Amazon's app store puts millions of Android devices at risk

(Image: CNET/CBS Interactive)

Ask almost any security expert, and they'll tell you switching on "unknown sources" on your Android phone or tablet is one of the worst things you can do for device security.

But that's exactly what Amazon has asked its app store customers to do for years.

The heart of the problem is Amazon's requirement to allow installations from "unknown sources" -- that is, any app or game that hasn't been carefully vetted by the Google Play app store. That's because while almost all of Amazon's apps are already in Google Play, the retail giant's own third-party app store, dubbed Underground, isn't allowed.

Opening your Android phone or tablet up to apps and games outside Google's protective walled garden also makes your device significantly more vulnerable to malware, because the system will then install packages from any source the user taps through.

And that's no secret. We're not even the only ones to notice it -- some noted the security issue back in 2015 when Amazon Underground first launched.

When asked to comment, an Amazon spokesperson confirmed that Underground had since been installed on "millions" of Android devices. That's in part because some of Amazon's own apps for Android are only available through Amazon Underground, such as Amazon Prime Video -- the company's competitor to Netflix.

The spokesperson added that "customers should take care only to download content from sources they trust, like Amazon."

But it's not Amazon's app store that's the problem -- it's the giant hole you have to punch in Android's security to get it installed in the first place.


(Screenshots: ZDNet/CBS Interactive)

We spoke to several prominent security researchers and experts, and they all agreed that opening up "unknown sources" is a bad move for security.

Joshua Drake, VP of Platform Research and Exploitation at Zimperium, who was credited with finding the Stagefright bug that affected millions of Android users, said that installing apps from unknown sources is "a significant source of malware in the Android ecosystem."

Andrew Blaich, a security researcher at Lookout, agreed. He said: "By allowing unknown sources, a user is removing the first line of defense in stopping themselves from installing a malicious app that can be delivered from a number of sources, including malicious website links, phishing attempts and others of which we've seen happen in targeted attacks like ViperRat and other broader non-targeted attacks."

Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, said in an email: "There are a lot of nasty Android apps out there and only downloading apps from official sources is key to a safe mobile computing experience."

We could go on and on -- but you get the idea.

The battle for access to app stores isn't new. Because mobile device and software makers like Apple and Google get to dictate the terms of who can and can't access their platforms, competitors like Amazon resort to asking their customers to essentially forgo some security in exchange for access to a rival app store.

And while Android has always been the more open platform for apps and games compared to iPhones and iPads, which have built a reputation for security thanks to Apple's strict app store requirements and code checking, that is soon set to change. Drake added in his email that Google's upcoming Android O will allow third-party app stores without requiring blanket access to the whole phone, effectively making it harder for malware to install.

When reached, Google wouldn't comment on the record.

Amazon's app store currently has 800,000 free apps, thanks to the company's incentive to developers to submit their apps. The company said last month that though it's shutting down its namesake developer program, which allows the millions of Amazon Underground users to download apps and games for free, the app store itself is "not going away" any time soon.

Given the security risks, your best bet is to uninstall the app -- pronto -- and switch off "unknown sources." Anything else is putting you at risk.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
