1. Welcome Guest! In order to create a new topic or reply to an existing one, you must register first. It is easy and free. Click here to sign up now!.
    Dismiss Notice

Amazon's app store compromises Android security

Discussion in 'Mobile Phones & Devices' started by starbuck, May 27, 2017.

  1. starbuck

    starbuck Rest In Peace Pete Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,830
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    It's dangerous to go alone outside Google's protective walled garden, but it's the price you pay for free software.

    e6f144b0e91087b2577e343702cfca37.jpg

    Ask almost any security expert, and they'll tell you switching on "unknown sources" on your Android phone or tablet is one of the worst things you can do for device security.

    But that's exactly what Amazon has asked its app store customers to do for years.

    The heart of the problem is Amazon's requirement to allow installations from "unknown sources" -- that is, any app or game that hasn't been carefully vetted by the Google Play app store.
    That's because while almost all of Amazon's apps are already in Google Play, the retail giant's own third-party app store, dubbed Underground, isn't allowed.

    Opening your Android phone or tablet up to apps and games outside Google's protective walled garden also makes your device infinitely more vulnerable to malware.

    And that's no secret.
    We're not even the only ones to notice it -- some noted the security issue back in 2015 when Amazon Underground first launched.

    When asked to comment, an Amazon spokesperson confirmed that Underground had since been installed on "millions" of Android devices.
    That's in part because some of Amazon's own apps for Android are only available through Amazon Underground, such as Amazon Prime Video -- the company's competitor to Netflix.

    The spokesperson added that "customers should take care only to download content from sources they trust, like Amazon."

    But it's not Amazon's app store that's the problem -- it's the giant hole you have to punch in Android's security to get it installed in the first place.

    0359491bf0fbc527d81675b6260c408b.png

    We spoke to several prominent security researchers and experts, and they all agreed that opening up "unknown sources" is a bad move for security.

    Joshua Drake, VP of Platform Research and Exploitation at Zimperium, who was credited with finding the Stagefright bug that affected millions of Android users, said that installing apps from unknown sources is "a significant source of malware in the Android ecosystem."

    Andrew Blaich, a security researcher at Lookout, agreed.
    He said: "By allowing unknown sources, a user is removing the first line of defense in stopping themselves from installing a malicious app that can be delivered from a number of sources, including malicious website links, phishing attempts and others of which we've seen happen in targeted attacks like ViperRat and other broader non-targeted attacks."

    Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said in an email: "There are a lot of nasty Android apps out there and only downloading apps from official sources is key to a safe mobile computing experience," he added.

    The battle for access to app stores isn't new.
    Because mobile device and software makers like Apple and Google get to dictate the terms to who can and can't access their platforms, competitors like Amazon will resort to begging their customers to essentially forego some security for access to its own app store.

    And while Android has always been the more open platform for apps and games compared to iPhones and iPads, which have built a reputation for security thanks to Apple's strict app store requirements and code checking, that is soon set to change.
    Drake added in his email that Google's upcoming Android O will allow third-party app stores without requiring blanket access to the whole phone, effectively making it harder for malware to install.

    When reached, Google wouldn't comment on the record.

    Amazon's app store currently has 800,000 free apps, thanks to the company's incentive to developers to submit their apps.
    The company said last month that though it's shutting down its namesake developer program, which allows the millions of Amazon Underground users to download apps and games for free, the app store itself is "not going away" any time soon.

    Given the security risks, your best bet is to uninstall the app -- pronto -- and switch off "unknown sources."
    Anything else is putting you at risk.


    Source:
    http://www.zdnet.com/article/amazon...s-of-android-devices-at-risk/#ftag=RSSbaffb68
     

Share This Page