Don’t download from third-party app stores: it’s not so much a rule of thumb for keeping our devices secure as it is the most elegant marketing slogan the world has ever seen.

Google put the Bouncer, their in-market app scanner, to work in 2011 — the same year that the Amazon Appstore opened its doors. The story of Amazon’s successful entry into the app space tends to center on their exclusive distribution of the third release in the wildly popular game series Angry Birds, but a big part of it was the promise of a better, more carefully curated experience than was being offered by Google’s app outlet, then known as the Android Market. Amazon’s submission process is similar to that of Apple in that apps are checked prior to going live to ensure that they don’t impair a device’s functionality or put sensitive user data at risk.

After the Bouncer got to work, there was a 40 percent drop in the number of potentially malicious apps in Google’s Android Market, which soon rebooted itself as Google Play. In a sense, it was competition from a third-party app store that made Google’s official marketplace a little safer.

Competition benefits the user. Though Android fans can’t abide Apple’s heckling about Android’s malware problems, the continued emphasis on the issue from Google’s competitor has undoubtedly benefited Android users. Earlier this year, Google admitted that the Bouncer’s one-time check-up was insufficient against malicious apps’ increasingly sophisticated analysis-avoidance techniques and announced that it would continuously check apps on Android devices for malware signatures through a new tool called Verify Apps. Knowing that the key to retaining its massive market share means changing perceptions about Android, Verify Apps scans all apps on devices, whether these are downloaded from the Play Store or from a third-party app store.

The Verify Apps database is updated regularly as Google discovers new harmful signatures, and the continuous scanning enables Verify Apps to catch any malware that may have slipped past the Bouncer, or a third-party app store’s own security checks. Additionally, Google has the ability to remotely remove any rogue applications from user devices, whether these are installed through Play or a third-party app store.

Competition benefits users. When you’re the only game in town, you don’t have to care about users. They’ll keep coming because they have no choice. When you’re the only game in town, you can dictate what content users can and cannot access.

When competition moves in, you have to care.

As users, we have the power to keep competition in the rink. But in order to do this, we need a better rule of thumb than “don’t download from third party app stores.”

Level Yourself Up

In late 2012, Google became aware aware of a vulnerability in mobile payments that enabled malware to generate revenue by sending premium text messages. Within days of this discovery, Google had bundled a fix into the latest version of the Android operating system Jelly Bean 4.2, and sent a security update down the pipeline for devices running earlier versions.

But five months later, malware was still exploiting this loophole on affected devices. According to Juniper Network’s Third Annual Mobile Threats Report, a whopping 73 percent of malware was using and benefiting from this tactic in 2013. What happened?

The patch went into the pipeline, but the pipeline is more of a toll road for a lot of Android users. This toll road has two choke points: device manufacturers and wireless carriers. Before they can send anything down to users, manufacturers have to work on their own firmware to make sure that Google’s update is compatible with their customizations. This is then passed down to carriers, which make necessary changes ensure everything jives with their specifications. Only after this is done do carriers send over the update to users over their respective networks. Making these modifications takes time, an issue that is exacerbated by the number of different Android phones that each carrier offers.

The result is a fragmented Android ecosystem, where many users have a lot less protection than others. KitKat 4.4, for example, was released late last year but, as of June, was only running on 14 percent of Android devices. And this a jump: in April, six months after its release, KitKat had only reached 8.5 percent Android devices. Some 58 percent of users are still using the previous Android release Jelly Bean, while 14 percent remain on four-year-old Gingerbread and 12 percent on three-year-old Ice Cream Sandwich.

Fragmentation is the driving force behind Google’s decision to release Verify Apps, its malware scanner and removal tool, as part of the Google Play Services app. Like everything else in the tech giant’s apps package, Play Services is not open source, so there are no customizations for manufacturers or carriers to make. But unlike other apps, Play Services has its own update mechanism that is completely independent of the Play Store, which enables Google to issue updates — including security updates — instantly. This offers some level of protection, but doesn’t address all issues, so it’s important to check for updates, and download and install them as soon as they become available.

