Google vanishes Android apps from citizen phones Google has reached out over the airwaves and removed a pair of applications from users' Android phones, saying the two apps violated its terms of service. Like Apple, Google has a "kill switch" that allows it to remotely remove mobile apps that have already been installed by end users. The tool is mentioned in the terms and …
As a Nexus One owner, I'm glad they have and use this facility. All the evidence so far says they've only used it to protect users, so I don't see a problem.
Until there's at least a shred of evidence they even intend to use this feature maliciously, I will be much happier knowing it's there and used than not having it.
The two applications were designed to be able to pull remote code down to rootkit your device. They phoned home and at any time could brick your phone or worse.
One app was designed to be a fake app for promoting twilight. Although they were only proof of concept be a security researcher - they could have been used for malicious purposes if the backdoor had been exploited.
The researcher was actually impressed that the apps were remotely removed.
I agree with you, Mr AC.
What options were available to Google? Leave the app until it does do some damage, or be proactive and remove it before it does? I'm glad they chose to take the sensible approach and remove it. TBH, though, they are damned if they do and damned if they don't.
It's not as if the apps actually did anything other than lie dormant until instructed to start doing naughty things. Nobody has lost out on this (apart from Google undeservedly getting some bad press). Luckily for those who downloaded the apps, they were POCs written by researchers - I wonder how many programs aren't as obviously rubbish yet have the same capability, e.g. is that app to show how little battery life is left really legit, and does that torch app really need to access the internet as well as all your personal data?
Would there be such an uproar if you switch the platform and imagine this being a rogue application being deleted by your antivirus solution?
Surely, by implication, and using the same arguments Google have employed, Microsoft could say they are protecting their customers by building a kill switch into Windows that allows them to pull or disable any piece of software they took a dislike to?
I don't much like the sound of that, and I don't even use Windows.
Actually, I imagine this would be much easier to achieve in a linux distribution such as Ubuntu, as most users will have used the packet manager to maintain their system so it will be far easier to remove apps during their next system update. Can't see this happening, mind, as everyone will just move to a different distro.
If Microsoft had introduced mandatory code signing, file quarantine, sandboxing and a kill switch for Windows XP (maybe 2000) they would have saved the world's economies millions or maybe even billions of pounds. They also would single handily kill the anti virus market. I for one wouldn't weep for the loss of Norton.
It's called vendor responsibility.
You should probably stop reading things on the Internet, if one single "news" post can sway you.
There is a black on white difference between how Apple and Google operate their stores/marketplaces.
Apple, they review everything, reject lots and it may take upto a month for you app to appear.
Google, it appears straight away, no review, it's ready to sell.
Clearly a recall switch is more important for Google, and it more likely to have to be used. Any idiot can work that out.
As a user and a developer, I much prefer Googles setup.
While I don't entirely like this sort of thing, I can understand the reasons for it existing - aside from anything else, with a Marketplace where software vendors can charge for their products, Google would likely face the pointy end of some sort of class-action lawsuit if it became apparent that they *didnt* have something like this at their disposal.
The question I've got is whether the remote-nuke option can be deployed on handsets where the user has opted to install software from non-Marketplace sources. *THAT* would be a bigger issue, IMO.
"Hopefully, we never have to pull that lever," Jobs said, "but we would be irresponsible not to have a lever like that to pull."
Why? You are not my nanny and it is my phone! I am completely against this type of "protection". Explain clearly how to remove a "malicious" application and I will remove it from my phone if I want to.
As other people far brighter than me have pointed out we tried the give the users enough rope to hang themselves experiment, it didn't work: it's called Windows.
Just because you might be happy to do this, doesn't mean everyone will be. And there is a stack of evidence that left to their own devices many users to a very poor job of keeping their machines secure and free from threats.
Not everything people associate with Android is open source. Many of the google apps, including the app store interface, are closed. The open part of Android doesn't need a fork because it doesn't have access to the app store or its revocation procedure in the first place.
If you are using Cyanogenmod, just reflash the Cyanogenmod image, but do not flash the google apps image afterward, that way you are left with pure android without the additional google apps including the market and its killswitch.
Android itself is open source but I don't think the google apps themselves are, so you are unlikely to be able to remove just this one feature from the market, however it only affects things installed by the market so you can always copy the .apk files somewhere after installing, uninstall them, then reinstall using the .apk files.
The only thing that I am aware of aside from this that Google pulled from the market in US regions was wireless tether at the behest of T-mobile USA because them and all other US providers are extremely anal over tethering, but still hosted the installset for it freely available to download on google code's page so noone was really left out. They did not use a killswitch on it to my knowledge.
This was also a pretty clear cut violation of TOS as well, unlike Apple's "Steve Jobs has suddenly decided he doesn't like your app, has changed his mind about some feature your app has, might link to some 3rd party contect that we don't like or you've made something better than the built in apps and we don't want to get shown up so we pulled it with no warning" approach. It is things like this that mean that I'm likely to upgrade to a Nexus One instead of a new iPhone next month when the contract on my G1 expires.
If you really are paranoid about google/apple just get a Nokia 6310i and have done with it. If you are paranoid about everything perhaps mobile communications are not for you.
