back to article Apple needs silver bullet to slay App Store's escaped undead – study

Online software bazaars – such as Apple's App Store and Google Play – need to claim responsibility for "dead applications" and notify people when their programs have been revoked or removed, a study by security firm Appthority recommends. “Dead apps” are those that have been removed from an app store, but remain on devices – …

  1. The_Idiot

    Who did that? I see you at the back, Jones Minor...

    "Online software bazaars – such as Apple's App Store and Google Play – need to claim responsibility for "dead applications" and notify people when their programs have been revoked or removed."

    OK - heck, I might even agree.

    But then it morphs to:

    "When these evil programs are found and thrown out of stores, they should be thrown out of devices, too, it's recommended."

    If said 'throwing out' is by the device owner/ user? Absolutely. But if said throwing is done remotely by the App Store owner, or device provider? Without, perhaps, the device owner's approval or knowledge, because the relevant OS, software or device access protocol has been modified to permit such actions? Woah there, Nellie.

    After all, it might be said to be one small step for an App, and from that small step no giant leap to data. From 'Provider X deleted 'my' (don't get me started on 'you didn't buy it - only a license to use it') Apps' to 'Apple ate my music!' Streaming jukebox wipes 122GB – including muso's original tracks' (it's here on El Reg - feel free to find it, read it and form your own opinions).

    1. ThomH Silver badge

      Re: Who did that? I see you at the back, Jones Minor...

      It'd be nice if there were an intermediate option of running in a much stricter sandbox than normally allowed too, such as being permitted to remove network access permission from an app if it is no longer available. I can imagine the policy reasons for not offering that control generally — how many ad-supported games would be affected? — but if the app is withdrawn then the user should get a bump in control.

    2. DougS Silver badge

      Re: Who did that? I see you at the back, Jones Minor...

      Pretty sure that both Apple and Google have acknowledged that they have the ability to remove apps from a user's phone. They would hopefully only use it in extraordinary circumstances, such as really bad malware or something that was really illegal (i.e. if an app was found to contain some child porn images, for instance)

      http://gizmodo.com/5034007/apple-can-remotely-disable-apps-installed-on-your-iphone

      http://phandroid.com/2010/06/24/google-can-remotely-remove-apps-from-your-phone/

  2. Haku

    This app will self destruct in 5....4....3....

    I'm with The_Idiot over this issue, remote wiping of apps without your concent or approval can lead to very bad things happening.

    I used to have an Android app on my phone+tablet that allowed me to change the settings on a Mobius action/dash camera, until one day I was forced to do an update because it turns out it had a mandatory monthly update check built-in, and what did that new update do? It completely disabled the app, until weeks later a new update was available with a fully working version, which was no longer free.

    It's precicely this sort of crap that has made me turn off automatic app updates, because too often the new version has a 'new' and 'improved' layout which usually worse than the previous version, and useful functions are sometimes removed.

    Also I no longer use my Mobius as an action camera, it has been relegated to a dash cam (which it's very suited for), I now have a Xiaomi YI & SJCAM SJ4000+'s which sit in gimbals much easier, and no such update issues with their control apps.

  3. allthecoolshortnamesweretaken

    Exactly. Mind you, a notification along the lines of "App XYZ was removed from the bazaar because reasons" would be nice. Especially if the reasons had anything to do with security.

    But, and to quote John Cleese, this is a big but: it is my device and I deceide what apps get installed or uninstalled, thak you very much.

  4. gnasher729 Silver badge

    When there were rumours that Apple might have the ability to remove apps from your phone, there was a huge outcry, about censorship and so on. And now you say that Apple should not only have the ability to remove apps from your phone, but should actually do it?

  5. bryces666

    Beat me to it. Definitely notify users of the problem with their installed app, but never auto remove, leave it up to the user.

    1. chivo243 Silver badge

      @bryces666

      +1 for a sensible and rational reply. Let the owner of the device decide what software runs on his device. If the user wants his banking details slurped, their choice. If a user wants his device mining bitcoins for someone else, it's their choice. If the user wants...

  6. David 132 Silver badge
    Flame

    Should be a cardinal rule...

    ...Never, ever, EVER delete files from a user's device (phone, PC) without a) authorization and b) creating a backup (e.g. quarantine).

    Example: for a short while, there was a version of VLC on the Apple iPhone app store. I grabbed it immediately, because, well, it's VLC and it knocks every other media player program into a cocked hat.

