Quote:
Originally Posted by Irishsquid
I'm not AS worried about a virus packaged in the software as I am about the vulnerabilities inherent in the majority of apps when all software is user/community developed. What QA criteria are the devs using? I have no clue. I've actually thought about going into business reviewing code for Android market apps for security flaws.
Sirs,
This part will make you giggle a little. Android apps are 'safe', as in they run inside their own little virtual sandbox on your phone. Therefore one application does not get to 'play' with the resources of another application, unless given 'permission'. Your data's security though, is left to the whims of the developer. Developers can choose declaratively whether or not to allow their application's data to be available for other applications or services.
I am a bit rushed so I'm being very poignant, please forgive me. The important thing here is this; when you download and install an app on your device, the 'rules' of the Android framework specify that you inform the user what services the application requires to work. It will tell you "this application requires the following:
access to the internet,
access to services that cost you money,
access to your location,
etc...."
Once you click OK, you acknowledge that any data that you enter into that program is subject to those things which you agreed to.
Can an unscrupulous developer write an app that links to Facebook, then on the sly transmit information it has access to, to a server for other uses? Yes.
Can it take the credit card numbers that you entered to use for some 'secure' shopping app and do the same? Yes.
Strangely, the downloads/reviews/rating system on the app store are the main indicators to how 'trustworthy' a developer or software is.
As a developer, I by no means wish to shed negative light on my profession or peers. As a slightly paranoid human, I will be the first to say that your information could definitely be at risk.
Bottom line, don't trust an app until you have read every line of its source code OR if the app is well ranked and well reviewed. It's just like encryption, it's only good encryption when it has withstood the abuse and scrutiny of security professionals.
Respectfully and hurriedly
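
The following is an added example, not part of the original post: a small reviewer-side audit of a decoded `AndroidManifest.xml` that lists the install-prompt categories the post names and the components the developer declared reachable by other apps. The sample manifest, package name and the `audit_manifest` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded, plain-text XML), not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shopping">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".OrdersProvider"
              android:authorities="com.example.shopping.orders"
              android:exported="true"/>
    <provider android:name=".CardsProvider"
              android:authorities="com.example.shopping.cards"
              android:exported="false"/>
  </application>
</manifest>"""

# Install-prompt categories named in the post, mapped to Android permission names.
CATEGORIES = {
    "android.permission.INTERNET": "access to the internet",
    "android.permission.SEND_SMS": "services that cost you money",
    "android.permission.CALL_PHONE": "services that cost you money",
    "android.permission.ACCESS_FINE_LOCATION": "access to your location",
    "android.permission.ACCESS_COARSE_LOCATION": "access to your location",
}

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    prompts = sorted({CATEGORIES[p] for p in perms if p in CATEGORIES})
    # Data-bearing components declared reachable by other apps with no
    # android:permission required of the caller (simplified check).
    shared = []
    for tag in ("provider", "service", "receiver"):
        for e in root.iter(tag):
            exported = e.get(ANDROID_NS + "exported") == "true"
            if exported and not e.get(ANDROID_NS + "permission"):
                shared.append((tag, e.get(ANDROID_NS + "name")))
    # Network access plus another sensitive grant: data can leave the device.
    off_device = "android.permission.INTERNET" in perms and len(prompts) > 1
    return {"prompts": prompts, "shared": shared, "can_send_off_device": off_device}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```
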