Google adds evil-code scanning to Play Store

Google is cleaning up its app store to limit the amount of malware and age-inappropriate content. For the past two months the advertising giant has been quietly running a new scan of all applications for code that breaks its terms of service. Today it announced the program's existence, noting that the scanning is both …

  1. DougS Silver badge

    Apple's process isn't fully automated

    Human review is required as well; that's why there's a delay between submission and approval for the App Store. The Play Store is automated, so apps are approved more quickly, but automated scanning can only go so far (malware authors are clever).

    1. Tom Chiverton 1

      Re: Apple's process isn't fully automated

      And it's still trivial to bypass, just don't enable the bad code until some future date or other external factor.

      1. DougS Silver badge

        Re: Apple's process isn't fully automated

        The bad code is still greatly limited in what it can do because of the iOS permission model and sandbox, unless you find an exploit for that. If you do, Apple can remotely disable your app everywhere so your ability to attack is pretty limited.

        1. wolfetone

          Re: Apple's process isn't fully automated

          I don't know what Apple do, but they do not test the apps that are submitted to the App Store.

          I built an app for a client that ran on Android and iOS, and I used Appcelerator to achieve this. It worked perfectly on Android, and it was alright on the simulator for iOS (I don't have an iPhone). It wasn't until I submitted the app, and it was accepted and published on the App Store, that my girlfriend tried it out and she found an app breaking bug. The whole thing crashed.

          Further to this, in the submission, I gave them details on how to test the app and what they could expect. Using the app generates an email which is sent to both the user and the client - no emails were generated. Not because it didn't work, but because the app simply wasn't used.

          So it's fine to try and pass off Apple's App Store as the standard bearer, but to me it's absolutely no better than Android in the way they review apps.

          1. wowfood

            Re: Apple's process isn't fully automated

            I highly doubt Apple test every app manually. What probably happens is a slew of automated tests: if any major "This is dodgy" flags crop up, the app gets binned, but if they don't get any majors, but do get one or two "This could be dodgy" flags, I imagine it then goes to manual testing.

            I say this simply because it's too expensive for them to manually test everything.

          2. SuccessCase

            Re: Apple's process isn't fully automated

            @wolfetone You have submitted an app without testing it on a device. OK, we will let that pass as it's your risk.

            You seem to think the lack of a callback email from your app indicates Apple didn't test it. I can assure you they are not going to test app submissions of never-seen-before code whilst connected to the Internet. Not a chance. The last thing they want is apps from bad actors attempting to report back data that informs the author what has been tested by the App Store team - or worse, tries to report back on their test centre network configuration. I'm sure you understand why. Especially if such data involves a secure link they can't see inside of. They will run the app first on a closed intranet and check if it attempts connections to the right kind of services before testing on a connected network, if indeed they feel they need to ever bother with the latter.

            They will also be scanning for conditional code that might change the purpose of the App at a later date, though it can be difficult to find such if it is well disguised.

            You seem to be implying Apple should have done your testing for you and their testing is somehow deficient because they didn't and you released a broken app! I would suggest it's not a good idea to advertise your approach to QA and app release to the public at large on the Internet.

            Apple are perfectly prepared to let an App developer hang himself with his own code. They learned some time ago when to intercede and when not to. Their testing will check for system-compromising crashes (crashes can interrupt file write operations and can in certain circumstances lead to filesystem corruption) and unreasonable resource usage, and will check your app doesn't probe the sandbox in unreasonable ways. If your app is simply badly coded and untested on the device, that's your lookout, and though they reserve the right not to, they are perfectly prepared to let such apps through - especially since they so often get flak when they reject apps if the submitter thinks the bugs are minor. Indeed it's easier for them to release all apps that do no harm to the system, and avoid the impression they are taking any responsibility for App QA.

            So their testing is there to protect Apple, the iOS system and the user. Not you, your app or its functionality or even your business - that's your lookout.

