Which Android Apps Are Safe?
Friday, November 9, 2012, 4:29 PM
I have always heard stories about new Android security issues, but to be honest, I usually ignore them and chalk them up to “some guy installed a random rogue app and it stole his contact list.” Typically, my philosophy has been just don’t install random apps or apps from non-reputable sources, and you don’t have anything to worry about, but I have recently found out that many Android exploits, which take advantage of security flaws, can also be found in popular or well-known apps available from legitimate marketplaces.
In a recent study, researchers inspected 13,500 popular Android apps downloaded directly from Google Play. They discovered “security vulnerabilities related to transport layer security (TSL) and secure sockets layer (SSL)” in 8 percent of the tested apps. For those of us who don’t speak geek, this means that regular apps from reputable sources and publishers can also be infected and exploited.
The detected vulnerabilities could enable hackers to launch a man-in-the-middle (MITM) attack, which means that a “bad” application can get access to the network data and intercept sensitive information like login credentials and banking information.
Some IT staff at midsize businesses use mobile device management (MDM) software to control what apps workers can download or access in an attempt to stop their users from installing these bad apps.
The bad news, however, from the study is that even Android apps that appear safe could still be susceptible to these MITM exploits. The researchers, for example, discovered an antivirus application—one with over 1 million installs— that contains this or a similar exploit.
The problem is not to be blamed entirely on the Android OS; much of the blame can be placed on the actual app developers. Many of these vulnerabilities come from incorrect programming methods or lack of understanding when it comes to things like SSL/HTTPS and other network encryption protocols.
Regardless of who causes the problem, it is the consumers, small businesses, and organizations that are installing and using these apps that are at risk of losing confidential or personal data.
Google claims to have plans for an “app scanning” technology that will verify that specific security standards are implemented on apps distributed in the Google Play Marketplace; however, right now no one knows when or if that technology will really emerge.
Android is still getting its arm around this whole security thing, and until it is under control, I suggest that IT departments should consider limiting access to Google Play and other app stores on Android devices, and allow their users to run only pre-approved and authorized apps.
I work for ContentWatch and all opinions expressed here are my own.