Tuesday, August 17, 2010

Android: Let the mischief begin

No, this is not going to be yet another "I told you so" post. Though, as with the vulnerabilities within the MAC, I did. :) You might have heard of the spread of the MemoryUp virus on Android-powered devices. There are numerous articles mentioning it (like this one ;); let me cite one of them, from phoneArena:
"As strange as it may seem, a lot of users have complained of the MemoryUp app..."

What is so strange about this? Android's security model is an open invitation to malware authors: anyone can write an application and distribute it freely on Android Market. The catch is that although every application must be signed, the signing certificate need not be certified by a Certificate Authority. In other words, you can self-sign your own application. Accountability is lost.
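To make the self-signed versus CA-issued distinction concrete, here is a small check (an added example, not code from the original post) that classifies a signing certificate as one or the other. It assumes the openssl command-line tool; both the developer certificate and the tiny CA it uses are constructed on the fly in a temporary directory, standing in for a certificate you would otherwise extract from an APK's META-INF signature block.

```shell
#!/bin/sh
# Added example: tell a self-signed signing certificate from a CA-issued one.
# Assumes the openssl CLI; every certificate below is constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the kind of certificate a developer makes in seconds
# and that Android accepts as an app signer. Prints the file path.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Developer" \
    -keyout "$WORK/dev.key" -out "$WORK/dev.pem" >/dev/null 2>&1
  echo "$WORK/dev.pem"
}

# Constructed sample 2: a tiny CA and a developer certificate it issues,
# i.e. a signer that someone else has vouched for. Prints the file path.
make_ca_issued() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Developer" \
    -keyout "$WORK/app.key" -out "$WORK/app.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/app.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/app.pem" >/dev/null 2>&1
  echo "$WORK/app.pem"
}

# Self-signed means the certificate verifies under its own key: trust the
# file as the only CA and ask openssl to verify it against itself. A CA-issued
# certificate fails because its issuer is not in that one-file trust store.
# (Comparing issuer and subject names is only a hint; this is the proof.)
classify_cert() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Usage: classify_cert "$(make_self_signed)"   -> self-signed
#        classify_cert "$(make_ca_issued)"     -> ca-issued
```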

"We’re more worried about the fact that such a harmful application has found its way to Android Market and has stayed unnoticed until now."

That's exactly how Android Market works. I'm surprised that you're surprised. Anyone can write and freely distribute their own programs, which may even be malware. Signing ought to prevent mass virus distribution, as long as the signing certificates are certified by CAs (so that authors can be traced back and stopped from continuing their malicious activity). Sadly, that is not the case; see above.

"If it has managed to creep inside, wouldn’t there be a chance for others?"

It's not a question; I'm sure there will be more. Even though self-signed applications are limited in what they're allowed to do, MemoryUp has shown us that this restriction is not enough.

The question is rather what could be done about this phenomenon. One option is that Google leaves it untouched: it will turn out very quickly whether a program is malware or not (well, unless it's a time bomb). Another alternative is to be stricter about what a self-signed app can do and to allow only properly (i.e. CA) signed programs to act freely (after the user's confirmation, of course). The strictest option would, of course, be to not allow self-signing at all. I'm sure you've noticed that the last two options mean that developers would need to pay for (CA) signing, which is against the principles of Android development.

Looking forward to Google's reaction,
