A few days ago, we started talking about security and malware on Android. Or rather the lack of malware on Google Play. We mentioned Android’s sandboxing model that bars apps from damaging the core OS, and made it clear that as of Android 4.1 Jelly Bean the main threat for Android users comes from their own actions, not the app market.
If a user downloads apps from third-party app stores, however, he faces two possible threats: rogue/spyware applications and premium SMS apps.
Android 4.2 however effectively deals with those two last threats as well, and now we know how.
Bouncer, Google Play's security system in a nutshell
To understand the mechanism, we have to take a look back at February 2012 when Google introduced the Bouncer system that continuously scans and analyzes every single app submitted on the Play Store, and goes to such great lengths as to actually run every app on a cloud simulator to check its actual behavior. The end result is that Google Play - contrary to the paranoia some software vendors try to spread - has become a very clean place.
A little disclaimer to be perfectly exact: it is not impossible to circumvent the Bouncer system as it runs a virtual environment and that could be detected, but it is extremely hard to crack it. And given the consequences for the developer account that does, it is hard to imagine Android security cracked.
Now, Bouncer is pretty much a sealed box for the public. Reverse-engineering it, though, has revealed that what it does is effectively detect the most common threats from spyware and premiums SMS apps. If an app tries to steal your contacts, Bouncer detects it. If an app tries to send a message to a premium number, Bouncer detects it. If an app, steals your photos? You guessed it right, Bouncer detects it.
Recommended Stories
Android 4.2 brings Bouncer to sideloaded apps
The big news with Android 4.2 is that it now includes a service based on Bouncer that works with all apps, not just those on Google Play. For example, it can check apps you download on the Amazon Appstore. Or an anonymous Chinese app catalog.
Whenever you try to ‘sideload’ an app (install it from a different source than the official market, that is), the system will kick in and instantaneously run that same very detailed check on Google’s servers. Speed here is important, and in Android's case, you won't even notice the check.
"The server does all the hard work," Android VP of Engineering Hiroshi Lockheimer explained. "The device sends only a signature of the APK so that the server can identify it rapidly."
The new service is not mandatory in a typical open Google fashion. The first time you try to sideload an app on your Android 4.2 device, a pop-up will appear asking you whether you want to verify apps. Best of all, when an app raises some red flags with its behavior, but can’t be definitely written off as malware, you get to choose whether to install it or not AFTER reviewing what it has access to. This way, even if you are paranoid about security, you still would not need to read every single time the components an app has permissions to access.
And even the permissions screen has been tweaked adding illustrative icons, so you can take a quick glance instead of reading it.
This is definitely another huge step for Android security and reiterates Google’s commitment to openness. Instead of leaving its app protection system for the Play Store only, the company spreads it to sideloaded apps and thus makes third-party app catalogs more secure. We can only applaud Google for that.
Victor, a seasoned mobile technology expert, has spent over a decade at PhoneArena, exploring the depths of mobile photography and reviewing hundreds of smartphones across Android and iOS ecosystems. His passion for technology, coupled with his extensive knowledge of smartphone cameras and battery life, has positioned him as a leading voice in the mobile tech industry.
Recommended Stories
Loading Comments...
COMMENT
All comments need to comply with our
Community Guidelines
Phonearena comments rules
A discussion is a place, where people can voice their opinion, no matter if it
is positive, neutral or negative. However, when posting, one must stay true to the topic, and not just share some
random thoughts, which are not directly related to the matter.
Things that are NOT allowed:
Off-topic talk - you must stick to the subject of discussion
Offensive, hate speech - if you want to say something, say it politely
Spam/Advertisements - these posts are deleted
Multiple accounts - one person can have only one account
Impersonations and offensive nicknames - these accounts get banned
Moderation is done by humans. We try to be as objective as possible and moderate with zero bias. If you think a
post should be moderated - please, report it.
Have a question about the rules or why you have been moderated/limited/banned? Please,
contact us.
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed: