Let the buyer beware
The Android Market is an entirely free and open market. It allows complete freedom in the creation and sale of applications, but it also allows any person to trade under any name and fly any flag. Certificates are self-issued, so you cannot fully trust any vendor. Think of Twitter, where no account is to be trusted until proven: apply the same truckload of salt and you will begin to understand the shrewdness required on the Android Market.

The permissions model (which I’ll cover in another post) and the Dalvik virtual machine (again, I’ll cover it some other time; in short, it stops the apps eating each other and the phone) are there to protect you. They do not protect you from malicious apps, however: the model is there to protect the phone, the makers of other apps and the phone provider. What protects you and your data? Well… nothing. The Apple App Store and Windows Phone 7 app stores require permission to use certain privileges and do certain things. The Android Market does not require any vetting for an app to be put in the market. An app may be taken down at a later date if reported, but if it has been made correctly the fact that it is malicious should be difficult to detect, so it shouldn't be reported.

Skipping over hidden usage of fair permissions (that will be covered in the permissions post), an application with no permissions at all can do the following things:

- copy data from your SD card;
- enumerate your applications and services;
- read log information (through a circuitous method); and
- potentially load a malicious application or steal information from other applications.

A well-made “intent hijacker” will, for instance, be able to launch a browser identical to your regular browser, except that this browser will send any credentials to a third-party server. Your Facebook password would no longer be your own.
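As an added example (not code from the original post), here is a small auditing script of the kind a reviewer or vetting pipeline could run over extracted AndroidManifest.xml files. It reports every package whose activities register as a handler for web links (ACTION_VIEW on http or https), the intent filter a look-alike browser has to declare in order to be offered when another app opens a URL, and lists the permissions each such package requests. The three manifests are constructed samples; the com.example.* package names and activity names are made up and do not refer to real apps.

```python
"""Audit AndroidManifest.xml files for web-link handlers.

An activity that declares an intent filter for ACTION_VIEW with an http or
https scheme is offered alongside the real browser whenever another app fires
an implicit VIEW intent for a link.  This script lists every such claimant so a
reviewer can ask why, say, a game needs to handle web links.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACTION_VIEW = "android.intent.action.VIEW"
WEB_SCHEMES = {"http", "https"}


def android_attr(element, name):
    """Read an attribute from the android: XML namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def web_link_handlers(manifest_xml):
    """Return the activity names whose intent filters match ACTION_VIEW
    for an http or https URL (one entry per activity)."""
    root = ET.fromstring(manifest_xml)
    handlers = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            schemes = {android_attr(d, "scheme") for d in flt.findall("data")}
            if ACTION_VIEW in actions and schemes & WEB_SCHEMES:
                handlers.append(android_attr(activity, "name"))
                break
    return handlers


def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(android_attr(p, "name") for p in root.findall("uses-permission"))


def audit(manifests):
    """manifests: {package_name: manifest_xml}.

    Returns every package that claims web links, with its activities and
    requested permissions, plus a flag when more than one package claims them
    (the situation in which the user is offered a choice of 'browsers')."""
    claimants = {}
    for pkg, xml in manifests.items():
        handlers = web_link_handlers(xml)
        if handlers:
            claimants[pkg] = {
                "activities": handlers,
                "permissions": requested_permissions(xml),
            }
    return {"web_link_handlers": claimants, "overlap": len(claimants) > 1}


def _manifest(package, permissions, activity, filter_body):
    """Build a constructed sample manifest (test data, not a real app)."""
    perms = "".join(
        '<uses-permission android:name="%s"/>' % p for p in permissions)
    return (
        '<manifest xmlns:android="%s" package="%s">%s<application>'
        '<activity android:name="%s"><intent-filter>%s</intent-filter>'
        '</activity></application></manifest>'
        % (ANDROID_NS, package, perms, activity, filter_body))


WEB_FILTER = (
    '<action android:name="android.intent.action.VIEW"/>'
    '<category android:name="android.intent.category.DEFAULT"/>'
    '<category android:name="android.intent.category.BROWSABLE"/>'
    '<data android:scheme="http"/><data android:scheme="https"/>')

# Constructed samples: a genuine browser, a "free game" that quietly claims
# web links while requesting no permissions at all, and a notes app whose
# VIEW filter is for its own scheme only.
BROWSER_MANIFEST = _manifest("com.example.browser",
                             ["android.permission.INTERNET"],
                             ".BrowserActivity", WEB_FILTER)
GAME_MANIFEST = _manifest("com.example.birdsgame", [],
                          ".LinkActivity", WEB_FILTER)
NOTES_MANIFEST = _manifest("com.example.notes", [], ".OpenNoteActivity",
                           '<action android:name="android.intent.action.VIEW"/>'
                           '<data android:scheme="notes"/>')

SAMPLE_MANIFESTS = {
    "com.example.browser": BROWSER_MANIFEST,
    "com.example.birdsgame": GAME_MANIFEST,
    "com.example.notes": NOTES_MANIFEST,
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFESTS)
    for pkg, info in report["web_link_handlers"].items():
        print(pkg, info["activities"], "permissions:", info["permissions"])
    if report["overlap"]:
        print("more than one package claims web links; review each claimant")
```

The script only reads declared filters, so it flags candidates for review rather than proving intent: a second browser is legitimate, a game with no permissions that registers for every http link is the profile described above. On a device the manifests would come from the installed APKs (for example via the platform's aapt tool), which is outside this snippet.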
This could be hidden in an application such as a free “Angry Birds” application with no visibility to yourself. The key is to protect yourself as best you can, and there are a few ways to go about this until Android implements some form of signing so that an application can be linked to an identifiable person.

Firstly, read the reviews of the current users before downloading. It may sound silly, but a proof of concept was made out of a “Twilight” preview last year. It offered unseen pictures of that sparkly guy and his girlfriend. 50,000 people downloaded it before it was taken down by the powers that be. If it has zero stars, don't download it.

Secondly, if the app doesn't do what it says it does, doesn't work or has any kind of error with it, uninstall it. There are a number of good guides on how to do this on the internets. After uninstalling it, review it. State the issue and be polite about it.

Thirdly, if it appears to break laws, infringe copyright or do something similar that would affect businesses, be suspicious. The powers that be are notoriously slow when it comes to removing malicious apps, but where money is affected they are generally very quick to act (lawyers work well as motivators, evidently). If the application looks too good to be true, it probably is.

These three suggestions, taken to heart, should help keep your phone clear of malicious applications.