Android, like any other operating system, has its strengths and weaknesses. It offers arguably more functionality and flexibility than any other mobile platform, comes in all shapes, sizes and prices and can be tweaked to your heart's content. That said, it has some weaknesses that the Android development team are working hard to fix. For instance, fragmentation still exists (not quite to the extent it used to, but only 1 percent of Android devices are running Android 4.0) and power management still needs a bit of work.
Throughout the last year, Android's security has also become a questionable topic. Reports popped up across the Web of "stolen" applications that had been repackaged and re-uploaded to Android Market, where they would steal personal information and send it to a remote server. Those reports were followed by others on how much malware had grown. According to Lookout Mobile Security in their Mobile Threat Report in November, Android's malware problem had grown 250 percent over the course of a six-month period, meaning Android users were two and a half times more likely to run across malware in Android Market. Another study performed by Juniper Global Threat Center claimed malware increased 472 percent between July and November of last year.
Just earlier today, however, Google assured users that they don't take their users' security lightly. On the Google Mobile Blog, Hiroshi Lockheimer, VP of Engineering for Android, announced Google's new layer of security, Bouncer. Bouncer is a service that scans applications that are freshly uploaded to Google's Market servers in search of known malware, spyware and trojans. Lockheimer goes on to explain:
"It [Bouncer] also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back."
Lockheimer said that between the first and second halves of 2011, Android malware downloads from Android Market experienced a decrease of 40 percent, thanks to Bouncer. So while we were thinking Google was doing little to combat malware directly, they were actually running Bouncer without our knowledge.
He had nothing but good things to say about Android security (of course), and he also described how Android "makes malware less potent." He mentioned sandboxing, where Android puts up "virtual walls" to limit what malware can do if it finds its way onto a device. And then there is automatic, remote malware removal, if needed.
Through all of this, though, there is one part that Lockheimer mentioned that we all should be very familiar with by now: permissions. When you go to install an application, either through Android Market or via side-loading, you will be presented with the specific permissions that the application will need in order to function as intended. Simply put, if an application requests permissions that seem ... out of place, you should be wary of the app. For example, if a game needs access to your contacts, you may want to consider skipping it altogether.
In essence, some of this fight against malware will always be somewhat in the hands of end users. If you don't pay attention to what permissions each app needs, you're putting yourself at risk. So here lies the question: do you ever check permissions before installing an app?
If you're anything like me, you never do. (I'm also that guy who never used antivirus software on his Windows machine.) When I install an application, I'm always more worried about whether the app or game works as described or not. I click "Install," "Accept & download" and enjoy the app. Sure, the permissions page flashes, but just like terms and agreements pages, I skip right past them without reading a single word.
The good thing is there are services out there, like Lookout Mobile Security, that perform permissions checks automatically. When you install an application, it scans the app (much like Bouncer) for known malware, then it double-checks the application's granted permissions and notifies you if something is fishy.
I use Lookout from time to time (read: when I remember or care to install it). Still, though, it makes me wonder just what some apps have permission to do. To be honest, it's probably nothing to worry about, seeing as I usually stick to well-known developers and recommended applications. But that doesn't mean one hasn't slipped through the cracks.
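To make the "out of place" test concrete, here is an added sketch of an automated permission check (it is not Lookout's or Google's code). It assumes a manifest already decoded to text XML, and the per-category baselines, the sensitive list and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PLATFORM_PREFIX = "android.permission."

# Hypothetical baselines: what a reviewer would expect each kind of app to need.
EXPECTED = {
    "game": {"INTERNET", "VIBRATE", "WAKE_LOCK", "ACCESS_NETWORK_STATE"},
    "messaging": {"INTERNET", "VIBRATE", "READ_CONTACTS", "SEND_SMS", "RECEIVE_SMS"},
}
# Platform permissions that expose personal data or can cost the user money.
SENSITIVE = {"READ_CONTACTS", "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "CALL_PHONE",
             "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "RECORD_AUDIO"}

# Constructed sample: decoded manifest of a made-up puzzle game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.blockpuzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Block Puzzle"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def audit(manifest_xml, category):
    """List (permission, severity) for every request outside the category baseline."""
    expected = EXPECTED.get(category, set())  # unknown category: flag everything
    findings = []
    for name in sorted(requested_permissions(manifest_xml)):
        # Custom (non-platform) permissions have no short name and always get reviewed.
        short = name[len(PLATFORM_PREFIX):] if name.startswith(PLATFORM_PREFIX) else None
        if short in expected:
            continue
        severity = "high" if short in SENSITIVE else "review"
        findings.append((name, severity))
    return findings

if __name__ == "__main__":
    for perm, severity in audit(SAMPLE_MANIFEST, "game"):
        print(f"[{severity}] {perm} is out of place for a game")
```

The same manifest audited as a "messaging" app raises only the boot-time permission, which is the point: a permission is suspicious relative to what the app claims to be.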
Do any of you actually read the permissions every time you install an app? Or, like me, are you in too much of a hurry to spend a couple seconds glancing at them? Have you ever come across an app that needed weird or unexplained permissions that seemed questionable?