Android Security

[The_app_main]

How worried are you all about security on the android platform? Don't you find it a little unnerving that anybody could upload and app to the android market and there is no verification of the app like on IOS platform. Anybody could write an app that looks legit but does devious things. All this along with there are very very few security applications and they are in the infant state. Don't you find it very dangerous? How do you try to maintain security on your android device? Don't download apps? Only download from known publishers? Or do you roll the dice and download anything? If you use a security app which one?

 

[landovr]

I always look at the comments for apps and how many downloads its had.

 

[A.Nonymous]

I always look at the comments for apps and how many downloads its had.

This. I also check out the reputability of the developer and look at the permissions the app is asking for.

 

[Glutz]

This. I also check out the reputability of the developer and look at the permissions the app is asking for.

I have an app named lookout I believe that I hope will do it's job. But,if you are concerned then go out and get angry birds.

 

[A.Nonymous]

Lookout is bogus IMO. Just the concept is silly. It scans apps you download from the Market for known malware. But Google pulls all known malware from the Market the second it's made aware of it. This makes the app basically pointless.

 

[Kaiser17]

Lookout is bogus IMO. Just the concept is silly. It scans apps you download from the Market for known malware. But Google pulls all known malware from the Market the second it's made aware of it. This makes the app basically pointless.

Exactly that's why I don't use it.. any antivirus is useless and just eats up ram and other resources.

 

[9to5cynic]

I was made aware of an Android and iPhone 'virus' during one of my classes this last week. Unfortunately, I couldn't understand anything the person said besides "Android" "iPhone" "Virus" and "Botnet"...

But I just check permissions. I look over comments. I think the lookout AV scanned for Windows signatures, so files you download from the internet are scanned with lookout to see if they have windows malware... but I could be wrong.

 

[Stuntman]

I generally rely on crowd sourcing to weed out bad apps. The user comments are a good place to start. It's good to look over the comments to see how others feel about apps.

It is also a good idea to stick with reputable sources and developers. Generally a well known app that is used by a lot of people will have a very slim chance of containing malware. Angry Birds or Facebook is most likely legit.

Also, check the permissions it asks. If a volume control app asks for full internet access, full access to your SD card or full access to send SMS messages, it is probably not legit.

I am personally not convinced that security apps for Android phones add much value in terms of preventing malware from getting on your phone. The reason is that I have read many articles about malware and Android. Although some of those articles suggest installing some type of security app, no articles I can find actually stated that such apps prevented some malware from getting onto the phone. Before I can recommend security apps for protection against malware, I need to see an independent source test security software by actively trying to install some app with malware on a phone and conclude that the security app stopped the malware.

Another reason I am suspicious of security apps is that I looked at one (I cannot recall which one) that I highly suspect to actually be malware itself. I found that some of the comments seem to be highly suspicious as if someone purposely wrote them himself to make it appear a lot of people like it.

Google does remove apps from the Android Market if it is malware. There is a mechanism that does help protect Android users.

 

[aysiu]

How worried are you all about security on the android platform? Don't you find it a little unnerving that anybody could upload and app to the android market and there is no verification of the app like on IOS platform. Anybody could write an app that looks legit but does devious things.

Do you ask these same questions of Mac users? After all, anyone can upload a .dmg file to a website that Mac users can download and drag to their Applications folders. Windows users can install any .exe file. And Ubuntu Linux users can install any .deb file.

All this along with there are very very few security applications and they are in the infant state.

So-called "security" applications offer very little in the way of actual security.

Don't you find it very dangerous?

Not really. No application can install itself without me explicitly installing it. How is that dangerous? Do I consider myself dangerous? No.

How do you try to maintain security on your android device? Don't download apps? Only download from known publishers? Or do you roll the dice and download anything? If you use a security app which one?

I follow the guidelines in this thread, and you should too:
http://androidforums.com/android-ap...ps-avoid-viruses-guide-those-new-android.html

Stop being paranoid and start being informed.

