Google Play changes bring cautious optimism on Android security
Making app updates available only via the store will improve security on Google's mobile platform, but experts are not sure how much
By Antone Gonsalves
May 01, 2013 — CSO — Google's decision to have Android apps on Google Play updated only through the online store will likely improve security on the mobile platform, but by how much remains to be seen, experts say.
Google recently changed its Play Developer Program Policies to say, "an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism." The APK, or Android application package file, is the format used to distribute and install apps onto the operating system.
The move makes it much more difficult to turn a benign app into a malicious one once it leaves Google Play. When apps could be updated through a third-party server, unscrupulous developers could install malware or have the upgrade gather more personal data than the previous version.
"Security-wise, this is definitely a good move," said Xuxian Jiang, a mobile security researcher at North Carolina State University.
How much more security the policy change brings will depend on the technology Google uses to authenticate updates. Best practices would have every app and update with a digital certificate that would tell the Android operating system that the code is from Play.
Apple uses certificates to authenticate iPhone and iPad apps and upgrades, which are only available through the company's App Store.
Managing the certificates will add costs to the running of Google Play, but anything less would just make it easier for hackers to trick the operating system, said Kurt Stammberger, vice president for market development at Mocana and a certified information systems security professional.
[Slide show: 10 tips for Android security]
"Google will have to maintain a relatively robust and complex certificate infrastructure, and that's not easy or cheap," he said.
Until Google says how it will authenticate updates, no one outside the company can know how significant the change is from a security perspective, Stammberger said. "The devil is in the details."
Having updates signed by Google Play would make it much more difficult for someone to download an app from the store, reverse engineer it to create a malware-carrying counterfeit and then resell it on another store, said Guntner Ollmann, chief technology officer for IOActive.
The one downside of having everything coming from Google Play is the potential delay in getting an emergency patch to fix a security flaw, Ollmann said. Nevertheless, the positives outweigh any negatives from the new policy.
Android is the No. 1 target for cybercriminals, who distributed malware through forums or rogue app stores, particularly in Asia and the Russian Republic. Recently, security researchers discovered bogus email with links to the Stels Android Trojan being distributed through the Cutwail botnet, the world's largest for distributing spam and malware to Windows PCs.
Most of Android's security problems stem from Google allowing anyone to create their own store for providing apps. "While they are taking a hard stance by not allowing updates outside of Google Play, it really doesn't change the fact that anyone can provide a self-signed certificate for apps they develop, place them on third-party stores and cause just as much havoc," said Daniel Ford, chief security officer for Fixmo.
Until that problem is addressed, Android will remain more vulnerable than Apple's competing iOS plaform. "While this is a step in the right direction, as long as users can download Android apps from unmanaged sources, Android malware will continue to proliferate," said Stacy Crook, an analyst for IDC.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.