Slashdot Mirror


Google Starts Scanning Android Apps

eldavojohn writes "A recent blog post has Android developers talking about Google finally scanning third party applications for malware. Oddly enough, Google claims this service (codenamed 'Bouncer') has been active for some time: 'The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise.' So it appears that they allow the software to be sold even before it is scanned and it also appears that no one has been bitten by a false positive from this software. Apparently Bouncer is not as oppressive as Apple's solution although given recent news its effectiveness must be questioned. Have any readers had their apps flagged or pulled by Bouncer?"

33 of 172 comments

  1. When will they add... by Anonymous Coward · · Score: 5, Interesting

    ...a more fine-grained security model and a firewall to android?

    I understand it's a problem for Google if users can suddenly notice how much
    is transferred to Google but I think it's the only way to go in the end.

    1. Re:When will they add... by Terrasque · · Score: 2

      ..a more fine-grained security model and a firewall to android?

      Well, it is rather fine-grained. Especially when compared to the other smartphone market leader. But yeah, there are some things that could be done better.

      And regarding firewall:
      1. Google release firewall
      2. Users start blocking ad servers
      3. World goes under

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    2. Re:When will they add... by Darkness404 · · Score: 2

      Android is the only smartphone with fine grained security. Applications only have as much access as is granted to them when you download the application.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:When will they add... by wvmarle · · Score: 2

      Unfortunately it's grant-all basis only. As in app requests a bunch of permissions, and you can not deny one or two of those requests. You must grant them all, or deny (and not install the app). It is only fine-grained as in there are many different, well-defined permissions an app may request. And of course the good thing is that they're all listed when you install a new app, and you're re-requested to give permission if this changes in an upgrade.

      But there are issues. I have a 4-in-a-row game on my phone, ad supported. Fair enough. For those ads (and the internet play option) you need network access. I can accept that. But the more recent versions of this app start to ask for location information. Now there it's getting hairy. It has network access so should be able to deduce my rough location by IP address (can be useful for targeting ads), why does it need to know in which street I'm walking around? That's too much.

      Other apps ask for access to "services that may cost you money" like to make phone calls, or to send SMS messages. While I don't see any such functionality in the app itself. Then I also wonder why it's needed. And I can't just flat-out deny that specific access.
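
Added example (not part of the comment above, and not code from Google or any app mentioned in the thread): a Java check for the upgrade case the comment describes, comparing the `uses-permission` entries of two manifests and reporting sensitive permissions that only the newer one requests. The class name, the `SENSITIVE` list and both sample manifests are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.TreeSet;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class PermissionDiff {
    // Assumed watch list: precise location and the "may cost you money" permissions.
    static final Set<String> SENSITIVE = Set.of(
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE");

    // Collects every <uses-permission android:name="..."> from a decoded manifest.
    static Set<String> permissions(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The manifest is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("uses-permission");
        Set<String> out = new TreeSet<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(((Element) nodes.item(i)).getAttribute("android:name"));
        }
        return out;
    }

    // Sensitive permissions requested by the new version but not by the old one.
    static Set<String> newlySensitive(String oldXml, String newXml) throws Exception {
        Set<String> added = permissions(newXml);
        added.removeAll(permissions(oldXml));
        added.retainAll(SENSITIVE);
        return added;
    }

    public static void main(String[] args) throws Exception {
        String head = "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\">";
        String net = "<uses-permission android:name=\"android.permission.INTERNET\"/>";
        String loc = "<uses-permission android:name=\"android.permission.ACCESS_FINE_LOCATION\"/>";
        String v1 = head + net + "</manifest>";        // constructed: earlier release
        String v2 = head + net + loc + "</manifest>";  // constructed: update adds location
        System.out.println("needs review: " + newlySensitive(v1, v2));
    }
}
```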

    4. Re:When will they add... by idontgno · · Score: 2

      A privileges-control software package like LBE Privacy Guard purports to control individual app access to distinct individual permissions. I use that app, and it seems to work, but if it leaks access, I'm not certain I'd be able to tell, so YMMV.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  2. Now? by C_Kode · · Score: 3, Interesting

    You figured something like this would have been in place from day one. Let's sell apps, but not worry about if they are loaded with malware or viruses. /facepalm

    1. Re:Now? by GameboyRMH · · Score: 2

      I made all kinds of assumptions about the way that these app stores are run in the early days. That they'd not only scan for malware but even inspect the source.

      But no, turns out that with both Android and iOS, you get the freedom of a walled garden with the safety of a sketchy warez site.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Now? by Dishevel · · Score: 4, Informative

      If you had an Android device you would know that you do not need to root your phone to install apps from someplace other than Google.
      You just go into settings and select that you want to be able to install programs from Unknown Sources.
      You can try again to spread FUD if you like.
      I will wait.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:Now? by ozmanjusri · · Score: 4, Informative

      once you jai - sorry, root the device.

      Settings/Applications/Unknown Sources.

      It's a toggle, so you can turn it back to block unknown sources after you've sideloaded whatever you wanted.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:Now? by Tr3vin · · Score: 2

      No, once you check the box for 'unknown sources' in the device settings menu. I am a power-user and I don't have my current phone rooted. There are very few instances where it is needed. In fact, the only time I have had a rooted phone was as a result of installing cyanogenmod.

    5. Re:Now? by Dishevel · · Score: 2

      It is not only theory.
      Get a Nexus. Buy it. Do not have some phone company pay for most of it for you and then sign a contract stating that you can now be fucked in the ass and blame it on Android.
      You can try again to spread FUD if you like.
      I will wait.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    6. Re:Now? by toriver · · Score: 2

      What is the point in releasing other Android handsets if the answer is always "get a Nexus"? You are ignoring that there have been handsets released where the option to install from untrusted sources was absent and you had to get apps from the Marketplace.

  3. Re:Scan for quality? by ThisIsSaei · · Score: 4, Informative

    Some of the most popular Jailbroken iPhone apps have the same issues, like WinterBoard.

  4. Re:Does this mean ... by Monchanger · · Score: 5, Interesting

    Not likely. FTA:

    Once an application is uploaded, the service immediately starts analyzing it for known malware, spyware, and trojans. It also looks for behaviors that indicate an application might be misbehaving and compares it against previously analyzed apps to detect possible red flags.

    That's a pretty good description of proper scanning for bad code. As TFS stated, this isn't the Apple paradigm where they want to control their users. The purpose is to maintain a profitable marketplace and platform by protecting users who keep hearing about Android malware.

  5. Re:Scan for quality? by RazzleFrog · · Score: 2, Informative

    It's because it is the most widely supported enterprise email app. It was the first most companies went with so they are slow to move to alternatives.

  6. Re:Scan for quality? by Ihmhi · · Score: 5, Insightful

    It is good that they are going to finally scan for malware.

    Yes.

    But in the end Android apps need better quality control.

    No.

    Look, this site espouses the value of open source and more open markets in general. Android is pretty open as far as markets go, but the caveat that comes with that is that there is a lot of garbage. If you aggregated every, say, Wordpress blog on the Wordpress.com website, 95% of them would probably be unreadable drivel. The same goes for programs.

    If an app exists but it doesn't work for you, then go to a competing app. If an app exists, is really crappy, and is the only one of its kind, that is what we call a "business opportunity". The market lacks quality software and that's a hole that you can fill. If an app doesn't exist but it would be useful (or fun!), then do it and make some money.

  7. The "recent news" was retracted... by efriese · · Score: 5, Informative
  8. Re:Scan for quality? by TimTucker · · Score: 2

    Because it's used for accessing corporate email. In many organizations, that's the only choice if someone wants to access their mail on a phone.

    The biggest selling point is that it keeps corporate data segregated from the rest of what's on the device. (If someone's phone is lost / stolen or leaves a company the end result is that it allows for a remote wipe command to clear out just the data for Good.)

    Last I had looked at it (close to a year ago), usability was lagging behind the native email clients for Android / iOS, but they did seem to be making slow progress.

  9. Re:Scan for quality? by Daetrin · · Score: 4, Insightful

    Uh, scanning for malware is great. But i don't want Google putting itself in the position of deciding what apps are "good enough" to be in their store. There have already been enough questionable decisions based on things like copyright, i don't want them having to make judgement calls on something even more nebulous like "quality."

    If you've found apps that aren't of high enough quality to suit you i suggest you just find a better app and/or tell the author what the problems are and ask them to improve it. Or if you can't find a better version and the problems really bother you that much, just uninstall it. If the problem is dealt with by Google wielding a ban hammer then it is "solved" not only for you, but also for all the people who thought the value of the app was worth dealing with the problems.

    --
    This Space Intentionally Left Blank
  10. Re:Scan for quality? by Terrasque · · Score: 4, Informative

    1. Create ArrayList
    2. Add ALL THE THINGS
    3. Forget to remove old entries when not used anymore

    Reference still exists, not considered garbage.

    --
    It's The Golden Rule: "He who has the gold makes the rules."
  11. Re:Does this mean ... by Aladrin · · Score: 2

    I think the most important part is actually "possible red flags". This automatically scans, but doesn't seem to automatically ban.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  12. Re:Scan for quality? by jiriki · · Score: 5, Informative

    Memory Leaks in Java are not objects that are not freed, but dangling references to data/objects that are no longer needed (often static HashMaps that people use to implement their own caches and forget to clean up, or listeners that are still registered, even if the listening object could be discarded).

    Also there are leaks in the Android WebView: http://code.google.com/p/android/issues/detail?id=9375
    So using the WebView (which many apps do) causes leaks :(
    (not the fault of the developer though)

  13. What's apparent to you may not be apparent to me by Anonymous Coward · · Score: 2, Insightful

    So it appears that they allow the software to be sold even before it is scanned and it also appears that no one has been bitten by a false positive from this software.

    Why does it 'appear' that they allow the software to be sold even before it is scanned? It could be true but it doesn't seem to follow from anything else that was said. It sounds as if it scans items that "are in the market" but that doesn't necessarily mean they aren't scanned before they go into the market, just that they continue to be scanned as the scanning techniques improve/change.

    Why does it 'appear' that no one has been bitten by a false positive? I don't see anything that could lead to that conclusion.

    Either or both of those statements could be true, but just sticking "It appears" in front of them without explanation is ridiculous.

  14. Re:Scan for quality? by ShavedOrangutan · · Score: 2

    A programmer can code a memory leak in Java (or Dalvik or .NET) just like any other language.

    --
    Godaddy is a scam and a ripoff.
  15. Re:Scan for quality? by robmv · · Score: 2

    Memory leaks are a coder's problem, even in languages with automatic garbage collection. An example: a developer adds items to a HashMap used as a cache but forgets to release unused items; that is a memory leak that no GC will solve.

  16. Re:free software matters by GameboyRMH · · Score: 2

    At this point they're completely incompatible with each other, so I'd say they're roughly as distant as the Linux and BSD kernels.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  17. Re:Scan for quality? by robmv · · Score: 2

    Yes, in Java and in any other language with garbage collection. Stop thinking GC solves all memory leak problems. Example: a developer adds items to a HashMap used as a cache but forgets to release unused items; that is a memory leak that no GC will solve.

  18. Re:Scan for quality? by blackraven14250 · · Score: 2

    Facebook is definitely one of the most widely used, and awful as well.

  19. Re:Scan for quality? by stewbee · · Score: 2

    So as a follow up then, after looking at the API, would a call to 'removeAll' or 'remove' keep this situation from occurring? (using the 'List' interface as my reference for function calls).

  20. Re:Scan for quality? by 0123456 · · Score: 2

    "Memory Leaks in Java are not objects that are not freed, but dangling references to data/objects that are no longer needed"

    In Java terms that _is_ an 'object that has not been freed'.

    Sadly the Cult Of Garbage Collection has made many Java programmers far too lax about ensuring that everything is freed when it's no longer required.

  21. Re:Scan for quality? by DerekLyons · · Score: 2

    If an app exists, is really crappy, and is the only one of its kind, that is what we call a "business opportunity". The market lacks quality software and that's a hole that you can fill.

    If I wanted to be in the app writing business, I'd already *be* in the app writing business. But there's a reason why I'm downloading rather than writing.
     

    If an app doesn't exist but it would be useful (or fun!), then do it and make some money.

    In addition to not wanting to be in the app writing business... I don't have the months it would take to learn how to write apps in the first place.

  22. Re:Scan for quality? by iluvcapra · · Score: 2

    Uh, scanning for malware is great. But i don't want Google putting itself in the position of deciding what apps are "good enough" to be in their store.

    It seems like, given that the Android platform lets you use whatever stores you please (or your ODM makes you use), Google could pretty much implement whatever quality control it wants, it just reflects on their reputation ultimately. People who want to sell apps that Google bounces would still have Amazon, GetJar, Handango, or their own website.

    --
    Don't blame me, I voted for Baltar.
  23. Re:Scan for quality? by alostpacket · · Score: 2

    This is part of the picture but there is more to it. One of the major problems is the fact that a lot of devs are unaware of, or forgot about, the fact that certain API objects like Drawable are bound to a View (which is bound to the larger UI and Activity). So what seems like a simple ArrayList of thumbnails that really shouldn't put much of any pressure on memory ends up holding references to the entire UI/Activity. This is called "Leaking the Activity" and is very common. Some of the blame rests with the devs, but I think some could be argued to be the fault of the API and/or GC.

    --
    PocketPermissions Android Permission Guide
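
Added example (not posted by any commenter, and not Android framework code): a plain-Java model of the leak discussed in the ArrayList, HashMap and "Leaking the Activity" comments above, showing that a small object kept in a long-lived list pins everything it references and that removing the entry makes it collectable again. `Screen` and `Thumbnail` are hypothetical stand-ins for an Activity and a Drawable bound to it; a `WeakReference` serves as the probe for whether the collector reclaimed the object.

```java
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.List;

public class ListLeakDemo {
    // Hypothetical stand-ins: Screen plays the Activity, Thumbnail the Drawable bound to it.
    static final class Screen { final byte[] pixels = new byte[8 << 20]; }
    static final class Thumbnail {
        final Screen owner;
        Thumbnail(Screen owner) { this.owner = owner; }
    }

    // Long-lived list, like the static caches described in the thread.
    static final List<Thumbnail> CACHE = new ArrayList<>();

    // Runs in its own frame so no local variable keeps the Screen alive afterwards.
    static WeakReference<Screen> openScreen() {
        Screen screen = new Screen();
        CACHE.add(new Thumbnail(screen));
        return new WeakReference<>(screen);
    }

    // System.gc() is only a request, so retry a few times before answering.
    static boolean collected(WeakReference<?> ref) throws InterruptedException {
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws InterruptedException {
        WeakReference<Screen> probe = openScreen();
        // The small Thumbnail is still listed, so the whole Screen stays reachable.
        System.out.println("collected while cached: " + collected(probe));
        // remove() clears the list's slot; nothing else refers to the Thumbnail or Screen.
        CACHE.remove(0);
        System.out.println("collected after remove: " + collected(probe));
    }
}
```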