Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/11/2010
05:12 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

About 1% Of Google Android Apps Bad

Google's Android Market has less oversight than Apple's iTunes App Store, and users are expected to police the store shelves.

A warning issued last month by First Tech Credit Union that the Droid09 app in the Android Market was malware isn't that uncommon.

Unlike Apple, which errs on the side of caution when reviewing apps for its App Store, Google considers the Android Market to be an "open distribution channel" and has said that there is no pre-approval process for Android apps and minimal automated scanning to ensure compliance with Google's security model.

In the Android Market, it's up to users to find and report bad apps.

"Once an application has been uploaded by the developer and made available for users of Android-powered handsets, the Android Market community is relied on to flag applications that do not abide by our policies," Google explained to the FCC last August.

Applications that have been flagged several times -- Google has not disclosed how many times -- are reviewed by Google staff for policy compliance and, if necessary, removed within three days.

Graham Cluley, senior technology consultant at Sophos, contends that Google's "anything goes" approach, "combined with the current buzz around new phones running Android such as the Motorola Droid and the Google Nexus One, may make the [Android] platform more attractive to cybercriminals in future."

The publication and subsequent removal of apps from Google's Android Market for terms of service violations turns out to be a relatively common occurrence.

A Google spokesperson declined to provide current information about the number of applications that have been removed from the Android Market.

Google's spokesperson said the company doesn't share app download numbers as a matter of policy and was unable to provide current information about the number of apps removed from the Android Market.

But Google answered this question in part last August in its response to the FCC's inquiry into why Google Voice wasn't approved. Back then, when the Android Market had about 6,000 apps, Google said, "Approximately 1% of all applications that have been uploaded to Android Market and subsequently made available to consumers subsequently have been taken down by Google."

If that percentage remains unchanged -- which Google wouldn't confirm -- that means about 220 out of the 22,000 or so apps in the Android Market have been removed for policy violations, only some of which have to do with security.

Typical policy violations have to do with the inclusion of adult content or the unauthorized use of copyrighted material.

However, even if only a few of removed apps are actually malicious, it doesn't take many bad apps to raise security questions. Consider that according to F-Secure, the developer account associated with the Droid09 app, 09Droid, had published almost 40 variants of his or her application, each one targeting a different bank.

Apple told the FCC last summer that it rejects 20% of the apps and updates it receives as originally submitted and that 95% of apps are approved within 14 days.

Several iPhone developers have recently noted that Apple's approval process has become faster, but Apple has not released updated figures to quantify what some developers have been observing.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.
CVE-2021-3163
PUBLISHED: 2021-04-12
A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.
CVE-2019-15059
PUBLISHED: 2021-04-12
In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords.
CVE-2021-21524
PUBLISHED: 2021-04-12
Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Cr...