PINDROP BLOG

Google Data Shows Dangers of Third-Party App Stores

TENERIFE–Google’s position in the Internet world is a unique one. In one or another, the company controls or sees much of the traffic on the network and owns one of the larger computing arsenals on the planet. It’s also in control of a decent chunk of the mobile world, thanks to Android’s popularity, and securing that ecosystem is a tremendous challenge in both complexity and scope.

But getting a handle on just how large the Android security challenge is can be difficult. One good window into the issue is to consider that there are about 1.4 billion Android users right now, or roughly the same number as the population of China. Many of those users get all of their apps from the Play store, Google’s official app repository. Google security engineers and executives encourage users to treat Play as their main app store, and with good reason. The company has put a lot of security resources behind and in front of Play, including an app scanner that looks for not just outright malicious apps, but also what Google calls potentially harmful apps.

PHAs are apps that the company finds have potentially harmful behavior, undocumented behavior, or other functions that could harm a user’s device or compromise his privacy. Google scans more than 2 million apps every week, looking for PHAs, Elena Kovakina of Google’s Android security team said in a talk at the Kaspersky Lab Security Analyst Summit here. Much of what the Android security and privacy team do is based on the information they obtain through this scanning process.

“It turns out that using only Play is ten times safer than side loading too.”

“This is a massive data set and we base our security moves on this feedback loop,” Kovakina said.

One of the main threats to the security and integrity of Android devices is sideloading, or installing apps from third-party app stores. This is common practice in many countries, especially China and India, where alternative app stores flourish. The apps in those stores don’t go through the scanning and vetting process that apps in the Play store do, so there’s little in the way of barriers for attackers or shady developers trying to get their apps onto users’ phones.

The sideloading problem is mainly an Android one because of the way Apple has set up its hardware and software ecosystems. The iPhone generally won’t allow users to install apps from anywhere other than the App Store, unless the device is jailbroken. But Android is an open operating system, so users have the ability to install whatever apps they choose, something that makes life much more difficult for folks like Kovakina.

The data Google has collected shows that users who install apps only from the Play store have far fewer PHAs installed on their devices than users who also sideload apps.

“It turns out that using only Play is ten times safer than sideloading too,” Kovakina said.

The countries with the highest usage of third-party apps also tend to have the highest percentage of PHAs on devices, Kovakina said. Iran, India, and Indonesia typically have the highest rates of PHA installation, with about 2%-2.5% of devices having at least one PHA installed, she said.

Image from Flickr stream of C_osett.

Webinar: Call Center Fraud Vectors & Fraudsters Defeated