Forgot your password?
typodupeerror
Android Cellphones Google Security Software Technology

Security Warning Over Web-Based Android Market 87

Posted by Soulskill
from the convenience-vs-security dept.
An anonymous reader writes "Security researcher Vanja Svajcer is warning that cybercriminals may be particularly interested in stealing your Google credentials, after discovering a way of installing applications onto Android smartphones with no interaction required by the phone's owner. The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself. Svajcer summarizes: 'Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.'"
This discussion has been archived. No new comments can be posted.

Security Warning Over Web-Based Android Market

Comments Filter:
  • Minimum (Score:5, Interesting)

    by Spad (470073) <{ku.oc.daps} {ta} {todhsals}> on Friday February 04, 2011 @03:01PM (#35105842) Homepage

    Surely as a minimum you should just be able to turn off the ability to install apps remotely.

    • if your account were compromised, couldn't they just turn it right back on?
      • Not if you could turn it off on the phone. Of course, you should obviously have to authorize each installation manually from the phone anyway.
        • I have no idea why this wasn't implemented from the start. It seems like one of the most basic of "security" measures. Sure, if the device is compromised and has malicious code on it already this would probably become a useless security feature, but to compromise the device I have a feeling they'll be using this remote install. It won't take much to spoof Google's credentials and get malicious code on to the phone at this stage.

          • I have no idea why this wasn't implemented from the start. It seems like one of the most basic of "security" measures.

            Ya think?
            How about as a basic first security measure Google and Apple reach out to one of the following companies and commissioned work to add objective C and the Droid platform java and C++ validators to one or more of the code scanning platforms below. Companies are circa 2008

            Ounce labs analyzer
            IBM app scan source analyzer
            Fortify 360 analyzer
            Vericode service
            KlocWork analyzer
            And thousands of companies that specialize in manual and automated source code reviews

            And why they would allow adding arbitrary apps

    • by icebike (68054)

      Installing apps remotely is a convenience factor that has a lot of merit.
      A simple confirmation on the phone should suffice.

      Perhaps, but a more sensible approach than turning it off is to make for a more secure environment by having
      better password management, and encrypted connections throughout the Google infrastructure.

      At a minimum everything you do on Google should be done over https, (the market is, but its not real clear how
      secure C2DM really is. It relies on your 'Google Talk' connection, and I simpl

      • by Threni (635302)

        Why isn't everything encrypted on Android all the time? And the web? I don't understand. It's not like it's financially or computationally expensive. Can people just not be bothered?

        • by icebike (68054)

          As far as the web, it is slightly more expensive computationally to create a secure connection than an open one.

          Scaled up to the size of Google, its a major issue, but on the other hand, Google has enough computing power to handle it. Does Slashdot?

          For most web pages it simply doesn't matter. But anytime you have to have an account and log in, it should be supported.

  • by Superken7 (893292) on Friday February 04, 2011 @03:02PM (#35105846) Journal

    This is nothing new (the part about no user intervention), its called C2DM. Your google account would need to be compromised for an attacker to remotely install software on your phone.

    IMHO this sounds like the old convenience vs security debacle. I prefer convenience in this case, since if someone compromises my goog account, I have much more important things to worry about. (like services trusting the ownership of my email account, private information, etc..)

    "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
    Again, I don't agree. I don't care about that, I want CONVENIENCE. However, the point that he makes that your compromised account is now more valuable is still valid. I just don't agree on the solution.
    Why not just opt out of remote phone installs? At least make the user validation of remote installs optional, for the ones who are more concerned about that?

    • by Dexter Herbivore (1322345) on Friday February 04, 2011 @03:04PM (#35105870) Journal
      Open devices are like a girl with open legs, convenient but they have their own risks.
      • by staryc (852301)

        Open devices are like a girl with open legs, convenient but they have their own risks.

        Open devices are like a guy with an open mouth, convenient but they have their own risks.
        Fixed.

