Malware and open source and my Droid

 I was reading news today about malware discovered for the Android operating system (see “Malware: Android Apps Threaten Mobile Security” by David Coursey).  As a Droid owner, who is slowly but surely getting lured into the tool, I’m concerned about the quality of software that I use.

I’m pretty careful when I download software for my PC.  I try to check up on projects and not just grab things that have no track record.  Generally, I look to make sure that it has a project web site with source code and that people are active.  I have heard individuals talk about malware rampant in the open source community, but I’ve not seen evidence of it myself.  I even searched for news.  I figured that news that open source malware was roaming around would be picked up and pretty wide-spread if there was much to report.  Nothing there.  To be honest, that really was what I expected to find.  I find that the open source community is pretty good at policing its own. I don’t think that a true open-source malware project would have a very long life.  Someone would spot it and do something about it pretty quickly.  If anyone has news to the contrary I’d really like to know.  (…please, only real news with sources, not something that you heard from a guy who knows this guy who knows this dude…)

Now back to the Droid.  I have this phone with a Market application which lists all kinds of applications.  As the story above mentions, an Android developer created some 50 fake banking applications designed to phish banking login data from your phone.  I would think that an app like that would set of alarm bells for me automatically.  I receive SPAM emails about such things and I find them pretty obvious.  What was unclear to me as well is whether these apps were included in the official catalog, or in the 3rd party catalog.  The Android application market allows you to turn off 3rd party applications, which are the areas that I might expect the dodgier applications.  I can still get them.  I just have to find and install them on purpose rather than having them on the impulse list.

Bear in mind that even though the Android system is pretty open, the applications that they host are not necessarily open source.  That means that some of the policing that might be done by the community won’t happen for the closed applications (a feature of closed-source, commercial software).  Each of the applications has ratings and comments, which provide some evidence to the user that software might be dangerous, but you have to be at least a little savvy about it.

Google has taken a different approach than Apple on how to handle their applications.  Rather than vetting applications and the selecting whether they should be allowed to be in the marketplace they have made the marketplace pretty easy to sign up for.  Developers pay a fee to include their apps, so there is some level of tracking, unless you sign up with a stolen credit card.  (…and who would do that?)  Google has also given themselves permission to pull your applications and ban you if they discover that it’s bad, but they don’t define a responsibility to monitor and detect this activity themselves.  Here’s a section from their developer agreement:

“Google Takedowns.  While Google does not intend, and does not undertake, to monitor the Products or their content, if Google is notified by you or otherwise becomes aware and determines in its sole discretion that a Product or any portion thereof or your Brand Features; (a) violates the intellectual property rights or any other rights of any third party; (b) violates any applicable law or is subject to an injunction; (c) is pornographic, obscene or otherwise violates Google’s hosting policies or other terms of service as may be updated by Google from time to time in its sole discretion; (d) is being distributed by you improperly; (e) may create liability for Google or Authorized Carriers; (f) is deemed by Google to have a virus or is deemed to be malware, spyware or have an adverse impact on Google’s or an Authorized Carrier’s network; (g) violates the terms of this Agreement or the Market Content Policy for Developers; or (h) the display of the Product is impacting the integrity of Google servers (i.e., users are unable to access such content or otherwise experience difficulty), Google may remove the Product from the Market or reclassify the Product at its sole discretion.  Google reserves the right to suspend and/or bar any Developer from the Market at its sole discretion.”

There’s a few thoughts that I have… and these thoughts are mine as a user of the Droid and of open source software.

1.  I’m much more comfortable with knowing that the source of software is available.  My ability to detect badness in the source is probably limited, but at least I can compile it myself if I want. And my observations combined with others will help sound an alarm for something that’s not right.  I really think that works and works well.

2.  I’m not a fan of a marketplace getting to decide whether an application should be allowed to exist, though I don’t want software to be used criminally.  Apple’s approach is too harsh for me.  I’m undecided about Google.

3.  People should care and pay attention to the software that they use.  I have heard about malware embedded in free closed-source packages, or on “warez” sites, sites that host pirated commercial software that can be downloaded for free.  It’s as bad a habit to just download software from a blinking icon without looking into it at all as it is to eat anything laying on the sidewalk that looks interesting.  The current trend is to treat users as though they don’t and shouldn’t know about the technology that they use and that approach gives them absolutely no defensive instincts against bad guys.  I don’t think that everyone should be an uber geek, but people shouldn’t be so afraid of technology that they let themselves be pushed around into making bad choices.

I’m a fan of my Droid and I’m happy with my choice… but I’m having to think a little bit as I use it and create some new resources for keeping myself safe.  It’s my responsibility to do so.

Leave a Reply

Your email address will not be published.