Android Market Web Store Backdoor Discovered by Naked Security

February 4, 2011
14

If you're familiar with the goings on with Google as of late, you know that Android has just received a significant bump with a fully functional browser-based store. Up until now, Android users had to rely on the tiny Android Marketplace based on their handheld devices - this new store allows apps to be downloaded simultaneously to each and every one of these devices (if the user has several) all at once, direct from the cloud. What's the problem with this? Doesn't this all seem like flowers and candy? How about if someone grabs your password?

That's right, this security hole isn't some intricate set of hacks flown in from Anonymous, it's a simple password protection situation, one that us human beings must be as careful as possible about. The danger in this situation is if indeed someone does get the password to your Google account, they'll be able to download applications to your devices from wherever they are in the world - since Google has these apps downloaded straight to your devices from the cloud, if someone has access to your Google account, they'll be able to insert whatever apps they wish into your phone. Harsh reality.

What Vanja Svajcer suggests, and we agree, is that there should be at least one more step in this process, that being a simple "accept download yes or no" notification that pops up on the user's device whenever an app is attempting to transfer from the cloud. Simple enough!

[Via Naked Security]


Recent Stories
  • http://twitter.com/DrHotmann Jordan Hotmann

    No extra steps, people need to use good passwords. The greatest benefit of the new online market is that I dont even have to get my phone out of my pocket. Adding an accept step would defeat half of the purpose of using the online market.

  • Jason Spears

    Silliness. This is the same thing Appbrain used to do. Where was the hue and cry then?

  • T Imarthurlee+androidcommunity

    This would only apply to apps that are in the market, I don’t really believe this is an issue. And yes people needs strong passwords anyways. Which is worse? Someone hacking into your gmail account(buying stuff with google checkout, taking all your friends emails, possibly syncing your passwords from google chrome) or someone installing a market app on your phone. I don’t see the big issue here. Use strong passwords LastPass FTW.

  • http://mindmirror007.blogspot.com/p/home.html Sathya

    Wow! Title makes it seem more than what it is! It is true for online anything! What if someone stole your bank password? Then what? Are you guys really Android fans or just wanting to get more hits with these flashy titles like TechCrunch?

    • http://androidcommunity.com/ Chris Burns

      Hey now, Techcrunch is alright. This is a real security risk for people who aren’t used to creating secure enough passwords to protect their valuable information on Google because before this, not as much was at risk. If you’ve already got a secure password, well done!

      • http://ryocentral.info Ryo

        Those people with weak password doesn’t need more protection. They need advice. And I don’t see making people with strong password suffer for the weak passwords of others.
        No more steps!

      • http://ryocentral.info Ryo

        Those people with weak password doesn’t need more protection. They need advice. And I don’t see making people with strong password suffer for the weak passwords of others.
        No more steps!

  • http://k3rnel.net Juan Rodriguez

    You’re making a big deal where there is none.
    If you want to cry wolf, cry at the fact that if your account got compromised, they could buy expensive apps and you’d only have 15 minutes to get a refund.

    • http://androidcommunity.com/ Chris Burns

      Do you know what that phrase means?

  • Zfwaeld

    While having an option in the Market app along the lines of “Allow Remote App Installation: Always/Prompt/Never” might alleviate a few worries, the lack of such isn’t anything that could even remotely be described as a “backdoor”. For Naked Security to claim credit for “discovering” something as obvious as “If you don’t protect your password, you have problems” is absurd.

  • Ron

    Another useless post, haven’t you got someting better to write than this? I can think of far worse consequences when my passwords get comprimised than this!!

  • Ron

    Another useless post, haven’t you got someting better to write than this? I can think of far worse consequences when my passwords get comprimised than this!!

  • http://twitter.com/chuckfalzone Chuck Falzone

    Wait, so if I let somebody get ahold of my Google login credentials, bad things could happen? Shocking!

  • http://ryocentral.info Ryo

    Umm. NO!
    No additional steps please.
    This is a non-issue and every additional step makes it more complicated.
    Again I’m wondering why every shit about Android security must be published? Fishing for clicks? Come on. don’t hurt Android with this rubbish.