Google are booting lots more Apps out of the Market place.

Click

I wonder how much bad press Android will have to get before people start to not trust it anymore.

or the other spin, Google taking customer security as more of a priority to ensure people can trust it.

Do people trust google if so they are just as niave and stupid IMHO as the people that trust Apple, Microsoft or any other company.

So they boot out more apps that were found to contain malware and that is bad?

At least they are actively removing these issues, mind you Apple aren't exactly doing well after refusing to allow an app on their marketplace that stated the proceeds would go to charity.

Indeed.

That's simply responsible marketplace management.


Sorry but no.

All "open-source" means is that they allow free distribution, derivation and access to the source code so that end-users can make changes to their own hardware should they choose to do so and redistribute the resulting code. Nowhere does the OS Definition state that the vendor should encourage or facilitate modification of the code.

What you're referring to is community development which is a related but wholly separate idea.

After 10's of thousands of people have already downloaded them? Yeah, that is bad, in a 'locking the stable door after the horse is bolted' kind of way.

Jon

But as long as there's a few horses left in the shed, it's worth doing. Regardless of how many have already bolted.

True, but a "We genuinely didn't know about this until now and are acting in response" is a genuine option, until malware updates and they can scan them there isn't much that can be done, there isn't even much to stop it on any application on any platform short of reading the source code (I could encrypt the IMEI then sent it and decrypt it on my server) to see what I do with the code.

Not bad at all. What is bad is that it got in there in the first place. How much is still in there that they haven't checked yet?

CC

Is it really such a big deal? If you are that kind of person that downloads anything and everything then you deserve it.
You are careful with you windows downloads so why can't you apply the same cautiousness to Android?

I think you get a trade off: truly open app store with a risk that not everything will play nicely. Don't like it? Buy and iphone so Steve Jobs can hold your hand all the time. And get a nanny too while you are at it!

Well how about iOS apps then? The process is very similar and they have had similar stories in the past

Excuse me? Are you serious? These apps had access to pretty much anything on the user's phones they wanted. One of the functions of the class of dodgy apps they found is they can download & execute further code with root privilege. Nobody knows what that code is/was. Nobody knows what it does/did.

So, yes, it's a big deal actually. The android market place distributed apps which effectively rooted the user's android phones. Any info on those phones should be considered compromised. Who knows what info that might be on a smartphone. It's certainly their Google password at an absolute minimum I'd imagine. Of between 50,000 and 200,000 people (nice they don't actually know, so they can't warn people, eh?). That's a lot of inconvenience to a lot of people, even assuming they haven't done anything like start start background IP sessions or sent text rebilling messages that will have cost people actual money.


Please, tell me you're not actually that ignorant. This was stuff that was on the official android market place. This wasn't stuff they downloaded off some dodgy web site. They went to the official source for apps for their smartphones and that market place supplied something that may very well have stolen from them. Blaming the users for this is like blaming someone who got burgled for having a door to break in through.


I think what's it's proved is a 'truly open' app store is actually no better than having no app store at all, and in some senses it's actually worse, as it engenders a perception of quality and security that's not actually there.

It's also proved you're living in some kind of bizarre fantasy world where every smartphone user is an IT professional.

Jon

There has never been an instance where an app that gave a third party root access to the device has made it through the Apple App store approval process.

There have been ones that have allowed unauthorised use and also for mining private data, there probably is one, remember a Chinese one a few years ago that did it
http://www.razorianfly.com/2010/12/20/w ... ould-care/

Unauthorised teathering access, lasted a LONG time before it got pulled, there are other apps suspected of sending private data over after requiring access for 'legitimate' reasons
http://xsellize.com/topic/74624-tetheri ... -required/

Of course Apple don't need an app to do it, their browser was vulnerable enough to jailbreak devices using the built in browser
http://www.h-online.com/security/news/i ... 49234.html
Existing since iOS 1.1.1, so almost since release......

Attacks on jailbroken iPhones from 2009
http://arstechnica.com/apple/news/2009/ ... e-wild.ars

The iPhone is still not properly secured
http://iphonehelp.in/2011/02/10/securit ... om-iphone/

Not an exclusive issue with the iPhone, or more generally phone software, let's face it. Not specifically an iPhone issue.



Again, not an issue specific to the iPhone, is it. How long was that on the App Store for?

\

All of which rely on physical access to the phone, and/or it being jail broken.
If you're into voiding your warranty, I don't think it's then really fair to complain that the company supplying the software you've chosen to ignore isn't doing a bang up job of securing the software you've chosen to ignore...

None of those attack vectors allow for some of the nasty things the recently discovered Android malware can do (for example, they can't send a text message surreptitiously which you can be billed for). These apps do bad things, certainly. I would however quibble with the description that 'Existing since iOS 1.1.1, so almost since release......'. The idea of using Safari as a 'point of entry' has existed since the infancy of the iPhone but the implication that there is some vulnerability which has gone unpatched since then is incorrect. The actual attack vector in each version of iOS has changed, although the method of allowing that attack vector into the system - accessing a HTTP stream via Safari - has remained.

However, the fact some of these events are quite old begs another question - How come Google are still making the mistakes Apple were making three years ago? Aren't they smart enough to learn from other people's foul ups?

Is iOS 'secure'? No, of course it isn't. if it was it'd be practically unusable by most of the population. But the really nasty things about these Android apps - the possible financial abuse and the the arbitrary code execution - you actually can't do on iOS.

Aside from all of that, 'well, iPhones aren't secure either' is the logic of the schoolyard and actually irrelevant to whether Android is/should be secure or not. Android should be secure. That statement stands of itself. Whatever Apple or RIM or MS might do, it's doesn't absolve Google of it's own responsibilities.

Jon