I just purchased a smart phone running Android last week, so of course I’ve been eagerly running through Google Play (the Android app store) every evening, looking for apps I never even knew I needed. Just. One. More.
As of writing this, there are nearly 1.4 million apps in Google Play, and it grows every day. Google’s hosting them, so they must be safe, right?
The general rule I follow is to assume any app could be malicious, then try to prove that it’s unlikely.
Here are a few things you might consider before hitting that install button.
Do you trust the download site?
Stick with well-known stores. That means Google Play (or the Apple Store, Microsoft Store, etc). If you find a collection at a site you’ve never heard of, or a one-off app on a random website, is it a place/person you trust?
For example, the Google Play Developer Distribution Agreement reserves the right to monitor and remove malicious or otherwise harmful products from its store:
7.2 Google Takedowns. While Google does not undertake an obligation to monitor the Products or their content, if Google is notified by you or otherwise becomes aware and determines in its sole discretion that a Product or any portion thereof or your Brand Features . . . is deemed by Google to have a virus or is deemed to be malware, spyware or have an adverse impact on Google’s or an Authorized Carrier’s network . . . Google may remove the Product from the Store or reclassify the Product at its sole discretion. . . . If your Product contains elements that could cause serious harm to user devices or data, Google may at its discretion disable the Product or remove it from devices on which it has been installed.
Unfortunately, there’s no indication how proactive they are, if at all. Any automatic scans they might perform on their million+ apps rely on heuristics, which might result in false negatives, and stuff may (and sometimes does) slip through. Sometimes, quantity over quality is even encouraged in online stores, to the detriment of users. Assume apps could contain malware – guilty until proven innocent.
Do you have the default security options enabled?
Google prevents malicious apps from being installed on your Android device via Google Play, by scanning apps as you install them.
To protect you against the effects of malicious third party software, if you download and attempt to install an Android app onto a Device, the Device may send information about the app and its source to Google. Google will use the information to compare against a database of known malware to determine if the app is harmful or likely to be unsafe. Google may warn you if it considers the app to be unsafe, or block its installation on your device if it is known to Google to be harmful to devices, data or users.
That’s some interesting phrasing. There’s no mention of apps being clean in the store – rather, they’re apparently scanned by every device that chooses to install them. Does that seem odd to anyone else?
Check these settings, which should be set by default:
- Enable malware protection in Android (Settings » Security » Verify apps), keeping in mind that scanners can occasionally report false negatives (aka they don’t catch everything), especially with a brand new vulnerability.
- While you’re at, disable unknown sources (Settings » Security » Unknown sources), to prevent apps from being installed from sources other than Google Play (you can always enable it, if you find an app elsewhere that you want to install, then disable it again).
What are you granting access to?
In an effort at being more transparent, many devices and programs provide a set of permissions, from which anyone creating an app must select what their app requires. That is then reported to the user prior to installation, to give them a heads-up.
Unfortunately, Android’s permissions are broad and poorly phrased. Still, when you review the list of permissions, ask yourself, “Considering what this app does, are these permissions reasonable?”
Example: Sonic Dash
Here’s an Android app with good reviews, but the list of permissions should raise some flags. There could be legitimate uses for all of these, but this is pretty clearly an app that’s trying to do too much. Why do they want my location? My app history? My device ID?? The reasons could include tagging high-scores with location, and taking some action (like pausing the game) when there’s an incoming call. Or not… it’s difficult to tell.
Example: Crosswords Lite
Alternatively, here’s one that doesn’t request a darn thing.
I’m far more confident that the second app is not overstepping its bounds.
Example: Trello API
Ideally, it’d be nice to if Google fixed their list of permissions, to make them more granular and user-friendly to read.
For example, when a service integrates with the Trello API (in this case, a Chrome extension called “Boards for Trello”), we get to see exactly what the app needs, and even what it will not have access to.
- Read all boards? Makes sense. It provides a drop-down with your boards, from which you can quickly select and open one in a new tab using the standard Trello interface.
- I wouldn’t expect it to create/update cards or use any other of my personal account info, and it explicitly states that it cannot. That’s great.
What are others saying in the reviews?
Always look at reviews (and the number of reviewers) and the average rating. Even a cursory glance may warn you about any issues.
Here’s a poor app that never should have made it into the store, and certainly shouldn’t still be in there. It apparently doesn’t work, and may even be malicious (there’s no reason to be asking for passwords).
Why are you being asked for a password?
Extensions may need to integrate with other services or websites. The accepted, secure way of doing this has been authentication through APIs. The app should request whatever access it needs from the site it’s trying to connect to, and then that site should prompt you to login and grant access to the original app.
If an app asks you to enter your user name and password directly into it (such as in the bookmarks app above), that’s a HUGE warning beacon. If it’s not malicious, then it’s just plain lazy programming. Any site worth their salt will provide an API to connect to for such purposes. I read about one site at least, Pinboard.in (a bookmark manager) that’s actively blocking third-party sites from submitting user’s passwords.
No way should you allow third-parties to have your password just for the purpose of passing it along to another service. At worst, they could log it and do whatever they want on your behalf. It’s completely insecure. Such was the case with a trojan Netflix app several years ago, which tricked users into entering their credentials.
Are issues being actively addressed by the author?
Check to see if the store displays reported issues and how many were addressed. If there are a high number of issues and nothing seems to be getting done, it may be an abandoned project. At the very least, there may be security issues in the app that are being reported and ignored.
You may have to dig a little deeper and visit the author’s website. You can find that information near the bottom of the page in the Android store. Do they have a way to submit bug reports, or to request support?
How is the author recouping costs?
Developers don’t mind making a few bucks off an app. And if it’s a good app you find useful, then they absolutely deserve it! An app that requires external resources, like a server to store information on, can actually cost the developer quite a lot of money.
How is that money being recouped? Are there in-app ads providing revenue (very common)? Are there in-app purchases to buy (also common, esp in games), or a “paid” or “full” version with extra features?
If an app has no ads, no in-app upgrades, no paid version, nothing obvious that helps the author recoup costs – especially if it requires access to every permission available – watch out. It could just be a generous individual who loves giving away freebies, but like the saying goes, “If you’re not paying for it, you’re not the customer. You’re the product being sold.”