Slashdot Mirror


Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com)

An anonymous reader quotes PCWorld: Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...

In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.

100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.


  1. Why is this a problem? by Balial · Score: 5, Insightful

    This write-up sounds awfully negative, but if your software is so bad that it can be auto-detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.

    1. Re:Why is this a problem? by johannesg · Score: 1

      If "software, according to some lame heuristic, shows a typical sign of being bad", more likely. "Hey look, this guy is using sprintf! Some people use it wrong, so surely it means he must also be using it wrong, thus his software is bad! Fix it, or else!"

    2. Re:Why is this a problem? by SeaFox · Score: 1

      This write-up sounds awfully negative, but if your software is so bad that it can be auto detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.

      It's a "bad thing" because a large corporation was able to exert influence over a bunch of third-party developers on a supposedly Open mobile operating system platform. Much like Apple reviews apps and can take action against developers that are breaking rules, Google is showing they can too. So, even though the actions had a positive impact for users and the overall Android platform, it's not good because "EvilCorp can control me". The fact this is Google's Play Store has no bearing on the legitimacy of their actions. Google is a monopoly (somehow, even when there are alternative ways of searching for and getting apps), so they must allow everyone else equal access and cannot take measures in their own business interests now.

      At least that's the only thing I can take away from this.

    3. Re:Why is this a problem? by Desler · Score: 3, Insightful

      Google has always exerted influence over developers that use the Play Store. Why do you act like this is new? Android may be "open" but the Play Store is not and never has been.

    4. Re:Why is this a problem? by Dutch+Gun · Score: 1

      The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code. It seems unlikely Google would have started to impose deadlines if a significant number of developers weren't simply ignoring those security alerts. The program was originally started with no action required on the part of developers. Obviously, that didn't work out so well.

      I see nothing wrong with Google requiring a minimal effort to maintain security if developers wish to be listed in Google's app store.

      --
      Irony: Agile development has too much inertia to be abandoned now.

    5. Re:Why is this a problem? by SeaFox · Score: 1

      The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code

      Oh, I don't disagree. I was replying to the parent's puzzlement as to why the article has a negative tone, that's what I meant by "at least that's the only thing I can take away from this" since I had to search for that reasoning someone might have. Because otherwise I don't see anything wrong here.

    6. Re:Why is this a problem? by Dutch+Gun · Score: 1

      Ah, I see. Re-reading again, the last sentence makes that more obvious.

      I'm wondering now if the negative tone was actually intentional or not, because TFA sounds a bit more neutral. I think much of it comes from the word "pressured" in the headline (which the article doesn't use). It makes it sound as though Google is sending goons to app developers' homes to... "encourage" them to upgrade their libraries.

      "That's a lovely app you have there. It would be a real shame if something were to happen to it."

      --
      Irony: Agile development has too much inertia to be abandoned now.

  2. Re:where's the safe space for apps by tepples · Score: 1

    Get thee to Unknown sources.

  3. Google takes security seriously by Anonymous Coward · Score: 1

    I've worked at Google and at two security companies, and Google is the only company I know that actually takes software security seriously. In the 'security' companies security is pure theater: they do have security teams, but their powers are on paper only; in practice they are merely seen as a little annoyance by the development teams. The security teams mostly go with whatever you tell them, and even if they know that the reports you are filing are omitting issues, they have to take it at face value. It is even worse with external auditors: you simply tell them you will take your business elsewhere and they will turn a blind eye to all the security issues as long as it is not too obvious in published reports. Their main focus is for you to pass the audits, not to actually comply with them.

    So hats down to Google to actually force developers, their message is clear: No security, no business. As long as other companies are seeing security as less business, they will not take it seriously. Personally I believe government should enforce criminal neglect more. How many bankers, CEOs, VPs went to jail over all the scandals in the past 10 years? Not many.

  4. I fixed mine by removing google ads... by Anonymous Coward · Score: 1

    ... which quietly adds more permissions than most apps will ever need

  5. Re:where's the safe space for apps by tepples · Score: 1

    Let me make it more explicit:

    Pay for a domain, web hosting, and advertising. Obtain a TLS certificate for your domain through the Let's Encrypt button of your web host's control panel. Offer your application as a self-signed apk file for download through your website, along with instructions for users to enable Unknown sources or use adb install to add the application to a device.

  6. Misused access rights by short · Score: 1, Interesting

    All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.

    Why are the apps lying that they need global file access just to store their own data? I have found in some Android SDK doc that they can store their own data even without global file access.

    Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.

    Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.

    1. Re:Misused access rights by Anonymous Coward · Score: 1

      And access to your camera, microphone, picture gallery and location. There is no way every app needs these permissions. If Google is really serious about security, they will only allow apps to require these types of permissions under very strict protocols.

    2. Re:Misused access rights by Anonymous Coward · Score: 1

      To be fair, they attempted to fix this in Android Marshmallow, now apps can be fine-grained in their permission requests, such as only requesting camera access if some rarely-used camera-based feature is requested by the user.

      But a lot of apps just don't bother with that, and either still use the old permission model, requesting permissions when installing, or request all permissions at startup and refuse to run otherwise.

    3. Re:Misused access rights by stephanruby · Score: 1

      They're asking about access to the external SD card (not root access to the entire phone).

      Because while every app has access to internal memory, if the app deals with any large amount of data like pictures, videos, mp3s, or games with lots of graphics, it could easily fill up all the internal memory on your phone.

    4. Re:Misused access rights by denis-The-menace · Score: 1

      THIS is what Google should be enforcing.

      Otherwise it's blatant phishing.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration

    5. Re:Misused access rights by jareth-0205 · Score: 1

      All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.

      Why are the apps lying that they need global file access just to store their own data? I have found in some Android SDK doc that they can store their own data even without global file access.

      Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.

      Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.

      Apps used to need full access to the SD card to write any files there, and it's relatively recent that they don't have to. Mostly it is lazy/ignorant developers. You should probably not use apps that require this.

      And you really shouldn't use the accusation "lying" unless you're pretty sure it's deliberate and malicious.

    6. Re:Misused access rights by tlhIngan · Score: 1

      To be fair, they attempted to fix this in Android Marshmallow, now apps can be fine-grained in their permission requests, such as only requesting camera access if some rarely-used camera-based feature is requested by the user.

      But a lot of apps just don't bother with that, and either still use the old permission model, requesting permissions when installing, or request all permissions at startup and refuse to run otherwise.

      That's because not many phones are on Marshmallow yet. As of now, just over 30% of phones out there have Marshmallow and above. That leaves the rest without, and a good chunk are Jelly Bean, KitKat and Lollipop.

      If you're a developer, you can target the new model and exclude 70% of the phones out there, or use the old phones and get 100%. And chances are, most people won't care so sticking with the old mechanism works until maybe a couple of years from now when Marshmallow will be the low end of the majority.
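The "Misused access rights" subthread above describes three things an app can do without asking for blanket permissions: keep its own data in app-private storage, let the user pick a file through an Android-provided dialog, and request a dangerous permission such as CAMERA only when that feature is used (the Marshmallow runtime model). The Activity below is an added illustration of that least-privilege pattern, not code from the article or from any commenter; the class, method and file names are made up, and it assumes the AndroidX compat libraries, whose checkSelfPermission() simply reports GRANTED on pre-Marshmallow devices where permissions were accepted at install time.

```java
// Added example, not from the article or any commenter; class and method
// names are illustrative. Targets Android 6.0+ (API 23) runtime permissions.
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;
import java.io.File;

public class LeastPrivilegeActivity extends Activity {
    private static final int REQ_CAMERA = 1;
    private static final int REQ_OPEN_DOC = 2;

    // App-private data needs no storage permission: getFilesDir() is internal
    // storage, and the app-specific directory from getExternalFilesDir() has
    // not needed WRITE_EXTERNAL_STORAGE since API 19 (KitKat).
    File ownDataFile() {
        return new File(getFilesDir(), "state.bin");
    }

    // A user-chosen file goes through the system picker (Storage Access
    // Framework); the Uri delivered to onActivityResult() is scoped to that
    // one document, so READ_EXTERNAL_STORAGE is never requested.
    void openUserFile() {
        Intent pick = new Intent(Intent.ACTION_OPEN_DOCUMENT);
        pick.addCategory(Intent.CATEGORY_OPENABLE);
        pick.setType("*/*");
        startActivityForResult(pick, REQ_OPEN_DOC);
    }

    // The dangerous CAMERA permission is asked for only when the user taps the
    // camera feature, never at install time or on startup.
    void onCameraFeatureTapped() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        } else {
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
        }
    }

    @Override
    public void onRequestPermissionsResult(int code, String[] perms, int[] res) {
        super.onRequestPermissionsResult(code, perms, res);
        if (code == REQ_CAMERA && res.length > 0
                && res[0] == PackageManager.PERMISSION_GRANTED) {
            startCamera();
        } // denied: only the camera feature is unavailable, the app keeps running
    }

    private void startCamera() { /* hypothetical camera feature */ }
}
```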

  7. Not a bad thing.... by Anonymous Coward · Score: 1

    Pressured? Or strongly encouraged? To make their apps more secure, to protect customers. Why is this bad?

  8. Re: is this a problem? by gumbi+west · Score: 1

    To be clear about how tinfoil hat this is, the "code word" for the pizza shop owner was "pizza", which seems like a word that, I don't know, a pizza shop owner might just want to use for their routine business.