            1. SuccessCase

              Re: Apple's process isn't fully automated

              "The last thing they want is apps from bad actors attempting to report back data that informs the author what has been tested by the App Store team - or worse, tries to report back on their test centre network configuration."

              Indeed most likely, the app is run first on a simulator on a VM, then on a device attached to a VM with no outside connections to anything including other simulators/apps under test.

            2. wolfetone

              Re: Apple's process isn't fully automated

              @ SuccessCase

              The whole circumstance wasn't fantastic, and had to be done that way. The Android version was tested within an inch of its life, so it was reasonable (for me anyway) to assume it would be fine on iOS as the same framework was used.

              And the email thing had to happen as there's a specific condition in the app that would generate the email; it's actually the core function of the app.

              But it's easy enough to insinuate that I'm relying on Apple to test my code before it's public - which isn't true. What I stated was that they don't test the apps at all. In my case the app was primarily a web app, so most of the heavy work was done by the server. But from my experience with this, I doubt Apple have any way to make sure the app is what I say it is and not some elaborate ruse to steal user information. And that is why it's concerning.

        2. David 164

          Re: Apple's process isn't fully automated

          Unless you find a way to stop Apple from remotely disabling the app.

  2. Only me!
    Thumb Up

    About time....bring it on!!!!

  3. DelM

    Flagging installed apps?

    If we installed a dodgy app from the Play Store, will Google flag it somehow so we can tell? Or perhaps even delete/disable the app?

    1. Trevor_Pott Gold badge

      Re: Flagging installed apps?

      AVG Antivirus for Android does a lovely job of this.

      1. SuccessCase

        Re: Flagging installed apps?

        "Lovely job" and "Antivirus" are words that should not be seen together in a single sentence with a single subject and no negative clauses.

  4. cd

    "The high levels of malware found on the Play Store has long been a program - even being used by Apple to promote its own "safer" products."

    More, please, about the program Apple uses on the Play store. And why has is a better choice than have in that sentence.

    And let's have some comments about stupid Yanks and their inability to use English as well.

    1. Martin Summers Silver badge

      They were not saying Apple uses a program on the Play Store. It was a typo presumably. They were trying to say that Apple have long boasted their app store is safer as a marketing strategy against Android/Play Store.

    2. Anonymous Coward

      ""The high levels of malware found on the Play Store has long been a program"

      Fairly obvious to all but the condescending twat that the word was meant to be "problem", as in "you have a problem detecting typos."

      1. Anonymous Coward

        I take it as an implication that Apple too has had problems on their site with their products, or a typo. I can say this though, as long as you advertise "free" the way Google does, the longer you invite free everything, the longer you get free good AND bad things (I know it's not really free, but a scammer really might see the "free" in it).

        Considering how much I use the PlayStore for things I don't already know I want, I've never been too worried about this. I guess I should worry about it for other people, but I never signed up to be the Crossing Guard for all highways of the world, in this case that's Google's job. Whatever....moving on.

        Also, I haven't seen a stupid Yank comment in a while, but maybe because I'm a Yank and too stupid to understand it? Hey, if you take enough chemicals in a life time, things do go unnoticed :-)

  5. Vector

    Huh?

    "Google has made efforts in the past to limit malware - with some success - but third-party Android marketplaces still contains huge amounts of dodgy code. The new malware scanning should help that, and better protect customers who spend billions of dollars each year in the Play Store."

    How, precisely, is Google scanning the Play Store going to affect the third party marketplaces?

    1. DryBones
      FAIL

      Re: Huh?

      This x1000.

      This is the gaping, whistling hole in the story. All those third party app stores require you to manually turn on installation of third party apps that didn't go through the Play Store. Guess how many Android phones there are that use those stores. Hint: It's very close to the number of those listed as infected.

      Doing risky stuff (installing from cheap or Free Chinese app stores) can be risky, who'da thunk it?

      1. Robert Helpmann?? Silver badge
        Joke

        Re: Huh?

        ...installing from cheap or Free Chinese app stores... can be risky...

