Android app security important: Say Google Engineers

Android is the prime target for mobile malware. During a session about Android security and privacy at the close of Google I/O on Friday afternoon, Android security engineer Jon Larimer attributed the security gap to “the fundamental lack of transparency.”

“People are getting more and more distrustful of apps that ask for access to their personal data without any clear reason on what you’re planning to use it for,” Larimer added. “Mobile devices are very powerful now, but they’re also a treasure trove of very private personal data on the phone’s owner.”

Larimer instructed the few hundred developers attending that particular seminar that apps need to “respect the data” on Android devices, reminding them that people actually don’t generally like giving out personal details to strangers. That concept shouldn’t be any different on mobile devices.

“When a user allows your app to access some aspect of their phone, they’re trusting you with it,” Larimer asserted.

Some of the potential culprits behind mobile attacks include “unscrupulous marketers” who want to mine mobile devices for data, and Black Hat spammers who will pay big bucks for collections of detailed personal data. Larimer explained that a user’s phone number and email address could be harvested for spam, as well as the people on their contact lists.

In fact, Larimer argued that every single component of an app can expose data if you aren’t taking the necessary precautions, whether it’s the log file, the settings file, the web service, or the data being transmitted over the network. Then again, developers have a lot more to worry about than just the apps they develop, such as insecure wireless networks and cases of lost and stolen devices.

Larimer also pointed out that if your app requests permissions, a security vulnerability in your app can grant other apps access to the protected data or component without permission. Just as when it comes to users protecting their own security, developers can implement a few simple methods that could work security wonders.

“It’s often easier to write a secure app in Android than it is to write an insecure app,” Larimer posited.

For instance, Google engineers advised uploading a privacy policy for an app that lets users know what you’re going to do with their data.

“It should spell out exactly what data you collect. And I really mean exactly,” Larimer said. He also cited maintaining developer account security, so other people don’t publish apps for you, and using Google Authenticator for two-factor authentication.

Android software engineer Kenny Root also cited using an Application Signing Key, which works exactly as described: a unique key that unlocks a designated app.

(source: http://packetstormsecurity.org/news/view/21186/Google-Stresses-Importance-Of-Android-App-Security-At-I-O.html)
