Google Play changes bring cautious optimism on Android security

Google's decision to have Android apps on Google Play updated only through the online store will likely improve security on the mobile platform, but by how much remains to be seen, experts say.

Google recently changed its Play Developer Program Policies to say, "an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." The APK, or Android application package file, is the format used to distribute and install apps onto the operating system.

The move makes it much more difficult to turn a benign app into a malicious one once it leaves Google Play. When apps could be updated through a third-party server, unscrupulous developers could install malware or have the upgrade gather more personal data than the previous version.

"Security-wise, this is definitely a good move," said Xuxian Jiang, a mobile security researcher at North Carolina State University.

How much more security the policy change brings will depend on the technology Google uses to authenticate updates. Best practice would be for every app and update to carry a digital certificate that tells the Android operating system the code is from Play.

Apple uses certificates to authenticate iPhone and iPad apps and upgrades, which are only available through the company's App Store.

Managing the certificates will add costs to the running of Google Play, but anything less would just make it easier for hackers to trick the operating system, said Kurt Stammberger, vice president for market development at Mocana and a certified information systems security professional.


"Google will have to maintain a relatively robust and complex certificate infrastructure, and that's not easy or cheap," he said.

Until Google says how it will authenticate updates, no one outside the company can know how significant the change is from a security perspective, Stammberger said. "The devil is in the details."

Having updates signed by Google Play would make it much more difficult for someone to download an app from the store, reverse engineer it to create a malware-carrying counterfeit and then resell it on another store, said Gunter Ollmann, chief technology officer for IOActive.

The one downside of having everything coming from Google Play is the potential delay in getting an emergency patch to fix a security flaw, Ollmann said. Nevertheless, the positives outweigh any negatives from the new policy.

Android is the No. 1 target for cybercriminals, who distribute malware through forums or rogue app stores, particularly in Asia and the Russian Republic. Recently, security researchers discovered bogus email with links to the Stels Android Trojan being distributed through the Cutwail botnet, the world's largest for distributing spam and malware to Windows PCs.

Most of Android's security problems stem from Google allowing anyone to create their own store for providing apps. "While they are taking a hard stance by not allowing updates outside of Google Play, it really doesn't change the fact that anyone can provide a self-signed certificate for apps they develop, place them on third-party stores and cause just as much havoc," said Daniel Ford, chief security officer for Fixmo.

Until that problem is addressed, Android will remain more vulnerable than Apple's competing iOS platform. "While this is a step in the right direction, as long as users can download Android apps from unmanaged sources, Android malware will continue to proliferate," said Stacy Crook, an analyst for IDC.


Stories by Antone Gonsalves
