Why Google’s Malware Bouncer Is Not Enough

Google recently revealed that it has a malware scanner for the Android OS that automatically scans the code of apps uploaded to the Android Market. The service, which Google codenamed ‘Bouncer’, is said to look for behaviors that the company deems unacceptable. But the problem with Android apps goes beyond just scanning for malware.

According to the post:

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

While the malware bouncer system may be a step in the right direction, there is a more dangerous aspect of apps in the Android Market that needs to be fixed: the permissions that applications demand before they can be installed. A quick look at the permissions required by some applications on the market immediately shows that security in the Android space will continue to be an issue.

For example, why would a text editor require access to phone records and GPS location information? One can understand needing network (Internet) access to push some ads, but access to phone records and logs? The same goes for any category, from games to business-use applications.

It is this permission free-for-all that got Symantec into some controversy recently when the company announced the discovery of apps in the Android Market that it deemed malicious. The apps, according to Symantec, were able to change the default home page in the web browsers of the “infected” devices, add bookmarks, and place shortcuts – actions one could easily associate with browser hijackers, and it is doubtful that users who installed these apps were expecting the applications to perform those actions without “explicit” consent.

And there lies the problem, because technically the user may have “explicitly” given permission when he or she clicked on “OK” or “Install”. This issue arises because, as with anything that requires clicking through, most users blindly click through message boxes without bothering to read what they are consenting to. A quick browse of apps on the Android Market will show several applications that request unnecessary permissions before they are installed.

For example, here is the permission requirement of an app called password notes, which is supposedly meant to “protect your notes with password”:

This application has access to the following:

Your location
coarse (network-based) location
Access coarse location sources such as the cellular network database to determine an approximate device location, where available. Malicious applications can use this to determine approximately where you are.
fine (GPS) location
Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.
Network communication
full Internet access
Allows an application to create network sockets.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

Really? Access to GPS and phone records etc. for a note app?

Granted, Google does give this warning about permissions:

Permissions: Android provides a permission system to help you understand the capabilities of the apps you install, and manage your own preferences. That way, if you see a game unnecessarily requests permission to send SMS, for example, you don’t need to install it.

But the company needs to remove the onus from users and demand to know from the developers why “a game unnecessarily requests permission to send SMS”. After all, it is the Android name and the integrity of Google that is at stake here.
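
As an added example (not from the original article and not a description of how Google's service works), a review-side check of this kind can be sketched in a few lines: parse a decoded AndroidManifest.xml and list every requested permission that falls outside a baseline for the app's category. The manifest, the package name and the category baselines are constructed for illustration; the permission names are the Android constants behind the four entries in the listing above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample manifest (hypothetical package name) requesting the four
# permissions shown in the listing quoted in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.passwordnotes">
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Password Notes"/>
</manifest>"""

# Assumed baselines: permissions a reviewer would accept for a category
# without asking the developer for a justification.
CATEGORY_BASELINE = {
    "notes": {P + "INTERNET"},
    "navigation": {P + "INTERNET", P + "ACCESS_COARSE_LOCATION",
                   P + "ACCESS_FINE_LOCATION"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    # For manifests from untrusted APKs, parse with a hardened XML parser
    # (for example the defusedxml package) instead of the stdlib one.
    root = ET.fromstring(manifest_xml)
    names = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # skip malformed entries with no android:name
            names.add(name)
    return names

def unjustified_permissions(manifest_xml, category):
    """Permissions requested beyond the category baseline, sorted."""
    # An unknown category has no baseline, so everything needs a justification.
    baseline = CATEGORY_BASELINE.get(category, set())
    return sorted(requested_permissions(manifest_xml) - baseline)

if __name__ == "__main__":
    for permission in unjustified_permissions(SAMPLE_MANIFEST, "notes"):
        print("needs developer justification:", permission)
```
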