If Google decides they don't like a particular app why couldn't they simply have set a flag that causes a pop-up to display next time you run it? It would say something like:
========================================================
"Google has determined that this app contravenes its terms of service and would like to remove it. You may elect to keep it as long as you understand that Google will not be responsible for anything it does.
Please Click one of [Remove] or [Understood]
This message will not be repeated."
========================================================
If necessary for legality the response chosen could be logged either on the device or over the web.
After all -- computers are supposed to make our lives easier. Not do things behind our backs without telling us.
Removing an app that I bought and paid for, from a phone that I bought and paid for, seems to me to be a clear-cut breach of the Misuse of Computers Act 1990 and/or the Criminal Damage Act 1971. Expecting me to agree to this as a condition of sale would run afoul of the Unfair Contract Terms Act 1977, as amended.
So, let me see here. Not only would you have had malware on your phone that you wanted to keep, but you paid for it, too. I'm not sure what point you were trying to make, but your post translates as "proud to be sheeple" and justifies all the nannying you're raging against.
Congratulations on your wonderful own-goal. Tosser.
While it might be a bit difficult to place a mobile device into the category of 'computer', a computer is, indeed, what a smartphone is, these days. Certainly the processing power on these gadgets is far in excess of what was available on desktops when a certain Computer Misuse Act was written - you know, the one that criminalises access to a user's computing device by a third party without the knowledge or permission of the owner of the device.
It seem to me that were Google to remotely remove any software installed on any UK phone that they would be breaking the law.
You mean like when you gave them permission by signing up to the terms and conditions of the Google application store?
It should also be pointed out that If you didn't agree with their terms and conditions then you don't have permission to access their store and so it would be YOU who would be in breach of the computer misuse act.
I take it you didn't read the piece in ElReg a day or three ago, where it was pointed out that because it is well known that most people don't read the fine print, and have no option to negotiate any way, it really isn't a contract, and anything remotely unfair can be challenged at a later date.
What Google did this time probably wouldn't get them in any trouble, but when they do it for an app that is useful to an individual, even if it does have some malware properties, then removing it without that users permission probably would be illegal.
(Disclaimer: IANA Jury - even lawyers could not give you a definitive answer on this sort of thing.)
I don't know if anyone noticed, but the Marketplace application doesn't work without background data transfer turned on - this might be one of the reasons why. So as long as you disable it while not explicitly browsing for apps, there's a chance that Google's remote install/remove facility will be nullified as well.
The problem here is partly that mobile phones have traditionally been controlled by the phone company. If you have your phone on a contract or PAYG you expect the thing to work and the phone company to be able to make it work or you don't pay the phone company to use it. The phone company has to keep the thing operating on the correct frequencies and transmit power levels or the phone violates wireless regulations and creates unwelcome interference. So the part of the phone that talks to the phone mast becomes a liability if it is software controllable, but in a manner which the mobile phone company doesn't control.
We now have mobile phones which run a selection of apps more like a traditional PC where the user of the PC is likely to expect to use software of their choosing as they see fit. But most mobile phone customers are probably not going to change the expectation that the mobile phone company are responsible for it all working or they don't pay the mobile phone company.
For other users it is possible to have computers with mobile phone functionality where the part of the mobile which runs applications either is sold and stays unlocked or can be unlocked or rooted, while the part which handles the wireless frequencies and power levels remains under the control of the mobile phone company. What is needed here is clearer understanding by the mobile phone companies of the needs of the minority of customers who want control over their systems, and clearer language describing these products so those buying them know exactly the level of support expected by the supplier and the area of their own responsibility in relation to malware and potential costs.
***"On the other hand the draconian, iron first dictatorship that is Apple has never used it's kill switch for the iPhone."***
Probably because the "draconian, iron first dictatorship" kills apps that might be subject to the "kill switch" before they appear on the App Store.
Its a bit of a two edged sword. If I have installed malware from the Android Market, I would want it removed from my phone ASAP. On the other hand, I would want to be sure only malware would be removed, and not just something Google disapproves of.
I would really like to see settings option along the lines of:-
"Allow Google to uninstall applications"
Always [ ]
Ask First [ ]
Never [ ]
"My next buy will be another china phone. They've got wifi, java--all the goodies. It costs less than half a comparable phone from the majors. And nobody has a kill switch for it."
No in China they probably just kill the user.
So this only happens if you download an app from Google's store AND acccept the TOS for the app or does this language in the TOS apply to the entire store? <obviously not an anroid user yet> But another reason to read or skim those TOS.
Actually give the freedom associated with the OS, I don't conisder it to be a terrible thing. Prevents someone from placing an app that could do damage to the phone or make the phone available for other uses to a hacker.
From the article, Apple does have the same switch in place so even though the Apple App store is always in lockdown, they have a panic button. Wasn't it with IP3G that a person was able to wipe their iphone remotely in case it was stolen? Would not be surprised if Steve Jobwell would send out that kill code to any iphone that has been jailbroken someday...probably sooner than later.
the apps actually were actual latent security threats, then Google did the right thing in pulling them, but badly botched the announcement. The announcement should clearly have stated they were potential security threats. Google choosing to go farther and say they were unaware of malicious intent on the part of the security researchers is optional. As a company I wouldn't get into trying to determine intentions. I would not denigrate their defenses but I also would not advocate for them either.
