Gabor Torok's Forum Nokia Blog

Malware on Android: It has begun

tote_b5 | 27 January, 2009 22:46

No, this is not going to be yet another "I told you so" post. Though I did. :) You might have heard of the spread of the MemoryUp virus on Android-powered devices. There are numerous articles mentioning it (like this one ;), let me cite one of them from phoneArena:

"As strange as it may seem, a lot of users have complained of the MemoryUp app..."

What is so strange in this? Android's security model is an open invitation to malware authors: anyone can write an application and distribute it freely on Android Market. The secret is that although every application must be signed, it is not mandatory that the certificate used for signing be certified by a Certificate Authority. In other words, you can self-sign your own application. Accountability is lost.

"We’re more worried about the fact that such a harmful application has found its way to Android Market and has stayed unnoticed until now."

That's exactly how Android Market works. I'm surprised that you're surprised. Anyone can write and freely distribute their own programs, which may even be malware. Signing ought to prevent mass virus distribution, as long as signing certificates are certified by CAs (authors can then be traced back and stopped from continuing their malicious activity). Which is sadly not the case, see above.

"If it has managed to creep inside, wouldn’t there be a chance for others?"

It's not a question: I'm sure there will be more. Even though self-signed applications are limited in what they're allowed to do, MemoryUp has shown us that this restriction is not enough.

The question is rather what could be done against this phenomenon. One option is that Google leaves it untouched: it will turn out very quickly whether a program is malware or not (well, unless it's a time bomb). Another is to be stricter about what a self-signed app can do and to let only properly (i.e. CA-)signed programs act freely (after the user's confirmation, of course). The strictest option would, of course, be not to allow self-signing at all. I'm sure you've noticed that the last two options mean that developers would need to pay for (CA) signing. Which is against the principles of Android development.
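The distinction the post turns on, a self-signed signing certificate versus one issued by a CA, is something a market operator or a reviewer can check mechanically before deciding how much to trust an app. The script below is an added example, not code from the original post or from Android/Google: a stdlib-only DER walker that pulls the issuer and subject names out of a DER-encoded X.509 certificate and flags the certificate as self-signed when the two names are byte-identical. The two sample certificates are constructed inside the file (placeholder key and signature, real layout) so it runs offline; the helper names (`build_cert`, `describe`, and so on) are hypothetical.

```python
"""Tell a self-signed signing certificate from a CA-issued one (added example).
Stdlib-only DER walker; the sample certificates are constructed below."""
import sys

# ---------- tiny DER encoder, used only to build the constructed samples ----------

def der_tlv(tag, value):
    """Encode one tag-length-value element (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def der_oid(dotted):
    """Encode a dotted OID string as an OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:                                   # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def der_name(attrs):
    """Encode an X.501 Name from [(dotted_oid, text), ...], one RDN per attribute."""
    rdns = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_oid(oid) + der_tlv(0x0C, text.encode())))
        for oid, text in attrs)
    return der_tlv(0x30, rdns)

def build_cert(issuer_attrs, subject_attrs):
    """Constructed X.509 v3 shell: real field order, placeholder key and signature."""
    sha256_rsa = der_tlv(0x30, der_oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_tlv(0x02, b"\x02"))                       # version [0] EXPLICIT, v3
        + der_tlv(0x02, b"\x01")                                     # serialNumber
        + sha256_rsa                                                 # signature algorithm
        + der_name(issuer_attrs)                                     # issuer
        + der_tlv(0x30, der_tlv(0x17, b"090101000000Z")
                        + der_tlv(0x17, b"190101000000Z"))          # validity (UTCTime)
        + der_name(subject_attrs)                                    # subject
        + der_tlv(0x30, b""))                                        # subjectPublicKeyInfo placeholder
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" * 5))  # dummy signature BIT STRING

# ---------- DER reader: the part you would point at a real certificate ----------

def der_read(buf, pos):
    """Decode the element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, contents) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

def oid_to_str(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def decode_name(name_der):
    """Render a Name as 'CN=...,O=...' (unknown attribute OIDs shown dotted)."""
    out = []
    for _, rdn in der_children(name_der):                            # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):                             # SEQUENCE { type, value }
            (_, oid), (_, val) = list(der_children(atv))
            key = oid_to_str(oid)
            out.append(f"{NAME_OIDS.get(key, key)}={val.decode('utf-8', 'replace')}")
    return ",".join(out)

def describe(cert_der):
    """Return issuer, subject and whether issuer == subject for a DER certificate."""
    _, cert, _ = der_read(cert_der, 0)                               # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert))                                # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                                         # optional version [0]
        fields = fields[1:]
    issuer_der, subject_der = fields[2][1], fields[4][1]             # serial, sigAlg, issuer, validity, subject
    return {"issuer": decode_name(issuer_der),
            "subject": decode_name(subject_der),
            "self_signed": issuer_der == subject_der}

if __name__ == "__main__":
    if len(sys.argv) > 1:                                            # a real DER certificate file
        print(describe(open(sys.argv[1], "rb").read()))
    else:                                                            # constructed samples
        dev = [("2.5.4.3", "Indie Dev"), ("2.5.4.10", "Indie Dev Ltd")]
        ca = [("2.5.4.3", "Example Root CA"), ("2.5.4.6", "US")]
        print("self-signed:", describe(build_cert(dev, dev)))
        print("CA-issued  :", describe(build_cert(ca, dev)))
```

Issuer equal to subject is the quick test for a self-issued certificate; a full verifier would also check the signature against the certificate's own public key and, for the CA case, walk the chain up to a trusted root, which is exactly the accountability link the post says self-signing breaks. For an APK the signer certificate sits inside the PKCS#7 block under META-INF, so extract it to a DER file first (for instance with `openssl pkcs7 -inform DER -print_certs -in CERT.RSA`) and run the script on that file; the script examines the certificate, not the APK itself.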

Looking forward to Google's reaction,

Tote
© 2009 Nokia