Google‘s response to a bout of Trojan-horse applications targeting its Android operating system shows how much and how little power it exerts over that platform.
The key part of Google’s latest reaction, announced in a blog post Saturday night by Android security head Rich Cannings, is the remote removal from users’ phones of applications identified as malware. These rogue applications are offered through Google’s Android Market under such sketchy names as “Hilton Sex Sound” but also more-serious monikers such “Scientific Calculator.” They can transmit a phone’s electronic identifying number and also download additional, unidentified code in the background.
Google has discussed this remote-removal feature before (see, for example, Cannings’ June blog post for Android developers) but had not used it on so many apps at once until now.
You hardly ever see an operating-system developer reach down to a user’s computer to yank an existing app and then install an update without prior notice to the user about either action.
It’s even less common to have that same developer exert so little control over what programs it distributes in its own software store. The Android Market operates on a trusted-developer model: Once you’re in, you can publish and update software at will, with users’ primary guide to an individual app’s quality being the one-to-five-star ratings and reviews left by other users.
(Reading through those assessments on the small screen of a phone quickly grows tiring. You’re better off inspecting a new app’s critiques in the Web version of the Market that Google introduced last month.)
As an Android user, I appreciate how Google isn't trying to curate the Market’s inventory in the way that Apple does with its App Store, where it’s attempting to legislate not just safety but quality with its restrictive rules for iPhone and iPad apps. I’ve heard similar thoughts from Android developers who like not having to wonder if each new release--and each patch to an existing release--will get held up in app store review limbo.
I’m okay with the risks of malware slipping through, because I know to read the reviews of a new app and, if in doubt, to look it up on other sites. That’s how I’ve always treated new applications on any computer I’ve used: Mac, Windows, Linux, Palm, whatever. You don’t just download any shiny new toy, because it might turn out to be a Trojan.
And yet: When a company hosts somebody else’s application in its own, private software store, you’re right to expect some minimal level of oversight.
Cannings’s post promises changes to the Market to crack down on malware but doesn’t define those actions: “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market.”
Over at ZDNet, my friend Steven J. Vaughan-Nichols asks the obvious question of Google: “Wouldn’t it have been better to do minimal checking on software before letting it on Android Market?” Indeed. Google doesn’t even have to require that, but if it simply offered a malware-free certification option, I suspect that many developers would gladly opt for it. They might even pay extra for that stamp of approval.
Vaughan-Nichols--who also pronounces himself “not crazy about the idea that Google, or anyone else, can reach out and rip software out of one of ‘my’ devices without my say-so”--identifies another issue with Google’s Android security strategy: its dependency on wireless carriers.
Although the current version of Android, 2.3, doesn’t have the vulnerability exploited by this malware, most Android phones don’t run it. And Google can’t make them offer updates to 2.3. Many phones haven’t even gotten an upgrade to 2.2 ,the improved release Google introduced last May.
In this situation, I recommend a skeptical approach to adding new apps. Others, such as Vaughan-Nichols, advise getting anti-virus software for the phone. But no matter what, Google needs to improve its management of its Market. As Android gets more popular, the temptation for malware authors to attack its users will only get worse.
What would you recommend Google do? Share your suggestions in the comments.