Google Says Android App Security Report Flawed

By Brian Prince  |  Posted 2010-06-23

Google is taking issue with a report from SMobile Systems suggesting Google Android applications are leaving users open to identity theft.

In an analysis of more than 48,000 applications (PDF) currently available on the Android Market, SMobile found that 20 percent request permission to access sensitive information an attacker could use for some malicious purpose. In addition, 5 percent of applications have the ability to place a call to any number without requiring user intervention.

"The Android operating system and the Android Market are quickly becoming the most widely used mobile platform and app store in the world," Neil Book, CEO of SMobile Systems, said in a statement. "There are individuals and organizations out there right now, developing malicious code designed to capture your most personal information and use it to their advantage."

SMobile's technology uses the permissions and application requests as a basis to judge whether or not the application is malicious. In its study, 29 of the applications were found to request the exact same permissions as known spyware. However, a Google spokesperson pointed out that the permissions list gives the user the ability to prevent unauthorized applications from doing anything malicious. 

"This report falsely suggests that Android users don't have control over which apps access their data," a Google spokesperson said. "Not only must each Android app get users' permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious."

Though the spokesperson could not share the number of malicious applications removed from Android Market, Google did remove some banking applications in 2009 for violating its terms of use. According to Google, in addition to users receiving a clear list of permissions that they can choose to accept or decline, users are able to flag content they deem inappropriate, or that causes problems with their devices, for human review.

"This information helps users to decide what to download and what not to download," the Google spokesperson said. "In case malware does end up getting downloaded, we 'sandbox' every application on Android, meaning we give it limited access to phone resources by default such that any malware that appears will have limited impact."

Android is not the only mobile platform being targeted by attackers. Earlier in June, researchers at mobile security vendor Lookout discovered attackers were targeting Windows Mobile devices with malicious applications.

"The open-source architecture that drives Android phones and the abundance of application stores available for all smartphone devices have allowed developers to quickly create and post thousands upon thousands of new applications," SMobile Systems CTO Daniel Hoffman said in a statement. "As a result, applications are currently available that have the potential to cause serious harm to devices, customers and to the broader cellular network."
