01
Nov

We knew that Android 4.2 would introduce new security features both on your device and in the Play Store, but Computerworld got a chance to speak with Android's VP of Engineering, Hiroshi Lockheimer, about the platform's beefed-up security measures, specifically Android's new real-time app scanning utility.

The scanner builds on the Play Store's existing security features by bringing app scanning to the front end, checking incoming apps from third-party sources (including apps like Amazon's App Store).

The service is of course "opt-in" – when you first install a third-party app on your device, you'll see a friendly popup asking if you'd like Google to check all your incoming apps for "harmful behavior." The decision to include this feature, according to Lockheimer, came down to the idea that "security [is] a universal thing. Assuming the user wants this additional insurance policy, we felt like we shouldn't exclude one source over another."


What's impressive about this service is the speed and efficiency with which it operates. As Lockheimer indicated, every sideloaded app triggers the service, which sends identifying information about the app to Google, where it is checked against a list of known apps. How is this list compiled? Lockheimer explains:

"We have a catalog of 700,000 applications in the Play Store, and beyond that, we're always scanning stuff on the Web in terms of APKs that are appearing. We have a pretty good understanding of the app ecosystem now, whether something's in the Play Store or not."

Most of the time – if the app you're installing is identified as safe – you'll never notice the service exists. Lockheimer adds, "the server does all the hard work. The device sends only a signature of the APK so that the server can identify it rapidly." Only if you encounter an unsafe app will your installation be interrupted.

Additionally, as Computerworld notes, Android 4.2 has a refreshed app installation screen with lighter typefaces and helpful heuristic icons.


Of course, all of this comes on top of Android 4.2's SELinux, Always-On VPN, and Premium SMS confirmation that Ron dug into in his teardown last month.

For Computerworld's full story, hit the link below.

Source: Computerworld Blogs

Liam Spradlin
Liam loves Android, design, user experience, and travel. He doesn't love ill-proportioned letter forms, advertisements made entirely of stock photography, and writing biographical snippets.

  • Navjot

    Hopefully this opens up more opportunities for Android in enterprise settings.

  • Caldera

    Hopefully they'll offer this security as a standalone app for people stuck on 4.0 or 4.1

    • Stephen Burgess

      Nobody is "stuck" on any version of Android; even the worst phones on the market have ports of CM10 available. Anybody who considers themselves stuck deserves to be left behind.

      • Vito Cassisi

        This couldn't be further from the truth. Not even flagship devices have bug free ports. Relying on custom ROMs is not ideal.

        • Brian G.

          CyanogenMod actually fixes bugs in the Android source code.

          • edzuslv

            actually in cm you have some problems with gps, wifi, etc too. :)

          • Mike Brown

            Guys... Chill.

            Android has a few kinks... move on.

      • raazman

        No android left behind? Make it a law.

      • Caldera

        Well Stephen, my parents wouldn't want me tampering with their phones and voiding their warranty, so it would be nice if the security features could be ported to 4.0+ phones at least.

        • Noel Barcellos

          You would not be voiding their warranty... and what is this stupid trend that parents have to be tech dumb.

      • squiddy20

        And what about the thousands, if not millions, of people who don't even WANT to bother with root? What about those who aren't computer savvy? What about the people who don't want to have to learn even the basics, like what root, a custom kernel, or a ROM is? How many people even know what .zip is? Do they "deserve" to be left behind too?

        That's got to be one of the most childish views I've ever heard. There's plenty of phones that lots of people are using that DON'T have a bug free ICS port. Heck, just a year ago, I had a Samsung Moment. Despite an active dev community at SDX, it was "stuck" on 2.2.2 (ported from other phones), even though 2.3 had been around for upwards of 6 months. You can't say crap about "nobody is 'stuck'".

          • Noel Barcellos

          If you do not want to bother with root and you complain about being stuck on an older version then you sir/ma'am should have bought a Nexus device. End of story. If it was before Nexus devices came out you sir/ma'am have a super old phone. Remember you should only complain when your options are taken away, not when you make the wrong (the cheap) decision and have to deal with it.

          • squiddy20

            1. So regular old Joes can't complain because they A) didn't buy a Nexus (which they might not even know or care about), B) don't want to or can't bother with root, a process that voids your warranty, and if you don't know what you're doing, could very well screw up your phone? That's just dumb. What you're proposing is the same as if I went to a car dealership complaining about engine noise, but then was told to stop complaining because I know nothing about engines. What kind of logic is that?
            2. What if a person WANTS Touchwiz or Sense or some other manufacturer's UI? In "your world", are they not allowed to complain? Sure they have root available, but I'll refer you back to point #1B.
            3. You've failed to see the point I was trying to make in the bit about my "super old phone". It was left by carrier/manufacturer on 2.1. Devs ported 2.2.2 to the phone from other phones. It still, to this day, doesn't have a fully functional Gingerbread port, let alone ICS. Root doesn't guarantee updates.
            4. You've also failed to answer a few of my questions. What if a person complaining about lack of updates isn't computer savvy? What if they don't know what a ROM or .zip is but lead a life buried in work, school, kids, etc? Additionally, you talk of making the "wrong (cheap) decision", but what if that's the only option available to them? Do you not realize that there are Android phones being offered by carriers for FREE? How do you expect the not-so-well-off person to afford a $200 or more phone? Good god you are ignorant of the world around you.