 

[Diabo]

I run DroidWall to keep apps offline that ask for internet access without needing it, and LBE Privacy Guard to tame apps that ask for too many permissions.

 

[The_app_main]

I always look at the comments for apps and how many downloads its had.

That's unfortunate for new developers like me Its a chicken and egg problem. I'm new and you won't download because nobody has downloaded the app and its just a big circle. Not saying your approach is not a good but it makes it hard for new devs like myself, not your problem though.

 

[substring]

That's unfortunate for new developers like me Its a chicken and egg problem. I'm new and you won't download because nobody has downloaded the app and its just a big circle. Not saying your approach is not a good but it makes it hard for new devs like myself, not your problem though.

Number of download is just one metric that we should use. In addition, we should also check on how long the app has been on the Android Market. If it has been there for, say, a month, and nobody has reported any problem, it should be relatively safe even though the download number is in hundreds. That's why I never download any app from unknown developer when it just come out. Yes, it can be a chicken and egg thing, but that is the only way for the consumers to protect themselves. In my humble opinion, being a developer myself (not on mobile app though), mobile app development is not a "get rich quick" scheme. It takes time to build a reputation and to build your wealth.

I won't rely too much on the user comments. Many of the comments can be entered by bots.

Frankly, you don't really need to install every app under the sun. That's why I keep saying about Apple's claims of like 100,000 app in App Store is really pointless. It is as pointless as my cable company has been telling me that I have access to hundreds of cable channels when more than 80% of them are plain garbage. It is the same thing on mobile app. The majority of mobile app on App Store and on Android Market are garbage. By installing the app that you really really need also help filtering out the malware.

Don't worry too much about security. There is no computer device that is totally safe unless it is unplugged and off the grid. Most of the security guidelines are plain common sense. You should be safe if you practice common sense.

 

[zuben el genub]

I generally rely on crowd sourcing to weed out bad apps. The user comments are a good place to start. It's good to look over the comments to see how others feel about apps.

It is also a good idea to stick with reputable sources and developers. Generally a well known app that is used by a lot of people will have a very slim chance of containing malware. Angry Birds or Facebook is most likely legit.

Also, check the permissions it asks. If a volume control app asks for full internet access, full access to your SD card or full access to send SMS messages, it is probably not legit.

I am personally not convinced that security apps for Android phones add much value in terms of preventing malware from getting on your phone. The reason is that I have read many articles about malware and Android. Although some of those articles suggest installing some type of security app, no articles I can find actually stated that such apps prevented some malware from getting onto the phone. Before I can recommend security apps for protection against malware, I need to see an independent source test secur












ity software by actively trying to install some app with malware on a phone and conclude that the security app stopped the malware.

Another reason I am suspicious of security apps is that I looked at one (I cannot recall which one) that I highly suspect to actually be malware itself. I found that some of the comments seem to be highly suspicious as if someone purposely wrote them himself to make it appear a lot of people like it.

Google does remove apps from the Android Market if it is malware. There is a mechanism that does help protect Android users.

I just checked out browsers and there's a couple that want most of those
permissions. Dolphin comes to mind. It's one of the browsers that work
on a tablet that can't do market,looks fairly decent, so checked it for the
phone - and it simply wanted too much. Tablet is wifi only.

 

[Diabo]

I just checked out browsers and there's a couple that want most of those
permissions. Dolphin comes to mind. It's one of the browsers that work
on a tablet that can't do market,looks fairly decent, so checked it for the
phone - and it simply wanted too much. Tablet is wifi only.

