Separating Fact From Hype On Mobile Malware

wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified: "As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."

Re:Allow users to set permissions?

[alostpacket]

There are a couple apps out there that do this (most needing root). They essentially re-write the manifest to not ask for the permission -- sometimes by decompiling/recompiling. This crashes a lot of apps as devs dont expect to need to check for a SecurityException. The other problem with this level of granularity comes user confusion. The more granularity, the more confused a user can get. It also breaks the "agreement" between the dev/publisher and the user, much like ad-blocking in web browsers does. This is unfortunate because it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control. Honestly, I'm not sure there is an easy answer/fix to this. Open markets mean a bit of chaos is likely to emerge -- that's a good thing. But the only way to combat the unscrupulous is through educating users and having the community diligent in it's policing and reporting.

The worst offenders though are the carrier bloatware apps (IMHO).

Full disclosure: I have myself written a security guide for Android (CC license), and have an app for sale that provides information for novice users as well as permission search (to see what apps are using what permissions). I say this because obviously my work will bias my thoughts on the matter.

The link in case anyone is interested: http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/
Please note the guide is intened for novice users, which is unlikely to apply to most of the Slashdot crowd :)