Google needs to rethink its Android Marketplace policy

When looking for a smartphone, the operating system is (should be) a great influence in your decision on which smartphone to get. There are many smartphone OSes out there: Palm’s webOS, Samsung’s Bada OS, Nokia’s Maemo, and Qualcomm’s BREW just to name a few.  However, the five big players in this market – the five OSes that are the most popular and best supported – are Microsoft’s WindowsMobile, Nokia’s Symbian OS, RIM’s BlackBerry OS, Google’s Android, and Apple’s iOS (formerly known as iPhone OS). Typically, the average consumer will (should) look for a smartphone from among the big five; but even this list of five can be trimmed down.

Windows Mobile is a pathetic excuse for an operating system; it has been neglected by Microsoft for too long and is, simply put, lousy. (Microsoft plans on releasing Windows Phone 7 later this year which looks to be a stunner, but currently WinMo is terrible.) And, for all its market share – Symbian is the most popular smartphone OS globally (but it has a negligible market share in the USA) – Symbian is probably the most disorganized and least user-friendly out of the whole bunch. Plus, soon as Nokia – the phone manufacturer which single-handedly is keeping Symbian alive – drops Symbian in favor of MeeGo, Symbian can RIP. In other words, both WinMo and Symbian were unable to properly adapt to the software-side of the revolution started in 2007 by the release of the iPhone 2G. (Throwing decked out phones – in terms of hardware – doesn’t do you much good if you can’t back it up with proper software.)

Similarly, BlackBerry OS is struggling to adapt to the iPhone revolution; attempts to grow out of its niche market, i.e. the BlackBerry Storm, have not gone too well (BlackBerry Torch – a full keyboard, touchscreen phone – was just released and we can only wait and see what happens.) However, BlackBerry’s saving grace is corporate America (or corporate England, France, [insert country name here]). The full keyboard on BlackBerry phones and no-frills, I-am-here-to-work aura associated with BlackBerrys is often preferred by business users over the hard(er)-to-type-on touchscreen phones and the idea that touchscreen phones are more for entertainment than work. For example, sure while the iPhone may be able to do critical work functions – now it even includes the ability to use Microsoft Exchange Server – it just isn’t as attractive to business users as a BlackBerry is. Simply put, BlackBerrys are designed to allow people to work easier, better, and faster than other smartphones. Plus, in places outside the USA – such as the Middle East – the crackberry fade is in full force, with users preferring BlackBerrys over other brands.

So, even between the big, big three – BB OS, iOS, and Android – currently the average consumer really has only two choices: iOS and Android (assuming you aren’t looking for a smartphone for worked-related needs). Although the choices may be limited, it goes without saying both iOS and Android are terrific platforms.

While there are many differences between iOS and Android – the biggest of them being iOS is developed by Apple and Android is developed by Google – the difference I want to talk about is about their app stores. Without a doubt, after the iPhone revolution of ’07, app marketplaces are one of the biggest attractions when it comes to smartphones. A platform that has a large, well supported app store is more likely to succeed; a platform that does not, is more likely to fail. Both iOS and Android have large, well supported app marketplaces (although, as its stands, Apple iTunes is quite a bit larger than Android Marketplace). The point I want to discuss in this article (finally getting to the point of this article after all that trolling…) is how Apple and Google go about handling the security of these app stores.

Run by arrogant, naysaying control freaks, Apple iTunes (the app marketplace for iOS) is tightly controlled with Apple having to individually approve apps before they are allowed to appear in iTunes. This approach, while not too enlightened, has a great pro to it: It allows Apple to vet each individual app to ensure it is malware free. (Some people argue Apple does not have the ability or resources to vet every single app – since there are so many apps in iTunes – but the official word and general community consensus is Apple vets all apps.) Android Marketplace (Android’s app store) is run differently.

Google has more of a hands-off policy when it comes to the Android Marketplace. While Google is less restrictive on the apps that can be placed in Android Marketplace, Google does not vet each app checking for malware. (The only type of checking Google performs is a “background check” on developers [i.e. has developers fill out personal details, such as address, phone number, etc. and Google checks to make sure all the information is accurate]) Instead, Google relies on the age-old Linux defense technique: User permissions.