Dolphin permissions:

- Network communications/full internet access: no web browser would work without it
- Your location: for HTML5 sites like maps.nokia.com. Dolphin has a setting in its menu that lets you disable location.
- Read browser history and bookmarks: to import the bookmarks from the stock browser to Dolphin. You wouldn't want to add them all manually, would you?
- Storage: Without this permission you wouldn't be able to download pictures and other files to your SD card. You wouldn't be able to back up your settings and bookmarks to SD either.
- Prevent phone from sleeping: this keeps your phone running if you watch a video inside the browser (you don't tap the screen while the video is playing), or download a file in the background. You don't want your phone to fall asleep while it's downloading a hotmail attachment, and you don't want to keep tapping the screen to keep a download or a video running.
- Network communication/view network state: For obvious reasons a web browser wants to know if there's a live internet connection. If your connection dies in mid-download you don't want your browser to suck your battery dry by sending packets to a connection that doesn't exist.
- Control vibrator: Don't know why Dolphin wants to shake your phone. Feedback in HTML5 games? This is a harmless permissions that can't do any damage.
- Install shortcuts, set wallpaper: To send bookmarks to your home screen, and change your background picture when you long-tap an image and select "set as wallpaper."

Dolphin really doesn't ask for anything that a web browser shouldn't ask for. It does not read your contacts or messages, it does not read your IMEI or phone number, it does not try to close other apps or install stuff on its own. It only asks for permissions that are needed to work as a web browser. Any other browser will ask for the same things.

 

[A.Nonymous]

But I just check permissions. I look over comments. I think the lookout AV scanned for Windows signatures, so files you download from the internet are scanned with lookout to see if they have windows malware... but I could be wrong.

This is also ridiculous. A virus written for Windows isn't going to have any effect at all on Android. If you're concerned that something might jump from your Android phone to your computer, then a good AV program on your computer will prevent that. Having an AV app on your phone is pointless.

 

[arnold22]

But Google pulls all known malware from the Market the second it's made aware of it. This makes the app basically pointless.

Unless you download from other markets and APK from the web.

 

[A.Nonymous]

Unless you download from other markets and APK from the web.

Which you'll have no problems with if you use legal sources and common sense.

 

[Diabo]

All you need is one bad dev to upload something evil on a legit site like the xda forum or sourceforge. Google won't help you then, but an av app might save you.

Just because a site or market is legit doesn't mean it's safe.

 

[arnold22]

Which you'll have no problems with if you use legal sources and common sense.

Even with common sense and legal sources you can still run into trouble. Just look at other platform (Windows, Linux, Apple...)
I personally do not use lockout or some other anti virus for my phone but it does serve a purpose for some individual like those who are less tech savy.

 

[Lombardi]

Reed the number of downloads? Millions? read the comments and permissions, stay away from the deviant apps, apps that are used for doing wrong or no good, gore...
I don't have THAT many apps, the ones I have are very useful and purposeful, not just a bunch of games and spyware crud... usefulness...

 

[The_app_main]

Reed the number of downloads? Millions? read the comments and permissions, stay away from the deviant apps, apps that are used for doing wrong or no good, gore...
I don't have THAT many apps, the ones I have are very useful and purposeful, not just a bunch of games and spyware crud... usefulness...

So what would you suggest a new legit devloper like myself do? If I have 0 downloads for my first app then people like yourself won't download, therefore I won't get other downloads and I'll never look "legit" to somebody like yourself.

 

[wayrad]

All you need is one bad dev to upload something evil on a legit site like the xda forum or sourceforge. Google won't help you then, but an av app might save you.

Just because a site or market is legit doesn't mean it's safe.

The "antivirus" apps don't even get updated to detect a new piece of malware until the news has already broken. The user community at a site like xda would spot something like that in a heartbeat - while the "antivirus" developers were too busy collecting money from the Market to even know it existed.

