Chrome, the now three-year-old web browser from Google, appears destined for domination with its rapidly expanding user base. Android phones are now selling at a faster rate than Apple iPhones. Much of this may be attributed to Google’s open attitude in Chrome and Android development. But there is a price to be paid for this flexibility.
Google’s open platform philosophy is generally a good thing. It creates a familiar environment for the people who expand existing functionality through the development of new applications and the customers who download and use those applications.
Scammers have exploited these channels - the Google Chrome Web Store and the Android Market - to push software vulnerabilities upon unsuspecting users. Microsoft, with their Windows 7 Marketplace, and Apple, with their App Store, strictly police all submitted content. This hasn’t made their stores immune to vulnerabilities, but in the rare case that something slips through, they react quickly to pull down the offending content. Apple can even push a fix without interrupting their clients’ functionality, and Microsoft is developing similar technology. An Android user’s recourse is typically to factory reset their phone.
As one example, a legitimate application can be downloaded from the Google Chrome Web Store, reverse engineered, and then rebuilt to contain software exploits. It is then redeployed back to the store under a similar name in the hopes that people will confuse the product and download it instead of the original. This sort of attack is hard for a casual user to detect. Once the compromised application is run, all sorts of problems can occur, from allowing other programs to be run remotely to compromising your Facebook account.
Of course, Google has the talent and the capital to do something about all of this, and it has. Although individual reports vary as to their responsiveness, Google recently launched an online service called Bouncer. Bouncer scours the Android Market, looking for malware and infringing software, flagging some, removing others. But there’s no reason to relax. The best solution is to protect yourself. Here’s how.
First of all, double check the permissions required by an application. Applications that require permission to send e-mails may not actively be attempting to screw your phone up, but they could start sending unwanted advertising e-mails to your friends. Customer reviews, although not foolproof, can also be a good indicator. A popular application is likely to have many reviews. For instance, if you go to download a copy of “Angry Birds” and there are less than 20,000 user reviews, you might want to be suspicious. Be sure to download applications only from Google. Third-party marketplaces exist, but if they’re located in Russia or China you can bet their primary motivation is not the security of your personal information. As always, if you’re clicking on a link in an e-mail, be sure you trust the source and know where you’re going.
Google’s widespread popularity certainly attributes some of its success through its open and inclusive philosophy. There are many things they do well. As users increase, so too do exploiters. What Google does for now suffices, but they’re going to have to tackle the issue head-on sooner or later. If Google can find a working solution about halfway between where they are now and the extremes adopted by Apple and Microsoft, they’ll having a strong edge for their platforms.
Published on April 5, 2012