          • Bill Brasky

            This is why I got a Nexus phone.

      • Justin Swanson

        You are forgetting all of the devices that are made for specific countries/carriers that don't fit into the CM paradigm. I don't have anything against any custom ROMers but they aren't universal to all phones. I live in Korea and almost all (if not all) phones here are built custom for the country because of DMB (tv OTA service). Therefore CM doesn't work on any of those phones. I believe Japan is very similar in that they are very specific about the phones and the hardware, which turns it into a different model and voids any hope of running most custom ROMs.

      • hot_spare

        Wrong.

  • Deltaechoe

    oooo, more new android stuff to dive into

  • kelly mullenax

    I agree no Android left behind... but some features are just too much for older phones' specs.... Android is still a young company still has some basics to get down to... I'm rooted on my GS3 have had several phones. Gingerbread has the market share and key features should keep getting upgraded for that version and not be left behind.. as a normal user not depending on rooted phones with custom ROMs and kernels.

  • Joseph Lee

    I hope this cuts down on the Norton/McAfee fear mongering

    • Mike Brown

      No, they need the fear to sell their product. Now WE can let our friends and family know that Android is a safer platform.

  • oohoooh

    You can't go wrong in security with a guy with 'Lock' in his name

    • Simon Belmont

      I know a guy that brews beer for a living. His name is Bud Weiser.

      I'm not even making this up. Perfect name for the job and a great conversation starter.

      • oohoooh

        I suppose his son is called Bud Light

        • Simon Belmont

          Haha. I dunno about that.

          That'd be pretty funny though. Good one.

  • GazaIan

    Man I love AndroidPolice

    • Mike Brown

      Preaching to the choir!

  • sam

    I wanna know if app encryption is enabled on 4.2, as they disabled it shortly after 4.1 launched due to it being buggy.

    • Mike Brown

      Here's hoping that the kinks are being worked out.

  • Amer Khaznadar

    What would happen if the device wasn't connected to the internet at the time of installing an APK? Also, I can't help but wonder how this service will handle cracked apps.

    • Mike Brown

      When is your phone not able to connect... we have wifi and 3G all over. Not being connected is a minority issue.

      • Amer Khaznadar

        Minority or not, it is still an issue. Not all Androids (whether phones or, more importantly, tablets) are connected at all times, so I believe that it is a fair question to ask how that scenario would be handled.

        • Jei Arc

          That is a very specific scenario. I would think if you are installing via Play Store or sideloading there would at least be a wifi, unless you disable wifi and then try to sideload :S or disable both wifi and wireless and then try to sideload!! :S I agree with Mike, it would be a real weird scenario.

          • Noel Barcellos

          This is how I look at it. Most things that are going to cause harm need to have the internet to do the harm, unless on your device it's collecting a whole bunch of whatever but not sending it to someone. When you finally connect, this is when the stuff would happen.. which is why before you go online with an unknown application installed you should scan it. Just relaunch the installation APK and it should check it.

    • John O’Connor

      I can't imagine a situation other than sideloading where you wouldn't have some type of internet connection. Obviously an app has to be downloaded from somewhere to install.. I don't know too many, if any, people that carry a USB dongle and memory card full of APK files.

      • Guest

        Yea sometimes I'm on the phone and I want to take a picture.. we all deal with that.

  • Albin Hermansson

    So... will cracked apps still work? Or is this the end of piracy? Hope so!

    • Noel Barcellos

      They should, as they just have code removed or redirected. This checks if apps have extra privileges and what not. It's different but I do not want to have to type too much so this is my explanation.. enjoy.

  • Matt

    Sounds good but I'll stick with avast!, I think it is reliable plus I like the built-in firewall. It isn't needed, but helps me sleep like a baby.

  • franciscoprofesor informatica

    72% of all Android apps on Google Play access permissions they shouldn’t

    https://www.bit9.com//files/1/Pausing-Google-Play-October2012.pdf

    • Google_is_the_Higgs_Boson

      I'm not sure if that's true. I know what you're talking about tho... I've come across some apps that wanted access to things I have no idea why it would need it... It might have to do with certain features we have no idea the app has... Or features being under certain permissions... I've built a couple apps, but I haven't come across any permissions that seemed weird... You can look me up in Google Play, under "kodiak 211" if you want...

  • toby

    Holy christ! A Japanese German! Can you say "best engineer ever"?
