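This page is an excerpt and archive of the corresponding post on 未名空间 (MITBBS); posts less than a week old show at most 50 characters, and posts more than a week old show 500 characters.
PDA board - Google's Android Market web store opens new malware threat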
c*******9
Posts: 9032
1
Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.
Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.
However, just days later security firm Sophos has issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.
Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.
What if somebody else installs an app on your account?
Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.
Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.
However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the users' back, Android users must now be extra vigilant to monitor what apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.
In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.
Fishing for Passwords
Android's new security problem requires users' passwords to be intercepted by a malicious third party. Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.
The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder to guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases using new devices unless they have the accounts' full credit card information.
In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.
"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."
Oops I did it again
"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating the security meltdown similar to the one Microsoft faced with Windows XP.
http://www.appleinsider.com/articles/11/02/06/googles_android_m
threat.html
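The article says users must monitor what is installed on their phone because nothing on the device announces a remote install. The following is an added example, not part of the original post or the article: it compares two package inventories and lists apps that appeared since the baseline, highlighting the permission types the article mentions. It assumes the inventories are saved output of `adb shell pm list packages -i`; the package names, snapshots and permission lists are constructed sample data.

```python
import re

# Permissions matching the article's examples: paid SMS, location, personal data.
RISKY = {
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Assumed line shape: "package:<name>  installer=<installer-or-null>"
LINE = re.compile(r"^package:(?P<pkg>\S+)(?:\s+installer=(?P<inst>\S+))?\s*$")

def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer or None}."""
    inventory = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            inventory[m.group("pkg")] = None if inst in (None, "null") else inst
    return inventory

def review_new_installs(baseline_text, current_text, requested_perms):
    """Return one finding per package present now but absent from the baseline."""
    baseline = parse_pm_list(baseline_text)
    current = parse_pm_list(current_text)
    findings = []
    for pkg in sorted(set(current) - set(baseline)):
        risky = sorted(RISKY & set(requested_perms.get(pkg, ())))
        findings.append({"package": pkg, "installer": current[pkg], "risky": risky})
    return findings

# Constructed sample snapshots (hypothetical package names).
BASELINE = """package:com.android.settings  installer=null
package:com.example.notes  installer=com.android.vending
"""
CURRENT = BASELINE + "package:com.example.flashlight  installer=com.android.vending\n"
# Constructed: requested permissions gathered separately for each new package.
PERMS = {"com.example.flashlight": ["android.permission.INTERNET",
                                    "android.permission.SEND_SMS",
                                    "android.permission.ACCESS_FINE_LOCATION"]}

if __name__ == "__main__":
    for finding in review_new_installs(BASELINE, CURRENT, PERMS):
        print(finding)
```

A remotely pushed app arrives through the store itself, so the installer field alone does not distinguish it; the signal is a package the owner does not recall approving.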