Wednesday, January 19, 2011 - 00:22

New exploits in Android Market

There are certain things that you can actually wait for to happen, and this is one of them. Google is running the market in a way that's doomed to hit the wall, and it has nothing really to do with liberal policies vs. Apple's... ah well. Let's call those restrictive.

It's about supervision, and that's something you can't omit - for whatever reasons. If you are a somewhat responsible reseller you might want to know what you are actually distributing, which includes taking a closer - or at least a superficial - look at what you deploy. Having a quick deployment cycle is especially nice for developers. You dish out an app or an update and there it is in the store shortly thereafter. But it's a nightmare for most users, even though they have a basic interest in rapid deployment cycles as well. You should only deploy what you can take responsibility for. And frankly, that's something Google should know about already.

So... what happened? Apparently a publisher by the names of Myournet, Kingmall2010 and we20090202 copied - read pirated - more than 50 existing apps, repacked them with a trojan and republished them under a different name in the market. Google already reacted - apparently on a very short fuse - and removed the apps in question together with the publisher within a refreshingly short reaction time. As of now, however, Google is not actively removing the apps from users' devices.

Google's initial reaction was quick, but unfortunately it's nothing to praise.

A single publisher posts 2 dozen apps in a rather short time frame and no one thinks this is a tiny little bit strange? Is there a possible situation where the alarm should go off any louder? On top of that, this shows how much apps are actually controlled before they end up on stage... not at all. You could rather easily test for this specific exploit automatically. It's not a brand new zero day thing he came up with. It's a known issue. And it's one that must not pass by unnoticed, since it's actually rather easy to detect.

In fact there's an app for it. You can do it on device but apparently not before it's deployed. Shame on you Google.

If Google wants to avoid bad karma they should rapido fix whatever they implemented to prevent this...if they actually implemented something.

It's not about access restrictions or What Apple does™. You don't need to jail the market to have a somewhat safe ecosystem. But the more liberal you are with what you allow, the more vigilant you have to be. You don't get style points for deploying first. If things go condition red you'll look sloppy. And frankly, that's exactly what you are.