        Yeah, but how else can you get the Chinese version of Plants vs Zombies?

    2. Dan 55 Silver badge

      Re: Huh?

      Malware scanning is available for apps installed outside of Play Store as part of Play Services, see Google Settings > Security > Scan device for security threats.

    3. JLV Silver badge

      Re: Huh?

      > How, precisely, is Google scanning the Play Store going to affect the third party marketplaces?

      Good point, but if you'll pardon me, an equally interesting question is:

      How, precisely, is the fact that the third party marketplaces aren't scanning gonna affect Google Play's sales volume?

      Seriously, why should Google care overmuch?

      Can't say I am over-impressed with Google if I accept the main contention of this article, that being that they haven't been doing their homework very much on their own store.

      Still, color me paranoid, but my Nexus was not rooted and it's only been getting the few apps that I do install from the Play Store. Precisely because my trust is fairly limited. I mean, even if you keep it to just your emails and contacts, that's a fair bit of sensitive stuff, innit?

      It should be pretty obvious that installing random software from random sources can occasionally have random results. Anti-virus and malware scanners? Hah! How much have they actually helped in the wild? Take all the AV vendors for Macs - they get few native viruses to play with, but that's no guarantee that they will catch them if they do show up - quite the opposite in fact. They can just slap a "you're protected" message on your screen and collect your $. Remember the guy who had a fake AV on Android a while back?

    4. Michael Habel Silver badge

      Re: Huh?

      How, precisely, is Google scanning the Play Store going to affect the third party marketplaces?

      Considering the... Apparent lack of "age-inappropriate" Apps on the (German), Play Store... YMMV! I usually find myself having to visit these so-called "Third-Party App Stores". lol

  6. Dan Paul

    Google Apps

    How about some Google control over the permissions that these apps ask for?

    Somehow I don't like that a simple clock has permission to use my camera and contact list.

    1. Richard 12 Silver badge

      Re: Google Apps

      Yes indeedy.

      Why should I need to root my device in order to selectively allow/deny applications unnecessary privileges?

      That is one thing Apple do a little better.

    2. Anonymous Coward
      FAIL

      Re: Google Apps

      Agree:

      Take a random torch app I just checked (high-powered torch). A fucking joke.

      Here are the permissions:

      Device & app history
        - retrieve running apps

      Location
        - approximate location (network-based)
        - precise location (GPS and network-based)

      Photos / Media / Files
        - modify or delete the contents of your USB storage
        - read the contents of your USB storage

      Camera
        - take pictures and videos

      Wi-Fi connection information
        - view Wi-Fi connections

      Device ID & call information
        - read phone status and identity

      Other
        - receive data from Internet
        - control flashlight
        - change system display settings
        - modify system settings
        - view network connections
        - full network access
        - prevent device from sleeping

    3. Steve Evans

      Re: Google Apps

      And why does the facebook app have permission for, well pretty much everything?!

      So much so, that since I got Lollipop (and lost Xprivacy) I've only used m.facebook.com to interact with the crowd, I won't have their app anywhere near my phone without a leash!

  7. Michael Thibault

    There's hope... always hope

    >it remains remarkable that it has taken Google so long to institute decent security screening.

    A bit presumptuous, no?

  8. Shannon Jacobs
    Holmes

    Follow the MONEY. Oh wait. Can't do that.

    If the google were sincere then the most obvious thing they could do would be to offer to display the developers' financial models. I'm not saying they have to forcibly expose the money, but they should give the honest developers an option to explain where the money is coming from, and where possible, they should explain why they think it's true or false. Imagine a "Financial Model" tab with the developer's explanation of the money at the top, and the google's uneditable reaction at the bottom. This would let us make meaningful and informed decisions about the apps in most cases.

    In most cases, the developers would be able to select from a relatively small number of standard models. For example, if the developer says it's ad-supported, then the google can say whether or not they have actually been paying money to the developer without giving out exact numbers. Maybe the developer claims to be independently wealthy, but all the google can say is "We don't know." That's still useful in deciding if you want to download the app. Perhaps the financial model is "Produced for a class project", then at least we will know not to count on long-term support if the app seems likely to need any.

