Editor’s Note: This post first appeared on March 3, 2011 on Josh’s prior blog. It is being restored and re-published here due to its popularity.
If you haven’t heard, there were a couple dozen Android apps pulled from the market in the last 48 hours because, it turns out, they were not legit and contained malware.
That’s great they were pulled, but there are several hundred thousand Android apps out there. It is reasonable to conclude that there are probably more apps out there with malicious intent. If there aren’t now, maybe tomorrow.
Here’s how to protect yourself…
Yes, there are so-called anti-malware tools such as Lookout, which is great, except they don’t prevent problems so much as react to them after the fact. Besides, good security is about defense in depth.
So here’s how to protect yourself. None of these are technical, but more about prudence.
- Try not to be an early adopter of a new app. In the Android Market (and in AppBrain), it is easy to see how many folks have downloaded something. Whether accessing the Market from your phone or from your web browser, there is a counter that provides a range labeled either “downloads” or “installs.” A rough rule of thumb is that if there are fewer than 50,000, then the application hasn’t had a serious looking into. This doesn’t mean that all apps with low download or install counts are bad — many are simply newer or serve smaller niches — but it does mean you should carefully consider other criteria before installing that application.
- Visit the app developer’s web site. If there is one, it is listed in the market entry for the app. Is there even a web site at all? Does it appear reasonable and appropriate for the type of application? Is there a company behind it? If there is just a single developer behind it (which is totally fine and quite common), is that person clearly identified on the web site? Or is the developer missing in action?
- Look at the app’s ratings and in-market reviews. While it is quite possible for well-rated apps to be malicious, it is less likely. Don’t consider an application safe or dangerous on this criterion alone, but consider it another indicator when combined with other items on this list.
- Who is listed as the publisher/developer? If it is a well-known application, does the developer name make sense? Does it match the name mentioned on the developer web site?
- Check the “Permissions” of the app _before_ installing it. Is the application asking for reasonable permissions? For example, if you install the Metal Detector app, it is a decent sign that it isn’t asking for Internet access (which would be unnecessary for its purposes). Permissions are easily confirmed on the web (via the official Market and AppBrain.com) prior to attempting to install. Unfortunately the official Market app on the phone itself only displays this information after starting the installation process (though it is still before actual installation takes place, so you get the opportunity to review and change your mind). The AppBrain app on the phone does list the permissions at the end of the description itself, which is one reason I suggest installing the AppBrain app.
- Use AppBrain.com and/or install AppBrain on your phone. The web site in particular makes it easy to track down similar apps. Poke around a bit at similar applications. If you see two apps with the same descriptions and/or screenshots, but from different developers, this is a red flag. The recent (3/1) malware discoveries were in apps that were copies of legit apps. The screenshots were even the same.
- Does the description of the application include a list of “Recent changes,” also known as a “changelog”? This is a good sign that there is a legit developer who cares behind the app.
- Can you find a review on a widely recognized blog or web site? (Hint: a site with a large, active community and regularly published new, original, quality content.)
- Don’t install an app the first time you see it. Make a note of it and come back to it in a few weeks (if it’s no longer there, be happy you waited).
- Uninstall apps that you decide not to continue using and that you find yourself no longer using. You can always re-install them later. The fewer apps left around on your phone, the less you have to keep track of.
- If it is an option, ask your friendly Android “geek” to give the app you are looking at a “sniff test.”
- Finally, back up the critical data on your phone. This is a good idea anyway, in case your phone dies, gets lost, or is stolen. If you suspect your phone has been compromised, change all of your passwords, not just the one for your email. After all, you’ve probably accessed other services, apps, and web sites, with usernames and passwords associated with them, from your phone.
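The two checks above that can be done mechanically are the permissions review and the duplicate-listing check. Here is an added example, not code from the original post, that does both: it reads the `uses-permission` entries from a constructed `AndroidManifest.xml` for a hypothetical metal-detector app and flags anything outside the permissions such an app should need, then groups a constructed set of Market listings by normalized description and flags groups whose members come from different developers.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical metal-detector app (not a real app).
# A magnetic-sensor app has no need for INTERNET or READ_PHONE_STATE.
METAL_DETECTOR_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.metaldetector">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return the sorted list of permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))

def unexpected_permissions(manifest_xml, expected):
    """Permissions requested but not in the set the app's purpose justifies."""
    return [p for p in declared_permissions(manifest_xml) if p not in expected]

# Constructed Market listings: the second is a near-verbatim copy of the first
# under a different developer name, the pattern the 3/1 malware apps showed.
LISTINGS = [
    {"name": "Metal Detector", "developer": "Example Dev A",
     "description": "Turn your phone into a metal detector using the magnetic sensor."},
    {"name": "Metal Detector Pro", "developer": "Example Dev B",
     "description": "Turn your phone into a  metal detector using the magnetic sensor!"},
    {"name": "Compass", "developer": "Example Dev C",
     "description": "A simple compass."},
]

def normalize(text):
    """Lowercase and collapse punctuation/whitespace so trivial edits still match."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def duplicate_listings(listings):
    """Groups of app names sharing a description but not a developer."""
    by_text = defaultdict(list)
    for app in listings:
        by_text[normalize(app["description"])].append(app)
    flagged = []
    for group in by_text.values():
        if len({a["developer"] for a in group}) > 1:
            flagged.append(sorted(a["name"] for a in group))
    return flagged
```

Run it against the constructed data and the metal-detector manifest reports INTERNET and READ_PHONE_STATE as unjustified, while the listing check flags the two “Metal Detector” entries as a clone pair.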
An important thing to remember is that none of the above is a guarantee that an app is good or bad. They simply, when considered in combination, make it more likely that you’ll avoid installing something malicious. Technically speaking, even an otherwise trusted application from a trustworthy source could contain malicious application code.
Security is not absolute. It is a process, not an event. Despite technology such as anti-virus scanners, you can’t simply install a “silver bullet” solution and forget about it. More than anything, security is about diligence, verification, and treading carefully. Even with technology, it still comes down to us humans choosing to take responsibility for protecting ourselves.
I hope you found this helpful.