Bouncer is supposed to prevent malicious apps from being placed in Play Store. Two legendary researchers explain how Bouncer can be circumvented
Thanks for another interesting article Michael. I always enjoy them. I've also heard that Apple reviews the code of all the apps in the app store so I thought it was interesting to hear that their static security review couldn't be confirmed by a major vulnerability researcher. Then again I don't buy into all the hype around Apple products either. If it looks like a computer and it's built like a computer (CPU, RAM, Storage, Network) then it has as many vulnerabilities as every other computer. Then it's only a question of how to harden the device appropriately through software. The only reason a calculator is any more secure than a computer is because it isn't connected to the internet so the avenues of attack are purely physical. There is nothing god-like about Apple computers. Having said that they do hand-select high-quality hardware and do a better than average job of testing it all together so that's a nice plus. But besides that the only other thing they have is the hype and it never fails to amaze me how many people buy into it (I have multiple coworkers who are Apple drones which is why it gets me so fired up).
The problem with all app stores is that unless you are writing everything yourself there is really no way to ensure that the apps are all malware free. Can and should security and review processes be better? Of course. But history has proven that for every stride we make in security the other side finds a way to circumvent it or simply finds a new avenue of attack. I guess my point is there are no silver bullets in the security world. There are only ways to mitigate the threat. Bouncer seems a good stride in the right direction but still has room for improvement.
Jon mentioned he was confident Google was already fixing the oops they found.
It was also great to hear that there is a human component involved in the review process as well.
I was trying to imagine what that person thought when the messages showed up.
What the heck?!? It's just unfortunate that they probably had no mechanism to reply. Even with only inbound communication I'm sure it made for entertaining office banter.
Google employee Phelps: "You'll never believe what just happened. One of the apps I was reviewing started talking to me."
Google supervisor: *Chuckles* "Oh really, what did it say?"
Phelps: "Well it asked how my day was going. I wasn't quite sure how to respond, I tried typing a reply of 'I'm fine. How are you?' but my command prompt told me that 'I'm' is not recognized as an internal or external command. So then I tried talking to it but of course it didn't respond."
Supervisor: "Interesting approach. Did it say anything else?"
Phelps: "Actually it did. It complimented my shirt. Then it told me I looked like a trustworthy sort and proceeded to explain how it was an alien intelligence trying to warn us of a take-over plot. It told me that the app was totally safe and to allow it into the market so it could warn more people. I almost did but then I noticed that their payment never went through."
Supervisor: "Did it share anything else?"
Phelps: "No it just stopped talking after that."
Supervisor: "I think we may be working you too hard. Maybe you should take tomorrow off."
Later over the phone.
Supervisor to Schmidt: "We have a leak in our task force. I think Phelps may suspect."
Schmidt: "We must accelerate our plans then. Glass must launch this year!"
Happy Tuesday.
I like the bit about "Glass". Did you see the intro video about it?
And to be honest I'm kind of intrigued just to see how the product will eventually materialize and to see how people actually use it. I'm with most of the nay-sayers in thinking it will be a very niche market of people that ever buy it. But as anyone who wears corrective glasses can tell you, it's a lot harder to walk out the door without your glasses on than it is to walk out the door without your phone. Microsoft has been investigating numerous ways to make screens and circuits bendable, possibly even wearable. I think the concept has promise; I'm just not sure Glass will be the next iPod. I personally love the concept of the Microsoft Surface (rebranded as PixelSense). But it hasn't materialized into a consumer device and with the cost it may never. Glass to me will probably go the same way. I'm still hopeful for both products though.
I fear that all that Bouncer debate leads to some kind of wrong questioning. In my opinion, the first question should be whether to trust Android.
The deep integration of various Google services in this system makes me feel very skeptical about its privacy. My tablet is pretty nice, but even without installing any third party app, data leakage is so obvious that the real question could be: Should we trust Google?!
Don't misunderstand me: I don't think Google peeks on us more than some other. They all do, and they all become greedier on our personal data every day...
Of course, my question should be asked for every operating system, every software, and every service-of-any-kind provider we use, especially if our data could be stored (sometimes without our knowledge or consent) in the cloud.
I do not have answers, but in the meantime I never transfer any personal or sensitive information of any kind on my Android (nor on some other non-Android) devices.
Be a paranoid and your data will not be "gone with the wind"...
We can be as safe and paranoid as we can, but unless you are completely off the grid (no doctor, SSN, credit card, etc.), someone can break into a database somewhere and possibly get your info.
of our personal devices, from hardware manufacture to OS and app software, to the network it runs on there's not really a way to ensure our data remains on the device. From country spying on country to corporation spying on corporation anything could be embedded into the hardware or software. It comes down to trust. Intel has banned the use of siri by employees. Are they being paranoid? Yes but possibly with good reason. It would be a relatively small matter for Apple, Google, or even Microsoft to find someone's cell phone number, identify the actual device, and monitor communications to that phone. I don't think I'm important enough to warrant that amount of attention and for the most part as a consumer I trust that the devices are only being used as advertised. That is possibly naive. But I don't have every box of Cheerios I open analyzed to make sure it's not poisoned or accidentally contaminated either so I guess I like to live on the edge. Eventually it comes down to simple cost to benefit ratios. The benefits of using the device out-weigh the potential costs whether real or imagined. Having a smart phone is just too blasted convenient.
Check out what the hot IT job is now. It's database experts. They glob all the data together and using magical algorithms put two and two together.
I find myself trusting MS more and Apple/Google less and less each day. Redmond probably doesn't deserve it, but they haven't been caught with their hands in the cookie jar lately. Or at least it has not been published lately. This is just a personal perception of mine. No basis in reality, of course.
is that they've made a lot of the mistakes these other companies are now making: Apple with its patent wars, Google with its intrusiveness as two prime examples. Apple and Google will probably mature with time. Of course it could be that Microsoft just got better at hiding its illicit activity but I'm hoping they outgrew it instead. I think the fear with Google may be based mostly on the fact that they have rather spectacularly managed to index the internet. That doesn't necessarily translate into them indexing our data, although it easily could.
All one has to do is try and find something that Microsoft hasn't affected to realize...
and the Justice Department stepped back. When Microsoft wasn't lobbying and they were making $$$ but not giving millions and millions to the Justice Department, they were getting investigated for anti-trust on a monthly basis. Then MS started the PAY OFF to our government thugs and mysteriously they were automagically not in hot water any more, that is, until the European governments found out how much the Microsoft pay off to the US government was.
Now that Microsoft pays off most of the big governments in the world they are once again "compliant" and we haven't heard of many anti-trust suits against MS.
When government gets too big countries and corporations suffer.
EVERY TIME!
Hi Michael,
thanks again for another great article. Most always enjoy your stuff.
Very interesting to see the blending of automated risk flagging with a human review step. Probably the only way to be thorough, though the fact that Android apps can always pull down new code means that if an app developer's update mechanism was compromised, we would be in the doo-doo.
I found the human touch interesting as well. My next thought was how often is it required?
*who* was the other person that they encountered during their research? It wasn't necessarily someone on the Google payroll, it seems to me.