c*******9 (Posts: 9032) | 1

Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.

Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.

However, just days later security firm Sophos issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.

Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.

What if somebody else installs an app on your account?

Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.

Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.

However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the user's back, Android users must now be extra vigilant to monitor what apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.

In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.

Fishing for Passwords

Android's new security problem requires users' passwords to be intercepted by a malicious third party.

Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.

The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder-to-guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases using new devices unless they have the accounts' full credit card information.

In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.

"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."

Oops I did it again

"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."

Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating a security meltdown similar to the one Microsoft faced with Windows XP.
http://www.appleinsider.com/articles/11/02/06/googles_android_m
threat.html