Google Starts Scanning Android Apps
eldavojohn writes "A recent blog post has Android developers talking about Google finally scanning third party applications for malware. Oddly enough, Google claims this service (codenamed 'Bouncer') has been active for some time: 'The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise.' So it appears that they allow the software to be sold even before it is scanned and it also appears that no one has been bitten by a false positive from this software. Apparently Bouncer is not as oppressive as Apple's solution although given recent news its effectiveness must be questioned. Have any readers had their apps flagged or pulled by Bouncer?"
Does this mean ... (Score:2)
Does that mean that apps like ROM Manager or Titanium Backup will be wiped away, considered as viruses because they need root access to work?
Re:Does this mean ... (Score:5, Interesting)
Not likely. FTA:
Once an application is uploaded, the service immediately starts analyzing it for known malware, spyware, and trojans. It also looks for behaviors that indicate an application might be misbehaving and compares it against previously analyzed apps to detect possible red flags.
That's a pretty good description of proper scanning for bad code. As TFS stated, this isn't the Apple paradigm where they want to control their users. The purpose is to maintain a profitable marketplace and platform by protecting users who keep hearing about Android malware.
Re: (Score:3)
I think the most important part is actually "possible red flags". This automatically scans, but doesn't seem to automatically ban.
Re: (Score:2)
Good catch. But note that "possible red flags" appears in the second part of the quote (after "also looks for"), which discusses only the case where the scanned app shares a similarity to other apps of concern- those potentially containing unknown malware.
The way I read it is if known malware is detected, it could/should be automatically blocked. But sharing "similarity" with other applications would be a second category which may require more analysis before getting blocked.
When will they add... (Score:5, Interesting)
...a more fine-grained security model and a firewall to android?
I understand it's a problem for Google if users can suddenly notice how much is transferred to Google but I think it's the only way to go in the end.
Re: (Score:3)
..a more fine-grained security model and a firewall to android?
Well, it is rather fine-grained. Especially when compared to the other smartphone market leader. But yeah, there are some things that could be done better.
And regarding firewall:
1. Google release firewall
2. Users start blocking ad servers
3. World goes under
Re: (Score:2)
it's pretty generalistic when compared to market leader j2me(by numbers, don't argue). it's also a lot less "in your face" though. who the fuck wants to press yes 6 times to create a file?
thing is, what would be needed would be the option to allow/disallow actions when they happen(with "allow always" "allow for a day" etc options) - not at install time. and for example if it's sending a sms, show where it's sending it when asking for permission - and for each app there could be a option to view their securi
Re: (Score:2)
it's pretty generalistic when compared to market leader j2me(by numbers, don't argue)
I'll argue. J2ME barely shows in the smartphone market. Dumbphones aren't relevant to a conversation about platforms that support user-downloadable third-party applications.
thing is, what would be needed would be the option to allow/disallow actions when they happen(with "allow always" "allow for a day" etc options) - not at install time. and for example if it's sending a sms, show where it's sending it when asking for permission - and for each app there could be a option to view their security log from app manager.
I posit that would reduce security, not enhance it. It's difficult enough to convince users to take the time to read the permissions they're granting during installation. Later popups would quickly train users to just dismiss any security prompts, especially because they would come up at a moment when the user is, presumably, trying
Re: (Score:2)
I'll argue. J2ME barely shows in the smartphone market. Dumbphones aren't relevant to a conversation about platforms that support user-downloadable third-party applications.
The whole point of JME is to support user-downloadable third-party applications. JME was also supported on smartphones, for example on Symbian.
Re: (Score:2)
Protecting ad flow is the new DRM :O
Re: (Score:3)
Unfortunately it's grant-all basis only. As in app requests a bunch of permissions, and you can not deny one or two of those requests. You must grant them all, or deny (and not install the app). It is only fine-grained as in there are many different, well-defined permissions an app may request. And of course the good thing is that they're all listed when you install a new app, and you're re-requested to give permission if this changes in an upgrade.
But there are issues. I have a 4-in-a-row game on my phone,
Re: (Score:2)
So when the app is running and is in a situation where it needs a permission that is blocked it notifies the user of the error. Apps like Google Maps already do that when GPS is disabled, there's no reason other apps can't do the same. And in fact, there's no reason other apps shouldn't already be doing that because on a phone things like SMS, location data, and network connections aren't always available.
Re: (Score:2)
Personally, I use DroidWall as a frontend for iptables. It is free and works great.
The funny thing is, I use it mainly to restrict data from leaving my phone, since a lot of apps nowadays insist on having internet access, and can't be trusted with my personal data. A nice side effect of this is that it also blocks ads.
Re: (Score:2)
The problem is the damage that can be done to a phone that does not involve an IP connection.
How about a firewall that prohibits all interstate and international calls? Or stops SMS text messages for all except a few selected apps? The idea of a firewall is really outdated and limited when you're talking about the security of a mobile phone. Many of the phone based scams will sign you up to subscription services via the telephone, not via the internet.
+1 on Droidwall though, it works great.
Re: (Score:2)
Seriously. I was recently looking to install a firewall on my HTC Evo 4G. The apps I found all had tons of useless crap and the firewall portion requires root. I don't want to root my device since I get no support anymore then. In fact I submitted a bug (.Mail folder redownloads all attachments until >1GB in size) and they tried to weasel out when they thought it was rooted.
I had some hopes for Moxie Marlinspike's WhisperMonitor.. not sure if it requires root but probably does. I can't tell because Twitt
Re: (Score:2)
The problem is that even if they did it would take years for the hardware manufacturers to catch up. Many problems with security are fixed but most Android phones still lag 2 versions behind.
Now? (Score:4, Interesting)
You figured something like this would have been in place from day one. Let's sell apps, but not worry about if they are loaded with malware or viruses. /facepalm
Re: (Score:3)
I made all kinds of assumptions about the way that these app stores are run in the early days. That they'd not only scan for malware but even inspect the source.
But no, turns out that with both Android and iOS, you get the freedom of a walled garden with the safety of a sketchy warez site.
Re: (Score:2)
Android has no wall.
You can download from Google, or any place else.
No walled garden needed.
Re:Now? (Score:5, Informative)
If you had an Android device you would know that you do not need to root your phone to install apps from someplace other than Google.
You just go into settings and select that you want to be able to install programs from Unknown Sources.
You can try again to spread FUD if you like.
I will wait.
Re: (Score:2)
That is not something that Android does.
That is something that your shithole cell phone provider orders the handset maker to add.
You can try again to spread FUD if you like.
I will wait.
Re: (Score:2)
That is not something that Android does.
That is something that your shithole cell phone provider orders the handset maker to add.
And the end result is what?
Is it spreading FUD to tell it like it is? Seems more honest than describing a situation that, today AFAIK exists only in theory. It's the Tivo all over again but this time the geeks are on the wrong side.
Re: (Score:3)
It is not only theory.
Get a Nexus. Buy it. Do not have some phone company pay for most of it for you and then sign a contract stating that you can now be fucked in the ass and blame it on Android.
You can try again to spread FUD if you like.
I will wait.
Re: (Score:3)
What is the point in releasing other Android handsets if the answer is always "get a Nexus"? You are ignoring that there have been handsets released where the option to install from untrusted sources was absent and you had to get apps from the Marketplace.
Re: (Score:2)
I have not seen an Android phone with that removed. Nexus, Evo 4G, Photon, G1, Evo Shift, Galaxy S all have it.
If there are handsets like that I have yet to see them.
Not being a dick but if you know of one I would love to hear about it.
Re: (Score:2)
Motorola Droid Razr, apparently (i.e. not the newest Razr but an older model).
Re: (Score:2)
What's the point of blaming Android as a platform when you don't get a Nexus phone?
That's the simple fact. You want the Android experience you get the phone Google dedicates to the task minus any bullshit from the manufacturer and the carrier.
But really feel free to go buy any phone. There are many good Android phones on the market that aren't artificially limited. Just when you do go and buy another phone, don't come back saying something like "Android doesn't support tethering". Have the balls to say "Mot
Re: (Score:2)
Tethering is built into Android. No app or rooting required, works great.
Re: (Score:2)
Duh, tethering is built into all smartphones. It's just a question of the contract between you and your operator whether you can use it without cheating.
Re: (Score:2)
I was responding to a poster who did not know that.
Re: (Score:2)
Looks like I've got a Mac fanboy with their pants all twisted in a knot.
This whole discussion is about Android phones. I replied to a message where the person did not understand that Android phones can tether without installing apps or rooting, etc. I explained that this functionality is built into the Android OS.
I did not mean to ignore or cast aspersion on the sacred iPhone which I understand also has the ability to tether (I think since version 4.3). I apologize for not including the sacred iPhone in
Are all Android users so dense? (Score:2)
Looks like I've got a Mac fanboy with their pants all twisted in a knot.
I was simply posting a fact, as your post implied other platforms might not support tethering. How you chose to interpret that is, literally, your problem.
I replied to a message where the person did not understand that Android phones can tether without installing apps or rooting, etc.
Like most Android users, you seem to have rather a burr up your butt when anything negative is said. In fact the original post did not claim Android coul
Re: (Score:2)
Geez...
You iPhone fanbois are a real pain in the butt.
I merely stated that you could tether with Android without going through any hoops. Since this whole discussion is about Android, I didn't say anything about iPhone. However, you weaselly insecure iphone fanbois have to make everything about iphone.
So, I did some research since I don't have an iphone and found out that yes, indeed, apple did add tethering recently (about two years after Android added it) but that it is implemented so that it "phones ho
Re: (Score:2)
Actually, my phone (SGS2) has built-in wireless tether from the manufacturer. Phone sets up an access point and functions like a normal internet router.
And it works. I've used it several times, in fact. And that is with default firmware, no rooting or anything.
http://www.youtube.com/watch?v=GGsG239_hbA
Re: (Score:2)
Wireless tether on Android is built into the OS. It takes about three taps to activate. No root required. No special apps required. Your local friendly telecoms carrier has no way of knowing you are tethering... it's all data.
OTOH, tethering on the iPhone is tightly controlled by the OS and requires payment to the telecoms carrier before it will activate. There have been a few iPhone apps which have briefly unlocked tethering but these have been squashed by Apple. You might be able to get them if you j
Re: (Score:2)
Understood. The first thing off my Evo was NASCAR.
Re:Now? (Score:5, Informative)
once you jai - sorry, root the device.
Settings/Applications/Unknown Sources.
It's a toggle, so you can turn it back to block unknown sources after you've sideloaded whatever you wanted.
Re: (Score:2)
on the original iPhone, apps were intended to be web apps run entirely within Mobile Safari
Yet Safari provided no means to access the camera, microphone, accelerometer, etc. How would, say, a web app that scans barcodes have worked?
More lies from the Apple Haters (Score:2)
The uproar over native apps forced them to rush the release of the SDK, rush to opening of the App Store review system, etc
No it didn't. Anyone who programmed the original SDK knew it had been planned to be released all along, there was way too much material for it to have been a rush job. Also at first app store submissions didn't take that long, it was only later when demand went bonkers they really started to be overloaded.
Poor Apple Haters, can't even revise history correctly...
Re: (Score:2)
Forgive my squirrelly ignorance.
But as to your signature.
Is it not written on the sacred scrolls that all Muds should be written in C?
The "recent news" was retracted... (Score:5, Informative)
Re: (Score:2)
Adware is malware.
What's apparent to you may not be apparent to me (Score:2, Insightful)
So it appears that they allow the software to be sold even before it is scanned and it also appears that no one has been bitten by a false positive from this software.
Why does it 'appear' that they allow the software to be sold even before it is scanned? It could be true but it doesn't seem to follow from anything else that was said. It sounds as if it scans items that "are in the market" but that doesn't necessarily mean they aren't scanned before they go into the market, just that they continue to be scanned as the scanning techniques improve/change.
Why does it 'appear' that no one has been bitten by a false positive? I don't see anything that could lead to that conclu
Re: (Score:2)
because nobody's bitched about it on any dev forums? vs. the amount of people who have bitched about being pulled from apple store with a legit app.
"it appears" is there exactly for that: it just appears so, that it might not be so, but for the time being it seems so.
Re:Scan for quality? (Score:4, Informative)
Re: (Score:2)
Comparing any old Android app to Winterboard isn't exactly fair, in my opinion.
Winterboard has to implement a ton of hacks to work on iOS, because there's no official API for theming. You can call this a fault of the OS if you want, but my point is Winterboard necessarily employs more hacks than your average app. It uses MobileSubstrate [iphonedevwiki.net] which (I'm not even exaggerating) dynamically changes how existing applications work by changing their code when they start.
Re: (Score:2)
That's funny. The only app I ever have issues with is one of the most widely used - Good - and it is awful on both platforms from what I understand.
Re: (Score:2)
Saying that an app is "awful" and "one of the most widely used" in one sentence is a bit strange - why would so many people use an "awful" app? Especially with the competition out there. By the way I assume "Good" is the name of the app? I for one have never even heard about it.
Re: (Score:3, Informative)
It's because it is the most widely supported enterprise email app. It was the first most companies went with so they are slow to move to alternatives.
Re: (Score:2)
It's actually one of the most popular MDM (mobile device management) platforms used in enterprise environments. We use it and while it isn't perfect, it is far from "awful". I'm running it on ICS and have found it works pretty well. My battery drop (a given for any app like this) has been insignificant, I can access my corporate email/calendar/contacts, the data is secured, and it is separate from my other data. The biggest problem we've seen is the occasional delay in email delivery compared to Acti
Re: (Score:2)
I have never used Good, but I would assume if the app is crap and a lot of people still use it then it must do something both unique and desirable.
Re: (Score:3)
Because it's used for accessing corporate email. In many organizations, that's the only choice if someone wants to access their mail on a phone.
The biggest selling point is that it keeps corporate data segregated from the rest of what's on the device. (If someone's phone is lost / stolen or leaves a company the end result is that it allows for a remote wipe command to clear out just the data for Good)
Last I had looked at it (close to a year ago), usability was lagging behind the native email clients for A
Re: (Score:2)
We use it and the biggest issue we see is an occasional delay of less than a minute for email delivery. Otherwise, performance and usability are acceptable given the trade-off of secured and controlled corporate data. Interestingly, the Android version on ICS seems to be better than the iOS version on iOS5.
Re: (Score:2, Funny)
why would so many people use an "awful" app?
Maybe they want to read the Something [android.com] Awful [apple.com] Forums [somethingawful.com]
Re: (Score:2)
To me this is a serious question. I guess I know enough about Java to be dangerous. Just curious and not trying to troll.
Re:Scan for quality? (Score:5, Informative)
1. Create ArrayList
2. Add ALL THE THINGS
3. Forget to remove old entries when not used anymore
Reference still exist, not considered garbage.
Re: (Score:2)
Yes. In other words, competent programming would prevent this problem, like most software problems.
Now, the aggravating factor is that in the Android Dalvik runtime, apps aren't usually idle-killed and don't often exit. Some very user-interactive programs (like games) have some kind of "exit" option, but most apps just stay in the background, suspended but still holding system resources... in other words, their memory leaks can persist until (A) user force-closes the app from the system menu, or (B) user re
Re: (Score:3)
This is part of the picture but there is more to it. One of the major problems is the fact that a lot of devs are unaware of, or forgot about, the fact that certain API objects like Drawable are bound to a View (which is bound to the larger UI (and Activity). So what seems like a simple ArrayList of thumbnails that really shouldn't put much of any pressure on memory ends up holding references to the entire UI/Activity. This is called "Leaking the Activity" and is very common. Some of the blame rests wi
Re:Scan for quality? (Score:5, Informative)
Memory Leaks in Java are not objects that are not freed, but dangling references to data/objects that are no longer needed (often static HashMaps that people use to implement their own caches and forget to clean up, or listeners that are still registered, even if the listening object could be discarded).
Also there are leaks in the Android WebView: http://code.google.com/p/android/issues/detail?id=9375 :(
So using the WebView (which many apps do) causes leaks
(not the fault of the developer though)
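The two leak patterns named in the comment above (a static map used as a cache, and listeners that stay registered), shown beside bounded and cleaned-up variants. This is an added Java example, not part of the original thread; the names `LeakDemo`, `EventSource`, `Screen` and the cache limit are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class LeakDemo {
    // Hypothetical limit chosen for the demonstration.
    static final int MAX_ENTRIES = 16;

    // Leaky pattern: a static map used as a cache. Every entry stays strongly
    // reachable from the class itself, so the garbage collector cannot free it.
    static final Map<Integer, byte[]> LEAKY_CACHE = new HashMap<>();

    // Bounded alternative: an access-ordered LinkedHashMap that drops the
    // least recently used entry once MAX_ENTRIES is exceeded.
    static final Map<Integer, byte[]> LRU_CACHE =
        new LinkedHashMap<Integer, byte[]>(MAX_ENTRIES, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<Integer, byte[]> eldest) {
                return size() > MAX_ENTRIES;
            }
        };

    interface Listener {
        void onEvent(String event);
    }

    // Long-lived object that keeps a strong reference to each listener.
    static class EventSource {
        private final List<Listener> listeners = new ArrayList<>();

        void register(Listener l) { listeners.add(l); }
        void unregister(Listener l) { listeners.remove(l); }
        int listenerCount() { return listeners.size(); }

        void fire(String event) {
            // Iterate over a copy so listeners may unregister while handling.
            for (Listener l : new ArrayList<>(listeners)) {
                l.onEvent(event);
            }
        }
    }

    // Stand-in for a short-lived UI object that owns a large buffer.
    static class Screen implements Listener {
        private final byte[] pixels = new byte[64 * 1024];

        @Override
        public void onEvent(String event) {
            pixels[0]++; // pretend to redraw
        }
    }

    public static void main(String[] args) {
        // Pattern 1: cache that is only ever added to.
        for (int i = 0; i < 1000; i++) {
            LEAKY_CACHE.put(i, new byte[1024]);
            LRU_CACHE.put(i, new byte[1024]);
        }
        System.out.println("unbounded cache entries: " + LEAKY_CACHE.size());
        System.out.println("bounded cache entries:   " + LRU_CACHE.size());

        // Pattern 2: screens register and are then "closed" without
        // unregistering, so the source keeps all of them (and their
        // buffers) alive.
        EventSource leakySource = new EventSource();
        for (int i = 0; i < 100; i++) {
            leakySource.register(new Screen());
        }
        System.out.println("listeners left behind:   " + leakySource.listenerCount());

        // Fix: pair every register with an unregister when the screen goes away.
        EventSource cleanSource = new EventSource();
        for (int i = 0; i < 100; i++) {
            Screen s = new Screen();
            cleanSource.register(s);
            try {
                cleanSource.fire("refresh");
            } finally {
                cleanSource.unregister(s);
            }
        }
        System.out.println("listeners after cleanup: " + cleanSource.listenerCount());
    }
}
```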
Re: (Score:3)
"Memory Leaks in Java are not objects that are not freed, but dangling references to data/objects that are no longer needed"
In Java terms that _is_ an 'object that has not been freed'.
Sadly the Cult Of Garbage Collection has made many Java programmers far too lax about ensuring that everything is freed when it's no longer required.
Re: (Score:3)
Memory leaks are a coder's problem, even on languages with automatic garbage collection. an example: a developer adds items to a Hashmap used as cache but forgets to release unused items, that is a memory leak that no GC will solve
Re: (Score:2)
the java vm can't decide for yourself to add "reference_to_blablabla_that_we_dont_actually_need_anymore=null;".
it's coders problem. everything is.
it's not that much more of a problem than on other ways of doing it than garbage collection. at least with garbage collection if you're leaking memory you (usually) are keeping a reference somewhere and can just find out where.
Re:Scan for quality? (Score:5, Insightful)
It is good that they are going to finally scan for malware.
Yes.
But in the end Android apps need better quality control.
No.
Look, this site espouses the value of open source and more open markets in general. Android is pretty open as far as markets go, but the caveat that comes with that is that there is a lot of garbage. If you aggregated every, say, Wordpress blog on the Wordpress.com website, 95% of them would probably be unreadable drivel. The same goes for programs.
If an app exists but it doesn't work for you, then go to a competing app. If an app exists, is really crappy, and is the only one of its kind, that is what we call a "business opportunity". The market lacks quality software and that's a hole that you can fill. If an app doesn't exist but it would be useful (or fun!), then do it and make some money.
Re: (Score:3)
If I wanted to be in app writing business, I'd already *be* in the app writing business. But there's a reason why I'm downloading rather than writing.
In addition to not wanting to be in the app writing business... I don't have
Re: (Score:2)
Well then, someone else needs to fill the need. If they had stricter QC then the app might have not even made it into the store. There's really no way to tell whether the developer will say "Okay, I guess I'll make this run better" or "Fuck it, I'll code something else that's easier and will make me more money."
Re: (Score:2)
You say that like keeping crappy apps out of the store is a bad thing. If the developer isn't willing to do the work to write a decent app, then let him compete amongst the (many) others going for the
Re: (Score:2)
Which is why the fact that Android doesn't bar you from using 3rd party sources is valuable.
Google's official market should be clean and secure in terms of the behavior of software available through it.
Apple is right in one way, wrong in the other. So is Android. Google could easily take the best of both.
Re: (Score:2)
It is good that they are going to finally scan for malware.
Yes.
But in the end Android apps need better quality control.
yes.
Fixed that for you.
See, funny thing happens when there is no regulation: Everything is a race to the bottom. You say "Use a competitor" but that assumes two things: First, that there exists a competitor at all, and second, that the competitor is meaningfully better. In theory, you might have something. However, there is an adage for this: In Theory, theory and reality are the same. In Reality, they are completely different.
With regulation, however, there is a mandatory minimum to which all apps must adhere
Re: (Score:2)
I know everything's a race to the bottom. Look, fast food used to be the same way. But then people noticed places like Wendy's didn't make as much money as McDonald's, but they had consistent profits and growth and had really good customer satisfaction. That showed other entrepreneurs that people are willing to pay for quality, and now we have more slightly higher end fast food chains like Five Guys and Smash Burger.
Re:Scan for quality? (Score:5, Insightful)
If you've found apps that aren't of high enough quality to suit you i suggest you just find a better app and/or tell the author what the problems are and ask them to improve it. Or if you can't find a better version and the problems really bother you that much, just uninstall it. If the problem is dealt with by Google wielding a ban hammer then it is "solved" not only for you, but also for all the people who thought the value of the app was worth dealing with the problems.
Re: (Score:3)
It seems like, given that the Android platform lets you use whatever stores you please (or your ODM makes you use), Google could pretty much implement whatever quality control it wants, it just reflects on their reputation ultimately. People who want to sell apps that Google bounces would still have Amazon, GetJar, Handango, or their own website.
Re: (Score:3)
yes in Java and in any other language with garbage collection, stop thinking GC solves all memory leaks problems. example: a developer adds items to a Hashmap used as cache but forgets to release unused items, that is a memory leak that no GC will solve
Re: (Score:2)
Does the scope of a static variable go beyond the life cycle of an application?
Re: (Score:2)
Depends what you call the lifecycle of an application. Facebook app always starts a service, no matter if you closed all FB activities, worse it starts that service even when you have never logged in on FB with it, so a leak on a static variable on that service will slow down the system, sure Android will kill it sometime when memory is needed for other applications, still the system could run sluggish when that hypothetical leak is triggered
Re: (Score:2)
Oh, that would be true, but according to my research each application has a limited amount of heap memory they can use (on a G1 it was 16MB). So even if you're a service, it's still not that serious.
Especially not as serious as a possible objective-c memory leak (since the author seems to be implying that memory leaks happen very frequently on android unlike iOS). Quite sure apple doesn't test your app for memory leaks.
Quality control will not stop memory leaking apps in no way shape or form, especially bec
Not everything is garbage-collected (Score:2)
Re: (Score:2)
That "memory leak" is someone adding an image to a cache and never removing it. It might slow down your application when the cache gets too big, but it should still get unloaded when the program exits (and ends up killed because of Android's architecture).
After my answer I actually looked for it and I found a way to do memory leaks in java, but I still think that wouldn't happen on android because of the constant load-unload scheme it has going on.
Re: (Score:2)
disregard this answer, just noticed it was static. Not sure how android handles static variables, so nevermind.
Re: (Score:2)
Actually, just read a bit more and my point stands (:
Re: (Score:2)
No, it means that making the whole system run slowly is extremely hard because of the way android works.
Even the fact that each application seems to be limited to 16MB of heap memory (on some phones, not sure if in all of them, but quite sure they all implement a limit) makes that task of making the whole system need a reboot extremely hard.
The "lack" of quality of the apps on the Android market (actually, a myth, since more and more apps exist on both platforms - so you might have the shitty apps, but the
Re: (Score:2)
Try an iPhone. You might like the fact that most of the thinking is done for you already.
The iOS App Store isn't saving on the thinking. It's saving on the time spent filtering out all the crap. Selecting the quality app that's right for you is work. Back in my corporate days, when a new corporate application was needed, somebody would have to research a list of perhaps 6 candidate applications,then spend a week or a month of work evaluating those applications to find the right one for the business. OK, choosing a phone app for personal use isn't as much work as that. But it is work. And it's
Re: (Score:2)
I would wholeheartedly agree with you if that was all they did.
But they do much more than that. They take out apps that work perfectly well but they do not like.
They kill apps that do a better job than the stuff that comes with the phone.
Also. Your sub standard AI may in my opinion just be different. I may actually like it more.
Why should I not be able to use what I like more? Why do I have to use their dialer, their contact manager, or their file manager?
I like different stuff.
My wife's phone is an Evo 4G. F
Re: (Score:2)
Do you blame Microsoft or Amazon when you buy what turns out to be a crappy EA game for your Windows computer via Amazon.com?
Not being worse than Windows is a pretty low bar.
Re: (Score:2)
Which has nothing to do with what I said.
Put the blame where it belongs.
Re: (Score:2)
I chose Maemo over Android too, unfortunately we're a small minority even among geeks, I think I'm going to try to hack Maemo or some other GNU/Linux distro onto a Droid 4 for my next phone.
Re: (Score:2)
Re: (Score:2)
Please stop. Don't continue to talk about FOSS if you're going to sound this stupid. You make the rest of us look bad.
This is utter nonsense. Look at Ubuntu which is certainly FOSS. Does that mean no proprietary code will run on it? Of course not. Check out their own market- lots of applications are for sale as binary-only. Disallowing those, or any other business model a developer/publisher wants to employ is not best left up to Ubuntu, or Google. That should be the user's choice.
If you choose to r
Re: (Score:2)
Why do you say that kernel is a distant relative? I was under the impression that little had changed outside the driver model.
Re: (Score:3)
At this point they're completely incompatible with each other, so I'd say they're roughly as distant as the Linux and BSD kernels.
Re: (Score:2)
This is flat out bullshit.
http://www.muktware.com/news/3273/linux-33-will-let-you-boot-android-greg-kh
Linux 3.3 will allow you to boot Android unmodified.
Re: (Score:2)
Well forgive me for being a day or two behind on the bleeding-edge development news.