
Malicious App In Android Market

kdawson posted more than 4 years ago | from the can't-take-it-to-the-bank dept.


dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?


Congratulations, you've made it to the big time! (-1, Troll)

LostCluster (625375) | more than 4 years ago | (#30717812)

It's Droid09 software... finally, the makers of Antivirus 2009 and AntiVir have taken their software writing talents to the Android platform! Download now.

Check for the signed label! (5, Insightful)

LostCluster (625375) | more than 4 years ago | (#30717830)

This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.

Re:Check for the signed label! (3, Insightful)

RobertM1968 (951074) | more than 4 years ago | (#30717866)

Wow, second post and already we've got the "iPhone vs Android" debate started! Kudos!

That aside, or the apps Apple has had to remove aside... I'm happy with 99% of the quality control on the Android Apps.

Re:Check for the signed label! (1, Offtopic)

LostCluster (625375) | more than 4 years ago | (#30717938)

I didn't start the flame war. [collegehumor.com] It was started by the summary.

Re:Check for the signed label! (0, Interesting)

Anonymous Coward | more than 4 years ago | (#30718516)

I think it is natural to make the comparison, one of the only reasons that Apple has an advantage is because of the quality control it offers on its app store. Of course, until recently Apple didn't do any in-app checking, to find out what exactly the app was doing.

And of course you are happy, until you get your information stolen. You might not even realise it, and even when you do, it would be hard to link it to a phone application rather than one of the usual methods.

I find your comment very odd, it adds nothing to the conversation, and complains about the obvious comparison that someone made, and that everybody was thinking about. Android army or just moron?

Re:Check for the signed label! (4, Interesting)

SQLGuru (980662) | more than 4 years ago | (#30718614)

The very same argument has been made as to why the XBox online experience is better than the PS3 or Wii. With MS, the control is in place. To participate, you have to accept the control (ask those banned due to hacked boxes). It's also why the PS network is getting some level of premium status to help curtail some of the problems related to that.

Apple's control is great in terms of keeping the store "clean", but the process they put in place didn't anticipate the number of submissions, overwhelming them. Resulting in slow acceptance times, bogus rejections, etc. Someone will need to figure out a happy medium in terms of control and flexibility.

Re:Check for the signed label! (0, Offtopic)

MobileTatsu-NJG (946591) | more than 4 years ago | (#30718608)

Wow, second post and already we've got the "iPhone vs Android" debate started! Kudos!

You're surprised? You cannot picture a story about an Apple App being malicious containing +5 comments about how Android's policies would mean less damage?

Re:Check for the signed label! (3, Interesting)

sznupi (719324) | more than 4 years ago | (#30718084)

This is why we can't have nice things.

And I'm sure US cellphone carriers can't wait for more malicious apps.

Re:Check for the signed label! (5, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#30718150)

However, there is balance. Look at Ubuntu's repositories, they rarely really "reject" any applications and everything in there is more or less malware free. I can see there being a market for trusted repositories in Android also.

Re:Check for the signed label! (2, Insightful)

LostCluster (625375) | more than 4 years ago | (#30718236)

Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.

Nice feature, but most software houses see the downside.

Re:Check for the signed label! (0)

Anonymous Coward | more than 4 years ago | (#30718442)

Code review is just one level of defense in depth. In your example it's even implied that this often comes much later (possibly after thousands of downloads) than the ideal.

Put the effort in up front before the app is allowed in the store and then at least implement a form of signing so you know who you're dealing with.

Re:Check for the signed label! (4, Informative)

harlows_monkeys (106428) | more than 4 years ago | (#30718490)

Open source is another way to stop malware... not every user looks at the source, but enough curious ones will put out the warning should anything not be as it's marked.

That's commonly claimed, but there is not much evidence to back it. There just aren't enough people interested in looking at source to cover all the apps if the Android market gets as big as the iPhone market.

Re:Check for the signed label! (5, Interesting)

BronsCon (927697) | more than 4 years ago | (#30718568)

Do the Underhanded C Contest and Obfuscated C Contest ring any bells?

Even review of every line isn't enough. But it's better than what closed source can offer.

Re:Check for the signed label! (5, Informative)

davester666 (731373) | more than 4 years ago | (#30718214)

Um, no.

Apple's certification process is unlikely to uncover an app like this. Assuming the app appears to do something 'real' [which I assume it does, as people download and use it], you can have the app access a web page that tells the app if it should harvest data or not. You simply don't enable the harvesting until after Apple has accepted it into the App Store. Black box testing won't uncover it, and static program analysis is unlikely to either [short of the app obviously using restricted APIs]. And apps can poke around the system, and I think even other apps data without even needing to hardcode in paths.

Now, it might be easier for Apple to be able to trace where exactly the app came from than it is for Google...

Re:Check for the signed label! (3, Interesting)

LostCluster (625375) | more than 4 years ago | (#30718322)

And that's why certificates can be revoked, and apps can be pulled from the app store after the fact.

Re:Check for the signed label! (5, Informative)

Bogtha (906264) | more than 4 years ago | (#30718216)

This is not the case. Apple don't perform in-depth testing in this manner; they don't have access to the source code and some developers have already successfully bypassed the rules of the App Store by hiding functionality as easter eggs. It is trivial to put malicious code in an iPhone app that won't be triggered until after the application is already in the App Store. The security restrictions on what the iPhone OS lets you do don't save you from this kind of attack either; it sounds like all an equivalent iPhone app would have to do is embed a UIWebView and wait for people to enter their information.

Why bother? (4, Interesting)

MikeFM (12491) | more than 4 years ago | (#30718400)

If you really want to steal people's info just throw up a quick Magento site pretending to sell things at unlikely prices and submit a Froogle feed. Soon you'll be getting lots of orders and you can collect credit card numbers, addresses, etc to your heart's content and then disappear and repeat the process next week. Lots of people will give you their info without thinking about it.

Re:Why bother? (1)

LostCluster (625375) | more than 4 years ago | (#30718918)

Sorry, stores need crypto signatures or you get browser warnings. Does anybody turn over their banking info without seeing the SSL indications from their browser?

Re:Check for the signed label! (-1, Troll)

s4ltyd0g (452701) | more than 4 years ago | (#30718428)

Mind you apple isn't even able to perform a simple checksum to know if their update is going to brick a phone or not. I guess when it comes to getting your money though, they have all kinds of best practices.

Re:Check for the signed label! (0)

Anonymous Coward | more than 4 years ago | (#30718542)

Actually the main reason you wouldn't get this on the iPhone is it would require multi-tasking.

Re:Check for the signed label! (1)

poetmatt (793785) | more than 4 years ago | (#30718548)

likewise, thanks to apple's strict control having useful applications is also far unlikely to happen. How are those google apps going on your iphone? Oh right, you started a flamebait discussion and tried to literally equate that open development equals a lack of security. good job. Meanwhile, open development also equates to actual security, not falsely believing that apple is magically secure or likewise with windows. Security through obscurity is called delusion.

Re:Check for the signed label! (3, Funny)

PopeRatzo (965947) | more than 4 years ago | (#30718574)

This is something that is far more unlikely to happen on the iPhone

Anyone want to bet that "Droid09" has an address somewhere near Cupertino?

Don't eat the brown acid (0, Offtopic)

Suki I (1546431) | more than 4 years ago | (#30718664)

Don't eat the brown liquorice either. Garth told me.

Re:Check for the signed label! (1)

Eil (82413) | more than 4 years ago | (#30718920)

This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

There's nothing preventing a developer from slipping something nasty into an iPhone application. There are plenty of apps in the App Store that security and privacy advocates would describe as "malware." E.g., applications that forward your personal details, online behavior, location, etc to their servers or someone else's. Apple's approval process does not "vet" the code in terms of security, quality, or otherwise. The approval process is there only to enforce Apple's artificial limitations on what functions the software can perform.

Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.

The bad guys can target you regardless of whether the platform is open or closed. The trusted source thing is no guarantee that you're getting an application that doesn't pull something sneaky. It's the same "weakness" that SSL has: Just because a website has an SSL certificate doesn't mean it's automatically a-okay to give them your personal information or run their software. It's perfectly possible for a determined individual to set up a legit-looking company and website, write a website password storage application, and get it through Apple's approval process. Nobody would know until too late that the program waits for a particular date and then sends all of its collected passwords to a server hosted in a foreign country.

No sandboxing? (0)

vadim_t (324782) | more than 4 years ago | (#30717856)

Why have a certification process, when you can have sandboxing? It's not a new concept even.

I'm sure Google could figure out how to do it with say, SELinux.

Re:No sandboxing? (4, Interesting)

dumbnose (190140) | more than 4 years ago | (#30717896)

Sandboxing wouldn't help here. The app looks like your bank app. So, it just collects the information from you.

Re:No sandboxing? (5, Insightful)

LostCluster (625375) | more than 4 years ago | (#30717908)

Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.

Re:No sandboxing? (1)

Hurricane78 (562437) | more than 4 years ago | (#30718448)

Well, the original idea of the TPM was exactly that: Sandbox everything, manage every trust relationship in your system, hardware, software, whatever, and make it possible for the average user.
Of course we know what that was turned into.

But a good example is SELinux, which is not much different, except that it is entirely software. Here on Gentoo, there are SELinux policy packages for every important software. Which are kept proper for me. (Yes, it is far from perfect, but it is a start, that if extended to every app in the repository, with different usage profiles, is what I mean.)

Re:No sandboxing? (5, Informative)

slifox (605302) | more than 4 years ago | (#30717912)

Android has sandboxing, to a degree

Each app has its own user and group ID, and filesystem permissions are used to determine what data an app can access.

Additionally, apps have to declare the special permissions they require before installation, such as internet access, read contacts data, etc...

Android is way ahead in this department -- this story is simply a case of phishing: the users thought the app was a legit bank app, and they willingly gave their sensitive information to it. It's hard to prevent against that without user training, and the success of normal email/website phishing has shown that very few users are "trained" in this sense...

Re:No sandboxing? (3, Informative)

mlts (1038732) | more than 4 years ago | (#30718022)

Android already has sandboxing. Every app installs under its own user ID by default, and if it wants more permissions, it will ask the user on install, and the user can deny it.

Even if this app had no permissions whatsoever except to display on the screen and send info back to a server, it would be successful, as it made for social engineering, as opposed to having the primary function as being compromise of the Android device.
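The install-time permission review that the two posts above describe (each app under its own UID, with the permissions it wants declared up front) can be written down as a check. The following Python is an added example, not code from the thread or from Android: it reads the `<uses-permission>` entries of an AndroidManifest.xml and flags the combination worth questioning, read access to personal data together with INTERNET. The two manifests are constructed; the permission names and the `android` XML namespace are the real ones. It also shows the caveat mlts makes: a look-alike banking app that only collects what the user types needs nothing beyond INTERNET, so it comes back as "network-only" and sails through this kind of review.

```python
"""Permission review for an Android app before installation (added example)."""
import xml.etree.ElementTree as ET

# Android manifests put their attributes in this namespace: android:name="..."
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant read access to personal data (real Android names).
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
NETWORK = "android.permission.INTERNET"

# Constructed manifest 1: a "contacts backup" app that can read the address
# book and also reach the network, i.e. the combination a reviewer should question.
MANIFEST_BACKUP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.contactsbackup">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Contacts Backup"/>
</manifest>"""

# Constructed manifest 2: a look-alike banking app. It reads no device data at
# all; it shows a login form and sends what the user types, so INTERNET is the
# only permission it has to declare.
MANIFEST_LOOKALIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notmybank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="My Bank"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def review(manifest_xml):
    """Classify the requested permissions for an install-time decision.

    exfiltration-capable: reads personal data AND has network access
    network-only:         network access but no personal-data reads
    local-data-only:      reads personal data but cannot send it anywhere
    minimal:              neither
    """
    perms = declared_permissions(manifest_xml)
    personal = sorted(perms & PERSONAL_DATA)
    internet = NETWORK in perms
    if personal and internet:
        verdict = "exfiltration-capable"
    elif internet:
        verdict = "network-only"
    elif personal:
        verdict = "local-data-only"
    else:
        verdict = "minimal"
    return {"verdict": verdict, "personal_data": personal, "internet": internet}


if __name__ == "__main__":
    for name, manifest in [("contactsbackup", MANIFEST_BACKUP),
                           ("notmybank", MANIFEST_LOOKALIKE)]:
        print(name, review(manifest))
```

The "network-only" verdict is the limit of what a permission list can tell you: the sandbox stops an app from reading data it was not granted, but it says nothing about data the user hands over voluntarily, which is the whole point of the phishing app in this story.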

Sandboxing IS NOT THE ANSWER! (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#30718096)

Holy fuck. These days, whenever the topic of software security arises, some idiot chimes in with "sandboxing" as the cure.

Sandboxing HAS NO EFFECT against what is basically automated social manipulation. You can sandbox your goddamn sandboxes, and that still won't do a damn thing to change the fact that the human user is voluntarily giving away what should be very private data.

Even when sandboxing might be somewhat useful, it often just ends up interfering with normal, legitimate use. So holes are intentionally poked in the sandbox walls, so the sandboxed app can access data or perform actions that are necessary.

So take your sandboxing idea, and fuck right off.

Use an Outbound Firewall (5, Interesting)

slifox (605302) | more than 4 years ago | (#30717858)

One great app I use is DroidWall, which is a simple GUI for iptables.
I set the default outbound policy to DROP, then specifically whitelist the apps that should reasonably have access to the internet.

Since Android apps have to specifically declare the privileges they require before installation (such as ability to read contact data, internet access, etc), then it's easy to make sure that all apps that read personal data are not whitelisted, unless they come from a reputable developer (e.g. Google-made apps). Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.

I still wouldn't use my banking info on my phone regardless, since a phone is so easily losable, and locking/unlocking the data every time with a secure passphrase would probably be too inconvenient. At very most, I would only allow read access to transactions from my phone (if banks offered this), thereby limiting the amount of useful information or control a would-be attacker could gain from compromising my phone.
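The policy described in the post above, default outbound DROP with a per-app whitelist, maps onto iptables because Android runs each app under its own Linux UID, which the owner match can select on. The following Python is an added example, not DroidWall's code: it generates the equivalent OUTPUT chain and then walks that chain with netfilter's first-match semantics, so the default-deny behaviour can be checked offline without root or a device. The package names and UIDs are constructed (real Android app UIDs do start at 10000); the iptables options used (`-P`, `-F`, `-A`, `-o`, `-m owner --uid-owner`, `-j`) are real.

```python
"""Per-app outbound firewall policy (added example, modelled on the DroidWall
approach described in the post: default DROP, then ACCEPT per app UID)."""

# Constructed: packages on the device and the UID Android assigned to each at
# install time (every app gets its own Linux user; real app UIDs start at 10000).
INSTALLED = {
    "com.android.browser": 10012,
    "com.example.notmybank": 10047,   # constructed look-alike banking app
    "com.example.notes": 10051,
}

# Mobile-data interface name used for the simulation (constructed).
DEFAULT_IFACE = "rmnet0"


def build_rules(whitelist):
    """Return the iptables commands that implement the whitelist.

    The chain policy is set to DROP before anything else so there is no window
    in which the chain is open; everything not explicitly accepted falls
    through to that policy.
    """
    rules = [
        "iptables -P OUTPUT DROP",             # default deny
        "iptables -F OUTPUT",                  # start from an empty chain
        "iptables -A OUTPUT -o lo -j ACCEPT",  # apps may still talk to localhost
    ]
    for pkg in sorted(whitelist, key=INSTALLED.__getitem__):
        uid = INSTALLED[pkg]
        rules.append(f"iptables -A OUTPUT -m owner --uid-owner {uid} -j ACCEPT")
    return rules


def evaluate(rules, uid, iface=DEFAULT_IFACE):
    """Decide what the OUTPUT chain built by build_rules does to one packet.

    Walks the rules the way netfilter does: the first rule whose matches all
    succeed decides (its -j target); if no rule matches, the chain policy
    applies. Only the options build_rules emits are understood.
    """
    policy = "ACCEPT"  # iptables' built-in default until -P changes it
    for rule in rules:
        argv = rule.split()
        if argv[1:3] == ["-P", "OUTPUT"]:
            policy = argv[3]
            continue
        if argv[1:3] != ["-A", "OUTPUT"]:
            continue  # -F and anything else never matches a packet
        opts = dict(zip(argv[3::2], argv[4::2]))
        if "-o" in opts and opts["-o"] != iface:
            continue
        if "--uid-owner" in opts and int(opts["--uid-owner"]) != uid:
            continue
        return opts["-j"]
    return policy


if __name__ == "__main__":
    rules = build_rules(["com.android.browser"])
    print("\n".join(rules))
    for pkg, uid in INSTALLED.items():
        print(pkg, uid, evaluate(rules, uid))
```

Two things the simulation makes visible: with no `-P OUTPUT DROP` the chain is wide open, because iptables' built-in policy is ACCEPT; and the whitelist is only as good as the decision behind it, since an app the user believes is their bank's gets whitelisted like any other and then has exactly the network access it wanted.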

Re:Use an Outbound Firewall (5, Insightful)

dumbnose (190140) | more than 4 years ago | (#30717942)

Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.

Seriously, though, how do you communicate this to your standard, non-techie user?

Re:Use an Outbound Firewall (4, Insightful)

slifox (605302) | more than 4 years ago | (#30717998)

This app is just another vector in the long history of internet phishing attacks

The problem isn't technical, but rather lack of user training

The internet is not a safe place. If you want to use it openly, you better not be gullible and hand out your info to anyone who asks.

One solution would be to set up the phone for your non-techie friend, and whitelist all the apps that they'll need that should have internet access. Yes, this means they'll have limited use of new apps, but if they can't figure out when not to give out their bank details, they aren't sufficiently trained to safely use the internet.

Re:Use an Outbound Firewall (0, Offtopic)

LostCluster (625375) | more than 4 years ago | (#30718118)

The OSX platform has an undefeated record against viruses, but that's because any time the bad guys score they claim that the user had to approve the untrustworthy code along the way, which technically makes it a trojan horse.

Re:Use an Outbound Firewall (4, Informative)

QuantumG (50515) | more than 4 years ago | (#30718706)

Yes, but it's not just that.. it's also that Apple redefines the terms as they go along.

"It's impossible to write a virus for our platform!"
"Ok, here's one I wrote."
"That's not a virus."
"Oh really? How do you figure?"
"It requires user help to move from machine to machine."
"Uhhhh... yes, that's what a virus is."
"No, it has to move from machine to machine without user intervention to be a virus."
"No.. that's a worm.. as has been clearly defined since the Morris worm."
"We call it a virus."
"You're idiots. This is a virus and it is trivial to write them for your platform. In fact, it's easier to write viruses for OS X than any other platform, as there's literally dozens of ways to load code into every running process simultaneously."
"We disagree."

and so on.

Apple, they believe their own hype and they're willing to deny reality to maintain that belief.

Re:Use an Outbound Firewall (1)

ducomputergeek (595742) | more than 4 years ago | (#30718154)

This happens enough, the carriers will quickly move to take back control of the handsets with their own "software" in the guise of consumer protection just like they have been. I can see a day where the new Verizon "SafeDroid" runs a firewall that blocks everything by default, for user safety of course. Oh, want to run turn by turn navigation, that will be $15 a month please. Want to unlock this app, $5 a month please.

It may be based on android, but I'll bet the carriers will move to lock it down.

Re:Use an Outbound Firewall (0)

Anonymous Coward | more than 4 years ago | (#30718244)

I own my android phone. My carrier is just my connectivity provider.

If you lease your phone from your carrier, and agree to let them have access to it -- you can blame no one but yourself.

I'm not saying it's right, but that's how it is. If you want full control, then treat your phone like a laptop and buy it yourself.

Re:Use an Outbound Firewall (1)

ScrewMaster (602015) | more than 4 years ago | (#30718280)

If you want full control, then treat your phone like a laptop and buy it yourself.

I agree, but unfortunately that's only viable if carriers allow phones on their network that they don't provide.

Re:Use an Outbound Firewall (0)

Anonymous Coward | more than 4 years ago | (#30718298)

I'd like that, but some carriers [1] will refuse to have any devices on their network unless it is something they sold, and thus have full control of what is put on their phone. Of course, you can reflash, but I'm sure if a carrier wants to keep control, they would have some way of detecting if someone is doing something their flash doesn't allow, and then ban the IMEI number from connecting to their network on the grounds of "the device has been tampered with, and is now not safe or authorized to use our trusted connections".

[1]: This is not likely to happen with GSM carriers, because people can switch out SIM cards and devices change so fast. However, CDMA networks where a user has to call up customer support in order to get a phone put on an account (no R-UIM cards), this isn't too farfetched because the provider has absolute control if a device is allowed to communicate or not.

Re:Use an Outbound Firewall (1)

maxume (22995) | more than 4 years ago | (#30718532)

net10 buys time on AT&T and T-Mobile towers, and they manage to lock sim cards to individual devices.

Re:Use an Outbound Firewall (1)

Thinboy00 (1190815) | more than 4 years ago | (#30718254)

Want to unlock this app, $5 a month please.

If Verizon does that, AT&T will be quick to point it out in the ads. Somehow, I don't think Verizon is quite that stupid, although I could be totally wrong.

Re:Use an Outbound Firewall (1)

mmurphy000 (556983) | more than 4 years ago | (#30718062)

I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation)

I'm sure you know this, but for other readers of your post -- just as there is a permission to read contacts and such, there is a permission apps have to request to gain access to the Internet. So, at install time, you can read through the list of requested permissions and take appropriate action. For example, I rarely install ones that ask for my contacts and for the Internet, even presumably reputable apps like the Evernote client.

What you can't do is later change your mind (other than to uninstall the app) or selectively grant permissions. Your iptables trick lets you change your mind on the Internet permission, in effect.

Re:Use an Outbound Firewall (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30718130)

One caveat: Droidwall doesn't work on Android devices which don't have iptables, such as the CLIQ, DEXT, or others. So, if you don't have an HTC phone, don't bother with this app until the handset maker pushes out 2.1, or until your favorite rom cooker bakes the iptables/ipchains functionality in.

Re:Use an Outbound Firewall (0)

Anonymous Coward | more than 4 years ago | (#30718424)

Cyanogenmod FTW!

Re:Use an Outbound Firewall (0)

Anonymous Coward | more than 4 years ago | (#30718886)

Cyanogenmod is a great project. However, on a lot of devices, it is taking time to get all the drivers working on phones. Some phones like the Cliq have not even been rooted yet (AFAIK, I could be wrong), so that has to be solved, then finding the right drivers to get all the phone features working. All this, while making sure the phone is still flashable or re-flashable.

Some devices don't even have a full .shx flash yet. This means if you root it and write outside of user directories, there is no way to fix it if you scrozzle the apps or the configuration.

Re:Use an Outbound Firewall (1)

MathiasRav (1210872) | more than 4 years ago | (#30718204)

I wish this functionality was built into the OS, rather than having to do it manually (for example, a way to disallow internet access during installation) -- but at least it's doable on Android. I don't think any other phone platforms give this level of permission separation or control. I'm not so sure that app review would really fix the overall problem; it might catch the obviously-malicious phishing apps like in this story, but I bet that the app auditors' opinion on what is a privacy violation differs greatly from my own.

To be fair, as a developer I would much prefer the all or naught policy that Android enforces - the user basically has to check out the app, see if what it wants to access corresponds to what it's supposed to do, and if not, don't install the application. You're only asking for trouble and bogus bug reports when you let the users deny access to core functionality at their own whim, and if that was the case, the developers would ideally have to spend much more time on graceful degradation in case access to feature x is denied.

However, this brings up the problem of peer pressure (for lack of a better term) - what if the app in question has a really useful feature or it's otherwise important to you, yet it makes ridiculous claims in the list of built-in functionality access?

With smart, non-spontaneous users (i.e. non-users), that wouldn't be a problem because of market forces - the app requires access to data it's not supposed to need, so no one installs it, it doesn't gain popularity, and the developer has to lose the unnecessary privileges to release an app that instead gains popularity. However, that's clearly not what's going on in the Android app market as it is. Internet connectivity is in my experience the most common privilege requested when it's not needed. Often (I suspect) it's for apps that simply need to fetch advertisements to display, even though the base app functionality shouldn't require access to the Internet.

Oh well. I have nothing to hide, so it's not my problem, is it?

Re:Use an Outbound Firewall (4, Interesting)

Anonymous Coward | more than 4 years ago | (#30718378)

Any app that can read my contacts data, my calendar, my email, etc, is sure as hell not getting internet access for "usage statistics" or whatever other lame excuse they give.

Usage statistics are the only reliable way to get real feedback about how actual users interact with the software (short of having a horde of QA testers that we can't afford). Some of the more useful things that my apps track (anonymized and with the terms stated clearly on install with an opt-out):

(1) Which settings are most often changed, and to what. This helps us put the most-changed settings near the top and set better defaults. If a setting is changed back and forth a lot, that usually tells that the UI needs a widget to control that behavior.

(2) Which functions are used most or used most together. This helps organize the UI in accord with the most common usage patterns. Many times, we will see that users do the same clusters of things over and over and that lets us combine those into a single task in some fashion.

(3) What functions/options are almost never used, especially ones we had imagined would be useful. This is usually a sign that we have either totally dropped the ball on implementation or interface or that we don't understand the user's workflow.

I will admit that this is largely a matter of trust between the developer and the user -- I really can't blame users that opt-out or firewall us because they really don't have a reason to trust us. That said, such distrust does deprive us of very important data that we use to improve our products. I just want to express my deep appreciation for all the users that have let us have their usage statistics -- we really do read and act on them!

Re:Use an Outbound Firewall (1)

farble1670 (803356) | more than 4 years ago | (#30718808)

in this case, if you downloaded an app that you thought was a legit banking app, you would have just added it to the whitelist.

An iPhone-like process? (2, Insightful)

bcmm (768152) | more than 4 years ago | (#30717874)

An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

Re:An iPhone-like process? (2, Insightful)

broken_chaos (1188549) | more than 4 years ago | (#30717956)

How about "Linux-distro style vetting process"?

Impossible, unless all apps are required to be open source (which would not be popular with many commercial developers). I'd even bet a large number of commercial developers would even be annoyed enough to stop developing for Android's app store if required to turn over their complete source code only to Google employees for review -- Apple doesn't even require this for their app store.

Re:An iPhone-like process? (4, Informative)

mounthood (993037) | more than 4 years ago | (#30718120)

How about "Linux-distro style vetting process"?

Impossible, unless all apps are required to be open source ...

Not true. You can have binary only repositories. Ubuntu 9.10 has a "partner" repository from which you can install Flash, and interestingly, you can add it to your sources list by clicking a link in Firefox.

Re:An iPhone-like process? (2, Insightful)

LostCluster (625375) | more than 4 years ago | (#30718392)

So who do you let into the "partner" program without being called biased against a "too small" programming shop?

Re:An iPhone-like process? (2, Informative)

bcmm (768152) | more than 4 years ago | (#30718326)

Not all Linux distros package only open-source software.

Re:An iPhone-like process? (1)

broken_chaos (1188549) | more than 4 years ago | (#30718696)

Then what is a "Linux-distro style vetting process", if not relating to the hundreds of eyes on the source of most programs?

Re:An iPhone-like process? (0)

Anonymous Coward | more than 4 years ago | (#30718876)

Then how does Apple make sure there's no malicious software in their app store?

Re:An iPhone-like process? (0)

Anonymous Coward | more than 4 years ago | (#30718916)

Shut up! Awesome idea. And if the commercial guys don't like it- they can go stick it where the sun don't shine and be cut out of the market. It'll leave us open source commercial developers to make more $$$.

Re:An iPhone-like process? (4, Insightful)

LostCluster (625375) | more than 4 years ago | (#30717966)

iPhone's vetting process has an "AT&T doesn't like it, so Apple will deny" clause that the jailbreak stores don't. Apple then claims that jailbroken apps could be trojans that will overload AT&T's network.

Google seems to be taking a "we'll do what we want and carriers can't stop us" attitude. Good luck with that.

Re:An iPhone-like process? (1)

Sulphur (1548251) | more than 4 years ago | (#30718172)

iPhone's vetting process has an "AT&T doesn't like it, so Apple will deny" clause that the jailbreak stores don't. Apple then claims that jailbroken apps could be trojans that will overload AT&T's network.

Can apps grow up to be Trojans?

Re:An iPhone-like process? (3, Insightful)

farble1670 (803356) | more than 4 years ago | (#30718822)

iPhone has youtube and pandora among many other apps that have very high network usage. sort of shoots a hole into the theory that AT&T is rejecting based on potential network overload.

Re:An iPhone-like process? (4, Interesting)

mounthood (993037) | more than 4 years ago | (#30718038)

An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

Multiple repositories solve part of the problem, but more than just vetting the repository as a whole we need to score/rank/blacklist/require individual applications and authors. What friends think of an application is much more important than the "average" score of everyone. IT departments need to add/update/remove applications for workers' phones, but also let the end user manage applications. Ban lists need to be available in a form that lets the end user (or their tech. support) decide what to trust.

It's amazing that such a big industry has such crappy tools to manage applications. Making things "just work" for the end user does not need to mean a monopoly or tyrant controlling the (only) store.

Re:An iPhone-like process? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30718234)

Even with vetting, it still won't keep a truly determined and malicious attacker away. Say someone makes an app that is popular and releases to the Android market. The only odd thing is that it asks for a lot of permissions. Lots of people download it, and it gains a cool buzz with nobody having problems with it, except for people who wonder about the huge amount of perms asked. But eventually people get to shrugging and continuing.

Then the app maker releases an update and slings in the malicious code. It copies off the address book to a remote site to sell to targeted phishers. It sends text messages to shady places subscribing the phone network holder to numerous charge-by-month "services" (akin to the old modem dialers). It spawns a botnet client which can be used for spamming. It intercepts other apps to obtain their stored usernames and passwords which are used for ID theft attacks (the bogus "hey bud, I'm stuck, could you wire me $500?" which a lot of people on social networks fell for.)

So, even though Android has a very good priv model, in theory, it can still be stung by someone who drops in their malware at a later date.

Re:An iPhone-like process? (2, Insightful)

QuantumG (50515) | more than 4 years ago | (#30718046)

No, the iPhone vetting process is unashamedly "that competes with us, denied!"

Re:An iPhone-like process? (4, Insightful)

A1rmanCha1rman (885378) | more than 4 years ago | (#30718344)

An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

The iPhone vetting process is closer to Slifox's "error on the side of caution" method on his outbound firewall, with the default being set to DROP (deny the app), followed by a specific whitelist (approved apps subject to continuous monitoring for "good behaviour").

Quite a number of approved apps in the iPhone App Store have been caught out doing naughty things like accessing and sending "home" users' Contacts - email addresses, phone numbers and home/work addresses - where they really had no business requiring such information for their function (battery charge display apps, games etc) and have promptly been expelled from the app store - quite rightly in my opinion.

The price of true freedom is eternal vigilance, not laissez-faire do-what-you-please laxity...

Applications, applications, applications... (-1, Troll)

BertieBaggio (944287) | more than 4 years ago | (#30717914)

There sure are a lot of mentions of the word "applications" in the summary.

http://img34.imageshack.us/i/applications.jpg [imageshack.us]

I know, it's just serendipitous rendering on Chrome's part, but part of me wants to believe that the submitter was actually channelling their inner Ballmer.

Re:Applications, applications, applications... (0)

LostCluster (625375) | more than 4 years ago | (#30718008)

It's the new buzzword. Everybody who's got data now seems to have an API, which stands for Applications Programming Interface. Programmers use the interface to make... applications. And that's where that word comes from.

Re:Applications, applications, applications... (0)

Anonymous Coward | more than 4 years ago | (#30718088)

Application, you mean an Apple program for the iPhone... right? And API is Apple Program Interface, duh. You should keep up with the worldz you old fossil.

Apple's store ain't much better (2, Informative)

Anonymous Coward | more than 4 years ago | (#30717958)

Apple's policy ain't foolproof either. I found an app designed for validating stolen credit cards, marketed to Romanian hackers:

http://rationalitate.blogspot.com/2009/12/credit-card-stealing-app-in-apples.html

Re:Apple's store ain't much better (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30718068)

You are a fucking moron.

The app in question doesn't do anything illegal. It is a simple database lookup and checksum utility. It uses the first 6 digits to look up the credit card issuer and then checksums the rest of the numbers to tell you if the number COULD BE valid.

Before the advent of simple payment gateways, this was the primary method for catching user entry errors at the point of online sale.

Re:Apple's store ain't much better (2, Informative)

nneonneo (911150) | more than 4 years ago | (#30718348)

The app by itself is not illegal -- it uses publicly available information to "parse" a credit card number, and the algorithms which determine the validity of a set of 16 credit card digits are pretty well-known by now. What the app probably cannot tell you is whether the card actually belongs to someone.

The description also doesn't outwardly suggest that the app was "marketed to Romanian hackers". Basically, there's nothing in the app description or screenshots to suggest that the application, which uses only publicly available knowledge, violates any of the terms of Apple's app policy.

Re:Apple's store ain't much better (1, Informative)

LostCluster (625375) | more than 4 years ago | (#30718436)

Knowing the number-crunching formula for credit card validation is a one-way result. A "reject" is 100% certainty that the card can't be valid. A "pass" simply means the number could be valid, but doesn't give you any clue that the number will work when you try to use it. Pass too many bad account numbers to be processed, and you'll be noticed.
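As an added example (not the app's code and not from the thread), the two checks the comments above describe: a Luhn mod-10 checksum and a first-digits issuer lookup. The prefix table is a small constructed stand-in for a real BIN database; the numbers used in the comments are well-known test numbers, which is exactly the point: they pass the checksum while belonging to nobody.

```python
"""Luhn check plus issuer-prefix lookup (added example, not the app's code)."""
from typing import Optional

# Constructed, minimal prefix table. A real BIN table has thousands of rows
# keyed on the first six digits; these few prefixes are just for illustration.
ISSUER_PREFIXES = {
    "4": "Visa",
    "34": "American Express",
    "37": "American Express",
    "51": "MasterCard", "52": "MasterCard", "53": "MasterCard",
    "54": "MasterCard", "55": "MasterCard",
}


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check.

    The check exists to catch entry errors (every single-digit typo and
    nearly every adjacent transposition); it says nothing about whether
    an account with this number was ever issued.
    """
    if not number or not number.isdigit():
        return False  # empty input or non-digit characters: cannot be a PAN
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9        # equivalent to summing the product's two digits
        total += d
    return total % 10 == 0


def issuer_for(number: str) -> Optional[str]:
    """Longest-prefix match against the constructed issuer table."""
    for length in (6, 5, 4, 3, 2, 1):
        name = ISSUER_PREFIXES.get(number[:length])
        if name:
            return name
    return None


def classify(number: str) -> str:
    """A 'reject' is certain; 'could be valid' is all the checksum can promise."""
    if not luhn_valid(number):
        return "reject"
    issuer = issuer_for(number) or "unknown issuer"
    return f"could be valid ({issuer})"


if __name__ == "__main__":
    # 4111111111111111 is a published Visa test number: passes, yet not a live account.
    for pan in ("4111111111111111", "4111111111111112", "378282246310005"):
        print(pan, "->", classify(pan))
```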

Attaining Ignition For Android Depends On It (0, Offtopic)

zubinwadia (1355675) | more than 4 years ago | (#30717988)

More details here: http://zwadia.com/?p=125 [zwadia.com]

Nothing new here (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30718048)

From time immemorial, bazaars have had pickpockets.

The FBI should be notified first (0, Troll)

The FBI (1717712) | more than 4 years ago | (#30718056)

Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised.

The FBI should be notified first and then in cooperation with your mobile provider we will work with you to resolve this issue, but do not remove any applications, they are considered evidence and may assist us in our investigation.

How will app vetting help? (1)

aussersterne (212916) | more than 4 years ago | (#30718094)

Apple's app store is already full of apps that require the creation of an account with a username and password. That's part of the value proposition of the technology platform: always-on synchronization between device and cloud.

In a significant portion of cases I imagine this means that users have a single username/password pair that they have used to create dozens of accounts with services around the web. The fact that the app has been vetted and functions exactly as promised does not mean that there is not also someone on the "service provider" end of things collecting all of those username/password pairs for more nefarious purposes.

It doesn't even have to be a phish for it to be a security issue. But so long as we do the username/password pair thing, this will remain a vulnerability for the general public, and no amount of "app vetting" can fix it.

Re:How will app vetting help? (1)

LostCluster (625375) | more than 4 years ago | (#30718176)

Because Apple's vetting has a step in it where they verify the identity of the author. Pull that trick, and people will wonder why their accounts were compromised, and surveys of the users will find that everybody affected used your app. Go to jail, go directly to jail, do not pass go, do not collect $20.

Re:How will app vetting help? (1)

Thinboy00 (1190815) | more than 4 years ago | (#30718288)

Because Apple's vetting has a step in it where they verify the identity of the author. Pull that trick, and people will wonder why their accounts were compromised, and surveys of the users will find that everybody affected used your app. Go to jail, go directly to jail, do not pass go, do not collect $200.

FTFY. I don't believe that the great recession has been quite that bad.

Re:How will app vetting help? (1)

thatkid_2002 (1529917) | more than 4 years ago | (#30718230)

Do you think that apps added to Linux distribution's repositories aren't vetted at all?
Stop. Breathe. Think about it for a second.

If you want to be free (1)

Duradin (1261418) | more than 4 years ago | (#30718136)

If you want to be free, be free. But then get checked every three months and you probably shouldn't give out your real address and phone number to anyone you're being free with.

Re:If you want to be free (4, Insightful)

ducomputergeek (595742) | more than 4 years ago | (#30718222)

Tragedy of the Commons comes to mind here. People around here like to bitch about Apple's policies with their app store, but I understood the reasoning behind it from the beginning. The average consumer doesn't know better. A cute app that is malicious can spread to millions of users before someone wises up. And it only takes one or two to make people fearful of the platform.

It will be fun to see if the carriers take advantage of this and try to get control over the handsets back in their court as opposed to that of Google. If it happens a couple more times, I can see the Verizon App store popping up and a Verizon UI required on all Android phones that only allows users to use their store. And I'm sure a lot of the apps will require extra "monthly" fees.

Re:If you want to be free (2, Interesting)

mlts (1038732) | more than 4 years ago | (#30718458)

What I can see is that carriers would have their own Android app stores, similar to how one carrier in the US used to require not just Microsoft code certificates on signed executables, but the carrier's as well. If the app wasn't signed by a certificate either from the carrier, or a key allowed by the carrier, the app won't install on the phone. Of course, the certs can be yanked at a moment's notice.

Droid09 is Apple shill? (0, Troll)

trafic_man (774311) | more than 4 years ago | (#30718190)

The question needs to be asked. Would a shill for Apple create tainted Droid applications to discredit Google? First Post! Please go easy on me, I have been reading /. for over 5 years and this is my first post!

Re:Droid09 is Apple shill? (0)

Anonymous Coward | more than 4 years ago | (#30718242)

Yeah, and maybe get a few bank accounts for their trouble

Re:Droid09 is Apple shill? (0, Offtopic)

LostCluster (625375) | more than 4 years ago | (#30718300)

This flies just as well as me posting the rumor that Psystar was funded by the major computer makers to destroy Apple and Microsoft if they got in front of a crazy judge that believed their arguments.

Re:Droid09 is Apple shill? (1)

Qlither (1614211) | more than 4 years ago | (#30718588)

I can see why it would make sense, however it seems more likely someone is out for a quick buck. It is a new platform and just needs time to get on its feet.

I am just thankful it was not a virus or something a person with a shred of common sense would fall for.

Re:Droid09 is Apple shill? (1)

mgblst (80109) | more than 4 years ago | (#30718688)

Paranoid much?

And anyway, what difference does it make? Do you think it is only Apple shills who can do bad stuff here? How ignorant are you?

Reserved words? (2, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#30718200)

What if the Android market would reserve a few words for only legitimate organizations? For example, apps would need to be certified to appear in an online banking part of the store, and there would be no certification other than Google contacting the company and making sure this is the app they made. For example, if someone submits an app with "Bank of America" in the description (or something) the Android market puts a big red heading saying "This app was not developed by Bank of America, do not give out sensitive financial details over the app"? It isn't restrictive because it still is open development, yet it weeds out phishing apps.

Re:Reserved words? (3, Insightful)

LostCluster (625375) | more than 4 years ago | (#30718266)

"Bank of America" is already a reserved word under trademark law. You could say that "bank" is a reserved word, but then you'll accidentally block "iBank" and such. Such problems.

Re:Reserved words? (1)

Darkness404 (1287218) | more than 4 years ago | (#30718796)

Under trademark law doesn't mean crap on the internet. I'm going to fill this post with trademarked words.

Nintendo, Sony, Apple, Microsoft, Facebook, Philips, HP, AMD, Intel, Final Fantasy, Square-Enix, Wii, Pepsi, Coke, Compaq, Logitec, Halo,

Now, when someone would search for these, my post might come up (yeah, unlikely, but I suppose it's possible), same with the Android marketplace. If I put on a description "This app lets you use Twitter" it's no different than an app that says "This app lets you sign in and pay bills online using your Bank of America account". Only for the banking one Google would flag it, not censor it, but would say that it's not made by the company. Though I don't have an Android device handy, I don't think Google would forbid me from putting trademarked words in app descriptions (or even titles), making phishing easier.

The fact that something is trademarked might be a problem to a legitimate small, medium or large sized company, but for an individual person running a scam, it doesn't mean anything.

Re:Reserved words? (0)

Anonymous Coward | more than 4 years ago | (#30718398)

Phishing may not be solved. Also, I can imagine multiple entities with the same name in different countries, etc. etc.

Separate passcode locked to a verified device (4, Interesting)

beakerMeep (716990) | more than 4 years ago | (#30718314)

One of the things my bank does for their mobile banking application (which is contracted out to another company) is to give you a special code that is akin to an extra "mobile password." You get this code from the bank's website after putting in your mobile phone number. You then must enter it on your phone and "activate" that phone to access your account. At any time also, you can go into the website and "deactivate" the device. At no time do you ever enter your banking login details into your phone; only this special code, which is tied to your phone number, mobile OS, and carrier (and that you can deactivate at any time), is entered into your phone.

It's not perfect security, but it certainly puts up a few more decent hurdles against phishing.

Re:Separate passcode locked to a verified device (0)

Anonymous Coward | more than 4 years ago | (#30718820)

The nice thing about Android is that it allows installs of code outside the app store. The bank (via their SSL servers) can give you a link to their app on the app store, or allow direct download of it from their servers. This way, one knows it came from a trusted source.

I like the idea of having a "trusted" repository. Maybe it would work -- have a preapproved section (where it would cost a certain amount of cash for an app developer to put an app in, but the app would be vetted and approved.) My concern is that this will fork things, and create two tiers of apps, "premium" big-cash apps, and everything else.

Re:Separate passcode locked to a verified device (2, Insightful)

LostCluster (625375) | more than 4 years ago | (#30718898)

That prevents the problem of somebody bringing in a mobile device and claiming to be you... but doesn't stop you from giving your main password to a false app that asks for it.

Precedented (1)

pgn674 (995941) | more than 4 years ago | (#30718342)

It wouldn't be unprecedented, as the Internet has places like SnapFiles and CNET for multiple operating system verified-OK application download hosting.

Re:Precedented (1)

LostCluster (625375) | more than 4 years ago | (#30718468)

CNET is a good fact-checking group, but they've fallen for tricks in the past. They're quick to put out a loud warning when they get tricked and figure it out, but they aren't perfect.

Boring (1)

ascari (1400977) | more than 4 years ago | (#30718464)

When I saw "android market" I had visions of Star Wars and little Anakin. Turned out to be about some stupid phone. Yawn.

Still early. (0)

Anonymous Coward | more than 4 years ago | (#30718610)

With Droid marketplace(s) just starting to gain traction I don't feel this is a big deal. I'm sure the handset manufacturers and Google have a roll-out plan for "validating" Droid apps. The real question will be the "how" they do this as opposed to "if" or "when".

The entire Droid program is a great success and I'm positive that Google will have an innovative approach to vetting applications that will both protect users and yet give developers the free rein they need to continue to innovate.

I would also argue that most Droid users are more tech savvy and would be harder to fool with malware or fakeware. In contrast, I would argue that the average iPhone user is less aware of the threats that abound and simply trusts that Apple will somehow protect their user experience.

old problem new platform (3, Insightful)

mjwx (966435) | more than 4 years ago | (#30718788)

This is just the same old phishing attack moved to a new platform. This is no different than directing web users to a fraudulent banking site.

The fault here lies primarily with the user, but seeing as we can't force the users to be smarter, the onus for defeating this attack falls on the bank. Banks can do a variety of things to prevent such phishing attacks from working, such as using 2-factor authentication and One Time Passwords. OTP works best when being used for transactions rather than logins; my bank will SMS me a code when I want to make a transaction to another account, so even if a phisher has my password, they need my phone to do anything (plus this is a dead giveaway that a phisher has gained my password). Banks could also issue a private key to official applications and block any application that does not have the key (granted this is less useful and may be easily defeated).

iPhone-style lockdowns will not work, as they do not address the real problem of phishing and only serve to limit the platform. This isn't a fault with Android; it requires the user to initiate the attack, nor is it self-replicating.
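The per-transaction OTP described in the comment above, as an added example written from the bank's side (not the commenter's bank's code; the device secret, payee format and nonce are constructed assumptions). Binding the code to the payee and amount is what makes a code phished for one transfer useless for any other, and a code that arrives when the user made no transfer is the giveaway the comment mentions.

```python
"""Transaction-bound one-time code (added example, bank-side logic assumed)."""
import hashlib
import hmac
import secrets

# Constructed per-enrolled-phone secret; a real bank provisions this at device activation.
DEVICE_SECRET = b"constructed-secret-for-one-enrolled-phone"


def transaction_otp(secret: bytes, payee: str, amount_cents: int,
                    nonce: str, digits: int = 6) -> str:
    """Derive a short code from the transaction details with HMAC-SHA256.

    The payee and amount are part of the MAC input, so the code only verifies
    for exactly this transfer; the nonce makes each attempt single-use.
    The truncation step mirrors the dynamic truncation of RFC 4226 HOTP.
    """
    message = f"{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def start_transfer(secret: bytes, payee: str, amount_cents: int) -> tuple[str, str]:
    """Bank creates a pending transfer: returns (nonce to store, code to SMS).

    The code goes to the enrolled phone out of band; the caller never sees
    it through the channel where the password was entered.
    """
    nonce = secrets.token_hex(8)
    return nonce, transaction_otp(secret, payee, amount_cents, nonce)


def verify_transfer(secret: bytes, payee: str, amount_cents: int,
                    nonce: str, submitted: str) -> bool:
    """Bank checks the code the customer typed against the pending transfer."""
    expected = transaction_otp(secret, payee, amount_cents, nonce)
    # constant-time compare so a wrong code leaks nothing about the right one
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    nonce, code = start_transfer(DEVICE_SECRET, "ACME-SAVINGS-0001", 25_000)
    print("SMS to enrolled phone:", code)
    # Same transfer verifies; the same code re-used for a different payee does not.
    print(verify_transfer(DEVICE_SECRET, "ACME-SAVINGS-0001", 25_000, nonce, code))
    print(verify_transfer(DEVICE_SECRET, "MULE-ACCOUNT-9999", 25_000, nonce, code))
```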

My vetting process is simple. . . (4, Insightful)

JSBiff (87824) | more than 4 years ago | (#30718806)

Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*? I'm only gonna do online banking from the website or apps provided to me directly from my bank. I'm not gonna download anything from the Android market, from some random user, and do banking with it. Who thinks that it's a good idea to do 'banking' with an app by a random developer? I mean, *maybe*, maybe if it was someone large and established, like IBM, Google, Microsoft, or Apple, I *might* consider using third party software, but certainly not anyone I've never heard of before.

um...I tried to post this story last week (1)

stephen.schaubach (156426) | more than 4 years ago | (#30718856)

http://slashdot.org/submission/1146708/mobile-phone-banking-apps-for-fun-and-profit?art_pos=2 ...writes "While checking out Google's Android app store I searched for a banking app to use with my bank. I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure, but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It's hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it's representing. It makes me wonder what other apps are out there mining people's personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia's Free Anti-Phishing app or mobile Safari's similar feature wouldn't protect the mobile user from an application doing something via code behind the scenes. Perhaps only a code walk-through or a legit certificate would remedy this situation. Any thoughts?"
