
Amazon App Store Requires Security Compromise

Android phones, like this Motorola Defy, can install apps from sources other than Google's official Android Market. But doing so poses security risks. Photo: Jon Snyder/
Amazon’s new app store offers some killer deals and can make it easier for customers to purchase Android software. However, installing it reduces overall security for Android devices, some security experts say.
The root of the issue is the requirement to allow installations from “unknown sources,” in order to put Amazon’s Appstore app on an Android phone. Amazon instructs customers that this option must be enabled to install apps sold through the Amazon Appstore.
Selecting that option immediately puts Android customers at risk from malware that could come from sources that go unchecked by Google and the general Android community, said Charlie Miller, a security researcher well known for finding exploits on mobile devices.
“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” Miller said.
Amazon and Google did not respond to requests for comment.
That’s not to say Google’s official Android Market has been impervious to viruses. The Android Market was infiltrated recently when a malicious hacker injected a virus into the code of 21 popular, free apps and then republished them in the Market. The hacked versions of the apps contained code that stole user data and had the ability to download more code after it was installed, potentially hijacking devices.
Google responded immediately to the exploit and used a “kill switch” to remotely remove the infected applications from customers’ Android phones. The company also issued a security tool for people to remove the exploits caused by the malicious applications.
Although Google’s Android Market fell victim to a security exploit, it is still more secure to allow your Android device to install apps only from the official Android Market, explained Andrew Brandt, lead threat research analyst at security company Webroot. If malware were to make its way into the Amazon Appstore, Amazon does not have a kill switch to remotely remove apps from Android devices like Google does, he explained.
Miller added that the benefit of Android’s official market is that it’s one central location to get apps, tenaciously moderated by the Android community, which is safer than going out into the wild to find software, like you would with Windows. By exposing yourself to third-party stores, you’re subjecting yourself to less legitimate sources.
Brandt noted that weakened security is not unique to Amazon’s Appstore, because any third-party app store living on Android must require customers to allow installations from unknown sources. There is no other method to add third-party app stores on an Android device.
However, this security issue is magnified if you consider that Amazon, a retail giant that has millions of customers with registered credit cards, is telling Android owners to disable that security provision. Also, many Amazon customers aren’t as tech-savvy as the typical Android nerd seeking to unlock special functionalities on their phones.
“Without giving people the full context of the security involved in that decision [to install from unknown sources], I think it’s a little irresponsible,” said Brandt, regarding Amazon’s method.
To be fair, Amazon claims it carefully curates apps that appear on the Appstore, so the chances of malware appearing in the store are slim. However, installing the Amazon Appstore on an Android device also requires tapping on a shortened URL sent from Amazon, which could easily be spoofed.
Additionally, when you download an app from the website, you receive a URL in the form of a text message; these URLs could also be spoofed to redirect to malware.
Bottom line, becoming an active Amazon Android Appstore shopper reduces the security of your Android device, especially if you don’t know what you’re doing.
At the end of the day, however, when using Android the level of security depends on the user’s skill level.
“The real question is do dumber users need Big Brother to keep them from installing dumb things?” said Jonathan Zdziarski, a security researcher who specializes in mobile hacking. “I’m sure a lot of people are buying these [Android] devices without knowing anything about them. They are more likely to fall victim.”

