Sounds simple right? Well it is, although like all things, we users can make it harder than it needs to be.
One of the negatives of open source is that it is prone to malicious folks doing malicious things with malicious apps.
Now this doesn't mean you have to be paranoid. No need to stop getting apps. You just have to use your noodle.
It's very easy. Follow a few general rules and you will be good to go.
1. Trusted sources. The Market...er Play store should be your first stop when looking for an app. Google does a pretty good job of finding and keeping infected apps (malware) off the market. Some get through, but they usually get snapped up quickly. Amazon's App Store is another "Brand Name" market. There are some other sites that do offer clean apps. So how do you know if they are OK? Well....
2. Read the reviews. If an app is faulty, does something sketchy, folks WILL complain about it. Does it use Air Push (pushes ads to your notification bar instead of in app)? Are the permissions wonky? Was a virus found? Does the Developer maintain the app? All these are questions that can point you in the right direction.
3. Permissions. This one is a big one that is not as cut and dry as it would seem. Some apps will ask for permissions that may not fit what that app says it does. Some are obvious no no's, such as a battery widget wanting access to your address book or dialer.
Others aren't. Network access can be needed to access high scores, or so when you click "help" it goes to the dev website. If you ever have a question, email the dev and see if he replies (bad sign if they don't) and if it makes sense.
Search the web for better descriptions of permissions.
4. Unknown Sources. This is under Security in 4.0, I can't remember where it is in 2.3. Basically this allows software from outside the Market to be installed. It is unchecked by default, so unless you have changed it there's nothing to worry about. If you choose to check it and install from elsewhere then be sure you know all you can about the app. Usually not a big issue (say from XDA), but can get you in trouble, so.....
5. Anti Virus/Security apps.
These are good if you just want to click and go. Lookout, Snap Secure, Bit Defender are good examples. In some ways they behave just like your computer anti-virus in that they scan downloaded and installed (not files that are downloaded) apps for malware and block any they find. Most also give location of lost devices, back up services, etc. I can recommend these for almost anyone.
The most important thing to remember is it starts with you the user. Getting a basic education on Permissions and Malware is IMPORTANT. The only way malware can get on your device is if YOU download it and install it. So be diligent and you won't have much to worry about.
This isn't all inclusive. I am no expert, just a user trying to pass on some advice.
Nicely done, Jay, thanks.
Good write-up, Jay.
Would it be possible to make this a sticky? I think it would be helpful to all Android users who visit the forums.
Follow me on Twitter @lak611
I'm trying to add a bit to Pinstack. I by far do not know everything, and I hope that if I miss something others will fill in my gaps.
Also just hope it will bring users out of the woodwork and maybe join in.
Will stick it later unless Glenn gets to it first.
My first stickie!
Good article. My pleasure.
Galaxy S4 Red
Would edit main but it's so difficult with that much text.
Air Push Detector
Highly recommended is Avast Security for Android (search it in Play Store). They bought TheftAware to make it part of their bundle, if you lose your device.
What do you get? Virus Scanner (On-Demand if wanted), Privacy Advisor (for app permissions), Application Management (tells you what apps are running), Shield Control (protection for apps, web, and SMS), SMS and Call Filter, Firewall, Network Meter (tells you how much data each app is consuming), Anti-theft (phone is lost, you can track it and send commands from another device thru SMS or through their web app). There is more stuff I might be missing, it's all you need for security imo. Besides common sense. lol.
BTW The tracking app if you lose your device is a separate hidden app (that can't be deleted unless you follow some instructions). So that means if you want you can keep that app and get rid of the Avast suite. For the theft app it is better if you are rooted, as many features depend on it but you can still use it.
Edit: DID I MENTION IT'S ALL FREE
Maybe someone has some insight on this. But what exactly about the Android OS makes it so vulnerable to malware and viruses and all that? I've been doing some reading and it seems that over 90% of these sorts of threats hit Android.
The relative openness of Android and the ability to publish without stringent reviews beforehand.
On iOS side loading isn't an option (unless jail broken). A malicious app can be posted anywhere and promoted as something legit. Inexperienced users can then install, opening themselves up to attack.
One of the pluses (some feel) with Apple's App Store is the review process apps go through before they are accepted and published. Apple's process deters or catches most (not all) malicious applications, therefore protecting users.
Google asks for $25 for a Dev account and then you're off. They do scan the Market for malicious apps but are often reactionary instead of proactive. However, that doesn't absolve users of responsibility. Malicious apps aren't really that hard to spot.
1. A paid app that shows up free from a different (sometimes like named) developer.
2. An app that asks for overly invasive permissions. All permissions are required to be listed. Why does a game need access to SMS? Always check the permissions. If they don't make sense email the Dev. If you don't get a response or one that sounds suspect...avoid it.
3. User reviews. Read more than the first 3-4. Do they sound fake? Are they overly glowing?
4. Side loading. While the majority of apps I've used I have side loaded, they came from XDA and from trusted, recognized devs. Side loading an app from a website that seems cobbled together or (hate to say it) from China is a risk. You wouldn't allow a stranger into your wallet, don't allow one on your phone.
Android does have risks. With 4.1 (maybe 4.0) Google introduced a virus scan into its app installer. It's not foolproof, none of them are. If you apply common sense and are proactive then you will be fine. I still don't use a virus scanner, and I haven't had a single malware issue. The amount of apps I have side loaded puts me in a high risk category.
Lastly, not everything is 100%. You can do it all correctly and still stumble into malware. You have to accept that you need to be vigilant. Occasionally check setting/data usage for apps sneaking data. Check setting/battery, is something chewing up battery, and is that normal?
It's not nearly as bad as articles suggest. Sources are usually Antivirus devs who are pushing a service, or a pro-Apple/Windows Phone/who knows pushing an agenda.
These are all great tips. Thanks! So I'm working on an article about security, malware, and the Android OS. In the course of my research, I can find a ton of stats and tales of scary malicious apps, phishing attacks, etc. But what's missing are the real world stories of people actually telling about a specific Android malware attack and how it affected them, whether it stole personal info, cost them money from premium texts, stuff like that.
I was wondering if anybody had a story they might share. Or know anybody who has one. I'm trying to put a human face on this issue.