the site works!!

So far I've tried 3 times with 3 different apps and i've not been able to remotely install an app via the web page on my Android phone...

Re:it's safe for me!

[pvera]

What carrier? I have installed at least 3 so far with no issues, this is a Samsung Intercept (2.1) with Virgin Mobile USA.

Re:it's safe for me!

[s0litaire]

I'm on UK "Three" Network.
Running CynogenMod 6.1.3
With Market 2.2.6

Looks like it's a problem with some versions of Rom's people are using. Stock, and "sense" based roms seem to work, but custom ones it's hit or miss wither it works.

Re:it's safe for me!

[psyclone]

Why would you use the website on your Android phone and not the Market app?

The only purpose for the [ugly] market.android.com website is to bypass the phone for app research and installs.

Though if you're browsing a website not on the phone, why not use AppBrain instead? At least it supports rudimentary sorts and filters.

I'd really love to browse a market by filtering-away apps that require permissions X (where X includes reading browser history, contacts, etc.). Then I could sort by number of downloads as well as ratings. (Not just average rating but number of ratings.)

The android market is a joke, both on the device and off.

Re:it's safe for me!

[s0litaire]

Did i say i was using my mobile to access the website?

I'm using the site on my laptop. (phone is charging on the other side of the room.)

p.s.
It does not work even if I use the site on my mobile.

Re:it's safe for me!

[idontgno]

Thank God I'm running CM7.1 nightlies!* Hell, the built-in stuff doesn't work all the time! Certainly this remote-installing nightmare-hell of malware is guaranteed to fail!

*Or was, until I broke my smartphone's screen... <sad>. Can you imagine how hard it is to use a touchscreen OS when you can't see what's on the screen?

Re:it's safe for me!

[s0litaire]

I'm keeping clear of the Nightlies at the moment.
I'm waiting for a stable beta of CM7 (probably when HTC bring out a stock Gingerbread for the desire HD)

Re:it's safe for me!

[Skythe]

Have you turned sync adapters on? (Power control widget's 2nd last icon). If you have sync disabled it won't work.

Really?

[MrHanky]

When you install software on your phone, it shows up in the status bar. It's not like someone can install things secretly.

Re:Really?

[geekoid]

True, but who is looking at their status bar 24/7?

Especially if the program being maliciously installed is designed to remove itself from the status bar.
Seriously, root kits have been removing themselves from lists and logs since 1984.

Re:Really?

[NatasRevol]

Can't Sleep.

Status Bar Will Eat Me. /simpsons

Re:Really?

[h4rr4r]

The notification stays until you clear it. If there are apps with rootkits in them in the market then you have bigger problems.

Re:Really?

[MrHanky]

No one, of course. But don't you have to run an app to, well, run it? Unless you restart your phone, evidently: Some apps do start up at boot even if you never started them before, but I've never noticed one start at install. Then again, I'm not entirely sure how the .apk packages work.

Re:Really?

[maxwell+demon]

So you think an app with a rootkit which you have to explicitly install is a bigger problem than an app with a rootkit which installs itself without user interaction?

Re:Really?

[h4rr4r]

No, I would say they are the same problem. The issue is then an app with a rootkit and how you got it does not matter.

Re:Really?

[maxwell+demon]

I would say they are not the same problem. I can protect myself against an app with a root kit by not installing it. I can't do that if it installs itself.
Now you will probably counter that I usually won't know that there's a root kit in the app. Which is only partially true: While you never can be completely sure about it, there are apps which are more likely to have root kits than others. Moreover, generally the set of apps you knowingly install will be quite limited. An attacker would have to put the root kit into an app which you would want, but where you don't already have an equal or even better app. With an app which installs itself, the attacker doesn't even need to make the app appear interesting. I'll get it even if I don't want to.

Re:Really?

[pointybits]

Apps can include background services, but by design they can't start the services on install, they are only allowed to start them when the application is run for the first time, or when the device is rebooted. However they can hook system events on install so the app can be launched when the phone receives an SMS for example.

Re:Really?

[brunes69]

That's not possible for a few reasons. First, you would need root-access to the Android OS. Second, even if you have rooted your phone, any time an app asks for root a big box takes over the phone and you HAVE to accept it within 5 seconds or that app is blacklisted from ever asking for root again.

Re:Really?

[Tacvek]

That assumes you have installed Koush's or ChainsDD's Superuser app, which admittedly pretty much all rooted "ROM"s and pretty much all instructions for rooting a phone contain, so in practice it is always installed. However, please note that any app that exploits a kernel flaw to gain root could bypass the superuser application.

summary is misleading

They can only do this if they steal your password first -- not that they will silently install an app, and then swipe your login details.

Re:Fourth Post!

[Stenchwarrior]

Damnit!

