As malware developers devise more tactics for duping users into installing their nasty apps, Google must be more vigilant on behalf of naïve users.
Android has garnered a reputation for being an insecure platform, and deservedly so. Trend Micro went so far as to deem Android malware one of the top security threats for 2013. We witnessed several instances of cybercriminals exploiting the relatively porous Android app market to spread nasty code in recent months.
Android malware is a problem that's spiraling out of control as the tech industry and users collectively forget or ignore every security lesson they learned over the past decade-plus while struggling to protect Internet-connected PCs. While iOS users aren't entirely immune from malware threats, Android users face more significant ones. The reason: Apple is notoriously meticulous in vetting each and every app and bit of content that's added to the iTunes Store. "Say what you will about Apple's 'closed' or 'vetted' iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps," security journalist Brian Krebs wrote.
The real trouble is that relying on users to exercise even a modicum of discretion as they eagerly grab shiny new Android apps out of the Internet ether is a recipe for disaster. End-user naïveté? End-user stupidity? Call it what you want. What matters is that end-users can be an overly gullible or trusting lot, and malware developers will continue to find techniques to further take advantage of that fact -- say, selling malicious apps under the name of a "Google-verified" developer.
Krebs spells out some common-sense solutions for end-users, but they may not be entirely realistic. Among them, he recommends that users "take a moment to read and comprehend an app's permissions before you install it." That's sound advice, but it's not necessarily practical. Just getting an average user to read all that legalese and techno-mumbo-jumbo, let alone comprehend it, is highly unlikely. They don't do it for websites, after all, which is why last year a group of privacy enthusiasts launched Terms of Service; Didn't Read (ToS;DR), an open source-inspired project aimed at helping users make better-informed choices before clicking Agree when presented with mind-numbing TOSes.
Krebs' second piece of advice: "Make sure you download apps that are scanned through Bouncer." That's good advice, but it's not a guarantee that the app you're about to download is secure. A study out of North Carolina State University from late last year found that Android's built-in malware scanner isn't entirely effective; in tests, researchers found it detected just 20 percent of malicious apps.
Krebs' third piece of advice: "Do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc.? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you."
Again, excellent advice, but malware developers have long found ways to fool users into trusting them through such tactics as masking malware to resemble legitimate software from reputable companies.
Nicholas Weaver, a senior researcher at U.C. Berkeley's networking group, responded to Krebs's report with an interesting proposal for curbing Android exploitation:
"[The] biggest flaw in Android [is] the Blame the User permissions model. With iOS, you have Apple's nazgul, err, lawyers and limited API (apps can't dial the phone or access SMS messages) protecting you, and what few prompts occur happen on first use, so users can meaningfully make a decision and have already established that the app can run.

With Android, the only thing really protecting the user is a huge permissions blob that all but an expert has no hope of decoding, and it's all or nothing: Either the app runs or it doesn't.

They really, really need to change this to shift a lot of scary permissions (SMS, phone dialing, private data access, etc.: All the stuff the malcode really needs to do) into "prompt on first use."
Krebs's reply: "You're absolutely right, IMHO. It's the same thing with privacy policies, only this time it's apps."

This story, "Google needs to be more like Apple to keep users safe," was originally published at InfoWorld.com.
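The "permissions blob" Weaver describes is, concretely, the list of android.permission strings declared in an app's manifest. As an added example (my own code, not from the article, Krebs or Weaver), the Python script below parses a constructed manifest for a made-up "flashlight" app and renders the permissions a non-expert should actually care about in plain language, grouped the way Weaver's comment groups them (SMS, phone dialing, private data). The permission names are real Android ones; the grouping, the wording of each explanation and the sample manifest are this example's own assumptions.

```python
"""Turn an Android manifest's permission list into a plain-language summary.

The manifest below is constructed for this demonstration, not taken from
any real app. Permission names are real; the grouping and explanations are
this example's own assumption, not an Android or Google taxonomy.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# ElementTree reports namespaced attributes as "{uri}localname".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the categories the commentary singles out as
# "all the stuff the malcode really needs to do": SMS, phone, private data.
SENSITIVE: Dict[str, Tuple[str, str]] = {
    "android.permission.SEND_SMS": ("SMS", "send text messages, including to premium-rate numbers"),
    "android.permission.RECEIVE_SMS": ("SMS", "see incoming texts, such as one-time login codes"),
    "android.permission.READ_SMS": ("SMS", "read stored text messages"),
    "android.permission.CALL_PHONE": ("Phone", "place calls without asking first"),
    "android.permission.READ_PHONE_STATE": ("Phone", "read the phone number and device identifiers"),
    "android.permission.READ_CONTACTS": ("Private data", "read the whole address book"),
    "android.permission.ACCESS_FINE_LOCATION": ("Private data", "track precise location"),
}

# Constructed sample: a "flashlight" app that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names: List[str] = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def group_permissions(names: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split permissions into the sensitive groups and a catch-all 'other' list."""
    grouped: Dict[str, List[str]] = {}
    other: List[str] = []
    for name in names:
        if name in SENSITIVE:
            group, _ = SENSITIVE[name]
            grouped.setdefault(group, []).append(name)
        else:
            other.append(name)
    return grouped, other


def plain_language_report(manifest_xml: str) -> str:
    """Render the summary a non-expert could act on before tapping Install."""
    grouped, other = group_permissions(requested_permissions(manifest_xml))
    lines: List[str] = []
    for group in ("SMS", "Phone", "Private data"):
        for name in grouped.get(group, []):
            lines.append(f"[{group}] this app can {SENSITIVE[name][1]} ({name})")
    if grouped:
        lines.append("Ask yourself whether the app's stated purpose needs any of the above.")
    else:
        lines.append("No SMS, phone or private-data permissions requested.")
    if other:
        lines.append("Other permissions: " + ", ".join(other))
    return "\n".join(lines)


if __name__ == "__main__":
    print(plain_language_report(SAMPLE_MANIFEST))
```

Run against the sample, the report leads with the two lines that matter (a flashlight that can send texts and read the address book) and demotes CAMERA and INTERNET to a trailing "other" line, which is the kind of triage Weaver's "prompt on first use" model would put in front of the user at the moment the capability is exercised rather than burying it in an install-time list.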