Slashdot Mirror


New Google Data Shows Dangers of Third-Party App Stores (onthewire.io)

Trailrunner7 writes: Google's position in the Internet world is a unique one. In one or another, the company controls or sees much of the traffic on the network and owns one of the larger computing arsenals on the planet. It's also in control of a decent chunk of the mobile world, thanks to Android's popularity, and securing that ecosystem is a tremendous challenge in both complexity and scope. Google scans more than 2 million apps every week for its 1.4 billion Android users. And it collects a lot of data from its users, of course. Some new data from the company shows that using only the Play store is much safer than using third-party app stores. The data Google has collected shows that users who install apps only from the Play store have far fewer potentially harmful apps installed on their devices than users who also sideload apps.

67 comments

  1. Vendor finds buying from vendor only is best buy by Anonymous Coward · · Score: 5, Insightful

    News at 11.

  2. PHA? by Anonymous Coward · · Score: 0

    PHAs are apps that the company finds have potentially harmful behavior, undocumented behavior, or other functions that could harm a user’s device or compromise his privacy.

    Er... shouldn't that be all of them? Where are these mythical apps that don't have undocumented behaviours (aka bugs)?

    1. Re:PHA? by mindwhip · · Score: 1

      In-app purchases that happen directly or indirectly without proper notification or consent, because a user picked what seemed like the easy 'best' option when they were asked for a default choice, without being notified of the full context and implications of that choice.
      As long as Google get their cut they don't care.

      PS: Apple do this too.

      --
      [The Universe] has gone offline.
    2. Re:PHA? by johanw · · Score: 1

      They also mean potentially harmful to their profits: adblockers, tools like Lucky Patcher that can hack playstore verification and disable ad services, etc. are all banned from the playstore.

  3. Well no shit, Sherlock by Modern · · Score: 2

    Useless article.

    1. Re:Well no shit, Sherlock by Anonymous Coward · · Score: 1

      It has a use. It can be used as a demonstration on how to lie with statistics.

    2. Re:Well no shit, Sherlock by Anonymous Coward · · Score: 0

      Amazon App store apps are almost always way behind on updates. That's enough for me to avoid it.

    3. Re:Well no shit, Sherlock by MobileTatsu-NJG · · Score: 1

      Heh. Google's basically saying that the Walled Garden is a more secure approach. Let that sink in for a moment.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    4. Re:Well no shit, Sherlock by skids · · Score: 1

      Plus they don't get the meta-data from people logging in to Google accounts just to download apps. (They could just as easily have posted signatures or digests for approved apps, but then they wouldn't have a monopoly on the web traffic and resulting log data.)

    5. Re:Well no shit, Sherlock by reboot246 · · Score: 2

      Sometimes that can be a good thing. I've seen apps that start out great but get worse and worse with each new update. I kind of like seeing what's coming and being able to stick with an older version if I want it.

    6. Re:Well no shit, Sherlock by Zontar+The+Mindless · · Score: 1

      Tagged "wellDUH".

      --
      Il n'y a pas de Planet B.
    7. Re:Well no shit, Sherlock by Anonymous Coward · · Score: 0

      I agree. It's a good thing. How else can the mafia sell their counterfeit goods and malware?

    8. Re:Well no shit, Sherlock by johanw · · Score: 1

      Use Raccoon and download the playstore version to your PC. Then you can always go back.

    9. Re:Well no shit, Sherlock by Zeio · · Score: 1

      Google blocks AdAway and is working much harder to prevent root. This jailing of the user is meant to force the use of the app store which allows them to monetize personal data (being "scrubbed" (yeah right)) and targeted marketing.

      When apps that help to truly make your experience secure (such as adaway that use fdroid and require root) by blocking horrible ads, scumware, malware, and other trash used by marketing on the internet.

      I use various lists just on hosts via android and dns creating blackhole zones with these lists:
      https://adaway.org/hosts.txt
      http://adaway.sufficientlysecu...
      http://hosts-file.net/ad_serve...
      https://pgl.yoyo.org/adservers...
      http://sysctl.org/cameleon/hos...
      http://winhelp2002.mvps.org/ho...
      http://www.mvps.org/winhelp200...
      http://someonewhocares.org/hos...

      Fanboy has some good lists as well

      A lot of these lists are not for blocking ads but for blocking really bad content from coming into your browsing experience.

      When Google and Apple actively prevent me from cleaning up this rubbish on a device I own and they kill all apps that attempt to do any of this and they remove all the hooks from the OS to allow us to do this it's really a poor situation.

      Now I have to worry about fdroid going away while Google claims this is a fight against amazon - scamazon. As much as I dislike Bezos and Scamazon and want Google to keep them with a better offering, banning 3rd party appstores and apps is a bad idea because it's the only way we can bypass the draconian and ridiculous "rules" the official rules of either Apple or Google app stores force on developers. There are a lot of useless apps out there but they have banned many useful ones because they conflict with their interests and not with safety or security.

      --
      Legalize the constitution. Think for yourself question authority.
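
Added example, not part of any commenter's post: merging hosts-format blocklists like those listed in the comment above, keeping only entries that point at a sink address so that a tampered or careless list cannot remap a real hostname to another server. The sample lists, the hostnames in them and the choice of Unbound `local-zone` lines as the DNS output are assumptions made for this illustration.

```python
import ipaddress
import re

# Names that must keep resolving normally; many public lists carry them.
RESERVED = {"localhost", "localhost.localdomain", "local", "broadcasthost",
            "ip6-localhost", "ip6-loopback", "0.0.0.0"}
# One DNS label; underscores are tolerated because real lists contain them.
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True for a multi-label hostname made only of well-formed labels."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_hosts(text):
    """Return (blocked_names, rejected_lines) for one hosts-format list."""
    blocked, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rejected.append(raw)              # first field is not an address
            continue
        # Only sink addresses block; any other address would redirect the name.
        if not (ip.is_unspecified or ip.is_loopback) or not names:
            rejected.append(raw)
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in RESERVED:
                continue
            if valid_hostname(name):
                blocked.add(name)
            else:
                rejected.append(raw)
    return blocked, rejected


def merge(lists):
    """lists maps a source label to hosts text; returns (sorted names, rejects)."""
    blocked, rejected = set(), {}
    for source, text in lists.items():
        names, bad = parse_hosts(text)
        blocked |= names
        if bad:
            rejected[source] = bad            # keep for review, per source
    return sorted(blocked), rejected


def to_hosts(names):
    """Every entry is rewritten to 0.0.0.0, whatever sink the list used."""
    return "".join(f"0.0.0.0 {n}\n" for n in names)


def to_unbound(names):
    """Unbound local-zone lines; each also covers the name's subdomains."""
    return "".join(f'local-zone: "{n}." always_nxdomain\n' for n in names)


# Constructed sample input, not taken from any real blocklist.
SAMPLE_LISTS = {
    "list-a": "# constructed sample\n127.0.0.1 localhost\n"
              "0.0.0.0 ads.example.com tracker.example.net\n"
              "127.0.0.1 ADS.example.com   # duplicate, different case\n",
    "list-b": "0.0.0.0 metrics.example.org\n"
              "203.0.113.7 login.example.com\n"     # redirect, not a block
              "0.0.0.0 bad_host..example\n"         # empty label
              "not-an-ip broken.example\n",
}

if __name__ == "__main__":
    names, rejected = merge(SAMPLE_LISTS)
    print(to_hosts(names), end="")
    for source, lines in rejected.items():
        for line in lines:
            print(f"rejected from {source}: {line}")
```
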
  4. Third party app stores like... by h33t+l4x0r · · Score: 1

    Amazon? What exactly are we talking about here? Who are the players?

    1. Re: Third party app stores like... by Anonymous Coward · · Score: 0

      If only there was a service to search the internet for information. We could call it something similar to the company in this story.

    2. Re:Third party app stores like... by Anonymous Coward · · Score: 0

      It would be nice if they did a store by store comparison, lumping them all in together is a category error. The obviously bad actors are stores like Aptoide. Amazon is only slightly shonky. But on the other hand you'll find more malware on Google's own store than you will on F-Droid.

    3. Re:Third party app stores like... by Dutch+Gun · · Score: 4, Insightful

      I think Google is really talking about third-party stores in China, India, etc. I'm not sure if the Google presentation didn't mention those countries by name, though TFA does. Apparently, lots of people use them over there, and subsequently get viruses or malware. It probably causes Android malware vs iOS to be badly skewed. Google is rightly pointing out that you're more likely to get hit with malware from some sketchy Chinese app store than from Google Play. It's not really all that shocking a revelation. Think about CNet's Download.com and all the crap you get on your system if you use that site, and you get the basic idea.

      People are implying that Google is singling out Amazon here. While I don't think Google would shed tears if people somehow got that impression, I'd bet that Amazon's store is almost as safe as Google's. Besides, Amazon is a big boy and doesn't need defending from us, the peanut gallery. If they want to release a study demonstrating how safe their own store is, they're perfectly capable of doing so.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:Third party app stores like... by Anonymous Coward · · Score: 0

      If google wanted to protect people, they could publish the md5/sha hashes of the current versions of apps and let those be easily checked by their hardware partners to report "oo, this might be a hacked version"

    5. Re:Third party app stores like... by tlhIngan · · Score: 1

      I think Google is really talking about third-party stores in China, India, etc. I'm not sure if the Google presentation didn't mention those countries by name, though TFA does. Apparently, lots of people use them over there, and subsequently get viruses or malware. It probably causes Android malware vs iOS to be badly skewed. Google is rightly pointing out that you're more likely to get hit with malware from some sketchy Chinese app store than from Google Play. It's not really all that shocking a revelation. Think about CNet's Download.com and all the crap you get on your system if you use that site, and you get the basic idea.

      Problem is, Google Play is not available in China. (I have no information on whether or not it is available in India).

      So if you're an Android phone user in China, you have no choice BUT to use a third party app store. And there are several Chinese app stores, and various ones run by the carriers. Of course, they are havens for piracy and malware since those stores do not care about user safety or anything.

      For this, to increase safety would require developers to release the APKs on their own websites and simply not use those sketchy app stores.

  5. Re:Not necessarily true for desktop software, thou by richy+freeway · · Score: 3, Insightful

    Do fucking shut up.

  6. app store censorship and carrier lockdown are bad by Joe_Dragon · · Score: 1

    app store censorship and carrier lockdown are bad parts of a 1 app store only system.

  7. Hmm... by wwalker · · Score: 3, Interesting

    In other words, Google says Google is better. How about an *independent* study?

    1. Re:Hmm... by Anonymous Coward · · Score: 0

      of course google says their own 'store' is better... and while it may be easy to just say they're biased in their report, it is also true.

      google may fuck up every now and then letting a bad app in their 'store', but they do scan their store and weed out virtually all of the bad stuff...

      while the users that are going out of their way to hook into third-party 'stores' or sideload apps are also more likely to be the users going after the uhh.. 'more naughty' stuff.. like porn and pirated movies and stuff, which is a humongous target for malware makers and scammers. so of course those users are more apt to get their phones and other devices full of crap ...

      and the same thing applies on the desktop.... buy mainstream applications and games from legit sources or obtain direct from the developer or publisher, you're mostly ok (sony rootkits notwithstanding), google for free porn or movies and click willy-nilly on search engine results, and your computer will get fucked up faster than you can fap to whatever it was you downloaded.

    2. Re: Hmm... by Anonymous Coward · · Score: 0

      No, it's not true, Mr. Google employee.

      The play store is FAR less safe than f-droid.

  8. Re:app store censorship and carrier lockdown are b by sims+2 · · Score: 1

    Anyone else remember when apple pulled all the apps that let you use the camera flash as a flashlight? Or how you still afaik can not get an app to scan wifi aps?

    --
    Minimum threshold fixed. Thanks!
  9. Poor article by c0d3g33k · · Score: 1

    TFA has all the factual content of a fluff piece read by the attractive yet dimwitted weekend morning anchor on the local news. There is no information at all to back up the baseless claims in the article. Not even a link to the "data" or a summary of the "data" that Google has allegedly collected.

    This story should never have made it out of the firehose.

  10. Article makes no sense at sentence of two by Anonymous Coward · · Score: 0

    "In one or another, the company..."

    Error: article makes no sense at sentence two. Can't be bothered fucking reading.

  11. Re: Vendor finds buying from vendor only is best b by Anonymous Coward · · Score: 1

    I just checked channel 4 and the news is on right now.

  12. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  13. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Comment removed by account_deleted · · Score: 0

    Comment removed based on user account deletion

  18. AdAway by Anonymous Coward · · Score: 0

    You can pry that from my cold dead hands.

  19. Hey editors! by BronsCon · · Score: 1

    In one or another

    It seems this article has lost its "way".

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  20. Re: Vendor finds buying from vendor only is best b by Anonymous Coward · · Score: 0

    And again at 11.

  21. Re:Not necessarily true for desktop software, thou by fluffernutter · · Score: 1

    That's a relief, because I chose the totally naive route and IGNORED THEM.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  22. Re: app store censorship and carrier lockdown are by LDAPMAN · · Score: 1

    The ability to use the flash as a light is built into the OS now.

  23. Re:Not necessarily true for desktop software, thou by Anonymous Coward · · Score: 1

    Until systemd resets the system date to its release date and triggers a nuclear launch.

  24. f-droid? by ChunderDownunder · · Score: 1

    I'd personally trust more a repository of programs where the programs had been built from source by volunteers and was free to tinker with under a FOSS license.

    1. Re:f-droid? by oddware · · Score: 1

      Changed over to F-droid only about 3 years ago. Never installing the GAPPS services again as my phones have longer battery life and no more invasive "We are going to do this/that, click ok to accept, click I disagree (for the 200th time) if you do not accept"

    2. Re:f-droid? by oddware · · Score: 2

      Use Owncloud and Tasks App + DAVDroid for Contact, Task & Calendar Syncing/Backup over multiple devices.
      Owncloud with the genuine Owncloud & Owncloud Notes for file and Note taking.
      Car Reports for recording your vehicle expenses (also syncs to owncloud and all your devices).
      OSMAnd~ for full voice navigation.

    3. Re:f-droid? by Anonymous Coward · · Score: 0

      These are great suggestions. I use all but Car Reports. I'll add some more from F-Droid that I use frequently.

      Firefox for Android - great mobile browser with add-on support; for me NoScript and uBlock Origin make the web usable. There was a major rewrite of the mobile browser around 3 years ago--it used to be slow and lackluster (and had poor add-on support) but it's a completely different beast now. So if you haven't recently, try it out. For some reason F-Droid will be dropping it from their repos at some point, but for now it's in there. I think you may be able to update Firefox from within itself? Or there will remain helper apps in F-Droid that check for new versions and download Firefox directly from Mozilla for you.

      Conversations - fantastic XMPP/jabber client; provides several types of end-to-end encryption, good design, fast, just a pleasure to use. Supports group chats. Do your friends, relatives and coworkers a favor and set up something like Prosody as the back-end (easy setup, low resources, high functionality) and Conversations as the Android client. Way the hell better than WhatsApp/Viber/etc for chatting and sending pictures for free. You can easily use Pidgin on your desktop and continue to message, and there are several iOS XMPP apps as well.

      K-9 Mail - email client. Has all the features and configurability that I want.

      KeePassDroid - password vault.

      Open Camera - feature rich camera app.

      VLC - media player.

      AnySoftKeyboard - keyboard.

      These are all apps from F-Droid that I use most frequently and think are of high quality in their area. Those along with the ownCloud apps plus DAVDroid and OSMAnd~ make for one super useful device without any proprietary or pushy stores or apps. Thanks to everyone who has and continues to put effort into making them what they are and sharing them with us.

    4. Re:f-droid? by oddware · · Score: 1

      AC nailed it.

      I also use conversations for xmpp but a few of my users prefer Xabber as it is a little more user friendly (Has a better "Currently Online" view).

      KeePassDroid, Open Camera, VLC, AnySoftKeyboard are all excellent suggestions.
      I will add Hackers keyboard (not as polished as anysoft but useful if you ssh from your droid), AdAway (Blocks ads throughout the whole phone - Requires Root) and Ghost Commander (+ Plugins) just to name a few.

      I currently run Openfire for the XMPP server but will be porting over to Prosody as it is less resource hungry (Ran Prosody on a Raspberry Pi with Asterisk off a solar panel on a trip with a group, yeah....nerd)

      If you have tinkered with the idea of making the switch (away from GAPPS) I highly recommend it, your phone will simply be better (and yours).

    5. Re:f-droid? by Anonymous Coward · · Score: 0

      I used to use Firefox for Android from the F-Droid repo. However, about two years ago, I switched to Lightning browser in the f-droid repo. Much better, faster, browser. I'll also add Hacker's Keyboard, oandbackup (backup app to replace Titanium backup), and Runnerup (app for joggers/runners). The only app that I depend on that isn't in F-Droid is SSHelper, an open source ssh server for android. Not sure why it isn't in F-droid repo, but I get the apk directly from the developer: http://arachnoid.com/android/SSHelper/

    6. Re:f-droid? by Anonymous Coward · · Score: 0

      Same here. Switched to omnirom with my latest nexus and left gapps behind about three months ago. With F-Droid repo, Google play isn't needed anymore.

  25. Google Slashvertisement by omnichad · · Score: 1

    Looks like a Google employee managed to get an advertising piece linked to from Slashdot's main page.

  26. Google created the monster by Kevin108 · · Score: 1

    If Google wasn't so stupid about what they don't allow in the Play Store, the 3rd party market wouldn't have been born.

    --

    It's a perfect time for being wasted.
    A perfect time to watch the stars.
    - Burden Brothers, "Beautiful Night"
    1. Re:Google created the monster by GuB-42 · · Score: 1

      That's not it. They are rather tolerant in what they accept, there are a few touchy subjects like ad blockers and sometimes an app is removed for some time for obscure reasons (like Tasker). But globally you can find almost everything legal in the play store, even root apps and apps that compete directly with Google's offering. These are not things that you will find on the Apple app store.

      The real reason is that:
      - For OEMs to get the Play store and the rest of the gapps on their devices, they need to follow Google's guidelines, something they sometimes don't want to.
      - Google gets 30% of all app sales in addition to valuable user data. Something that 3rd parties would prefer to end up in their own pockets.
      - China.

      True alternative markets installed by users themselves are, I think, a minority. And I think a large part of them are for piracy. Free software markets like F-Droid, the ones that everyone here likes to talk about are probably just a niche. A very important niche but a niche anyways.

  27. low P-value by Anonymous Coward · · Score: 0

    real conclusion: Users who sideload fall victim to malware that google is able to identify and so block them on their app store.

    malware that passes the app store validation also passes google head count in this joke of a study.

  28. Re:Not necessarily true for desktop software, thou by Anonymous Coward · · Score: 0

    My logs are still plain text.

    Which means you configured it to pass the logs on to the system logger, this is not the default.
    Or else it might mean that you're thinking your logs are text merely because journalctl outputs text.
    Geez.

  29. i do recall psdoom on early Linux by Anonymous Coward · · Score: 0

    I dloaded doom-touch apk from a russian server and only gripe is their russian font in the gui.

  30. Re: Vendor finds buying from vendor only is best b by davester666 · · Score: 2

    That's news to me.

    --
    Sleep your way to a whiter smile...date a dentist!
  31. Yes but there is an obvious reason for this by DrXym · · Score: 1

    Some people use 3rd party app stores in order to obtain warez. They search for some app which costs a fortune on Play and find a dubious place to obtain it for free. e.g. type "final fantasy apk" and various hits come up.

    It doesn't so much follow that Play is safer (although it probably is for other reasons), but that there are determined idiots out there who'll put their phone, privacy and security at risk to save a few dollars.

    BTW, there are many reputable 3rd party app stores who either curate or proactively monitor their submissions but Google probably doesn't make the distinction. It probably just scans apks on infected phones and determines if they came from their store or "somewhere else" which means Amazon's appstore, F-droid and all the rest are lumped in with the warez sites.

    1. Re:Yes but there is an obvious reason for this by drinkypoo · · Score: 1

      BTW, there are many reputable 3rd party app stores who either curate or proactively monitor their submissions but Google probably doesn't make the distinction. It probably just scans apks on infected phones and determines if they came from their store or "somewhere else" which means Amazon's appstore, F-droid and all the rest are lumped in with the warez sites.

      On the other hand, if you're using Chrome and syncing your phone, are you leaking your history back to Google? They might well know where you got those APKs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Yes but there is an obvious reason for this by DrXym · · Score: 1

      During setup Google sticks a popup asking if it can scan all your apps for security. I assume any stat gathering falls out of that. It should be straightforward for them to figure out if an apk comes from their store by comparing the hash, signatures etc.

  32. ehhhh...? by beh · · Score: 1

    So, basically google now says, that Apple's "single App Store" is the better model?

    1. Re:ehhhh...? by Anonymous Coward · · Score: 0

      Yes, that's what they've always said in effect, by *defaulting* to exactly that model, that that model is best *for most users*. But unlike Apple they also give you the *choice* to change the default *at your own risk*.

      I guess you think that choice is bad? That advanced users who know what they're doing should be treated the same as those who don't, rather than be able to make their own risk assessments? That all devices should be irrevocably locked down?

    2. Re:ehhhh...? by alex67500 · · Score: 1

      Hang on, Google have always said that Google's "single Play Store" was the best approach, and Amazon think the same with their store. The only reason Google had to open its stores to others is to show they weren't trying to create a monopoly.

  33. pretty bad result for google play by sad_ · · Score: 1

    10 times more secure of whatever than other android app stores, is still bad, it should be zero. We're talking about malware here, why is it even on google play?
    I wonder what the malware rate for the f-droid 'store' is?
    Screw this closed source mobile app world, it's even worse than what we had on windows.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  34. Re:app store censorship and carrier lockdown are b by swb · · Score: 1

    There is an *Apple* app for their own APs that has a scan mode that lets you scan for APs. It's not as fancy as some I've seen for Android, but it's useful enough to have.

  35. Re:app store censorship and carrier lockdown are b by tlhIngan · · Score: 1

    Or how you still afaik can not get an app to scan wifi aps?

    Because there's no way to write a wifi-scanner without using private APIs. You can probably write a very basic one that scans for available APs, but gets you little more than what the settings dialog shows you anyways using the available APIs. Getting any more information requires private API usage which is banned.

    Of course, no one really talks much about it since Apple has an open-source sideload ability now - open source apps can be loaded on your iOS device provided you have a Mac. (Yes, I say open-source because Apple strongly discourages abusing this mechanism for binary only apps - which is what happened to f.lux - they distributed their app as a binary with an Xcode project wrapper).

    Which I find mind-boggling, for Apple has found a way to have a walled garden, support open-source applications (no, you can't download binaries, but you can certainly BUILD the binary yourself and load it on your device), with the advantage that open-source apps can do a lot of things since Apple doesn't approve them. Oh yeah, added Mac sales, yadda yadda yadda.

  36. Less is not better here by Anonymous Coward · · Score: 0

    "have far fewer potentially harmful apps installed on their devices than users who also sideload apps"

    This statement tells you all you need to know. Even the Google store gets harmful apps.
    Pot, meet kettle.

    Now, go to a quiet place and try to figure out why you are such retarded sheep, and are ok with Google having all your personal information while shoving virus-laden ads and pushing nefarious apps to the device you only THINK you own.

    Are there any Adults in business anymore?