Google needs to rethink its Android Marketplace policy

When looking for a smartphone, the operating system is (should be) a great influence in your decision on which smartphone to get. There are many smartphone OSes out there: Palm’s webOS, Samsung’s Bada OS, Nokia’s Maemo, and Qualcomm’s BREW, just to name a few. However, the five big players in this market – the five OSes that are the most popular and best supported – are Microsoft’s Windows Mobile, Nokia’s Symbian OS, RIM’s BlackBerry OS, Google’s Android, and Apple’s iOS (formerly known as iPhone OS). Typically, the average consumer will (should) look for a smartphone from among the big five; but even this list of five can be trimmed down.

Windows Mobile is a pathetic excuse for an operating system; it has been neglected by Microsoft for too long and is, simply put, lousy. (Microsoft plans on releasing Windows Phone 7 later this year which looks to be a stunner, but currently WinMo is terrible.) And, for all its market share – Symbian is the most popular smartphone OS globally (but it has a negligible market share in the USA) – Symbian is probably the most disorganized and least user-friendly out of the whole bunch. Plus, as soon as Nokia – the phone manufacturer which single-handedly is keeping Symbian alive – drops Symbian in favor of MeeGo, Symbian can RIP. In other words, both WinMo and Symbian were unable to properly adapt to the software side of the revolution started in 2007 by the release of the iPhone 2G. (Throwing decked out phones – in terms of hardware – doesn’t do you much good if you can’t back it up with proper software.)

Similarly, BlackBerry OS is struggling to adapt to the iPhone revolution; attempts to grow out of its niche market, i.e. the BlackBerry Storm, have not gone too well. (BlackBerry Torch – a full keyboard, touchscreen phone – was just released and we can only wait and see what happens.) However, BlackBerry’s saving grace is corporate America (or corporate England, France, [insert country name here]). The full keyboard on BlackBerry phones and no-frills, I-am-here-to-work aura associated with BlackBerrys is often preferred by business users over the hard(er)-to-type-on touchscreen phones and the idea that touchscreen phones are more for entertainment than work. For example, sure, while the iPhone may be able to do critical work functions – now it even includes the ability to use Microsoft Exchange Server – it just isn’t as attractive to business users as a BlackBerry is. Simply put, BlackBerrys are designed to allow people to work easier, better, and faster than other smartphones. Plus, in places outside the USA – such as the Middle East – the CrackBerry fad is in full force, with users preferring BlackBerrys over other brands.

So, even between the big, big three – BB OS, iOS, and Android – currently the average consumer really has only two choices: iOS and Android (assuming you aren’t looking for a smartphone for work-related needs). Although the choices may be limited, it goes without saying both iOS and Android are terrific platforms.

While there are many differences between iOS and Android – the biggest of them being iOS is developed by Apple and Android is developed by Google – the difference I want to talk about is their app stores. Without a doubt, after the iPhone revolution of ’07, app marketplaces are one of the biggest attractions when it comes to smartphones. A platform that has a large, well supported app store is more likely to succeed; a platform that does not is more likely to fail. Both iOS and Android have large, well supported app marketplaces (although, as it stands, Apple iTunes is quite a bit larger than Android Marketplace). The point I want to discuss in this article (finally getting to the point of this article after all that trolling…) is how Apple and Google go about handling the security of these app stores.

Run by arrogant, naysaying control freaks, Apple iTunes (the app marketplace for iOS) is tightly controlled with Apple having to individually approve apps before they are allowed to appear in iTunes. This approach, while not too enlightened, has a great pro to it: It allows Apple to vet each individual app to ensure it is malware free. (Some people argue Apple does not have the ability or resources to vet every single app – since there are so many apps in iTunes – but the official word and general community consensus is Apple vets all apps.) Android Marketplace (Android’s app store) is run differently.

Google has more of a hands-off policy when it comes to the Android Marketplace. While Google is less restrictive on the apps that can be placed in Android Marketplace, Google does not vet each app checking for malware. (The only type of checking Google performs is a “background check” on developers [i.e. has developers fill out personal details, such as address, phone number, etc. and Google checks to make sure all the information is accurate].) Instead, Google relies on the age-old Linux defense technique: User permissions.

Every time a user installs an app on their Android phone, they are informed – upfront and explicitly – what type of access the app has (i.e. what permissions the app has):

All the access an app is given is always stated to the user before the user confirms he/she wants to install the app in question. There are about 20 different types of permissions, ranging from full Internet access, to ability to delete files, to ability to send text/SMS messages, and everything in between. (A post on AndroidForums.com has a fairly good description on all Android app permissions, for those who want more information.) In theory this is a great way to protect users; in practice, it is fairly useless.

See, the idea that users will be protected because they are presented with app permissions prior to installation makes one major assumption: Users are fully informed and knowledgeable. As any economist will tell you, consumers are never fully informed and knowledgeable about the topic in question. That is not to say everyone is dumb and illiterate; rather, it means:

  • Not everyone knows and understands how these Android app permissions work. As Android grows more popular day by day – it is now the fastest growing smartphone platform – Android phones are landing in the hands of techies, non-techies, kids, adults, etc. Not everyone has the know-how or means to research and understand what these app permissions mean, how they work, or what they do. Heck, I bet many people don’t even know they exist. Many people simply just click “OK” and install the app without properly reading permissions first.
  • App permissions are obscure and non-descriptive. Even if a user understands what permissions mean, how they work, and what they do, the non-descriptive nature of the permissions makes it hard to understand exactly what an app will do on your cell phone.

Many times I – and I consider myself to be fairly good with technology – find myself wondering “why does this app need this permission” or “what will the app do with that”. For example, here are the permissions required for a Dictionary.com app:

Now why in the world does a Dictionary.com app need to have access to my location (GPS/network-based)? I may know that the app will access my location, but I don’t know what it will do with that access. While access to location may not necessarily serve a malicious purpose (I am just using this as an example to prove my point), my point still stands: Users may know what permissions an app has, but they probably don’t know exactly what the app will do with that permission.
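The gap described above, where the permission list says what an app can touch but not why, can be made concrete by checking a manifest against what the app's stated purpose would plausibly need. The following is an added example, not part of the original article: the manifest is constructed (it is not the real Dictionary.com app's), and the per-category baseline in `EXPECTED` is an assumption a reviewer would tune.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Plain-language meaning of a few real Android permissions, plus whether
# they touch personal data or can cost the user money (sensitive=True).
PERMISSIONS = {
    "android.permission.INTERNET": ("full Internet access", False),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("modify/delete SD card contents", False),
    "android.permission.ACCESS_FINE_LOCATION": ("precise (GPS) location", True),
    "android.permission.ACCESS_COARSE_LOCATION": ("approximate (network-based) location", True),
    "android.permission.SEND_SMS": ("send text messages, which may cost money", True),
    "android.permission.READ_SMS": ("read stored text messages", True),
    "android.permission.READ_CONTACTS": ("read the address book", True),
    "android.permission.CAMERA": ("take pictures and video", True),
}

# Assumption: what a reviewer considers self-explanatory for an app category.
EXPECTED = {
    "reference": {"android.permission.INTERNET",
                  "android.permission.WRITE_EXTERNAL_STORAGE"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION",
                   "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed manifest for a hypothetical dictionary app. Inside an APK the
# manifest is stored as binary XML; this assumes it was decoded to text first.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dictionary">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="com.example.dictionary.CUSTOM" />
    <application android:label="Example Dictionary" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names the manifest requests, in order, de-duplicated."""
    # For manifests from untrusted sources, use a hardened XML parser instead.
    root = ET.fromstring(manifest_xml.strip())
    names = []
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name and name not in names:
            names.append(name)
    return names


def audit(manifest_xml, category):
    """Return (permission, meaning, verdict) for every requested permission."""
    expected = EXPECTED.get(category, set())
    findings = []
    for name in requested_permissions(manifest_xml):
        # Unknown or app-defined permissions are treated as sensitive.
        meaning, sensitive = PERMISSIONS.get(
            name, ("unknown or app-defined permission", True))
        if name in expected:
            verdict = "expected"
        elif sensitive:
            verdict = "needs justification"
        else:
            verdict = "low risk"
        findings.append((name, meaning, verdict))
    return findings


def unexplained(manifest_xml, category):
    """Permissions the install screen lists but the app's purpose does not explain."""
    return [n for n, _, v in audit(manifest_xml, category) if v == "needs justification"]


if __name__ == "__main__":
    for name, meaning, verdict in audit(SAMPLE_MANIFEST, "reference"):
        print("%-22s %-48s %s" % (verdict, name, meaning))
```

The same manifest audited as a `navigation` app leaves only the SMS and app-defined permissions flagged, which shows that the verdict depends on the app's stated purpose, exactly the information the install screen does not give the user.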

Hey, it isn’t just me or you either: Even security firms can be fooled by these app permissions.

As it stands, the difference between Apple iTunes security and Android Marketplace security can be summed up like this: Apple accepts the responsibility of security on itself, filtering out potentially malicious apps; Google throws the responsibility of security on users, allowing them to decide which app is malicious and which is not. (Both iOS and Android have the capability to remotely wipe malicious apps from users’ phones after the malicious app has been outed.) Of course, Apple’s iTunes policy also needs some changes (many security experts state Apple’s Achilles heel is when a malicious app gets past Apple’s security filter), but I personally feel Google’s current Android Marketplace policy is a bit too benign. (It is worth mentioning the much anticipated Windows Phone 7 app marketplace will supposedly take a page from Apple and Google’s playbooks by vetting all apps and having users explicitly allow app permissions.)

Now don’t get me wrong. I am not asking for Android Marketplace to become a shadow of iTunes; I don’t want Google to be as controlling and restrictive as Apple. However, I do feel Google needs to make some fundamental changes to its Android Marketplace policy because while SMobile’s wolf cry may be a bit overzealous (claiming 20% of apps in Android Marketplace are malware), Android malware is very real. (Don’t start cheering Apple fans – iOS has had its fair share of malware scares, albeit not necessarily affecting mainstream, non-jailbreaking users… yet.) These are the three key changes I feel Google should implement:

  • Google needs to start vetting each and every app they allow in the marketplace. Consumers should be able to rest easy getting an app from Android Marketplace knowing Google has ensured it is malware free.
  • Google needs to make developers explicitly state what they will do with the app permissions that their apps request. This clarification does not necessarily have to be stated at the same screen as where the app permissions are shown (the screen would become way too long/big if it did) but there should be some sort of link present allowing users to gain clarification about what the app will use each permission for.
  • Currently, by default, Android phones are set to allow installation of non-Android Marketplace apps. This should be turned off by default, forcing users to explicitly opt-in to allow non-marketplace apps to be installed. (Go to “Settings” -> “Application settings” to enable/disable this feature.)

While the three mentioned changes will never make Android 100% malware free (no platform can ever be 100% malware free; Linux fanboys, take your “Linux can’t be infected” crap and stick it up your… keep it to yourself), they will greatly help in the fight against rising smartphone malware. Come on Google, don’t leave us all hanging.

Feel free to share any thoughts you may have on the matter in the comments below. Please try to keep fanboyism to yourself.


24 comments

  1. Fred

    Dear Suzan,

    you’re right and very wrong!

    It’s right, it’s annoying what the app developers do. I personally think many of them do not know their IDE enough to compile only the functions into their soft that are needed.

    But we do have a free market, it is solely a thing (agreement) between you and the app developer IF you are willing to pay the price for using his app (financially and/or in matters of data exposure).

    What I recommend to you is installing something like “LBE Security Service” which gives YOU the decision about what an app can do and what not.

    Regards, Fred

    (‘downgraded’ from Android to WinMo 6.5)

  2. Suzan

    Ashraf, EXCELLENT article!

    I bought my first android phone a month ago and have been going mad all over the Google android marketplace, looking for interesting apps and games. Downloading and installing them without giving a damn to the permissions. After installing nearly 15 different apps, I cared to notice the permissions thing. I was downloading a simple free game and the permissions were SCARY! Why would a simple game need to know my GPS location? Why does a game need to read logs of my sensitive data? Why does it need access to my SMS logs? Why does the game need access to my camera and flash? After that, I checked many other apps and games and I was SHOCKED to find that all of those apps needed permissions to stuff that has nothing to do with those apps. Recently I found an app that needed tens of different permissions and I thought of warning others about that app but WTF, I can’t leave a review until I install that app. Google wants me to download and install an app and then warn others of the danger??? I’m not going to install any of the apps available in the Google Android Marketplace unless they scan all of these apps and ask the developers why they need so many permissions. I have uninstalled all the apps and games! I hate Google marketplace for allowing crooks to decide what information they want out of my phone using their apps. Almost all apps are on a serious PRIVACY breach and Google won’t even allow us to leave a review of the app unless we install it in the first place? This is a bunch of nonsense for a novice user!! And if you are a “smart” user, you cannot install any app at all because you know those permissions will ruin your phone (and your life)!! If you can’t install the android apps, what good is your Android phone then? Is there anyone out there who can name even a SINGLE app that is not taking advantage of the permission system?

  3. Samuel

    @RobCr: To change people’s thinking about iOS being the only mobile platform to develop for, you’re also going to have to make them realize that iPod does not equal MP3 player (though I suppose it’s more of a doesn’t equal PMP now). Apple (READ: Steve Jobs) doesn’t want that to happen though. I’d be happy to help if you can think of something though!

  4. RobCr

    @Ashraf: Two reasons for potential iPhone developments –
    1) A friend recently asked me to help develop an application for the iPhone. They probably don’t want me blabbing too much about it. However the person desiring the development, just automatically requested that it be developed for the iPhone. Presumably because they expected potential customers would be wanting it to run on an iPhone. When I discovered that I would have to use an Apple Mac, to develop it, I said ‘stuff that’ (to myself), and politely declined.
    I agree, that it would be a default assumption by many (do it for an iPhone)
    If I could snap my fingers (or rub a Genie’s bottle), I would stop anyone making that default assumption from now on. (Did I mention that I hate Apple ?)
     
    2) I have another friend who would like an application developed, and he too just assumes it would have to be for an iPhone.
     
    What can we do to change the world’s thinking (please) ?

  5. Ashraf
    Author/Mr. Boss

    @RobCr: 2.2 is due in September; if you want to wait for better battery you may be disappointed because we don’t know if 2.2 will improve battery life or not.

    As for what OS/Phone I have: I will keep that a secret for a little bit longer. ;)

    May I ask why you want to develop specifically for iOS? I understand iTunes is a huge market, but Android Marketplace is also big (100,000+ apps) and I am sure Windows Phone 7 will have a good marketplace too. If you ever decide to develop for Android, drop me a line – I have a few ideas.

  6. RobCr

    Thanks Ashraf,
    That was a thorough, comprehensive review (comparison).
    If it was me buying one, and I did not have to cater for possibility of developing iPhone application, then I would be leaning towards the Samsung.
    However, I would wait for 2.2, and perhaps wait for better battery ?
    And would heed your advice about return(swap) possibility.
    Which version of Android is in your phone ?
    And which phone ?
    Thanks for responding,
    Rob
     
     

  7. Ashraf
    Author/Mr. Boss

    @RobCr: First off let me begin by saying many of the great Android phones out right now are available in CDMA in the USA and don’t have GSM versions for international usage. Out of the GSM versions that are available, Galaxy S phones (i.e. Samsung I9000) is one of the best ones out there; it has an amazing screen, the most powerful CPU/GPU out on the market right now, etc. In fact, I would go so far as to say in terms of hardware Samsung I9000 is unmatched (the only thing it lacks is a flash but its “Night Mode” is terrific). On the software side, though, Samsung needs to pick up the pace.

    The Galaxy S phones have GPS issues (a fix is expected in September), lag issues (there are “lag fixes” out there that pretty much solve this issue), and the battery life of the Galaxy S phones is terrible (if you consider how power-friendly the hardware is, the phones should at least be getting 2x the amount of life outa battery). However, the hope is that with the release of Android 2.2 Samsung will address all these software related issues but only time will tell.

    (Oh Samsung failed quality control: Many users have reported issues with the touch sensitive keys; make sure if your friend does buy the phone he buys it from somewhere he can exchange if he gets a bad one.)

    So my verdict on Samsung I9000/Galaxy S phones: They are great but can be made better and hopefully with the release of Android 2.2 all our gripes will be addressed.

    That said, Android is a great OS – I highly recommend it to anyone. Android 2.2 (“Froyo”) makes the OS that much better, with a new compiler that is ultra-fast, built in tethering, full Flash support, and other stuff I can’t remember off the top of my head.

    In terms of what phone I recommend: I really can’t “recommend” any single phone since my research was limited by the phone choices available in the USA, but I would say check out http://www.gsmarena.com/ as a good resource on phones. You may especially want to check out the Samsung I9000 vs iPhone 4 review (http://www.gsmarena.com/samsung_i9000_galaxy_s_vs_apple_iphone_4-review-500.php) since both phones are excellent and most likely will be considered by your friend.

    (Oh, and keep in mind there will be a large influx of Windows Phone 7 phones by the end of this year, so if your friend can wait, he will have a greater choice by the end of the year.)

  8. RobCr

    Hi Ashraf,
    I have given up on my iPhone App development desires, until flippin Apple allows me to develop them on Windows with an emulator. I have hated Apple for a long time.
    Regarding your phone, and the OS:
    My friend asked me to check out the Samsung GT-I9000 for him.
    The specs look good.
    I notice it uses the Android OS (V2.1 but it is expected to be upgradeable to 2.2 soon)
    I am not in USA (I’m in Aust), but I assumed that Google were selling phones over there, with their own OS. And I did not doubt that other phone mfrs might use the OS.
    Which brand of phone do you have ?
    What are your thoughts on that Samsung ?
    (Assuming the OS becomes 2.2 soon)
    Do you recommend Android (OS) phones to your friends ?
    Which phone(any OS), would you recommend for my friend ?
     

  9. RobCr

    @Samuel:
    Apple hardware usually costs twice as much as it should.
    Windows is more popular, because it runs on hardware that costs half the price, and there are tons more applications. And the applications are cheaper or free.
    Wouldn’t it be great if the same happened with some other smart phone(s).
    My love affair with MS, has dwindled in the latter years,
    Whereas I have always detested what Apple does.

  10. Samuel

    @RobCr: I can’t really say, about the iPhone on Windows development. I gave it up as not worth it.

    In general I define fanboyism as defending something because of who made it, and that u must accept no changes. So by suggesting jail breaking I say Caleb is not a fanboy.

  11. Frank

    I dunno what’s your problem /w WinMo?
    When you strip off all the gimmicks (like Sense UI etc) and use 4 apps it’s the most valuable item I know. Much better usability as a mobile phone than iPhone or these Androids. These are mostly made for beauty and ease of use but not for productivity. Same as WinMo 6.5 in its original configuration.
     
    Frank

  12. RobCr

    @Samuel:
    Normally I work in XP, and develop for XP (Those pgms run ok in Win7).
    This current query was regarding the possibility of developing an app to run on an iPhone. But I was wishing to do the development on a PC (running XP).
    And to make life easy, I was hoping the development environment (do they call that the SDK ?), in XP would have an iPhone emulator, so I could do my coding/running/debugging all in XP desktop PC.

    PS You guys made me look up the definition of fanboyism.
    When I was madly in love with Buffy, was that fanboyism ?
    Or, when I said Blade Runner was the best movie ever made ?

  13. Samuel

    @RobCr: Do you mean developing for WinXP/7 or developing for WinMobile/WinPhone7 on WinXP/7? Different answers depending on which?

    @Ashraf: I agree what he said is not an answer but I don’t think it is really fanboyism, not sure of exactly what it is then though…

  14. Samuel

    @RobCr: There is a way to do iOS development on Windows, I did look into it a while back, but I don’t remember how and it might not work anymore.

    As to Pirate protection, Google does protect copyrights and the like but only if it’s reported to them.

    And with Windows, do you mean Windows Mobile or Windows Phone 7?

  15. RobCr

    Someone is asking me to develop an application for the iPhone.
    It would offer choices to users, and store their answers etc. (Without me giving away what they have dreamed up, we could call it a ‘shopping’ list on steroids)
    It appears that one has to own an Apple Mac , to conveniently develop iPhone applications. Apparently there is no iPhone emulator that can be run in Windows, for developing/testing purposes. (There is one for the Mac.)
    If Steve Jobs, personally visited me, and gave me an Apple Mac (for free), I might use it, but I would be resenting the fact that I had to use a Mac
    And so to my question –
    Does anyone know how I could develop an iPhone application in Windows (XP or Win7) ?
    And have an emulator running in Windows.
    I have checked out DragonFireSDK, but the current release (release 1), is only targeted at Game development.
    I asked the question about developing a non game app, and one of the knowledgeable members said it is rumored that Release 2 may handle that.
    He said it would be extremely difficult with Release 1

    Rob
    PS It would be some months before it is released.
    What are the chances that Google’s Android, will be swamping the market in Australia, by then ?
    The only thing I like about Apple’s PIA policies, is it appears to offer very strong protection to prevent pirating.
    What protection would there be with the Google Android (if I used that instead) ?
    And that raises similar questions regarding development in windows (Emulator, etc). 

  16. Samuel

    I’m going to think on your comments about the marketplace a bit before I comment on them but I just wanted to say that Windows Mobile is not a bad OS, it’s a bad Phone OS (note how it’s called Windows Mobile, it’s meant for mobile computers that cannot run a full OS).

  17. david roper

    The thought of Android Phones having the ability to Spam us scares the hell out of me.  Is nothing sacred anymore?  “Junk mail” on a phone?  Rights? Privileges?  Wow!!
    That’s why I chose a plain Flip phone by Verizon when my last 2 year contract ran out.  I chose at first to get two Android phones because I thought they were cool to own but after a week using them I turned them in.  Too much touch for me to answer a phone call when someone called me.
    K.I.S.S. Y.M.M.V.