
Google Remotely Nukes Apps From Android Phones 509

itwbennett writes "Google disclosed in a blog post on Thursday that it remotely removed two applications from Android phones that ran contrary to the terms of the Android Market. From the post: 'Recently, we became aware of two free applications built by a security researcher for research purposes. These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them. After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup.' The blog post comes a day after security vendor SMobile Systems published a report saying that 20% of Android apps provide access to sensitive information." Update: 06/25 16:44 GMT by S : Clarified last sentence, which incorrectly suggested that 20% of Android apps were malicious. According to the report (PDF, which we discussed recently), "a majority of these applications were developed with the best of intentions and the user data will likely not be compromised."
  • by somersault ( 912633 ) on Friday June 25, 2010 @08:08AM (#32688796) Homepage Journal

    security vendor SMobile Systems published a report saying that 20% of Android apps are malicious.

    No, the report said that 20% of apps require access to sensitive data (ie your address book) or functionality to perform their job. You'd think people would have noticed by now if 1 in 5 Android apps were "malicious".

  • by msauve ( 701917 ) on Friday June 25, 2010 @08:20AM (#32688874)
    Yes, and you'd think that "itwbennett," the submitter would know that, since he is affiliated with itworld (check his home page), the publisher of the linked articles.

    Odd, that although he references a slashdot article from a few days ago, instead of linking to that article, or the article that links to (on CNET), or to the source of the report, or even to the report itself, he links to a rehash on itworld.

    Tagged as a slashvertisement for self-promotion.
  • by Anonymous Coward on Friday June 25, 2010 @08:26AM (#32688924)

    20% of Android apps are not malicious. 20% of Android apps have the potential to be malicious.

    If you do not want an application to have the possibility of stealing your private data, then do not install that application! When you install an app on an Android phone, you are presented with a list of which data this application wants to access. If you don't like that the FTP app you are about to install has access to your SMS/MMS messages, then click on cancel and find another FTP client.

  • by brunes69 ( 86786 ) <[slashdot] [at] [keirstead.org]> on Friday June 25, 2010 @08:26AM (#32688926)

    You do not have to use the Market to install apps.

    If Google removes an app you like from the market, or even does a remote-uninstall, you can just re-install it yourself, and it is then un-nukeable.

    The market can only remote-uninstall apps installed via it.

  • Just to clarify; Google nuked two applications that had been distributed via Android Market, which they explicitly reserve the right to do via their Terms Of Service [google.com] (see section 2.4).

    However, if you don't like these terms there is nothing that stops you from downloading applications from alternative sources and installing them on your Android device - there are a number of alternate Android application stores like SlideMe [slashdot.org] and AndAppStore [slashdot.org] for example, not to mention downloading .apk files directly to your phone and installing that way bypassing Android Market altogether.

    Besides, what are they supposed to do if there are malicious applications on Android Market? Pull them and leave affected users with crap on their devices?

    Oh well, I'm perfectly happy with my HTC Magic running Cyanogenmod 5.0.8 downloaded and installed via Clockworkmod ROM Manager, which itself was downloaded from Android Market.

  • by Timmmm ( 636430 ) on Friday June 25, 2010 @08:49AM (#32689118)

    It's a pocket-sized computer, so why don't we have pocket-sized operating systems instead of glorified firmware on them?

    Two reasons:

    1. Drivers. Many are still closed source.
    2. The baseband image (i.e. the bit that talks to the mobile network). This is *always* closed source, and there's no way manufacturers are going to release the documentation for it...

    Apparently Google are going to try to separate the UI from the base system better in future so upgrades will be easier. I'll believe it when I see it though.

  • Re:oh noes! (Score:4, Informative)

    by msauve ( 701917 ) on Friday June 25, 2010 @08:58AM (#32689222)
    Stop being disingenuous, they did it with prior notice, and with your permission.

    Android Market TOS [google.com]

    2.4 From time to time, Google may discover a Product on the Market that violates the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies. You agree that in such an instance Google retains the right to remotely remove those applications from your Device at its sole discretion.

    Furthermore, having done it, they informed you.

    From Google's blog [blogspot.com]:

    If an application is removed in this way, users will receive a notification on their phone.

  • Re:oh noes! (Score:4, Informative)

    by DrXym ( 126579 ) on Friday June 25, 2010 @09:14AM (#32689402)
    I thought I could run any app I wanted? That is what you people told me.

    You can run any app you want. Just don't get it from the marketplace or you will be subject to the T&Cs of the marketplace.

    And 20% malicious apps? As if there weren't enough problems getting iphone 4s as it is....

    That figure refers to apps that ask for permissions they don't need, not malicious apps. Android has a fine-grained permission model and some apps ask for more things than they require, things that could potentially be used for malicious purposes. Personally I think the model is sound but the implementation could do with more safeguards, possibly something akin to UAC in Windows for certain operations so that the user is always aware of what apps are doing.
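An added example, not part of the thread or of any Android tooling: a check for the over-requested permissions discussed in the comments above (the FTP client that wants SMS access). It assumes the app's AndroidManifest.xml has already been decoded to text XML; the sample manifest, the `EXPECTED` baseline per app kind and the short `SENSITIVE` table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> the user data or capability it exposes (small subset).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "SMS/MMS messages",
    "android.permission.RECEIVE_SMS": "SMS/MMS messages",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "phone state and identifiers",
}

# Assumed baseline: what an app of each kind plausibly needs.
EXPECTED = {
    "ftp_client": {"android.permission.INTERNET",
                   "android.permission.WRITE_EXTERNAL_STORAGE"},
    "sms_backup": {"android.permission.INTERNET",
                   "android.permission.READ_SMS"},
}

# Constructed sample: decoded manifest of a hypothetical FTP client.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ftpclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="FTP"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")  # attribute is namespaced
        if name:
            names.add(name.strip())
    return names

def audit(manifest_xml, app_kind):
    """List (permission, exposed data) pairs the app kind does not justify."""
    extra = requested_permissions(manifest_xml) - EXPECTED.get(app_kind, set())
    return sorted((p, SENSITIVE[p]) for p in extra if p in SENSITIVE)

if __name__ == "__main__":
    for perm, data in audit(SAMPLE_MANIFEST, "ftp_client"):
        print(f"unexpected for an FTP client: {perm} -> {data}")
```
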

  • by markus_baertschi ( 259069 ) <markus@@@markus...org> on Friday June 25, 2010 @09:20AM (#32689456)

    On an Android phone there is an application called 'Market'. This application allows you to browse all applications on the Google Android market, install the ones you like, uninstall what you don't want any more, etc. In addition, this application periodically checks with the server to see if there are new versions of your installed apps and offers to update those.

    I suppose the market did check for the offending apps and found that they had the 'remove' flag set and removed them from the phone.

    If you had installed the same apps without Market (downloading the apk file), the Market would not know about them and would leave them alone.

    Markus

  • by Rayonic ( 462789 ) on Friday June 25, 2010 @09:35AM (#32689646) Homepage Journal

    Android Market is more than just an app repository. It is also the installer and uninstaller for those apps (and checks for updates). So the Android Market application itself is what has the permissions to do these things.

  • by mean pun ( 717227 ) on Friday June 25, 2010 @09:38AM (#32689680)

    I'm fine with repositories and security updates, but nuking an application without asking first is what Steve Jobs does and that Google is not supposed to do.

    Actually, Apple has never done this until now. Yes, they have the infrastructure to do so, but so far they have never used it.

  • Re:Do not want (Score:3, Informative)

    by lowrydr310 ( 830514 ) on Friday June 25, 2010 @09:40AM (#32689706)
    TFA and the blog don't mention this, however several comments pointed this out: your apps won't get automatically nuked if you download them from alternate sources or directly install the apk - only apps installed via the android marketplace are subject to this.

    No reason to get alarmed, however the fact that this is possible makes me very cautious about the android marketplace. I understand Google trying to do good, but in this case it's worse than Apple. What happens when 5000 people download an iPhone application, and then that application gets removed from the app store? Do those 5000 copies stay on the phones they were originally downloaded on?
  • by snottgoblin ( 957976 ) on Friday June 25, 2010 @09:57AM (#32689986)

    I'm fine with repositories and security updates, but nuking an application without asking first is what Steve Jobs does and that Google is not supposed to do.

    I hate iPhone OS policies as much as the next geek (why don't I get an upgrade for security on my original iPhone, even to iOS 3.1.4?), but even Jobs doesn't delete apps from your phone. Any apps once through the store, are yours, lock, stock, and barrel. They may prompt you to upgrade, they may stop selling an app, but they don't delete them. What Google should be doing is sending these users an email and free SMS letting them know that they "should delete app $FOO because it's potentially dangerous. For reference, please see https://google.com/android/press-release/93857293875928.html [google.com]" Maybe some people wanted these apps... like the friends of the security researchers in question.

    Actually the iPhone has the exact same "kill switch" for the exact same purpose. http://www.iphonealley.com/node/2928 [iphonealley.com]

  • by keithjr ( 1091829 ) on Friday June 25, 2010 @10:03AM (#32690084)
    I'm not an expert on the Android platform, but here's my take. Apps downloaded via the Android Market are tied to your Google account. That way, you can move between devices and not have to re-purchase any paid ones, or have to deal with the headaches of re-downloading freebies. So, in that way, you could say that Android has a backdoor to Google.

    That said, you can install apps from non-Market sources by simply checking a box in the Settings. Install the app from any other avenue besides the Market, and Google can do naught. The issue about this app is that it was distributed through the Market, which is its own trusted source.
  • by mspohr ( 589790 ) on Friday June 25, 2010 @11:07AM (#32691020)
    Google controls the Marketplace. If you download an application from Google's Market, they have a responsibility to ensure that the application follows the rules. These applications didn't follow the rules and were deleted.

    If you install your own application from somewhere else, Google has no responsibility and can't delete it so you have control in that case. You own the phone and control it.

  • Re:oh noes! (Score:3, Informative)

    by sbrown123 ( 229895 ) on Friday June 25, 2010 @12:31PM (#32692108) Homepage

    Read section 8.3:

    "Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service."

  • Re:oh noes! (Score:3, Informative)

    by TheRaven64 ( 641858 ) on Friday June 25, 2010 @01:37PM (#32693364) Journal

    Actually, I have read the EULA for all of the software that's installed on my computers. Some of them drone on for pages and pages of legalese, some of them (like the BSD or MIT licenses) are actually easily human-readable.

    While it doesn't detract from your main point, the BSD and MIT licenses, along with the GPL, are distribution licenses, not end user license agreements (EULAs). They govern redistribution of the software, not use. The GPL makes not imposing an EULA a condition of the license. The BSD and MIT licenses don't, so you may have an EULA in addition to these licenses, but they themselves are not EULAs.
