Sydney Morning Herald
The study tested the 13,500 most popular free apps from the Google Play Store and found that 1074 – almost 8 per cent – used incorrect or inadequate coding.
Researchers at the Leibniz University of Hannover and the Philipps University of Marburg, both in Germany, tried to hack a sample of 100 of the vulnerable apps. They were able to exploit 41 of them, which together have at least 39.5 million users worldwide, according to the Google Play Store.
"We could gather bank account information, payment credentials for PayPal, American Express and others," says the study.
"Facebook, email and Cloud storage credentials and messages were leaked, access to IP cameras was gained and control channels for apps and remote servers could be subverted."
The risks are therefore based on multiple possibilities. These stats are also an indicator of currently known vulnerabilities. There are new types of malware coming onstream all the time, so the risk factor has some further ramifications.
The problem is inadequate coding. Typically, Android apps are about as secure as possible, but coding weaknesses are pretty much certain to be targeted.
Opinions in the industry are mixed. Some consider that Apple is too closed-off and that Google’s more open options are better, even if quality is sometimes an issue with apps.
Apathy is not a response
The problem with this academic view of serious risks to consumers is that the opinions in the world of malware are likely to be less ambivalent. The “online geniuses” have shown themselves to be a lot less than agile when it comes to dealing with threats.
It’s hard to figure out the logic of a “There’s a problem and maybe someday someone will fix it” approach. Being charitable to online crime and taking forever to fix things has made it what it is. You don’t use an egg to break a rock.
The net needs to be on the same page with all forms of online threats. These threats need to be exterminated, not turned into yet another employment agency for people who have jobs for life because they don’t fix problems.
Will they get serious about it? Why start now?
The naiveté of so many big companies in talking tough about online crime and achieving nothing has to be questioned. If you assume the usual profile of all the major online problems which have never been fixed, with “sell more security software while doing absolutely nothing” as the main priority, that’s no more acceptable than it is wise.
For one thing, it doesn’t work. Billions of dollars are going out every available socket and nothing much gets done about it in terms of solving anything. These guys couldn’t (and probably wouldn’t) fix a flat tyre, let alone a global problem. They’ve shown that time and again.
Selective apathy pays, results don’t, apparently. Meanwhile, the public, that famous philanthropist, is paying for its own personal disasters and lazy security.
There’s no excuse for this situation. Either the required code is in place on an app or it isn’t. It’s very easy to check, too. Google could require app developers to ensure the presence of correct coding and simply refuse to allow the apps to operate until they do have that code. They have the natural right to require compliance.
Granted that some apps do more crashing than running and are made by people who may or may not walk upright, getting these cretins to pay attention could be hard to do. But turning Android into a “no go” zone for consumers is hardly a great outcome.
So what’s it going to be? Get it right, or just “slob on”, as usual? If anyone’s expecting the Cloud to work, getting it right is the only option.