 

[zuben el genub]

Dolphin permissions:

- Network communications/full internet access: no web browser would work without it
- Your location: for HTML5 sites like maps.nokia.com. Dolphin has a setting in its menu that lets you disable location.
- Read browser history and bookmarks: to import the bookmarks from the stock browser to Dolphin. You wouldn't want to add them all manually, would you?
- Storage: Without this permission you wouldn't be able to download pictures and other files to your SD card. You wouldn't be able to back up your settings and bookmarks to SD either.
- Prevent phone from sleeping: this keeps your phone running if you watch a video inside the browser (you don't tap the screen while the video is playing), or download a file in the background. You don't want your phone to fall asleep while it's downloading a hotmail attachment, and you don't want to keep tapping the screen to keep a download or a video running.
- Network communication/view network state: For obvious reasons a web browser wants to know if there's a live internet connection. If your connection dies in mid-download you don't want your browser to suck your battery dry by sending packets to a connection that doesn't exist.
- Control vibrator: Don't know why Dolphin wants to shake your phone. Feedback in HTML5 games? This is a harmless permissions that can't do any damage.
- Install shortcuts, set wallpaper: To send bookmarks to your home screen, and change your background picture when you long-tap an image and select "set as wallpaper."

Dolphin really doesn't ask for anything that a web browser shouldn't ask for. It does not read your contacts or messages, it does not read your IMEI or phone number, it does not try to close other apps or install stuff on its own. It only asks for permissions that are needed to work as a web browser. Any other browser will ask for the same things.

1. I might not want the same bookmarks. I might only use a browser for one site. And another browser for general.
2. I don't use maps, so I don't care. Only turn stuff on long enough for the weather sites to store it. Astronomy usually lets you add coordinates.
3. I don't save cookies and history.
4. I don't watch videos.
5. I can change the background from Gallery, I don't need wallpaper.
6. I set the permissions per site in FF. I don't have to make them permanent.
7. Wifi tells you if the connection is gone.
The other problem with wanting all this, it that things might not work right on a wifi only tablet. Some do, some don't. There is no GPS, and no network connection.

I want a stop button to stop any download dead if I don't want it. I haven't updated Skype and don't intend to. It's working, and I don't care about video calling. If I want that, my Ubuntu box does it just fine, and a larger screen to boot. Market keeps putting it in downloads and I never check it.

 

[Diabo]

If you don't want to import bookmarks Dolphin doesn't force you. If you don't enable location in Dolphin's settings it will never read them. If you don't want to save cookies Dolphin won't save them. Etcetera.

Just because you don't want to use those features doesn't make the permissions less legit. Without those permissions Dolphin would be a watered down browser that nobody would use because it'd be unable to do the things that most users want their browser to do.

Any app that gets the permissions "internet access" or "storage" can wreak havoc on your phone if it wants to. Whether it can shake your phone, set a wallpaper, or keep your phone awake to play video is irrelevant when it comes to security. The key permissions that can compromise privacy and security are required by every web browser.

 

[chanchan05]

1. I might not want the same bookmarks. I might only use a browser for one site. And another browser for general.
2. I don't use maps, so I don't care. Only turn stuff on long enough for the weather sites to store it. Astronomy usually lets you add coordinates.
3. I don't save cookies and history.
4. I don't watch videos.
5. I can change the background from Gallery, I don't need wallpaper.
6. I set the permissions per site in FF. I don't have to make them permanent.
7. Wifi tells you if the connection is gone.
The other problem with wanting all this, it that things might not work right on a wifi only tablet. Some do, some don't. There is no GPS, and no network connection.

I want a stop button to stop any download dead if I don't want it. I haven't updated Skype and don't intend to. It's working, and I don't care about video calling. If I want that, my Ubuntu box does it just fine, and a larger screen to boot. Market keeps putting it in downloads and I never check it.

1. And what of those who do want to use the same bookmarks and never want to open the stock browser again?
2. And what of those people who do use maps?
3. Again, what of people who do save history?
4. What of people who watch videos?
5. So you download, then open gallery. I can do it right on the browser without the hassle
6. Again some people are different
7. And what of people who have unlimited data plans?


Dolphin doesnt know how YOU use your browsers, but it does know how browsers work on PCs, and in trying to emulate the PC browsers' functions it needs those permissions. Just because YOU, one of thousands of people who use Dolphin dont use those features, would make Dolphin make their browser less useful to those who want those features. There are people who use dolphin to facebook instead of the app, what if they want to check-in? Each person uses their phones differently. No one cares if your usage is different from theirs.