        • Hey, it works both ways, I'm just talking from a male perspective... don't be offended. Man-whores are just as damaging to sexual relations (and potentially health, HPV has awful consequences) as an "easy" woman. I'm sorry I didn't use non-specific gender assignation but that just seems like a load of (quoting Neal Stephenson here) bullshyte when I'm trying to make a general reference from a male perspective. I know plenty of women who can do damage with an open mouth too, but apparently saying that may be

          • by staryc (852301)
            Sexual promiscuousness and speaking are both alright when done responsibly. I'm just reminding /. that there is a female population around here and therefore a female perspective to things, too.
            • I quite seriously apologise for any possible offence caused by my remark, please don't take it out of context. I cannot emphasise enough how sorry I am if I have caused offence. It was a comment made without due concern for the sensitivities of other genders and I do understand that. I made a *joke* without proper concern for gender stereotypes without qualifying myself properly. My intention was not to harm but merely to amuse.
            • Obligatory [xkcd.com]
      • >>>Open devices are like a girl with open legs

        Yeah true but a phone can be thrown-out if it becomes "diseased". Not so with your willy. An open unprotected phone is less deadly and less of a concern.

    • by h4rr4r (612664)

      Mod parent way the heck up.

      If you can get my google account sure it is worth more, but you can also buy stuff via google checkout which is a way bigger risk to me.

    • by geekoid (135745)

      A pop would indicate to you that someone has compromised your account.

      Of course, in the end you say exactly what the person you are replying to suggested.

    • by node 3 (115640)

      "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
      Again, I don't agree. I don't care about that, I want CONVENIENCE.

      This seems a bit much. A dialog box saying, "Install: [list of new apps]?", seems convenient enough to me. It's not even saying you need to type in your password, just accept new apps. You can even have a "Don't ask me again." checkbox if you really just want binaries from the Internet to be automatically installed.

      This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

      You talk about "your password is compromised al

      • What malware? The only apps that are installable are the ones on the Android Market, where any malware will be flagged by users right away...

        • by node 3 (115640)

          What malware? The only apps that are installable are the ones on the Android Market, where any malware will be flagged by users right away...

          You just said, "What malware? The malware that's on the Android Marketplace?"

          Yes, that malware.

      • Or what about people who don't use their Google accounts for anything important?

      • This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

        This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

        • I don't particularly want the prompting, but I think in this case it wouldn't really be a problem. Sure you would pretty much expect and ignore the dialog every time you installed an app from the web, but I think I'd notice if I had to dismiss that prompt while I'm walking down the street nowhere near another computer.

        • by node 3 (115640)

          This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

          This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

          What you're really saying is that security is the same as no security. Why lock your door? You're just going to unlock it every time someone comes to it, right?

          I can't see how you can reasonably equate prompting with not prompting in this case. Vista is a red herring. We're not talking about prompting every time a user does something remotely admin-like. We're talking about prompting whenever the OS wants to install software from the Internet. This is much more like Windows prompting before installing third

          • This is Security 101. Prompting should be default, and if it's to be allowed to be disabled at all, it should require some level of user acceptance.

            This sounds like the Vista security policy. It is really, really wrong. Prompting always is pretty much the same as never prompting. If you prompt for the same action over and over people just accept the prompt as part of the action and stop reading them. It's just the way we work.

            What you're really saying is that security is the same as no security. Why lock your door? You're just going to unlock it every time someone comes to it, right?

            Nope, What I am saying and what I did say was that obtrusive warnings and no warnings are roughly the same. Which you agree with in your next paragraph.

            • by node 3 (115640)

              Nope, What I am saying and what I did say was that obtrusive warnings and no warnings are roughly the same.

              No, you said warnings and no warnings are roughly the same. Specifically, "Prompting always is pretty much the same as never prompting."

              Which you agree with in your next paragraph.

              No, I said prompting too often can train the user to just click them away. Obtrusiveness is a necessary aspect of security prompts. Prompting for every little thing isn't. If that's what you really meant, or at the very least, what you mean now, than we agree enough on that topic at least.

              And I also stated, however, that this is a red herring, because remote app installs ar

      • but it's reasonable that there will be some mistakes when rolling something new out like this

        No, it's not reasonable. Making security mistakes like this mean that security wasn't included in the architecture design from the beginning. Yes, lots of people treat security as an afterthought, and no, it's not a good thing.

        • by node 3 (115640)

          but it's reasonable that there will be some mistakes when rolling something new out like this

          No, it's not reasonable. Making security mistakes like this mean that security wasn't included in the architecture design from the beginning. Yes, lots of people treat security as an afterthought, and no, it's not a good thing.

          I didn't say it was a good thing, I said it was reasonable.

