Google Pulls Infected Apps from Android Market

April 15th, 2011 14:19

As if to underscore the recent concerns regarding mobile apps and the increasing security risk that they pose, Google was alerted to a list of 50 free apps posted on the Android marketplace that were infected with malware. After being alerted by a user, the Android Police website notified Google, which took the infected apps down immediately. Google then took a controversial and little-used step: it invoked the “Remote Application Removal” feature, reserved for extreme support needs, to clean infected phones. Most of the users affected welcomed the measure, but many were unaware of the infection, and there was no information about what damage had been done to those users’ phones before the apps were removed.

Not So Open Source

The first criticism leveled against Google over the incident was that the Android app marketplace was not supposed to be THAT open. Why was there no vetting of applications, or scanning of them for malware or other infections? Why were app developers allowed to upload anything while Google made no effort to ensure the safety of its growing user base? As yet, there has been no official response from Google regarding the incident or what, if anything, will be done to prevent such incidents in the future.

While Google is not the only target for such attacks, other app ecosystems are more difficult to hack because they are more closed. Apps can be distributed from private websites, where they are not subject to any scrutiny by Apple, Google, or others, but most apps are distributed from app stores. There are several for Android apps, and the others are somewhat more diligent about security. Even this may not be enough, however, as apps are often granted permission to access a user’s browsing history, contacts, call lists, and other data in order to provide their services. In short, a legitimate app could be accessing and using data without the user knowing, even though the user consented.

I Agreed to What?

The Android marketplace at Android.com shows the permissions that a user gives an app if he or she chooses to install it. A quick scan of a video chat application shows that the app can:

  • Use the authentication credentials of an account
  • Manage the accounts list
  • Act as an account authenticator
  • Directly call phone numbers
  • Take pictures and videos, record audio
  • Access the Internet without restriction
  • Access and modify contact data

Essentially, the application is being granted full control of the phone and all the user data. The assumption is that it will only use these functions for legitimate purposes, but in the event that it does not use it for legitimate purposes, the user has no way of knowing. Even if he or she did, the permissions allow the app to use it for anything, including illegitimate purposes. This leaves the user out in the cold and exposed.

Apps with this kind of access can change the user’s password, prevent the key lock from engaging, and make phone calls. They could also monitor the camera and send the images to any website they choose. The problem is not that applications are granted these permissions, but that there should be finer control over what is accessible, especially since most users never read what they are giving the apps permission to do anyway. At least Android.com shows these permissions and displays warning messages, but users are notoriously unconcerned, and many of them are young and unaware.
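The permissions in the list above are what an app declares in its AndroidManifest.xml, and the risk the article describes comes from combinations: an app that can capture audio, video, contacts or credentials and also has unrestricted Internet access can move that data off the phone. The following Python script is an added example, not code from the article or from Google; it parses a constructed manifest modelled on the video chat app’s permission list, groups the real Android permission names by what they expose, and flags the capture-plus-network combinations. The risk groups, the pairing rules and the sample manifest are this example’s own assumptions.

```python
"""Audit the permissions an Android app declares in AndroidManifest.xml.

Added example (not from the original article). The manifest below is a
constructed sample modelled on the video chat app's permission list; the
risk groupings and the exfiltration pairings are this example's own choices.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree key for android:name

# Real Android permission names, grouped by what they expose on the phone.
RISK_GROUPS = {
    "accounts": {
        "android.permission.USE_CREDENTIALS",
        "android.permission.MANAGE_ACCOUNTS",
        "android.permission.AUTHENTICATE_ACCOUNTS",
        "android.permission.GET_ACCOUNTS",
    },
    "telephony": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "sensors": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "network": {"android.permission.INTERNET"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
}

# A data source plus unrestricted network access is what lets an app send
# what it collects off the device (assumed pairing rules for this example).
EXFIL_PAIRS = [
    ("sensors", "network", "can capture audio/video and send it off the device"),
    ("contacts", "network", "can read contacts and send them off the device"),
    ("accounts", "network", "can use account credentials and talk to remote hosts"),
]

# Constructed sample manifest modelled on the permission list in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videochat">
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def classify(perms):
    """Map each risk group to the sorted list of requested permissions in it."""
    found = {}
    for group, names in RISK_GROUPS.items():
        hits = sorted(p for p in perms if p in names)
        if hits:
            found[group] = hits
    return found


def audit(manifest_xml):
    """Produce a report: raw permissions, risk groups hit, and flagged combinations."""
    perms = requested_permissions(manifest_xml)
    groups = classify(perms)
    present = set(groups)
    findings = [why for a, b, why in EXFIL_PAIRS if a in present and b in present]
    return {"permissions": perms, "groups": groups, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for group, hits in report["groups"].items():
        print("%-10s %s" % (group, ", ".join(hits)))
    for why in report["findings"]:
        print("FLAG:", why)
```

Run against a real APK by feeding it the decoded manifest (for example the output of `aapt dump xmltree` converted back to XML, or the manifest extracted by apktool); the script itself only needs the XML text. Permissions outside the risk groups, such as VIBRATE in the sample, are listed but not flagged, which keeps the report focused on the combinations that actually give an app the reach the article describes.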

What’s Next

This is a new ecosystem, and mobile security is a big issue. Solid security suites are available now, but they will not stop a user from installing an app that is granted explicit permissions at the root level to control the phone. What is needed is greater Active Directory-style security and protection. Apps may need to access a camera, as the video chat app above does, but only when the user initiates that function. Mobile OSes need to be more sophisticated and secure before such threats are reduced.