Arm Yourself

It is unbelievable that only five percent of smartphones and tablets are protected by a security tool or scanner considering Google only just now has made a security tool available. This should have been our first move upon unboxing, but unfortunately, many people don’t yet understand that phones and tablets are computers and so don’t think that scanners are necessary — even as they do everything from checking their bank accounts to accessing sensitive data on their devices.

But they are necessary — very necessary. At the end of last year, researchers at Indiana University Bloomington discovered that certain malicious apps can use system upgrades to confer additional access privileges to malware. This type of attack, which exploits vulnerabilities called pileup flaws, is extremely dangerous because, aside from granting itself permissions to access user credentials, voicemails, call logs, notifications from other apps, text messages, etc., it can replace official apps (including Google’s) with malicious versions that steal sensitive user data. Additionally, an attack of this nature could prevent the installation of Google Play Services — breaking all Google apps that rely on it and disabling Google’s ability to scan, identify or remove problem apps.

Researchers compared exploit opportunities provided by Samsung, Google, and AOSP (which stands for Android Open Source Project and refers to phones running on the most basic version of the Android operating system. This is what you would refer to as a “vanilla” phone, while the modifications to Android made by Google and Samsung result in what you would call a “stock” phone. Yes, I too am sorry that the modified version of “vanilla” is not “kinky.” But perhaps that moniker is best reserved for the wicked geniuses who build and run their own firmware).

Researchers found that AOSP and Google phones pose a much smaller risk than Samsung’s proprietary Android firmware.

exploit opportunities on vanilla and stock phones

Basically: the more stuff you put into your firmware, the bigger the security risk to the phone. It is known.

After identifying the vulnerabilities, researchers developed a number of apps capable of exploiting these flaws and submitted them to Google Play and Amazon Appstore, along with other popular Android marketplaces. Here’s the real surprise: the malicious apps got in.

The researchers removed them before downloads occurred and notified Google right away. The tech giant dropped a patch into pipeline on January, but as we’ve discussed, it’s a process getting these fixes through the choke points.

You need to take matters into your hands.

When the dragon flies over Helgen, you don’t stand around awaiting execution. You throw on some gear. This is no different. And as it happens, you’re in luck. The same researchers that looked into pileup flaws released a free app in March called Secure Update Scanner (SecUP) that scans for such exploits and directs a user to remove them before a device is updated. You can pick it up on SlideMe, 360 Mobile Assistant, Amazon or Play.

And that’s not the only weapon you have at your disposal. AV-TEST, one of the biggest players in antivirus research, regularly compiles lists of the best security apps and shares extensive notes from its tests. Click on any app on this list to read a more detailed description of its capabilities and select one based on your needs. Many of the apps are free or work on a freemium model, where a user gets basic coverage for free but needs to pay for additional features.

Not installing SecUP and a sturdy security app can only be likened to randomly finding a Daedric sword and simply walking on by. YOU’RE PACKING IRON. Pick it up.

Don’t Forget to Block

If taking active measures to fight malware can be likened to improving your weaponry, then using common sense is like picking up perks along the blocking skill tree. You still need a weapon to ensure a fair fight, but effective blocking reduces damage potential. When it comes to your device, there are three ways to block a strike:

PERMISSIONS PERK: You should always check the permissions that an app is asking for. That doesn’t mean glancing them over and vaguely wondering what they mean before clicking Accept. Steven Blum at AndroidPit has an excellent list defining permissions. Read it. Familiarize yourself. If you are about to download an app, think about the permissions it’s asking for. Do they make sense based on what the app is supposed to do? If they don’t, or you’re not sure, check the app’s reviews before you download it.