          My proof is that people are fallible. What's unreasonable is expecting absolutely no security hitches ever. When something like this happens (and it's wise to always count on something like this happening), what's important is how it's dealt with. This situation only really becomes unreasonable if Google does nothing about it, or takes too long to do so.

    • by xiando (770382) on Friday February 04, 2011 @04:16PM (#35106518) Homepage Journal

      This is nothing new (the part about no user intervention), its called C2DM. Your google account would need to be compromised for an attacker to remotely install software on your phone.

      The "account" part is less important. What really matters is that Google can remotely install software on your phone. Google itself may be compromised in one way or another. It should simply not be possible to install anything on any device without notifying the user on that device.

      • by aitan (948581)

        The user is notified.

        After the application is installed you can see a new entry in the notification bar, so if you didn't ask to install it you will notice right away that something is wrong.

    • Agreed, it's a feature implemented for our convenience. This so called researcher is blowing things way out of proportion...

  • "The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself"

    That's only a problem if the site works!!

    So far I've tried 3 times with 3 different apps and i've not been able to remotely install an app via the web page on my Android phone...

    • by pvera (250260)

      What carrier? I have installed at least 3 so far with no issues, this is a Samsung Intercept (2.1) with Virgin Mobile USA.

      • I'm on UK "Three" Network.
        Running CynogenMod 6.1.3
        With Market 2.2.6

        Looks like it's a problem with some versions of Rom's people are using. Stock, and "sense" based roms seem to work, but custom ones it's hit or miss wither it works.

        • by idontgno (624372)

          Thank God I'm running CM7.1 nightlies!* Hell, the built-in stuff doesn't work all the time! Certainly this remote-installing nightmare-hell of malware is guaranteed to fail!

          *Or was, until I broke my smartphone's screen... <sad>. Can you imagine how hard it is to use a touchscreen OS when you can't see what's on the screen?

          • I'm keeping clear of the Nightlies at the moment.
            I'm waiting for a stable beta of CM7 (probably when HTC bring out a stock Gingerbread for the desire HD)

    • by psyclone (187154)

      Why would you use the website on your Android phone and not the Market app?

      The only purpose for the [ugly] market.android.com website is to bypass the phone for app research and installs.

      Though if you're browsing a website not on the phone, why not use AppBrain instead? At least it supports rudimentary sorts and filters.

      I'd really love to browse a market by filtering-away apps that require permissions X (where X includes reading browser history, contacts, etc.). Then I could sort by number of downloads as w

      • Did i say i was using my mobile to access the website?

        I'm using the site on my laptop. (phone is charging on the other side of the room.)

        p.s.
        It does not work even if I use the site on my mobile.

        • by Skythe (921438)
          Have you turned sync adapters on? (Power control widget's 2nd last icon). If you have sync disabled it won't work.
  • When you install software on your phone, it shows up in the status bar. It's not like someone can install things secretly.

    • by geekoid (135745)

      True, but who is looking at their status bar 24/7?

      Especially if the program being maliciously installed is designed to remove itself from the status bar.
      Seriously, root kits have been removing themselves from lists and logs since 1984.

      • Can't Sleep.

        Status Bar Will Eat Me. /simpsons

      • by h4rr4r (612664)

        The notification stays until you clear it. If there are apps with rootkits in them in the market then you have bigger problems.

        • So you think an app with a rootkit which you have to explicitly install is a bigger problem than an app with a rootkit which installs itself without user interaction?

          • by h4rr4r (612664)

            No, I would say they are the same problem. The issue is then an app with a rootkit and how you got it does not matter.

            • I would say they are not the same problem. I can protect myself against an app with a root kit by not installing it. I can't do that if it installs itself.
              Now you will probably counter that I usually won't know that there's a root kit in the app. Which is only partially true: While you never can be completely sure about it, there are apps which are more likely to have root kits than others. Moreover, generally the set of apps you knowingly install will be quite limited. An attacker would have to put the roo

      • by MrHanky (141717)

        No one, of course. But don't you have to run an app to, well, run it? Unless you restart your phone, evidently: Some apps do start up at boot even if you never started them before, but I've never noticed one start at install. Then again, I'm not entirely sure how the .apk packages work.