    But - as I recall - one of the VLC developers complained that the Apple store Terms of Service weren't compatible with the GPL license of his code, or something like that, and so it got pulled.

    According to the reasoning of this study, Apple should have immediately yanked the VLC app from my phone, too, I guess?

    Another example - the "Magical Jellybean Key Finder" tool, which for many years on Windows was the best way to extract your Office / Windows product key from the Registry. Always got detected by Defender as malware (because OMG IT READS PRODUCT KEYS FROM THE REGISTRY) and deleted - although at least Defender had the decency to place it in Quarantine for subsequent whitelisting and restoration.

    I am so sick of OS and device vendors thinking they know best. Let me make my own decisions and go to Hell in my own way.

    1. Charles 9 Silver badge

      Re: Should be a cardinal rule...

      "I am so sick of OS and device vendors thinking they know best. Let me make my own decisions and go to Hell in my own way."

      And what of the myriad who outnumber you and don't know better? Would you condemn them to join you in your handbasket?

      1. james 68

        Re: Should be a cardinal rule...

        I would - better that they learn something from their mistakes than live in ignorance. Hell never mind their mistakes, better just that they learn something.

        1. Charles 9 Silver badge

          Re: Should be a cardinal rule...

          "I would - better that they learn something from their mistakes than live in ignorance. Hell never mind their mistakes, better just that they learn something."

          And if they're not in a position to learn?

          1. james 68

            @Charles 9

            To be relevant to this conversation then they are in possession of an internet connected device, these days that's pretty much the definition of "in a position to learn".

            1. Charles 9 Silver badge

              Re: @Charles 9

              Nope. They could have an iPhone and not realize it's Internet-connected. People can buy an iPhone because everyone else has one, but what do they use it for? To make phone calls, maybe do texts, PERIOD. And yes, I see these kinds of people every day of my life (usually the older generation), so I know they're out there. These are the kinds of innocents I talk about: those who get devices not knowing any better and not in a position to learn. To do as you say is to go all Darwin on them, which like I said isn't considered very civilized behavior.

              1. james 68

                @Charles 9 (again)

                If they're only using it for phone calls then your argument is moot as they are not downloading apps.

                1. Charles 9 Silver badge

                  Re: @Charles 9 (again)

                  But what about the apps already in there? Couldn't they be hijacked by a malicious update?

                  1. james 68

                    Re: @Charles 9 (again)

                    You mean the apps provided by... Apple? If Apple is in a position where they are revoking and removing their own software because it has been abandoned by it's creator (hence the actual content of the article) then the owners of Iphones have bigger worries than Safari disappearing. Since Apple is so tied in to the Iphone their collapse would leave the users with barely functioning paperweights.

              2. John McCallum
                Unhappy

                Re: @Charles 9

                You mean that we should not use the iPhone to make PHONE calls? Confused it is a phone is it not?

          2. Adrian 4 Silver badge

            Re: Should be a cardinal rule...

            Then you teach them.

            In the case of these orphaned apps, that might mean temporarily disabling in a way akin to the Windows method of marking an internet download as untrusted. When you try it use it, it warns you it's been disabled and offer you the chance to continue it, stop it, or uninstall it.

      2. John Bailey

        Re: Should be a cardinal rule...

        "And what of the myriad who outnumber you and don't know better? Would you condemn them to join you in your handbasket?"

        What of them indeed.

        A revolutionary concept I know.. But how about..

        They do the right thing, or.. They face the consequences.

        Actions have consequences.

        So do inactions.

        And denying people the ability to make decisions makes them even more helpless.

        1. Charles 9 Silver badge

          Re: Should be a cardinal rule...

          "What of them indeed.

          A revolutionary concept I know.. But how about..

          They do the right thing, or.. They face the consequences.

          Actions have consequences.

          So do inactions."

          The thing with INaction, though, is that sometimes inaction is because they lack the knowledge to make a proper judgment. You could essentially be condemning people for something that is truly no fault of their own other than ignorance. That's frankly a very cold and uncivilized view of the world that's destined to doom innocents.

    2. Dan 55 Silver badge

      Re: Should be a cardinal rule...

      There should be a difference between malware being pulled and the developer deciding to pull the app.

      You should be notified beforehand and be given chance to download and make a backup which later works on any device you own, present and future. But it doesn't work out like that, you're not notified so you may delete your own copy thinking you can get it from the store later and/or you don't get backups of app code made from your own phone and it's not on the store any more.