REPUTATION PERK: There’s strength in numbers, and not just because together we have more swords. Numbers also mean more reviews for apps. It can be a drag to read a bunch of irate comments about glitches and bugs, but reviews can be a lot of help if you’re ever uncertain about downloading. Have any users had malware issues with the app? If an app is so new that it doesn’t yet have comments, wait a bit before you download. Patience isn’t a virtue: it is one of the most useful skills in your combat toolbox. You know this, Dovahkiin.

PROVENANCE PERK: It’s a good idea to familiarize yourself with the places from which you download apps. Reading a store’s Frequently Asked Questions for developers will let you know just how much checking they do during their apps approval process. If there isn’t much of an approval process, browse around and see what measures they’ve put in place to protect users. No security measure is perfect, not even the Bouncer, so don’t get complacent even if the measures your store of choice is taking seem excellent.

THIEVES GUILD: Sorry, there is no Thieves Guild. Don’t pirate apps. Piracy isn’t just stealing from developers who deserve better, it’s also the best way to get malicious code into your phone. Not that you wouldn’t deserve it if you were stealing, sneakthief.

Deploy Speechcraft

We’ve covered how good it is for consumers to have variety in terms of stores. Do your part. If you support a third-party app store, give them your business as much as possible and write useful app reviews whenever you can. If they don’t have security measures in place, let them know that they can do better. Lobby for change on their blog and social streams. They can do better. More importantly, it’s in their interest to do better. Just don’t forget to do your part, too. We’re in this together — when Sovngarde beckons, and all that.

Save Frequently

Even if you know in your bones that legendary difficulty is the only way to game and scoff at F5, your devices aren’t a game. You need to back them up.

Google will give you a hand with that — by default, Google backs up your contacts (which you can sync later, or access via the Google Contacts page after you log in to your Google account online), Chrome stores bookmarks and keeps a history on non-incognito browsing across devices, Google Calendar keeps all your events, Gmail keeps your e-mail and IMs (unless chat history is disabled), the Play Store keeps a list of the apps you have downloaded, and enabling Auto Backup on Google Plus lets it automatically upload your photos and videos to the cloud (where they remain, available only to you unless you decide to share them with anyone else on the social network).

A number of third-party app stores, like Amazon and MiKandi, also keep track of the apps you have downloaded and, like Play, enable you to download them again without having to pay for them once again.

But then there are text messages, which aren’t synced to Gmail chat logs even if you merge texts and IMs using Hangouts. Games and certain apps store progress and files locally sometimes. Basically: a lot of important things are covered, but these things are by no means all things.

If anything that isn’t covered is important to you, or if Google’s options aren’t what you’re looking for, you would do well to consider looking into a backup app. A number of security apps pull double duty doing backups, so when you’re browsing for one, think about grabbing one that has this capability. It might put you in the paid bracket, but it’s worth it if it means saving stuff that’s important to you.

HUN KAAL ZOOR

There are risks to owning an Android device but the freedom enabled by being on Android is worth it, especially if you don’t believe that Google (or anyone else) should dictate the kind of apps you can and cannot have. Provided that you take the necessary precautions, no amount of fun and exploration is far from your reach.

Just remember that the wonderland you enjoy is one that’s constantly being enlarged by hardworking developers. If you’re a fan of an app, pay its creator, write reviews, and give your business to the stores that let them bring their ideas to life without a stifling morality clause. Even if you can’t code to save your life, you can be a valuable part of this ecosystem by doing your part as a consumer.

Photo credits

Skryim Cavity patrol” by keneden, via CC License on Flickr.

4 COMMENTS

  1. […] Regardless of what recent articles and comment sections suggest, checking Unknown Sources does not an idiot make. After all, Amazon’s own app store is a third party source, yet is owned by one of the world’s most recognized companies. And despite a strong effort to bill itself as the only safe Android app store, Google Play has found itself victim to shady developers and malicious apps as recently as just this week. We clearly need a better rule of thumb than “don’t download from third party app stores.” […]

LEAVE A REPLY