        • Apps can include background services, but by design they can't start the services on install, they are only allowed to start them when the application is run for the first time, or when the device is rebooted. However they can hook system events on install so the app can be launched when the phone receives an SMS for example.
      • by brunes69 (86786)

        That's not possible for a few reasons. First, you would need root-access to the Android OS. Second, even if you have rooted your phone, any time an app asks for root a big box takes over the phone and you HAVE to accept it within 5 seconds or that app is blacklisted from ever asking for root again.

        • by Tacvek (948259)

          That assumes you have installed Koush's or ChainsDD's Superuser app, which admittedly pretty much all rooted "ROM"s and pretty much all instructions for rooting a phone contain, so in practice it is always installed. However, please note that any app that exploits a kernel flaw to gain root could bypass the superuser application.

  • by Anonymous Coward

    They can only do this if they steal your password first -- not that they will silently install an app, and then swipe your login details.

  • by Mike Buddha (10734) on Friday February 04, 2011 @03:12PM (#35105956)

    The bigger security issue that aflicts all Android phones is that of pocket-based or belt-holder-based security. The vast majority of Android users falsely secure their devices by carrying them in their pockets or on belt holders. If a hacker were able to remove the phone from the pocket or belt, they could covertly install malicious apps, make phone calls, check call log, spam sms messages, etc.

    Google needs to address this gaping hole in Android security.

    • by BitZtream (692029)

      The difference is, if someone takes it off my belt I'll know it.

      If someone malicious attacks google or your google account, you end up with software on your phone without any prior knowledge.

      So go ahead, take my phone out of my pocket, install malicious app on it, and put it back in my pocket ... I'm pretty sure I'll know, unless you happen to get it during the 7 or so hours a night when its not in my hand or my pocket ... but instead laying next to me on my nightstand ... I'm pretty confident I'll know yo

      • Perhaps you shouldn't talk about security, even if you're trying to be funny.

        You're absolutely right. I've learned my lesson. Some subjects are just too serious to have anything remotely funny said about them. Having programs installed on your phone due to a hypothetical security flaw is one of those subjects. Are there any other purely hypothetical situations that should not be made light of, or should we treat all FUD with the same level of respect and dour consternation?

  • by Anonymous Coward

    This is the way the Android Market app has always installed apps on the phone. The process is async. The Market app sends a request to google, google authorizes it, then pushes the app to your phone. The web site is using the same mechanism.

    Before you write another story, make sure it's actually been cracked first.

  • Lets help Google out here and describe what a secure solution should look like.

    Do you follow Apple's walled garden approach and only run officially signed code?
    Do you follow Msft's signed code approach where you warn but let them run anyway?
    Do you download to a quarentine area and force the user to accept it to run it?

    others?

    • by h4rr4r (612664)

      Sandbox every app, then have the user allow specific permissions. This would mean however than a user could avoid adds in a free app by not letting it talk to the network.

  • As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.

    That'll never work. Can you say drive by attack? Users don't look at these things and criminals know it. That's why people get their pc's infected with all sorts of nasty bits. Oh yeah 800 viruses and spyware found on your computer!!! Click here to clean your pc. Google needs to make it right not just put a band aid on it.

    • That'll never work. Can you say drive by attack? Users don't look at these things and criminals know it.

      So what you mean is "That'll never work for fools."

      • So what you mean is "That'll never work for fools."

        Ok....you got me there but Google still needs to make it right.

  • Ahh yes... today's security DDDDDOOOOOOOOOOOOOOMMMMMM!!!!! Really, isn't anyone else sick to death about these things that NEVER affects ANYONE?
    • FUD affects everyone. If Apple is going to withstand the onslaught of Android, the FUD's going to have to fly fast and thick. Potential insecurity! Fragmentation! Beware!

  • make this an optional security feature and just do the same as you would your facebook account, don't let other people on it!
  • I was watching this on engadget and couldn't tell from the images whether I watching an Apple or HP announcement.

    This picture [blogcdn.com] ... change TouchPad to iPad and put the guy in a black turtleneck....sure looks like the iPad announcement.. Look at this picture [blogcdn.com] from the original iPad announcement... sure looks similar to me.

    This e-mail app [blogcdn.com] looks pretty damn close to the iPad one.

    This keyboard [blogcdn.com] sure looks almost identical to the iPad.

    In general, I saw this as a rehash of the Apple and Google approaches to a common

It seems that more and more mathematicians are using a new, high level language named "research student".

Working...