John Oberheide, a security researcher, recently demonstrated a possible security loophole in the Android app market by disguising a fake application as one offering preview snapshots of the upcoming “Twilight Eclipse” film. He succeeded in getting hundreds of users to download the software. An ill-intentioned developer could easily have used this technique to plant malicious software on users’ devices.
Oberheide’s experiment was intended only to demonstrate a possible security loophole in Android. However, the research itself could tempt hackers to try their own programs, whether for fun or for knowledge. The fact remains that Oberheide succeeded in getting his non-harmful software onto more than 300 user devices. That he presented his research at the SummerCon hacker conference reflects the genuine intentions of the security researcher.
Google totally neglects
Google downplayed the whole situation, stating that it had deleted both apps using its newly introduced method for removing apps remotely. However, the question remains: what if less friendly developers succeed in hiding destructive exploit code within fake applications? In this particular case, what if Oberheide had provided some real pictures, making the fake application more convincing? Most likely, users would keep the apps if they found them useful and the apps met their expectations.
Google initiates a security measure
The “remote application removal” feature was introduced to the Android app market in order to maintain the apps within it. That is all fine until one notes that the demo botnet apps were exposed only when the developer himself presented the relevant research results. However, the Android security lead, Rich Cannings, implies that the apps were practically useless, without commenting on how these particular apps proved the concept.
Would Google have known?
There was very little chance that Google or the users would have become aware of Oberheide’s botnet apps had Oberheide not presented his research. Furthermore, Oberheide points out that if a more convincing application, such as a game, were disguised in the same way without being caught on Google’s radar, the consequences would be alarming.
Has Google done enough?
Google has tried to emphasize Android’s security standards, downplaying the demo botnet apps. But a better approach would have been to engage with the situation, accepting the facts as they are and finding possible solutions for the security problems at hand, rather than ignoring the issues. The “remote application removal” is useful only after an app is found to be malicious. It does not by any means eliminate the security risks pointed out by John Oberheide’s research.
Malware problems are not unique to Android apps. No operating system is perfect and risk-free, whether it is a mobile OS or any other platform. The work of security researchers is a double-edged sword when it comes to the integrity of the platform in focus. Thus Google and others are not always willing to accept research findings related to security issues in their software or platforms.