Google’s Bouncer announcement last week marks a big change for the company, which took a notoriously hands-off approach to Android app security in the Android Market. Google’s anything-goes market was the major drawback to having an “open” mobile OS, and it allowed malware and spyware to pose as legitimate apps.
Bouncer scans each new app for spyware and other malicious code. Then it simulates how the program would run on an Android device to detect malicious behaviors. Finally, if and when a new type of malware is discovered, Google goes back and rescans all of the apps in the market.
“It's fair to say that Google’s iterative approach is at least as thorough now as [Apple’s and Microsoft’s],” said Alan Pelze-Sharp, an analyst for the Real Story Group, a buyer's advocate for enterprise IT in Olney, Md.
Bouncer is a step in the right direction, but the common refrain from IT pros is that Bouncer adds a nice additional layer of security -- and not much else. It certainly is not a reason to become lax on mobile device management and other security protocols.
Malware on a mobile device can cause serious damage to enterprises, because it can act as a back door to the corporate network. That access can lead to compromised network systems, allow cybercriminals to steal confidential data, and cost businesses a significant amount of money to recover from an attack.
Android app security in the Android Market
Apple, Microsoft and Google all take different approaches to securing their apps.
One way to look at the differences in approaches to app security is to think of it as a farmer’s market, said Andre Preoteasa, director of IT for Castle Brands Inc., an alcohol distribution company in New York.
“The Apple market verifies the food before it comes in,” he said. “This imposes a burden on the farmer, but gives the customer assurance the food is good. The Microsoft market has a regulator that scans the food right before you purchase it, for every single item. The Google market allowed you to buy the food in a laissez-faire style, except if the food has issues, you find out afterward.”
With Bouncer, Preoteasa said, Google is at least preventing the rotten food from being sold at market, and that can only be considered a good thing for IT admins and end users.
Lookout, Inc., a security research firm based in San Francisco, published a report last December estimating that more than $1 million had been stolen from Android users in 2011 as a result of malicious software downloads.
"While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from the Android Market -- and we know the rate is declining significantly," wrote Hiroshi Lockheimer, a vice president of engineering at Google's Android unit, in a recent blog post.
Lockheimer wrote that avoiding a manual approval process is very important to Google, but that shouldn’t mean sacrificing Android app security. Further, he claimed Google has experienced a 40% decrease in malicious app downloads since Bouncer began patrolling the Android Market.
Android users should still be cautious about Android app security, because they can download apps that contain no malicious code themselves but act as Android Trojan horses.
RootSmart is a prime example of this. The app doesn’t contain malicious code and could pass Bouncer inspection, say industry watchers. Once the user installs the app on his or her device, the app can install malware. RootSmart hasn’t been spotted in the official Android Market, but users who install apps from other sources need to be aware of this risk when downloading apps to their devices.
Besides utilizing the Bouncer program, Google also made security improvements to Android enterprise features with the release of Android 4.0 Ice Cream Sandwich. Among the new security features are full-device encryption, a VPN application programming interface, face-recognition security and new memory technology.
According to Android Developer, however, Android 4.0 is only running on 1% of Android devices. By comparison, nearly 60% of Android devices are still using version 2.3.