Every time a user installs an app on their Android phone, they are informed – upfront and explicitly – what type of access the app has (i.e. what permissions the app has):

All the access an app is given is always stated to the user before the user confirms he/she wants to install the app in question. There are about 20 different types of permissions, ranging from full Internet access, to ability to delete files, to ability to send text/SMS messages, and everything in between. (A post on AndroidForums.com has a fairly good description on all Android app permissions, for those who want more information.) In theory this is a great way to protect users; in practice, it is fairly useless.

See the idea that users will be protected because they are presented with app permissions prior to installation makes one major assumption: Users are fully informed and knowledgeable. As any economist will tell you, consumers are never fully informed and knowledgeable about the topic in question. That is not to say everyone is dumb and illiterate; rather it means

  • Not everyone knows and understand how these Android app permissions work. As Android grows more popular day by day – it is now the fastest growing smartphone platform – Android phones are landing in the hands of techies, non-techies, kids, adults, etc. Not everyone has the know-how or means to research and understand what these app permissions mean, how they work, or what they do. Heck, I bet many people don’t even know the exist. Many people simply just click “OK” and install the app without properly reading permissions first.
  • App permissions are obscure and non-descriptive. Even if a user understands what permissions mean, how they work, and what they do the non-descriptive nature of the permissions makes it hard to understand exactly what an app will do on your cell phone.

Many times I – and I consider myself to be fairly good with technology – find myself wondering “why does this app need this permission” or “what will the app do with that”. For example, here are the permissions required for a Dictionary.com app:

Now why in the world does a Dictionary.com app need to have access to my location (GPS/network-based)? I may know that the app will access my location, but I don’t know what it will do with that access. While access to location may not necessarily server a malicious purpose (I am just using this as an example to prove my point), my point still stands: Users may know what permissions an app has, but they probably don’t know exactly what the app will do with that permission.

Hey, it isn’t just me or you either: Even security firms can be fooled by these app permissions.

As it stands, the difference between Apple iTunes security and Android Marketplace security can be summed like this: Apple accepts the responsibility of security on itself, filtering out potentially malicious apps; Google throws the responsibility of security on users, allowing them to decide which app is malicious and which is not. (Both iOS and Android have the capability to remotely wipe malicious apps from users’ phones after the malicious app has been outed.) Of course, Apple’s iTunes policy also needs some changes (many security experts state Apple’s Achilles heel is when a malicious apps gets pass Apple’s security filter), I personally feel Google’s current Android Marketplace policy is a bit too benign. (It is worth mentioning the much anticipated Windows Phone 7 app marketplace will supposedly take a page from Apple and Google’s playbooks by vetting all apps and having users explicitly allow app permissions.)

Now don’t get me wrong. I am not asking for Android Marketplace to become a shadow of iTunes; I don’t want Google to be as controlling and restrictive as Apple. However, I do feel Google needs to make some fundamental changes to its Android Marketplace policy because while SMobile’s wolf cry may be a bit overzealous (claiming 20% of apps in Android Marketplace are malware), Android malware is very real. (Don’t start cheering Apple fans – iOS has had its fair share of malware scares, albeit not necessarily affecting mainstream, non-jailbreaking users… yet.) These are the three key changes I feel Google should implement:

  • Google needs to start vetting each and every app they allow in the marketplace. Consumers should be able to rest easy getting an app from Android Marketplace knowing Google has ensured they are malware free.
  • Google needs to make developers explicitly state what they will do with the app permissions that their apps request. This clarification does not necessarily have to be stated at the same screen as where the app permissions are shown (the screen would become way too long/big if it did) but there should be some sort of link present allowing users to gain clarification about what the app will use each permission for.
  • Currently, by default, Android phones are set to allow installation of non-Android Marketplace apps. This should be turned off by default, forcing users to explicitly opt-in to allow non-marketplace apps to be installed. (Go to “Settings” -> “Application settings” to enable/disable this feature.)

While the three mentioned changes will never make Android 100% malware free (no platform can ever be 100% malware free; Linux fanboys, take your “Linux can’t be infected” crap and stick it up your… keep it to yourself), they will greatly help in the fight against rising smartphone malware. Come on Google, don’t leave us all hanging.

Feel free to share any thoughts you may have on the matter in the comments below. Please try to keep fanboyism to yourself.

Related Posts