Security Warning Over Web-Based Android Market 87
An anonymous reader writes "Security researcher Vanja Svajcer is warning that cybercriminals may be particularly interested in stealing your Google credentials, after discovering a way of installing applications onto Android smartphones with no interaction required by the phone's owner. The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself. Svajcer summarizes: 'Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.'"
Minimum (Score:5, Interesting)
Surely as a minimum you should just be able to turn off the ability to install apps remotely.
old debacle: convenience vs security (Score:5, Interesting)
This is nothing new (the part about no user intervention), its called C2DM. Your google account would need to be compromised for an attacker to remotely install software on your phone.
IMHO this sounds like the old convenience vs security debacle. I prefer convenience in this case, since if someone compromises my goog account, I have much more important things to worry about. (like services trusting the ownership of my email account, private information, etc..)
"As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
Again, I don't agree. I don't care about that, I want CONVENIENCE. However, the point that he makes that your compromised account is now more valuable is still valid. I just don't agree on the solution.
Why not just opt out of remote phone installs? At least make the user validation of remote installs optional, for the ones who are more concerned about that?