    All in all, I've lost almost all of my respect for the google. I think they are EVIL now, and the real motto of today's google is "All of your attentions is belonging to us."

  9. Christian Berger Silver badge

    The problem is app stores itself

    It adds an element of commerce to it. Suddenly if you kick out an app, you will have someone losing money who might want to sue you.

    Plus there is the problem that the classification of malware vs non malware is rather subjective. For example for Google and Apple an app to root your device might be considered malware. I for example consider apps without source code or apps which display advertisements malware.

    Google actually is the lesser evil here as I can just ignore their Crap store and go to F-Droid which has at least some amount of quality control. With Apple I'm left to Apple's judgement which completely disagrees with mine.

    1. The Crow From Below

      Re: The problem is app stores itself

      "Plus there is the problem that the classification of malware vs non malware is rather subjective."

      No it's not, malware, by definition, is software that has malicious intent, advertising is not malicious it is a revenue stream for the people that you are taking for granted (the software developers). If you gave even two shits about supporting the community you claim to be taking full advantage of then you would change your attitude quickly. Not having the source code also does not make a product malware, but let's face it you are the sort of person that agrees with North Korea and China on how to review software, I suppose you want us to believe this can't possibly make you a bit mental!

      "I for example consider apps without source code or apps which display advertisements malware."

      Then you have completely misunderstood the meaning of the term malware. If you really think that and aren't just being a liar (which I suspect is the case) then please post a list of your computer's hardware components and tell us how you managed to get the source code for every driver, every chipset and every piece of software you use. (Drivers and software are fairly easy if you limit yourself to only the open-source stuff, but the code running at a lower level than the OS is much more difficult to get hold of.)

      As a software developer who actually needs to do things like eat, drink and have a roof over my head all I can say to your attitude of calling my software malware is FUCK YOU.

  10. Anonymous Coward

    Age Ratings are fraught with danger... it needs multiple ratings such as

    Violence/Gore/Nudity/Sex/Profanity

    And they should all be separate ratings selectable by the admin for the Play account. I get annoyed with TV/movie guides that always clump Nudity & Sex together. Nudity!=Sex.

  11. Michael Habel Silver badge

    Age inappropriate? ...And suddenly it's 2009/10 again! Really, age inappropriate? I must be missing out on the really good stuff! Then again I have to access Google's Play Store through the anally retentive German* domain. So perhaps I really have been missing out?!

    *We Germans are always thinking of the Children when it comes to blocking otherwise "objectionable content" from the little Ones Eyes. As anyone with Sky / Cable can tell you having to constantly press PIN numbers to unlock +16 Restrictions, and absolutely NO WAY to turn that sh-- off!

    And yet... We still have Newspapers with Models mostly without their Kit on, well the Top Half anyways....

  12. Joey M0usepad Silver badge

    billions?

    "customers who spend billions of dollars each year in the Play Store"

    wow who are those people?

    1. Jamie Jones Silver badge
      Joke

      Re: billions?

      I was one of the many who spent a billion last year...

      1. launcap Silver badge
        Coat

        Re: billions?

        > I was one of the many who spent a billion last year...

        He says, posting from his luxurious penthouse^W^W cardboard box.. :-)

  13. DianneHackborn

    Removing apps retrospectively if they are age inappropriate is not a good way to run an app store. Google Play is one of the few app stores that doesn't scrutinize apps going onto its app store, which leaves developers guessing what is age appropriate or not. Such arbitrariness doesn't lend itself to good apps being developed since developers must be overly cautious to avoid getting the dreaded violations from Google that can lead to account suspension and possibly the loss of years of work. Google Play should model itself on other app stores like Apple's App Store where an app must pass before it gets accepted. If it doesn't pass then a developer has a chance to change what Apple doesn't like rather than an app being removed retrospectively as happens on Google Play.