      Of course the best solution would be that the last version is held on the app store for those who have already bought or downloaded it. Don't know how legal that is though.

      1. gnasher729 Silver badge

        Re: Should be a cardinal rule...

        There is also a problem with small developer who put an app on the store for any reason and stop supporting it. I have to pay £79 a year to be / stay a registered iOS developer, and if I stop paying, my apps will be removed. They stay on your device, but you won't be able to download them again. If you backup your phone to your computer using iTunes, there will be a copy in your backup, and if you replace your phone with a new one you can restore your phone from that backup and the app will be there. If you rely on iCloud backup, apps are not backed up, just the fact that you own the app, so apps that are gone from the store won't be restored. Even if you paid for them.

    3. gnasher729 Silver badge

      Re: Should be a cardinal rule...

      VLC was different though. The problem was that one of the developers of GPL licensed code that was part of VLC didn't want the app on the App Store and claimed it wasn't allowed to be there. But according to the GPL license, any violation of the GPL license doesn't affect you after downloading it. Once VLC was on your phone, you absolutely had the right (according to the GPL license) to have it there and keep it there.

      Amazon had a problem like that when someone put an unlicensed copy of "1984" of all books on their store for sale, and they did delete copies from user's devices. In that case it was quite clear that these books on your device constituted copyright infringement (the customer was tricked into paying for an unlicensed copy, which doesn't change the fact that it was unlicensed), but I don't think anyone would claim these books put the user at risk.

    4. kmac499

      Re: Should be a cardinal rule...

      Quite right too..

      Though it smacks of the other bunch of cardinals who reviewed books and if they decided that a book was unfit for the unwashed masses, not only burned it, but burned those who wrote it, owned it or read it.

  7. ecofeco Silver badge

    Once again, "complicated" seems to be the order of the day

    Send a warning to the user that the application is no longer trusted with link back to the App Store for verification. Let them decide if they want to delete it.

    See? That was easy wasn't it? I know, it doesn't make for a lucrative consultation bill or speaking engagement or book and even an article, but there you go.

    1. Charles 9 Silver badge

      Re: Once again, "complicated" seems to be the order of the day

      It also raises the risk of "verification fatigue" (like click fatigue).

  8. Aodhhan Bronze badge

    Take responsibility

    Ahhh... the new generation, once again refusing to take responsibility.

    If you download an application, then you're responsible for ensuring you have the latest version, patches, etc. How lazy do you have to be, not to take 2 minutes to see if that application you're using is up-to-date every 30 days?

    If you have more than 10 applications on your phone, you likely aren't using them all... so get rid of the ones you don't use. You can take 3 minutes to re-download it later on if you decide to use it again. Having a huge amount of space to store things doesn't mean you have to.

    If you expect Apple or Google to maintain your applications, then you have to accept they will have root access to your phone 24/7. Which means, a hacker could use this same method as an attack vector.

    Let me guess... the majority of the people who expect Apple/Google to maintain their applications are the same ones who backed Apple against the FBI. Being ignorant and lazy is no way to get through life!

    1. Charles 9 Silver badge

      Re: Take responsibility

      "Let me guess... the majority of the people who expect Apple/Google to maintain their applications are the same ones who backed Apple against the FBI. Being ignorant and lazy is no way to get through life!"

      For some, it's the ONLY way to go through life. Any other way is a one-way ticket to insanity or murderous rampage, with potential consequences for you and everyone else since no one lives in complete isolation.

  9. Mr.Bill

    not quite

    "The mobile security firm further argues that Google's Verify Apps feature addresses malware, but it can't stop all malicious code from running, especially since security patching on the platform is somewhat lagging"

    Generally with malware we are talking about apps that were granted permissions by the user but abuse them. This is specifically looked for by the Verify Apps feature and can be updated at the play store level via GMS.

    Android security patching has to do with OS level updates to "exploit" "virus" type bugs that typically give root access and then of course, all bets are off. An example was stagefright. Google also looks for apps that could take advantage of unpatched root exploits but again, the GMS verify apps/play store can look for this behavior too.

    The biggest potential issue involves receiving and 'running' files such as media files (stagefright) that are specifically crafted to take advantage of an exploit, not really play store apps. Even there, typically there are other layers of mitigation (explicit and implicit) that make affecting significant #s of even unpatched users still quite unlikely.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019