As for all those posters saying you ought to have complete control over the phone you bought, I'd like to collect my nickel when your phone gets compromised because of other compromised phones on the system and Google having and using a kill switch would have saved YOUR phone. Of course, I know I won't, so just STFU.
If you want total control over your app installations just install them manually! All you have to do is tick a box in the menu to say you know what your doing.
Personally I like the way google has it set up. The market is a sandbox like system. And if something goes wrong google can pull the app. However, if I REALLY want it. I just install it myself. That way google have no control over it (for better or for worse). How is that not the best of both worlds?
Cynar
I hadn't realised that Google had gone the way of Apple and made it possible to dictate what I might have installed on my phone. Same goes for the Amazon book removal thing.
I really care less about the bullshit justifications too. I either get 100% personal choice and control of what I install (of what's been developed of course :P) or I'm not interested. The idea that the developer of the OS can dictate to ME, whether I can keep something I chose to install is frankly disturbing. So consequently I'm definitely and firmly staying 100% away from any vendor that operates such kill switches. Sad disappointment to see Google go Apple style.
Bad move. Don't care about your bloody good intentions..the flaming road to hell is paved with them.
Foolish control freaks.
I'm glad that Google (& Apple... does MS?) have this safety net in place to be honest. How does anyone know 100% there is no malicious payload coded in an app?
If I was to code a genuine looking game/app on the Iphone/Android platform that everyone loved (think free section... lets face it we all download the free version 1st) that after 4/5 months of use did something malicious & there was nothing that could be done.... How bad would this look on Google/Apple?
If your still moaning about them being control freaks. Please note you can still get phones that don't use Android/iOS. Plenty to choose from :)
Damn,
I didn't realise that there are genuinely folks out there that think to be nannied is a good thing :P.
Sorry but I'd rather take care of my own uninstallations than have some company decide for me that I might not be competent to sort it out for myself. IMHO that nanny needfulness hasn't done the UK much good...yep, that might seem a bit like joining two slightly unrelated things together, but to me requiring a 3rd party to look out for me like this is definitely heading in the direction of less personal responsibility+choice and more "please I need some nannying..."
:-) :P
Lot of people here saying that Apple have never used their kill switch. They have.
Admittedly, on a misappropriated advance model and not a consumer owned device, but they have.
Also to note: Google here pulled 2 apps. The Apple kill switch use completely disabled the device.
For the really paranoid android users, go into the settings menu and have a look at the permission sets of some of the deep OS level apps.
You have it badly wrong. Apple used remote wipe, a separate and different feature to the kill switch for applications. The remote wipe functionality is an Exchange or MobileMe service and used if you phone is lost or stolen.
The Kill Switch described here refers to the ability to wipe a single application from everyone's phones.
Oh and by the way, remote wipe is being added to Android phones with the 2.2 Froyo update.
A kill switch is a legitimate last line of defence for app stores. Do you think Apple doesn't have this facility? Do you think most other online app stores don't either? Fact is that most stores that phone home have some way to kill apps or "update" them into oblivion.
Even something as humble as a web browser can block Firefox maintain blocklists which let them disable plugins and extensions. It's already been used to disable a Java plugin which had an in the wild exploit. They've don't it before and doubtless they'll do it again.
If you don't want someone remotely killing malicious apps on your phone, then don't get them from the marketplace. You have a choice on android. Get apps direct from the maker, or even from some dodgy pirate site. But don't come crying if your phone starts calling premium rate numbers in Senegal. You've gone outside the system and you forfeit any protections it may have had to prevent this happening.
of tinfoil hatted, whinging paranoid tards.
When Google have remotely removed something that a) you've actually downloaded and installed on your phone, and b) was in any way useful to you and not useless malware - then you can come back and legitimately complain. Until then please STFU.
That's the app I want. Or maybe the one that asks me for authorization before doing the dirty deed, so I can decide if they should destroy my phone apps-- or not. Oh, and tell the minions of evil that the app was removed, whether it was removed or not....
Why have open source if you can't make it work the way you want it to anyway?
You've obviously skimmed the comments listing here, so I'll help you out with what's been said in multiple posts. Please try to pay attention.
You can install apps yourself, and supposedly can turn off the background channel that such updates are done through. This is the best approach, IMO. Those that just want it to work and don't mind having their apps looked out for can be blissfully ignorant. Those that are power users can turn off the delivery channel and download and install their own apps. You decide if you're a casual user, or a power user, and act as appropriate.
No, I haven't tried it, because I have an iPhone and am still in the midst of a contract that I am for the most part content with. Might pick up an Android tablet once one comes out and proves that it isn't pants. If I can tether it to the iPhone and sync both with the Windows PCs, that'd finally be getting somewhere.
Oh, prediction. If it hasn't already happened, some carmaker is going to come up with the bright idea that they can integrate a tablet docking port into the dash, and have it substitute for the LCD touchscreen. They can make an app for that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
