Reply to post:

Cryptocurrency-crafting creeps crept crafty code into Google App Store

Lee D Silver badge

Because, despite what every antivirus manufacturer will try to tell you or insinuate, there is NO WAY to prove that a program isn't malicious.

Even with the source code, you can hide things.

If you allow Internet access, it could have any kind of state machine operating only when, say, a certain DNS records appears on a particular domain, etc.

Today's programs are so large that disassembly is ridiculously difficult, even for a language like Java/Dalvik.

There is no way to certify that a program is "safe". Short of complete, 100%, every byte mathematical analysis compared against a specification which, in itself, it's agreed couldn't possibly be subverted to perform malicious intentions. And even then, it's no guarantee that you've done that right.

And nobody on Earth has the money to afford to be able to do that for every app in the app store, certainly not on any kind of timely basis.

The only way you can ensure stuff like this isn't malicious is to not give it the opportunity - i.e. permissions. No permission to run in background, no permission to consume more than 5% CPU, no permission to download from the Internet, etc. etc. etc. Then it's just a matter of determining whether such an app has ever done something it shouldn't ever have permission to do (i.e. by compromising your system).

Fact is, everyone "just allows all", like they did for Vista and UAC because they don't want to think that "Connects to Internet" and "Can access your photos" could possibly result in "Uploading all your photos to the Internet for people to laugh at". They just want to know where North is, or order a takeaway, and they couldn't care less about security.

Case in point - Alexa, Siri, et al. "Let's give permission for a device to sit in our house uploading every conversation to the cloud so that maybe once in a blue moon it responds to 'What's 2 plus 2?' so we can geek-out to our guests".

Honestly, never understood why I can't REFUSE permission (including making it impossible for the app to determine whether or not I really did allow permission, e.g. faking persistent storage and resetting after every use, etc.) for everything and/or grant only a tiny subset of permissions actually requested by the app.

And that INCLUDES those stupid pushed-apps from the manufacturer's themselves. Tell me why you just pushed Samsung Music to my phone, Samsung? I literally do not have another music app as I don't listen to music. But it's just been forcibly downloaded, including notification permissions, no way to uninstall or disable (both greyed out), and access to my camera, storage and mic WITHOUT me granting that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020