Among the many, many changes to the Android Market announced in recent weeks, Android users can now personalize their Market by filtering out apps marked as mature. Turning on app ratings will then block Android apps that have a maturity rating higher than the setting a user chooses (Everyone, Low, Medium, or High).
Android Market filtering is great, but the problem is that it relies on developers to be honest and accurately rate their apps. Considering how many developers cheat search results by putting in keywords that have absolutely nothing to do with their app, trusting devs to be honest seems silly. That’s as crazy as letting the banking industry police itself.
I grow tired of seeing “Sexy Girl” wallpaper apps every time I search for new Android apps, so I set my Android Market to only show apps available to “Everyone.” But instead of blocking all of the crappy sexy apps, the Everyone setting merely dropped the number of those apps from 1,164 to 182. It’s good to see a decline that steep, but 182 is still a large number of offensive apps trickling into what should be a mature-free browsing experience.
Sony still refuses to detail the exact exploit used to hack the PlayStation Network and its Qriocity streaming service, but has admitted that as well as updating the software security of the network, it is physically “moving our network infrastructure and data center to a new, more secure location.” The changes are part of a number of steps Sony has been forced to take after the company reportedly pulled down the PSN when rampant piracy took hold.
According to reports earlier this week, a custom PS3 firmware allowed hackers to unofficially gain access to the PlayStation Network developer channels. There, they were supposedly able to use false – and unchecked – credit card details to make purchases. Sony’s only recourse, it was suggested, was shutting down PSN access altogether.
In a new Q&A – which overlaps considerably with Sony’s previous FAQ on the subject – Sony’s Patrick Seybold, Senior Director for Corporate Communications & Social Media, confirms that the company is working with both law enforcement and “a recognized technology security firm” on what is being viewed as a criminal act. According to Seybold, credit card data was encrypted and users are only being warned about it “out of an abundance of caution”; personal data, however, was not encrypted but was, he insists, “behind a very sophisticated security system.”
It’s that security system which has been breached, of course, a side-effect of what Sony hacker George Hotz suggests is likely down to “arrogance and misunderstanding of ownership.”
“Traditionally the trust boundary for a web service exists between the server and the client. But Sony believes they own the client too, so if they just put a trust boundary between the consumer and the client (can’t trust those pesky consumers), everything is good. Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server? This arrogance undermines a basic security principle, never trust the client … Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren’t crazy.” – George Hotz
Sony maintains that certain services will be back online in under a week, though it is yet to confirm which those services will be. The company is also facing a class action suit and what experts predict could amount to $24bn in credit card fraud.
A new explanation for the ongoing Sony PlayStation Network downtime has been suggested, with claims that Sony has taken the service offline so as to close a loophole that had been responsible for “extreme piracy of PSN content.” PSX-Scene’s “Chesh” took to Reddit to outline how a new PlayStation 3 custom firmware called Rebug was used by hackers to gain access to the PSN’s developer networks. From there, it was possible to input fake credit card information and buy content without ever paying for it.
The security glitch, it’s suggested, arose because Sony was not validating credit card information for users on its trusted private developer network. Sony allegedly responded by pulling the plug on the network completely; the “additional security” Sony representatives have admitted is being installed is apparently meant to combat this sort of hacking.
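As an added illustration of the flaw described above (not Sony’s code, and not based on any knowledge of PSN internals), the toy purchase handler below contrasts a “before” version that waives card checks for any client claiming to be on a developer network with an “after” version that decides purely from server-side state. Every class, function, price, account and card value here is a constructed assumption for the example.

```python
from dataclasses import dataclass

# Constructed catalogue (prices in cents) and a server-side role table.
# Both are assumptions for this example; neither comes from the article.
PRICES = {"game-1": 1999, "dlc-7": 499}
DEV_ACCOUNTS = {"dev-42"}   # maintained by the server, never supplied by the client


@dataclass
class PurchaseRequest:
    user_id: str
    sku: str
    card_number: str
    claimed_network: str   # self-reported by the client: "devnet" or "public"


class PaymentGateway:
    """Stand-in for a card processor. Only the constructed test card below
    authorizes; the call counter shows whether validation ever ran at all."""

    FUNDED_CARDS = {"4111111111111111"}   # constructed test value

    def __init__(self):
        self.calls = 0

    def authorize(self, card_number: str, amount_cents: int) -> bool:
        self.calls += 1
        return amount_cents > 0 and card_number in self.FUNDED_CARDS


def purchase_before(req: PurchaseRequest, gateway: PaymentGateway) -> bool:
    """'Before': a client that says it is on the trusted developer network is
    waved through. claimed_network is data the client controls, so the card
    details are never validated for anyone who sets that field."""
    if req.claimed_network == "devnet":
        return True   # grant without ever contacting the gateway
    return gateway.authorize(req.card_number, PRICES.get(req.sku, 0))


def purchase_after(req: PurchaseRequest, gateway: PaymentGateway) -> bool:
    """'After': the server ignores what the client claims about its network.
    Developer comps are decided from the server's own role table; everyone
    else goes through the gateway on every purchase."""
    if req.user_id in DEV_ACCOUNTS:
        return True   # entitlement decided from server-side state only
    return gateway.authorize(req.card_number, PRICES.get(req.sku, 0))


if __name__ == "__main__":
    gw = PaymentGateway()
    bogus = PurchaseRequest("user-1", "game-1", "0000000000000000", "devnet")
    print("before:", purchase_before(bogus, gw), "gateway calls:", gw.calls)
    print("after: ", purchase_after(bogus, gw), "gateway calls:", gw.calls)
```

The design point is that the only input that may change an authorization decision is something the server already holds (the role table, the gateway’s answer), never a field the client wrote into the request; a trusted network is a property of the deployment, not a claim a packet gets to make about itself.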
Chesh admits that the explanation is speculation pieced together from information throughout the PlayStation hacking community; however, sources with access to the SCE devnet servers have apparently confirmed that Sony is telling developers that, moving forward, only 3.60+ debug firmware will be allowed onto the network. If developers want to retain their access then they not only need to upgrade, it’s claimed, but contact Sony too.
Rebug’s developers are not responsible for the credit card hack, though whether Sony will look kindly on them anyway remains to be seen. However, user credit card information is believed to be secure still.
Earlier today Skype addressed the security vulnerability discovered last week in its app for Android and rolled out a new version that should safeguard your information. The security bug could have exposed sensitive user information such as names, location, e-mail address, chat logs, phone numbers, and more to malicious third-party software.
Skype’s Chief Information Security Officer, Adrian Asher, sent out an e-mail to users regarding the security exposure.
After a weekend of developing and testing we have updated a new version of the Skype for Android application onto the Android Market, containing a fix to the vulnerability reported to us on Friday. Please do update to this version as soon as possible in order to help protect your information.
We have had no reported examples of 3rd party malicious applications misusing information from the Skype directory on Android devices and will continue to monitor closely. Please rest assured that we do take your privacy and security very seriously and we sincerely apologize for any concern this issue may have caused.
This update also brings Skype calling to U.S. customers over their 3G data connections. It lets users on all U.S. carriers make Skype calls over 3G, which until now was allowed only on Verizon.
Android phones are as open to viruses as Android is open to app developers and phone makers. A recent batch of malware in the Android Market suggests as much: attackers managed to obtain data from thousands of people, sparking a wave of questions regarding Android’s security. It wasn’t the first time people have asked how safe Android is, and it definitely will not be the last.
Google responded to the Android Market security breach by noting that it quickly removed the affected apps, suspended the developers, and remotely deleted the apps from affected phones. Google believes only device identification data was leaked, but there’s a possibility that other private information may have been released. An update to the Android Market is also being sent to undo the exploit.
It’s good that Google responded so quickly, but this attack leads people to ask “Is Android safe?” At the moment, I would say yes. I’ve literally used thousands of Android apps and have yet to come across any that were malicious. By using common sense and paying attention to the security permissions requested by every app that I install, I’ve thankfully managed to avoid any security threats (knock on wood).
I’ve dismissed previous so-called virus outbreaks as misleading representations or scare campaigns by security companies; that is not the case here. Android is more susceptible to attacks than other operating systems, and it will continue to be that way because of two key factors.
The Android Market is the Wild, Wild West
The Market is mostly controlled, but with more than 150,000 apps to track, it’s easy to see how the inmates might sometimes run the asylum. Francois Deslandes, the developer of Pure Calendar Widget, recently contacted us saying that someone had managed to post a fake version of his app in the Android Market. The fake app used the same name and title as the real Pure Calendar, but it asked for the ability to send messages and share personal information that Deslandes never included in his app. Someone managed to replicate Pure Calendar for the sole purpose of tricking others into downloading and turning over information.
While other app stores have burdens to entry or include a pre-screening process, the Android Market requires only $25 and clicking “Publish” to see your app available within minutes. Though Google does monitor the Android Market and rely on reports from users about defective products, it’s not a fail-proof system. Something malicious can spread to thousands of people before it is discovered and removed. The Android Market also hosts dozens of apps that violate copyright laws and Google’s terms of services, a sign that plenty of apps fall through the nets of Google’s security sweeps. Most are eventually taken down, but not right away.
Malware is a numbers game
In the Mac vs. PC debate, I often hear people say that Macs are better because you don’t have to deal with virus threats. Actually, Macs are susceptible to security breaches, too. You are less likely to face a malware attack on Mac OS because people who devise these exploits tend to focus their attention on PCs, which account for 90 percent of computers.
Android may face a similar fate in the smartphone wars. Because the most popular smartphone OS is Android, and smartphone adoption increases so rapidly, it makes sense for hackers and malware creators to focus their attention on the platforms that will yield the best result. There’s less of an incentive to attack iPhone users if the App Store has an infamously harsh screening process (that’s not to say that iOS is impenetrable). Someone could hide their code in a webOS or Windows Phone 7 app, but what’s the point if those two systems combined don’t add up to the number of Android users who could be affected by your attack? Android provides nefarious programmers with the right amount of freedoms and user base to make it the most attractive to attack.
The freedom Google affords developers creates a better system for choice. However, that freedom has the unfortunate side effect of creating a world that is difficult to police. Preventing a bona fide malware outbreak is a tall order that Google has mostly done well to fill.
I feel confident in saying that Google will continue to monitor the Android Market and protect Android phones from most dangers. That doesn’t mean it will be successful in blocking every potential attack, so it’s wise to remind you about how to prevent attacks.
- Download only from trusted sources. If you want to sideload apps, do so only when it’s an APK from a trusted distributor (Gameloft, Getjar, etc.) or from a developer on a forum you frequent (XDA). Avoid links sent via SMS or email, and stay away from warez sites and random app repositories.
- Read the security permissions. We can’t stress this enough. Security permissions give clues about what type of app you are downloading and should be checked before installing anything.
- Avoid high-risk apps. When you see apps promising material that is illegal (free MP3s) or questionable (sexy babes), you’re more likely to end up in trouble. Get your music and smut somewhere else.
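Reading permissions can be done systematically rather than by eye. The added script below, which is not code from this article or from Pure Calendar’s developer, compares the permissions a suspicious copy of an app requests against a known-good baseline and flags the additions, the kind of check that would have caught the fake Pure Calendar described above (it asked for messaging and personal-data access the real app never used). Both manifests are constructed stand-ins, the package name is invented, and the set of permissions treated as high-risk is this example’s own judgement call; the comparison works for any baseline/candidate pair, not just that one case.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions whose sudden appearance in a utility app deserve a second look.
# This is an assumption of the example, not an official Android list.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest for the genuine app (package name invented).
BASELINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.purecalendar">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed manifest for a look-alike that asks for far more than it needs.
CLONE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.purecalendar">
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get("{%s}name" % ANDROID_NS)
        for el in root.iter("uses-permission")
        if el.get("{%s}name" % ANDROID_NS)
    }


def permission_diff(baseline_xml, candidate_xml):
    """Compare a candidate app's permissions with a trusted baseline."""
    base = requested_permissions(baseline_xml)
    cand = requested_permissions(candidate_xml)
    added = cand - base
    return {
        "added": sorted(added),
        "removed": sorted(base - cand),
        "high_risk_added": sorted(added & HIGH_RISK),
    }


def verdict(diff):
    """Turn the diff into a one-word triage result."""
    if diff["high_risk_added"]:
        return "suspicious"
    if diff["added"]:
        return "review"
    return "matches baseline"


if __name__ == "__main__":
    result = permission_diff(BASELINE_MANIFEST, CLONE_MANIFEST)
    for key, value in result.items():
        print(key, value)
    print("verdict:", verdict(result))
```

Permissions a clone drops (here VIBRATE) are reported too: a copy that removes harmless permissions while adding SEND_SMS and READ_CONTACTS is a stronger signal than either change alone, because it means someone rebuilt the manifest rather than repackaging the original untouched.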