Can Amazon Save Android From Malware Hell?
Dec 20, 2011 5:00 AM PT
As Android continues its breathtaking rate of growth, malware directed at the platform is keeping pace.
Studies from McAfee and other antivirus software providers warn that Android is a breeding ground for malicious software.
Google has come under fire as a result, with security experts pointing to the company's relatively laissez-faire approach to Android apps and the Android Market as a major contributing cause to the proliferation of Trojans and other forms of evil software on the platform.
Google has often stepped in to pull apps from the Market when it learns they contain malware; however, by the time an app is yanked, it may have already infected thousands of users.
That style of store management has often been compared to that of Apple, which aggressively vets developers' applications before selling them in its iOS App Store.
Recently, however, a new sort of Android tablet made its debut: The Kindle Fire from Amazon. The Fire uses a heavily modified version of the Android operating system, and its users buy their apps directly from Amazon, which runs its own app store and tests its wares for security and other issues.
Is this an example that other Android app outlets should follow?
Amazon's App Scrutiny
Simply put, Amazon tests apps to death before letting them into its app store. Every app submitted undergoes tests for various aspects of its performance. There are linking tests, stability and functionality tests, tests on content issues and tests on security issues.
Each aspect is tested in several ways. For example, stability and functionality tests look to see whether an app opens within 15 seconds; whether it is compliant with the major carriers' networks; whether it freezes, has forced closings or exhibits other forms of instability; and how it reacts to phone calls, text messages, and alarms.
Content issue tests look for missing content, unreadable text and incorrect graphics. They also ensure the app complies with Amazon's content guidelines on offensive content, copyright infringement, illegal activities and other issues.
Security tests include making sure the app doesn't store passwords without the user's content, doesn't collect data and send it to unknown servers, and doesn't harm existing content on the device.
Amazon provides devs a checklist of the six most common reasons for which it rejects apps, together with tips on how to create and submit apps so they pass the first time.
Apps that are resubmitted after having been rejected will be put through the entire grueling round once again.
Verify, Then Trust
Malware in smartphones is "a catastrophe just waiting to happen," Jakob Ehrensvard, chief technology officer for Yubico, told TechNewsWorld.
That's because smartphone apps focus on the user experience. They have simple installation and invocation procedures, and a "vast toolbox" for accessing the Internet, telephone connections, text messaging, files, contact lists and social media accounts, Ehrensvard explained.
Further, by its open nature, Android is open to kernel and operating system updates, which makes the situation worse.
"Anything being installed in the kernel will, by its nature, be unreachable by any antivirus add-ons," Ehrenvard said.
Mobile malware growth is increasing "exponentially," but "it's a question of what protections are being put in place to minimize the danger as much as possible for the average user while still allowing for the maximum amount of fancy new gadgets and capabilities," Adam Wosotowsky, senior research analyst at McAfee Labs, told TechNewsWorld.
Openness in an Unsafe World
Google's open attitude may be partly responsible for the security problems plaguing Android. The Internet giant tends to place few restrictions on the platform and developers. That also keeps Google from controlling independent third-party app stores, where malware-laden apps are most often found.
For Google to vet Android store apps or insist that third-party app stores vet apps before allowing them in "is not enforceable without hampering the open development model of Android software" McAfee's Wosotowsky said.
Google needs to find out why people go to third-party app stores and minimize their reasons for doing so because "you have to click past a few warning screens in order to install from outside the [Android] Marketplace, so obviously there are reasons why some people ignore those warnings," Wosotowsky explained.
Google "takes a much more open approach [than Apple] when permitting content into their marketplace, relying on crowdsourcing -- the belief that any unsavory app will quickly be called out by the millions of Android users and can then quickly be revoked," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told TechNewsWorld.
This, together with the openness of Android, make the operating system "a magnet for those wishing to distribute malicious content," Sutton added.
Will a Walled Garden Help?
Apple's approach to its app store is the antithesis of Google's, requiring a long, tortuous approval process that has often set devs' teeth on edge.
However, malicious content has slipped through because "the application reviews focus is on the end user experience, not end user security," Sutton pointed out.
Taking a more proactive stance on security, as Amazon has, would help secure Android apps better.
"Providing a known secure source for apps will greatly enhance the overall value of the app store, especially in the Android space where competing app stores exist -- an approach that Amazon appears to be adopting," Sutton concluded.
Neither Google nor Amazon responded to requests for comment on this story.