
Amazon App Store Requires Security Compromise

Android phones, like this Motorola Defy, can install apps from sources other than Google's official Android Market. But doing so poses security risks. Photo: Jon Snyder/Wired.com
Amazon’s new app store offers some killer deals and can make it easier for customers to purchase Android software. However, installing it reduces overall security for Android devices, some security experts say.
The root of the issue is the requirement to allow installations from “unknown sources,” in order to put Amazon’s Appstore app on an Android phone. Amazon instructs customers that this option must be enabled to install apps sold through the Amazon Appstore.
Selecting that option immediately puts Android customers at risk of malware that could come from sources that go unchecked by Google and the general Android community, said Charlie Miller, a security researcher well known for finding exploits on mobile devices.
“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” Miller said.
Amazon and Google did not respond to requests for comment.
That’s not to say Google’s official Android Market has been impervious to viruses. The Android Market was infiltrated recently when a malicious hacker injected a virus into the code of 21 popular, free apps and then republished them in the Market. The hacked versions of the apps contained code that stole user data and had the ability to download more code after it was installed, potentially hijacking devices.
Google responded immediately to the exploit and used a “kill switch” to remotely remove the infected applications from customers’ Android phones. The company also issued a security tool for people to remove the exploits caused by the malicious applications.
Although Google’s Android Market fell victim to a security exploit, it is still more secure to allow your Android device to install apps only from the official Android Market, explained Andrew Brandt, lead threat research analyst at security company Webroot. If malware were to make its way into the Amazon Appstore, Amazon does not have a kill switch to remotely remove apps from Android devices like Google does, he explained.
Miller added that the benefit of Android’s official market is that it’s one central location to get apps, tenaciously moderated by the Android community, which is safer than going out into the wild to find software, like you would with Windows. By exposing yourself to third-party stores, you’re subjecting yourself to less legitimate sources.
Brandt noted that weakened security is not unique to Amazon’s Appstore, because any third-party app store living on Android must require customers to allow installations from unknown sources. There is no other method to add third-party app stores on an Android device.
However, this security issue is magnified if you consider that Amazon, a retail giant that has millions of customers with registered credit cards, is telling Android owners to disable that security provision. Also, many Amazon customers aren’t as tech-savvy as the typical Android nerd seeking to unlock special functionalities on their phones.
“Without giving people the full context of the security involved in that decision [to install from unknown sources], I think it’s a little irresponsible,” said Brandt, regarding Amazon’s method.
To be fair, Amazon claims it carefully curates apps that appear on the Appstore, so the chances of malware appearing in the store are slim. However, installing the Amazon Appstore on an Android device also requires tapping on a shortened URL sent from Amazon, which could easily be spoofed.
Additionally, when you download an app from the Amazon.com website, you receive a URL in the form of a text message; these URLs could also be spoofed to redirect to malware.
Bottom line, becoming an active Amazon Android Appstore shopper reduces the security of your Android device, especially if you don’t know what you’re doing.
At the end of the day, however, when using Android the level of security depends on the user’s skill level.
“The real question is do dumber users need Big Brother to keep them from installing dumb things?” said Jonathan Zdziarski, a security researcher who specializes in mobile hacking. “I’m sure a lot of people are buying these [Android] devices without knowing anything about them. They are more likely to fall victim.”
