
Why social engineering is so effective

Discussion in 'Android Apps & Games' started by ardchoille, Aug 24, 2011.

  1. ardchoille

    I just saw a post about the new android market and it includes a link to download the app from a file sharing site. I'd like to explain why this can be dangerous.

    Malware
    Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.

    File Sharing
    File sharing sites, such as Megaupload, offer apps that are easy to download and install. The downside to this is you don't know what's inside the app and these sites rarely, if ever, decompile apps and check them for malware. The apps these sites offer could be laced with code that grabs your every keystroke (SSN, mother's maiden name, etc.) and sends the information to an identity thief.

    It's not difficult to decompile an android app, write in new code, recompile and upload it to a file sharing site for users to install on their phones - android developers do it all the time. The difference lies in who altered the app and why. If someone gives you an app, ask where it came from. The person giving the app away could have downloaded it without thinking about the security of their phone. The best practice is to only install apps from a trusted source.

    Android Market
    Google has the ability to remove an app from the android market if it's found that the app is malicious. Google can also remove the app from android phones if they feel the need, though they always inform users before this happens.

    Trusted Sources
    God bless Forums, android phones would go EOL much sooner if it weren't for 3rd party developers. Installing an app outside of the android market is a questionable practice. However, you can mitigate the risk by researching the developer. If the developer of the app in question is well known and has a good reputation then I'd say it's worth the risk. If the developer is unknown, and you really want the app, ask the developer for the source code so that you can audit/compile the app yourself - or ask someone else if they can do this for you. Be very suspicious of an app to which you are not allowed the source code. It's not enough to simply obtain and audit the source code without compiling from the sources because the source code and the actual app could be two different things. If a well known developer posts a link to a file sharing site then I'd say it's safe but avoid installing apps when you're not sure who developed the app.

    Permissions
    The default package installer on android devices will list the permissions an app is asking for prior to installing the app; always pay attention to these permissions. If an app is asking for full internet access, stop and ask why. Does a flashlight app really need internet access in order to function? No, it does not. Why would a flashlight app be asking for full internet permissions? The only thing I can think of is the app has the ability to send your private information to someone else. Should you install this app? Not for all of the tea in China.

    It's your phone and your information; keep it safe. There are people out there who pay money for social security numbers, mother's maiden names, dates of birth and the like... don't become a statistic. Information security is a journey, not a destination.
     

    amlothi, EarlyMon and Mostly Harmless like this.
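The permission check described under "Permissions" in the post above can also be run against an app's manifest before it ever reaches the phone. The sketch below is an added example, not part of the original post; it assumes the APK's AndroidManifest.xml has already been decoded to text (for instance with apktool), and the per-category baseline, the reason strings and the sample manifest are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Assumed baseline for this example: what each app category plausibly needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Permissions that expose private data or give a channel to send it elsewhere.
SENSITIVE = {
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.READ_PHONE_STATE": "reads phone number and device IDs",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in PERMISSION_TAGS:
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, category):
    """List (permission, reason) pairs the app category does not justify.

    An unknown category has an empty baseline, so everything is flagged.
    """
    extra = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return sorted((p, SENSITIVE.get(p, "not in the baseline for this category"))
                  for p in extra)

# Constructed sample: a "flashlight" app that also asks for network and contacts.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE, "flashlight"):
        print(f"REVIEW {perm}: {why}")
```

A clean result only means the declared permissions match the baseline; it says nothing about what the code does with the permissions it is granted.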
  2. EarlyMon

    Well said!

    This is exactly why we prefer that fellow members post to a dev site where the dev says, Hey, I uploaded this! - as opposed to just linking the dev's download link.

    Just linking the download is easy and fast - but in general - go to a trusted source.

    Phandroid.com has run a download link for the new Market in their new stories (they do that sort of thing fairly often), with the dev source fully cited - so, posting to the Phandroid story for this sort of thing is also a good practice.

    Again, nicely said ardchoille! :)
     
    ardchoille likes this.
