Google Pressured 90,000 Android Developers Over Insecure Apps (pcworld.com) 50
An anonymous reader quotes PCWorld:
Over the past two years, Google has pressured developers to patch security issues in more than 275,000 Android apps hosted on its official app store. In many cases this was done under the threat of blocking future updates to the insecure apps...
In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.
100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
In the early days of the App Security Improvement program, developers only received notifications, but were under no pressure to do anything. That changed in 2015 when Google expanded the types of issues it scanned for and also started enforcing deadlines for fixing many of them... Google added checks for six new vulnerabilities in 2015, all of them with a patching deadline, and 17 in 2016, 12 of which had a time limit for fixes. These issues ranged from security flaws in third-party libraries, development frameworks and advertising SDKs to insecure implementations of Android Java classes and interfaces.
100,000 applications had been patched by April of 2016, but that number tripled over the next nine months, with 90,000 developers fixing flaws in over 275,000 apps.
Why is this a problem? (Score:5, Insightful)
This write-up sounds awfully negative, but if your software is so bad that it can be auto detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.
Re: (Score:1)
Re: (Score:1)
No. Fake news is news that's been deliberately fabricated, often to make its purveyors money, and doesn't attempt to relate to the truth. For instance, "child sex ring in some Washington pizza shop" - there's just no relationship to the truth and whatever their reasons for publishing such nonsense, it wasn't an attempt to inform anyone of anything that could plausibly have been said to have been real. Real news may be inaccurate or flat-out wrong, but real news is intended to be based on some sort of truth.
Re: Why is this a problem? (Score:1)
Re: (Score:2)
To be clear about how tinfoil hat this is, the "code word" for the pizza show owner was "pizza" which seems like a word that, I don't know, a pizza shop owner might just want to use for their routine business.
Re: (Score:2)
If "software, according to some lame heuristic, shows a typical sign of being bad", more likely. "Hey look, this guy is using sprintf! Some people use it wrong, so surely it means he must also be using it wrong, thus his software is bad! Fix it, or else!"
Re: (Score:2)
This write-up sounds awfully negative, but if your software is so bad that it can be auto detected to be insecure, you belong in the penalty box until you make it right. Be respectful of users' data.
It's a "bad thing" because a large corporation was able to exert influence over a bunch of third-party developers on a supposedly Open mobile operating system platform. Much like Apple reviews apps and can take action against developers that are breaking rules, Google is showing they can too. So, even though the actions had a positive impact for users and the overall Android platform, it's not good because "EvilCorp can control me". The fact this is Google's Play Store has no bearing on the legitimacy of th
Re: (Score:3, Insightful)
Google has always exerted influence over developers that use the Play Store. Why do you act like this is new? Android may be "open" but the Play Store is not and never has been.
Re: (Score:2)
The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code. It seems unlikely Google would have started to impose deadlines if a significant number of developers weren't simply ignoring those security alerts. The program was originally started with no action required on the part of developers. Obviously, that didn't work out so well.
I see nothing wrong with Google requiring a minimal effort to maintain security if developers wish to be listed
Re: (Score:2)
The only "bad thing" here is that some developer can't even be bothered to patch known security issues out of their code
Oh, I don't disagree. I was replying to the parent's puzzlement as to why the article has a negative tone, that's what I meant by "at least that's the only thing I can take away from this" since I had to search for that reasoning someone might have. Because otherwise I don't see anything wrong here.
Re: (Score:2)
Ah, I see. Re-reading again, the last sentence makes that more obvious.
I'm wondering now if the negative tone was actually intentional or not, because TFA sounds a bit more neutral. I think much of it comes from the word "pressured" in the headline (which the article doesn't use). It makes it sound as though Google is sending goons to app developers' homes to... "encourage" them to upgrade their libraries.
"That's a lovely app you have there. It would be a real shame if something were to happen to it."
Re: (Score:2)
Get thee to Unknown sources.
Re: (Score:2)
Let me make it more explicit:
Pay for a domain, web hosting, and advertising. Obtain a TLS certificate for your domain through the Let's Encrypt button of your web host's control panel. Offer your application as a self-signed apk file for download through your website, along with instructions for users to enable Unknown sources or use adb install to add the application to a device.
Google takes security seriously (Score:1)
I've worked at Google and at two security companies and Google is the only company I know that actually takes software security seriously. In the 'security' companies security is pure theater, they do have security teams but their powers are on paper only, in practice they are merely seen as little annoyance by the development teams. The security teams mostly go with whatever you tell them, and even if they know that the reports you are filing are omitting issues they have to take it at face value. It is ev
I fixed mine by removing google ads... (Score:1)
... which quietly adds more permissions yhat most apps will ever need
Misused access rights (Score:2, Interesting)
All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.
Why the apps are lying they need global files access to only store their own data? I have found in some Android SDK doc they can store their own data even without global files access.
Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions the
Re: (Score:1)
And access to your camera, microphone, picture gallery and location. There is no way every app needs these permissions. If Google is really serious about security, they will only allow apps to require these types of permissions under very strict protocols.
Re: (Score:1)
disk?
Re: (Score:1)
To be fair, they attempted to fix this in Android Marshmallow, now apps can be fine-grained in their permission requests, such as only requesting camera access if some rarely-used camera-based feature is requested by the user.
But a lot of apps just don't bother with that, and either still use the old permission model, requesting permissions when installing, or request all permissions at startup and refuse to run otherwise.
Re: (Score:2)
THIS is what Google should be enforcing.
Otherwise it's blatant phishing,
Re: (Score:2)
That's because not many phones are on Marshmallow yet. As of now, just over 30% of pho
Re: (Score:2)
They're asking about access to the external sdcard (not root access to the entire phone).
Because while every app has access to internal memory, if the app deals with any large amount of data like pictures, videos, mp3s, or games with lots of graphics, it could easily fill up all the internal memory on your phone.
Re: (Score:2)
All the apps require all the rights. If I do not give them the permissions they won't run. So I have no choice, I have no security then and I cannot store any valuable data on the phone.
Why the apps are lying they need global files access to only store their own data? I have found in some Android SDK doc they can store their own data even without global files access.
Other apps could provide functionality without that specific feature but they refuse to run at all unless they get all the permissions they ask for.
Even opening local files could be done safely by an Android-provided dialog box, without giving uncontrolled permissions to the whole disk.
Apps used to need full access to the sd card to write any files there, and it's relatively recent that they don't have to. Mostly it is lazy /ignorant developers. You should probably not use apps that require this.
And you really shouldn't use the accusation "lying" unless you're pretty sure it's deliberate and malicious.
Not a bad thing.... (Score:1)
Pressured? Or strongly encouraged? To make their apps more secure. To protect customers, Why is this bad?