1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info

An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."

All or nothing approach is silly

[Mr_Silver]

I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tell you that if you want the app then you have to accept the lot.

Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".

A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.

That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.

Re:All or nothing approach is silly

[zequav]

There is App Ops in android >=4.3. Install App Ops Starter and disable the permissions you don't want to grant to an app.

Re:All or nothing approach is silly

[tlhIngan]

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iphone model in which the user is never told what the application can do).

Except to 99.99% of Android users, that permission information is completely useless to them. They don't know what it means, other than it's a screen that pops up whenever they install anything. They don't read it, they just tap Install and be done with it.

The technical term is Dancing Pigs (or dancing rabbits), and it describes basically that the user is most likely not pick the right choice security wise. They see an app in the Play store, tap install, then up comes the list of gobbledygook with a button that says "Install". They bypass the list and tap install, because they just wanted to install the app.

Relying on the user to make security decisions is poor security - all it affords you is the ability to blame the user for this mischoices, except said user is part of the very large majority who don't understand the screen, don't understand the need for it, and certainly don't understand why they need to spend the time reading it.

And that doesn't even get into the weird permissions you need in order to do stuff (like Read Phone State and Identity to get notifications when someone is calling).

The iPhone model isn't any better, but popping up extra dialogs doesn't work. Though, iOS at least does notify you and give you the ability to decline individual permissions (e.g., to stuff like location information, contacts and other stuff). But it too suffers from popup-it is.

Hell, the user can monkey around with some pretty complex steps if you tell them how to do it in small easy steps and they see benefit at the end. It's how they can do stuff like install OpenSSH, run PuTTY and enter in complex command lines - as long as they want to do it, they'll blindly follow. It's how the early jailbreak viruses spread - because people would do them to pirate apps and such and leave OpenSSH running with default passwords (because the HOWTO they used didn't tell them they needed to).

And I'm almost certain if you've helped someone tat they'll say something like "every time I print, nothing comes out of the printer" despite every time they print, a big screen shows saying "NO PAPER IN TRAY". No, they don't read dialogs either (happens with developers as well - the solution may be right there staring them in the face...).

Mozilla does that too.

[Animats]

Mozilla allows that, too. There's a slimeball company that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite. Users were very angry.

Mozilla's reaction? Mozilla's add-on policies prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ... "These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review." The spyware was just fine with Jorge Villalobos, Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."

You can't trust the Mozilla Foundation any more. That's sad.

Re:F-Droid, FTW

[Nerdfest]

Many of us don't need FaceBook or NetFlix. F-Droid is great, and there's actually a lot of stuff that's actually on both. Wonder if some of the Play versions are included in some of the adware-added nstuff they're talking about ...

Anyway, it's damn nice to have options. I realize Google bashing is the funded topic these days, but I wonder if anyone's done an analysys of the Amazon app store for the same sort of thing.