The bigger security issue

[Mike+Buddha]

The bigger security issue that aflicts all Android phones is that of pocket-based or belt-holder-based security. The vast majority of Android users falsely secure their devices by carrying them in their pockets or on belt holders. If a hacker were able to remove the phone from the pocket or belt, they could covertly install malicious apps, make phone calls, check call log, spam sms messages, etc.

Google needs to address this gaping hole in Android security.

Re:The bigger security issue

[mdm-adph]

WHOOSH

Re:The bigger security issue

[BitZtream]

The difference is, if someone takes it off my belt I'll know it.

If someone malicious attacks google or your google account, you end up with software on your phone without any prior knowledge.

So go ahead, take my phone out of my pocket, install malicious app on it, and put it back in my pocket ... I'm pretty sure I'll know, unless you happen to get it during the 7 or so hours a night when its not in my hand or my pocket ... but instead laying next to me on my nightstand ... I'm pretty confident I'll know you did it.

On the contrary, Google can install things all day long and you may never notice since it or anyone else with the right information can do it wirelessly. Doesn't have to be Google, just has to be someone that finds an exploit. THIS IS WHY STATICLY CONFIGURED REMOTE ACCESS AND CONTROL IS BAD. Not just because Google can do it ... but because ANYONE with the right info can do it to millions of devices.

Perhaps you shouldn't talk about security, even if you're trying to be funny.

Of course, its important to note, since most people are new to smart phones in general that they pretty much all had some sort of setup like this done via the carriers since cell phones started. Its also important to notice that AFAIK Apple was the first to more or less take all control away (not that they didn't maintain it for themselves) from the carriers (at least initially).

Re:The bigger security issue

[Mike+Buddha]

Perhaps you shouldn't talk about security, even if you're trying to be funny.

You're absolutely right. I've learned my lesson. Some subjects are just too serious to have anything remotely funny said about them. Having programs installed on your phone due to a hypothetical security flaw is one of those subjects. Are there any other purely hypothetical situations that should not be made light of, or should we treat all FUD with the same level of respect and dour consternation?

It's Always Worked This Way

This is the way the Android Market app has always installed apps on the phone. The process is async. The Market app sends a request to google, google authorizes it, then pushes the app to your phone. The web site is using the same mechanism.

Before you write another story, make sure it's actually been cracked first.

Re:Silent install is needed

[Onuma]

Agreed.

I think there should be a default level of "silence" depending on the programs to be installed. Make it optional to have everything, nothing, or specific programs bring up a prompt based on user preference. It sounds like a fairly easy solution, really.
While I'm running a recent version of the Blackberry software, I've got Google Sync allowed to do some things with everything else requiring my assent. Android designers should have taken a cue from an extremely successful portion of wireless market.

and a secure solution would look like what?

[xanthos]

Lets help Google out here and describe what a secure solution should look like.

Do you follow Apple's walled garden approach and only run officially signed code?
Do you follow Msft's signed code approach where you warn but let them run anyway?
Do you download to a quarentine area and force the user to accept it to run it?

others?

Re:and a secure solution would look like what?

[h4rr4r]

Sandbox every app, then have the user allow specific permissions. This would mean however than a user could avoid adds in a free app by not letting it talk to the network.

Oh come on

[shoehornjob]

As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.

That'll never work. Can you say drive by attack? Users don't look at these things and criminals know it. That's why people get their pc's infected with all sorts of nasty bits. Oh yeah 800 viruses and spyware found on your computer!!! Click here to clean your pc. Google needs to make it right not just put a band aid on it.

Re:Oh come on

[John+Hasler]

That'll never work. Can you say drive by attack? Users don't look at these things and criminals know it.

So what you mean is "That'll never work for fools."

Re:Oh come on

[shoehornjob]

So what you mean is "That'll never work for fools."

Ok....you got me there but Google still needs to make it right.

Ahhh yes

[WillyWanker]

Ahh yes... today's security DDDDDOOOOOOOOOOOOOOMMMMMM!!!!! Really, isn't anyone else sick to death about these things that NEVER affects ANYONE?

Re:Ahhh yes

[Mike+Buddha]

FUD affects everyone. If Apple is going to withstand the onslaught of Android, the FUD's going to have to fly fast and thick. Potential insecurity! Fragmentation! Beware!

just don't let someone access your account

[mshenrick]

make this an optional security feature and just do the same as you would your facebook account, don't let other people on it!

Is this an Apple or HP announcement?

[Earl+The+Squirrel]

I was watching this on engadget and couldn't tell from the images whether I watching an Apple or HP announcement.

This picture ... change TouchPad to iPad and put the guy in a black turtleneck....sure looks like the iPad announcement.. Look at this picture from the original iPad announcement... sure looks similar to me.

This e-mail app looks pretty damn close to the iPad one.

This keyboard sure looks almost identical to the iPad.

In general, I saw this as a rehash of the Apple and Google approaches to a common OS for Phone and Pad. Can't speak to either on "pc" though both have leaked rumors at least of having their OS on some form of a PC. To me this was a big "yawn" from a late comer to this space.