Slashdot Mirror


Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com)

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.

50 comments

  1. Why is this a problem? by Balial · · Score: 5, Insightful

    This write-up sounds awfully negative, but if your software is so bad that it can be auto detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.

    1. Re:Why is this a problem? by freeze128 · · Score: 0

      Is this what is meant by "fake news"?

    2. Re:Why is this a problem? by Anonymous Coward · · Score: 0

      Actually, the write-up sounds completely impartial to me (absolutely no positive or negative undertones).

    3. Re:Why is this a problem? by Anonymous Coward · · Score: 0

      Anything that starts out "Google Pressured" is automatically negative. See, they're a big mean corporation who unfairly treats innocent app developers. The snowflakes around here don't like that.

      CAPTCHA: compel

    4. Re:Why is this a problem? by johannesg · · Score: 1

      If "software, according to some lame heuristic, shows a typical sign of being bad", more likely. "Hey look, this guy is using sprintf! Some people use it wrong, so surely it means he must also be using it wrong, thus his software is bad! Fix it, or else!"

    5. Re:Why is this a problem? by slimjim8094 · · Score: 0

      No. Fake news is news that's been deliberately fabricated, often to make its purveyors money, and doesn't attempt to relate to the truth. For instance, "child sex ring in some Washington pizza shop" - there's just no relationship to the truth and whatever their reasons for publishing such nonsense, it wasn't an attempt to inform anyone of anything that could plausibly have been said to have been real. Real news may be inaccurate or flat-out wrong, but real news is intended to be based on some sort of truth. Now whether and how often a particular source succeeds could be a question of some debate, but even the most partisan news sources are - if they're real news - based on some event that actually occurred.

      The deliberate confusion of "fake news" with "news I don't like" is actually a very postmodern idea. There's no such thing as fact, it's just your perception that matters.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    6. Re:Why is this a problem? by Threni · · Score: 0

      Why? Do you believe this story was fake?

    7. Re:Why is this a problem? by SeaFox · · Score: 1

      This write-up sounds awfully negative, but if your software is so bad that it can be auto detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.

      It's a "bad thing" because a large corporation was able to exert influence over a bunch of third-party developers on a supposedly Open mobile operating system platform. Much like Apple reviews apps and can take action against developers that are breaking rules, Google is showing they can too. So, even though the actions had a positive impact for users and the overall Android platform, it's not good because "EvilCorp can control me". The fact this is Google's Play Store has no bearing on the legitimacy of their actions. Because Google is a monopoly (somehow even when there are alternative ways of searching/getting apps), so they must allow everyone else equal access and cannot take measures in their own business interests now.

      At least that's the only thing I can take away from this.

    8. Re:Why is this a problem? by Desler · · Score: 3, Insightful

      Google has always exerted influence over developers that use the Play Store. Why do you act like this is new? Android may be "open" but the Play Store is not and never has been.

    9. Re: Why is this a problem? by Rujiel · · Score: 0

      At the core of pizzagate is the presence of coded words in podesta's emails, particularly ones involving the owner of said pizza store. This much is undeniable, so media choose to strawman anyone who mentions it into purporting a pedo ring.

    10. Re:Why is this a problem? by Dutch+Gun · · Score: 1

      The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code. It seems unlikely Google would have started to impose deadlines if a significant number of developers weren't simply ignoring those security alerts. The program was originally started with no action required on the part of developers. Obviously, that didn't work out so well.

      I see nothing wrong with Google requiring a minimal effort to maintain security if developers wish to be listed in Google's app store.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    11. Re: Why is this a problem? by Anonymous Coward · · Score: 0

      At the core of pizzagate is the presence of coded words in podesta's emails, particularly ones involving the owner of said pizza store. This much is undeniable, so media choose to strawman anyone who mentions it into purporting a pedo ring.

      Have you no decency, sir? Podesta had nothing, zip, zero, nada, to do with any pedo ring, pizza based or otherwise.

      And this is the first I've heard about these so-called coded words. Most likely it is more complete crap.

    12. Re:Why is this a problem? by SeaFox · · Score: 1

      The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code

      Oh, I don't disagree. I was replying to the parent's puzzlement as to why the article has a negative tone, that's what I meant by "at least that's the only thing I can take away from this" since I had to search for that reasoning someone might have. Because otherwise I don't see anything wrong here.

    13. Re:Why is this a problem? by Dutch+Gun · · Score: 1

      Ah, I see. Re-reading again, the last sentence makes that more obvious.

      I'm wondering now if the negative tone was actually intentional or not, because TFA sounds a bit more neutral. I think much of it comes from the word "pressured" in the headline (which the article doesn't use). It makes it sound as though Google is sending goons to app developers' homes to... "encourage" them to upgrade their libraries.

      "That's a lovely app you have there. It would be a real shame if something were to happen to it."

      --
      Irony: Agile development has too much inertia to be abandoned now.
    14. Re:Why is this a problem? by Anonymous Coward · · Score: 0

      Is this what is meant by "fake news"?

      Yes, all the stories we hear about hacked smartphones are fake. Personal information has not been stolen, and mobile systems have never been compromised.

      Nothing to see here. Move along.

  2. and this is bad how? by Anonymous Coward · · Score: 0

    Seems like a good idea

  3. where's the safe space for apps by Anonymous Coward · · Score: 0

    How dare Google coerce my apps? My apps can be as insecure as they want to be!

    1. Re:where's the safe space for apps by tepples · · Score: 1

      Get thee to Unknown sources.

    2. Re:where's the safe space for apps by Anonymous Coward · · Score: 0

      I already do that so I can build my own crapps and install self-signed apk files.

    3. Re:where's the safe space for apps by tepples · · Score: 1

      Let me make it more explicit:

      Pay for a domain, web hosting, and advertising. Obtain a TLS certificate for your domain through the Let's Encrypt button of your web host's control panel. Offer your application as a self-signed apk file for download through your website, along with instructions for users to enable Unknown sources or use adb install to add the application to a device.

    4. Re:where's the safe space for apps by Anonymous Coward · · Score: 0

      Scam people into installing your shitty app. Got it. Also fuck you.

    5. Re: where's the safe space for apps by Anonymous Coward · · Score: 0

      So installing apps not from Play is a bad thing? Let me say fuck you, Google fanboy.

    6. Re:where's the safe space for apps by Anonymous Coward · · Score: 0

      Also fuck you.

      Game, set and match Tepples. Made you cry.

  4. Re:LOL by Anonymous Coward · · Score: 0, Funny

    Women who voted Trump have gaping wide meaty pussies.

  5. Google takes security seriously by Anonymous Coward · · Score: 1

    I've worked at Google and at two security companies and Google is the only company I know that actually takes software security seriously. In the 'security' companies security is pure theater; they do have security teams but their powers are on paper only, in practice they are merely seen as a little annoyance by the development teams. The security teams mostly go with whatever you tell them, and even if they know that the reports you are filing are omitting issues they have to take it at face value. It is even worse with external auditors: you simply tell them you will take your business elsewhere and they will keep a blind eye to all the security issues as long as it is not too obvious in published reports. Their main focus is for you to pass the audits, not actually comply with them.

    So hats down to Google to actually force developers, their message is clear: No security, no business. As long as other companies are seeing security as less business, they will not take it seriously. Personally I believe government should enforce criminal neglect more. How many bankers, CEOs, VPs went to jail over all the scandals in the past 10 years? Not many.

  6. I fixed mine by removing google ads... by Anonymous Coward · · Score: 1

    ... which quietly adds more permissions than most apps will ever need

  7. Re: Thanks Trump! by Anonymous Coward · · Score: 0

    > implying android was ever great before

  8. Re: Thanks Trump! by Anonymous Coward · · Score: 0

    What the Zuck was that?

  9. Re:LOL by Anonymous Coward · · Score: 0

    Oh yeah! So much flesh to grab.

  10. Re: Thanks Trump! by Anonymous Coward · · Score: 0

    Zuck will save you the trouble of voting because when Zuck runs for prez Zuck will be unopposed. Hawaii now, America soon. All will belong to Zuck.

  11. Misused access rights by short · · Score: 1, Interesting

    All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.

    Why are the apps lying that they need global file access only to store their own data? I have found in some Android SDK docs that they can store their own data even without global file access.

    Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.

    Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.

    1. Re:Misused access rights by Anonymous Coward · · Score: 1

      And access to your camera, microphone, picture gallery and location. There is no way every app needs these permissions. If Google is really serious about security, they will only allow apps to require these types of permissions under very strict protocols.

    2. Re:Misused access rights by rajafarian · · Score: 0

      disk?

    3. Re:Misused access rights by Anonymous Coward · · Score: 1

      To be fair, they attempted to fix this in Android Marshmallow, now apps can be fine-grained in their permission requests, such as only requesting camera access if some rarely-used camera-based feature is requested by the user.

      But a lot of apps just don't bother with that, and either still use the old permission model, requesting permissions when installing, or request all permissions at startup and refuse to run otherwise.

    4. Re:Misused access rights by stephanruby · · Score: 1

      They're asking about access to the external sdcard (not root access to the entire phone).

      Because while every app has access to internal memory, if the app deals with any large amount of data like pictures, videos, mp3s, or games with lots of graphics, it could easily fill up all the internal memory on your phone.

    5. Re:Misused access rights by denis-The-menace · · Score: 1

      THIS is what Google should be enforcing.

      Otherwise it's blatant phishing.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    6. Re:Misused access rights by jareth-0205 · · Score: 1

      All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.

      Why are the apps lying that they need global file access only to store their own data? I have found in some Android SDK docs that they can store their own data even without global file access.

      Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.

      Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.

      Apps used to need full access to the SD card to write any files there, and it's relatively recent that they don't have to. Mostly it is lazy/ignorant developers. You should probably not use apps that require this.

      And you really shouldn't use the accusation "lying" unless you're pretty sure it's deliberate and malicious.

    7. Re:Misused access rights by tlhIngan · · Score: 1

      To be fair, they attempted to fix this in Android Marshmallow, now apps can be fine-grained in their permission requests, such as only requesting camera access if some rarely-used camera-based feature is requested by the user.

      But a lot of apps just don't bother with that, and either still use the old permission model, requesting permissions when installing, or request all permissions at startup and refuse to run otherwise.

      That's because not many phones are on Marshmallow yet. As of now, just over 30% of phones out there have Marshmallow and above. That leaves the rest without, and a good chunk are Jelly Bean, KitKat and Lollipop.

      If you're a developer, you can target the new model and exclude 70% of the phones out there, or use the old phones and get 100%. And chances are, most people won't care so sticking with the old mechanism works until maybe a couple of years from now when Marshmallow will be the low end of the majority.
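
      The three points argued across this subthread (private data needs no storage permission, Marshmallow-style permission requests made only when the feature is used, and a system picker instead of blanket file access) fit in one Activity. This is an added example written for this thread, not code from any commenter or from Google; it assumes an AndroidX project with targetSdkVersion 23 or higher, a CAMERA entry in the manifest, and hypothetical names (ExampleActivity, onCaptureButtonClicked, onOpenButtonClicked, startCapture). On devices below Marshmallow, or when targetSdkVersion is below 23, the runtime prompt never appears and the install-time grant still applies, which is tlhIngan's point.

```java
// Added example (not from the thread). Assumes AndroidX, targetSdkVersion >= 23,
// and <uses-permission android:name="android.permission.CAMERA"/> in the manifest.
import android.Manifest;
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;

public class ExampleActivity extends Activity {   // hypothetical activity
    private static final int REQ_CAMERA = 1;
    private static final int REQ_OPEN_DOCUMENT = 2;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        savePrivateNote("settings.txt", "theme=dark\n");   // constructed sample data
    }

    /** 1. App-private data needs no storage permission: internal storage is
     *  private to the app, and the app-specific external directory has not
     *  required WRITE_EXTERNAL_STORAGE since API 19 (KitKat). */
    void savePrivateNote(String name, String contents) {
        try (FileOutputStream out = openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(contents.getBytes("UTF-8"));
        } catch (IOException e) {
            Toast.makeText(this, "write failed: " + e, Toast.LENGTH_SHORT).show();
        }
        // Large media (stephanruby's case) goes to app-specific external
        // storage, still without the global storage permission.
        File mediaDir = getExternalFilesDir(null);
        if (mediaDir != null) { /* e.g. new File(mediaDir, "clip.mp4") */ }
    }

    /** 2. Ask for CAMERA only at the moment the camera feature is used. */
    void onCaptureButtonClicked() {   // hypothetical button handler
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            startCapture();
        } else {
            ActivityCompat.requestPermissions(this,
                    new String[] {Manifest.permission.CAMERA}, REQ_CAMERA);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
            @NonNull String[] permissions, @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode == REQ_CAMERA) {
            if (grantResults.length > 0
                    && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
                startCapture();
            } else {
                // Degrade gracefully instead of refusing to run: every other
                // feature of the app keeps working without the camera.
                Toast.makeText(this, "Capture disabled; other features still work",
                        Toast.LENGTH_SHORT).show();
            }
        }
    }

    private void startCapture() { /* hypothetical camera feature */ }

    /** 3. Let the user pick one file through the system document picker
     *  (Storage Access Framework, API 19+). The app receives a URI for that
     *  single file only; no READ_EXTERNAL_STORAGE permission is involved. */
    void onOpenButtonClicked() {   // hypothetical button handler
        Intent pick = new Intent(Intent.ACTION_OPEN_DOCUMENT);
        pick.addCategory(Intent.CATEGORY_OPENABLE);
        pick.setType("text/plain");
        startActivityForResult(pick, REQ_OPEN_DOCUMENT);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQ_OPEN_DOCUMENT && resultCode == RESULT_OK && data != null) {
            Uri uri = data.getData();
            try (InputStream in = getContentResolver().openInputStream(uri)) {
                // read only the file the user chose
            } catch (IOException e) {
                Toast.makeText(this, "open failed: " + e, Toast.LENGTH_SHORT).show();
            }
        }
    }
}
```

      The design choice worth noting is in onRequestPermissionsResult: a denial disables one feature rather than the whole app, which is exactly the "request everything at startup and refuse to run otherwise" pattern the subthread complains about, inverted.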

  12. Not a bad thing.... by Anonymous Coward · · Score: 1

    Pressured? Or strongly encouraged? To make their apps more secure. To protect customers. Why is this bad?

  13. omg! flush the stash! by Anonymous Coward · · Score: 0

    trump is making communication laws work

  14. laziness by Anonymous Coward · · Score: 0

    The developers don't care. If 90% will blindly click install -- job done.

  15. Re:LOL by Anonymous Coward · · Score: 0

    So the size of a man's penis is important to you?

  16. Re: is this a problem? by Anonymous Coward · · Score: 0

    Podestas email was chock full of dog whistles, aka code words. The whole DNC strategy involved conveying different messages to the different constituencies.

  17. Re: is this a problem? by gumbi+west · · Score: 1

    To be clear about how tinfoil hat this is, the "code word" for the pizza shop owner was "pizza" which seems like a word that, I don't know, a pizza shop owner might just want to use for their routine business.

  18. Default sandbox for every App by Anonymous Coward · · Score: 0

    I would like to sandbox every application so their camera access only gets an avatar gif loop and the microphone access gets a loop of some shitty elevator music with a chop saw in the background cutting metal and the disk access is a sandboxed default Android image.

    Where is the application that lets me do this for nagging apps that require all this to run and I don't get benefit from it?

  19. lazy by Anonymous Coward · · Score: 0

    I find this leaves a rather bitter taste in my mouth. I once found an SQL injection flaw in one of my libraries then spent 30 hours populating the fix to all "infected" libraries....