International Trade Today is a service of Warren Communications News.
Amazon’s Alternative

Lawmakers Silent on Android App Security as Google Mulls Solutions

Members of Congress won’t weigh in on Android application security concerns, which mobile security experts say is just as well. Lawmakers familiar with mobile security issues said they haven’t fully studied the topic and aren’t considering regulation of the Android Market. Android app security remains elusive, despite Amazon’s screening efforts for its new Appstore, security experts said.


Relevant committee and subcommittee leaders aren’t considering matters specifically involving Android, said representatives of their offices. Those include Sens. Al Franken, D-Minn., and Herb Kohl, D-Wis., chairmen of the Senate Privacy and Antitrust subcommittees, and House Commerce Committee Chairman Fred Upton, R-Mich. Congress hasn’t ignored the problems created by unsavory mobile applications, particularly those that help subvert law enforcement efforts. Senate Democratic leaders on Tuesday urged smartphone makers to block applications that help drunk drivers evade police. (See the separate report in this issue.)

Google said it removed more than 50 applications from the Android Market this month because they contained malware that affected users’ phones. The malware might gain access to device-specific information and unique mobile identifiers known as International Mobile Equipment Identity (IMEI), said Vikram Thakur, a security manager at Symantec. This is not the first time Google has stepped in to curb malicious applications in the Android Market. The Geinimi Trojan virus, which affected Android users late last year, opened a back door to phones and remotely transmitted information about contacts and location. Google used a remote application-removal feature to clear devices.

A Google spokesman said the company will introduce “a number of measures” to prevent malicious applications and is working to fix underlying security vulnerabilities. The company wouldn’t elaborate. “The openness of Android is still very important to us, and we'll continue to rely on checks like requiring developers to register Google Checkout accounts in order to upload applications to Android Market,” the spokesman said.

It’s too soon for lawmakers to enter the fray, but intervention will become likely as the Android Market grows, said security and research groups. “There is a lack of education among congressmen because it is a new thing,” said Tim Armstrong, a mobile security researcher at Kaspersky Lab. “Technology is historically not well understood in Congress but I do think they will have to look at this eventually.” Fellow Aaron Brauer-Rieke of the Center for Democracy & Technology said that “there are thousands” of apps “out there, so it’s hard for regulators to jump in and police.” For now, regulators will make sure that no one can “lie or make deceptive statements to get consumers to install their apps,” he said.

It’s probably best that lawmakers don’t intervene in the rapidly evolving market, said app developers. “This is a very technical issue, and those clowns couldn’t get anything right,” said Rich Jones, an Android developer and founder of the Android Developers Union. “Besides, it wouldn’t stop anything. The best they could do is inconvenience legitimate developers while doing nothing to slow down the malware authors.” Limiting Google’s ability to take the best course of action is particularly dangerous in a fast-moving market like this, said Kevin Mahaffey, co-founder of Lookout Mobile Security and its App Genome Project. Any congressional intervention should be limited to promoting market incentives, he said. “There is an opportunity to encourage security throughout the ecosystem with incentives that keep it secure.”

Google could reduce malware distribution in the Android Market by doing routine random checks of published applications to judge their authenticity and security, mobile experts said. The company is able to assess and verify applications, but critics say the company doesn’t do enough oversight. “Google’s approach is like a neighborhood watch system,” said Mahaffey. “The company is taking steps in curating its own market but is also relying on users to keep watch.”

Application vendors such as Amazon could be more successful at oversight in the Android Market, said Lisa Phifer, president of Core Competence, a security consulting firm. “I think that many businesses would be happy to pay a bit more for apps tested and verified ‘safe’ or that some legitimate software publishers would pay to play in such a ‘verified safe’ third-party market.” Amazon unveiled Tuesday its new Appstore, which enables non-AT&T Android users to buy and download applications to mobile devices. Amazon said its Appstore tests each application submitted to ensure that it does what it claims, and screens for known viruses and malware.

Amazon will not stop malware developers from exploiting consumers, and Android app buyers should remain cautious, analysts said. The Amazon Appstore can “certainly help,” if it’s diligent about looking at apps before they're released, “but it won’t be the cure,” Armstrong said. Not everyone is going to use the Amazon Appstore and the Wild West mentality of the Android app market will persist, he said. “That’s part of the attraction of Android,” Armstrong said. “There is so much customization and so few rules.”