Author |
Message |
ChurchCat
Doesn't have much of a life
Joined: Sat Apr 25, 2009 7:57 am Posts: 1652
|
But doesn't a lot of malware get attached to trusted products? Is it not the outlet you need to trust rather than the developer? 
_________________A Mac user 
|
Wed Mar 09, 2011 8:14 pm |
|
 |
finlay666
Spends far too much time on here
Joined: Thu Apr 23, 2009 9:40 pm Posts: 4876 Location: Newcastle
|
No it's the developer, it's why a lot of these were copied apps with malware injected into them
_________________Twitter
Charlie Brooker: Macs are glorified Fisher-Price activity centres for adults; computers for scaredy cats too nervous to learn how proper computers work; computers for people who earnestly believe in feng shui.
|
Wed Mar 09, 2011 8:32 pm |
|
 |
JJW009
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 6:58 pm Posts: 8767 Location: behind the sofa
|
The counterfeit products with the malware were quite clearly listed on Marketplace as not being from the correct developer. It's like downloading Adobe Premier from Joes Bargin ware's (sic)
_________________jonbwfc's law: "In any forum thread someone will, no matter what the subject, mention Firefly." When you're feeling too silly for x404, youRwired.net
|
Wed Mar 09, 2011 9:41 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
Well that's fair enough with products that are 'famous' enough - but if you're just browsing the store looking for 'an app that does <thing>', how are you supposed to tell an actual app that does <thing> from a counterfeited app that does <thing + send all your data to Chinese gangsters and put hour long calls into premium rate chat lines without telling you>?
|
Wed Mar 09, 2011 11:08 pm |
|
 |
JJW009
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 6:58 pm Posts: 8767 Location: behind the sofa
|
In precisely the same way you do with software you install on your Windows PC or Mac.
|
Wed Mar 09, 2011 11:22 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|

Um, no. On the PC/Mac I can buy boxed software from a reputable retail vendor. I can be 100% sure that is OK. I don't have that option on mobile platforms.

The point remains - if you have an online store (or a set of online stores) which is/are not strongly curated, and unscrupulous people are putting counterfeit versions of legit software on those stores with added malware, how can you be certain a piece of software you are downloading is 'safe'? My contention is you can't. Some level of oversight is required to prevent this kind of stuff happening. You can't expect the user to know the maker of every piece of software before they find it on the repository, even if it only had a few hundred items on it, let alone a few hundred thousand. You have to assume the only information the user has is what they can see in front of them on the screen and they have no obvious way of externally verifying if that information is correct or valid.

The way I see it there are only two valid mechanisms for ensuring you don't have counterfeit software on your store:

1) Curation - you authenticate all the people who want to put software up on your store, and you preflight the software yourself to check it has no nasties attached. That won't prevent infection, but it will at least ensure the stuff you're sending out is safe, which is all you can realistically do.

2) Code signing in some form - App vendors must 'book in' an app to the store/OS maker and the upload must have a code sign key that matches the one the vendor used when booking in the app. App names must be unique. All subsequent uploads of patched versions etc must be done with the same code sign key. The device must also be able to check the code sign key is correct before opening the app, which would allow for an 'open' architecture to some degree. The store or OS maker essentially becomes the 'root certificate holder' of the PKI architecture.

I'd want the second one as a minimum, and both to be sure.

The bald fact is - you can't have full openness and anything approaching decent app security. Those things are mutually exclusive. It's like you can't keep your car secure if you insist on keeping the convertible roof open. If anyone is allowed to upload any app to the marketplace and people are allowed to download apps from wherever they like, your system simply cannot guarantee app integrity. Frankly, under those rules it's not a matter of 'if' you'll get a nasty on your phone, it's a matter of 'when', unless you're typical geek paranoid, which most people aren't.

Phones are not PCs. The majority of people with Android or iPhones are not PC-literate savvy users. My other half and my sister in law both have Android phones. Neither of them could be expected to be able to tell a real app from a fake one, unless it was so obvious that the faker might as well not have bothered. If Android really is going to be the dominant 'smart' mobile platform in handset and tablet markets, this needs to be sorted out. Or it'll end up with the rep of being buggy and nasty-ridden.

Jon
|
Wed Mar 09, 2011 11:59 pm |
|
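The 'book in' and same-key rule from the code-signing option in the post above, sketched as an added example that is not part of the original thread and is not any store's real code. The `Store` class, the app names and the keys are hypothetical, and the signature scheme is toy textbook RSA from the standard library standing in for a real code-signing scheme.

```python
import hashlib

# Toy textbook RSA (stdlib only). Keys come from small Mersenne primes and
# there is no padding: NOT secure, constructed for illustration only.
def make_key(p, q, e=65537):
    n = p * q
    return {"pub": (n, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    n, _ = key["pub"]
    return pow(_digest(data, n), key["d"], n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

class Store:
    """Hypothetical store acting as the root of trust for app signing keys."""
    def __init__(self):
        self.pinned = {}                      # app name -> vendor public key

    def book_in(self, name, pub):
        if name in self.pinned:               # app names must be unique
            return False
        self.pinned[name] = pub
        return True

    def accepts(self, name, package, sig):
        # Same check for every upload and on the device before launch.
        pub = self.pinned.get(name)
        return pub is not None and verify(pub, package, sig)

def demo():
    vendor = make_key(2**127 - 1, 2**89 - 1)  # constructed sample keys
    other = make_key(2**107 - 1, 2**61 - 1)
    store, v1, v2 = Store(), b"torch-1.0", b"torch-1.1"
    fake = v1 + b"+extra-payload"             # repackaged copy
    return {
        "book_in": store.book_in("Torch", vendor["pub"]),
        "name_squat": store.book_in("Torch", other["pub"]),
        "v1": store.accepts("Torch", v1, sign(vendor, v1)),
        "repack_other_key": store.accepts("Torch", fake, sign(other, fake)),
        "repack_replayed_sig": store.accepts("Torch", fake, sign(vendor, v1)),
        "v2_same_key": store.accepts("Torch", v2, sign(vendor, v2)),
        # Passes: a look-alike name under a new key is what curation must catch.
        "lookalike_name": store.book_in("Torch Free", other["pub"]),
    }
```

The last entry shows why the post asks for both mechanisms: key pinning blocks a repackaged upload under the booked-in name, but it says nothing about a different name registered with a different key.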
 |
ChurchCat
Doesn't have much of a life
Joined: Sat Apr 25, 2009 7:57 am Posts: 1652
|
They could lock down the phones so that only apps from approved sources are allowed. This seems a sensible way to go. 
|
Thu Mar 10, 2011 12:36 am |
|
 |
ChurchCat
Doesn't have much of a life
Joined: Sat Apr 25, 2009 7:57 am Posts: 1652
|
Oh, another has just hit the news. Clicky
No worries here though. Just Russia. Also just side loaded.
|
Thu Mar 10, 2011 12:43 am |
|
 |
l3v1ck
What's a life?
Joined: Fri Apr 24, 2009 10:21 am Posts: 12700 Location: The Right Side of the Pennines (metaphorically & geographically)
|
They sort of do. By default the phones are set to only allow marketplace apps. But you can easily disable that feature.
|
Thu Mar 10, 2011 7:59 am |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
Unless the manufacturer doesn't release a "compliant" device, then the user is not allowed to access the Google marketplace...
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Thu Mar 10, 2011 9:30 am |
|
 |
JJW009
I haven't seen my friends in so long
Joined: Thu Apr 23, 2009 6:58 pm Posts: 8767 Location: behind the sofa
|
Are you seriously suggesting that no one downloads software for their PC or Mac? If so, you're living in a very different world to me. I haven't bought boxed software for about a decade 
|
Thu Mar 10, 2011 10:03 am |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
No, I'm suggesting they have the option of doing that. On Macs/PCs there is a verifiably secure channel for software distribution should the online ones be considered insecure, along with a mass of insecure ones you don't have to go anywhere near if you don't want to. On mobile devices there is no such verifiably secure channel; there is one somewhat secure channel on iPhone and only that and on Android there are many channels, hardly any of which are secure in any real sense. With all due respect JJ, you're not the kind of person this stuff is a problem for. The fact you haven't bought boxed software in years shows that. However, you and people like you (and me, for that matter) represent a small and diminishing portion of the smartphone using population.
|
Thu Mar 10, 2011 11:36 am |
|
 |
ChurchCat
Doesn't have much of a life
Joined: Sat Apr 25, 2009 7:57 am Posts: 1652
|
After the recent malware found in the Android Market some of you might like this news.
http://www.lifeofandroid.com/news_detai ... d-tablets/
AVC has an anti-malware product for your handset. And the price is right.
|
Wed Mar 30, 2011 11:39 pm |
|
|