Android Security - what do you do?


Well-Known Member
I just read this article, "Smartphone apps could be sharing your private data", which basically talks about the possibility that some free apps could be harvesting info from your phone.

What can be done for security? How do you know if you have one of these apps?


Well-Known Member
Short of using only apps you've built from source after personally vetting the code, basically nothing. The panicked security stories haven't even touched on the possibility of multi-part exploits, like app #1 (with access to your contacts and /sdcard) writing them to a file, and app #2 (with access to /sdcard and the internet) reading and POST'ing it.

Free, non-opensource software will NEVER be "secure", and any perceived security for commercial software is a theatrical illusion more than anything. That's just the way it is, and the way it's always been.

Is Android Market perfect? Hell no. Far from it. The answer isn't to make it more restrictive, but to make additional information available to users (via searches, filters, and viewable parameters) so they can ignore it or use it to make more informed decisions.

Case in point: a "bank" app. Suppose you go install an app right now for Chase, Citi, or some other bank, from Android Market. What assurance do you have that it actually came from that bank and hasn't been tampered with? Yes, it was signed... but how do you view the app's cert and validate its authenticity? AFAIK, you can't. The only safe way is to download the .apk directly from your bank's website and install it... assuming, of course, that you aren't unfortunate enough to be a jailed AT&T customer who isn't allowed to do that.

At the end of the day, all you can really do is be alert. If an app is free and looks like it's "too good to be true", it probably is. Visit the author's website and sniff around. Google him. Think of him as a salesman in a bazaar, and evaluate both him and his merchandise accordingly.
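An added example, not part of the original thread: a permission audit for the two-app scenario described in the reply above, where one app can read private data and write to shared storage while another can read shared storage and reach the network. The package names and permission sets are constructed sample data, the function names are hypothetical, and a match shows only that the combined capability exists, not that the apps cooperate.

```python
from itertools import permutations

P = "android.permission."
SENSITIVE = {P + "READ_CONTACTS", P + "READ_SMS", P + "ACCESS_FINE_LOCATION"}
STORAGE_WRITE = P + "WRITE_EXTERNAL_STORAGE"
STORAGE_READ = {P + "READ_EXTERNAL_STORAGE", STORAGE_WRITE}
INTERNET = P + "INTERNET"

def direct_exfil_capable(apps):
    """Apps that hold private-data access and network access on their own."""
    return sorted(name for name, perms in apps.items()
                  if perms & SENSITIVE and INTERNET in perms)

def colluding_pairs(apps, legacy_sdcard_read=False):
    """Return (source, relay, data_perms) for every ordered pair in which
    the source can stage private data on shared storage but has no network
    access, and the relay can read shared storage and use the network.
    legacy_sdcard_read=True models old Android releases where reading
    /sdcard needed no permission (assumption chosen by the caller)."""
    findings = []
    for src, relay in permutations(sorted(apps), 2):
        sp, rp = apps[src], apps[relay]
        data = sp & SENSITIVE
        if not data or STORAGE_WRITE not in sp or INTERNET in sp:
            continue  # cannot stage data, or could already send it alone
        can_read = legacy_sdcard_read or bool(rp & STORAGE_READ)
        gained = data - rp  # data the relay could not read by itself
        if INTERNET in rp and can_read and gained:
            findings.append((src, relay, sorted(gained)))
    return findings

# Constructed sample inventory: package name -> requested permissions.
SAMPLE = {
    "com.example.flashlight": {P + "READ_CONTACTS", STORAGE_WRITE},
    "com.example.wallpapers": {INTERNET, STORAGE_WRITE},
    "com.example.notes": {STORAGE_WRITE},
    "com.example.chat": {P + "READ_CONTACTS", INTERNET},
}

if __name__ == "__main__":
    print("single-app risk:", direct_exfil_capable(SAMPLE))
    for src, relay, data in colluding_pairs(SAMPLE):
        print(f"{src} -> shared storage -> {relay}: {', '.join(data)}")
```
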