Android offers developers a lot of freedom in using a phone's hardware in their apps. While this leads to some really amazing functionality, it can also be a security concern. Google has chosen to run a more open marketplace for apps, and does not hold submissions back so it can review them first.
Your first line of defense is just common sense. If you're not familiar with an app, give everything a once-over before you install it. Here we'll use a real-life example: an app that managed to hit 10,000 downloads in just one week. The app in question, Android Gaming Network (AGN), is at least shady and maybe an outright scam, and you can tell something is fishy just by looking at it.
Job one is to check the comments on an app to look for suspicious behavior. The wisdom of crowds is of real use here. AGN, for instance, has over 200 Market reviews, most of them positive. If you look closer, you can tell something is wrong: many of the reviews were clearly written by the same person. They have the same grammar and say mostly the same things. This is a big red flag for any app. In fact, in this app's comments, there are some real people offering words of warning: this "free" app charges you $10 a month if you're not careful.
The Market has the option to pull up the other apps submitted by a particular developer. Make sure to look at these apps if you're feeling uneasy. It could be that they develop a well-known app, and that can certainly put your mind at ease. It could also be that they develop several other questionable-looking apps. Either way, this is information you should have when evaluating an app.
The Android Market offers a link to the website registered by the developer. If you're feeling wary after looking at the Market comments and other apps, this is the next place to check out. You can tell a lot about a developer from their site. If it looks like a storefront genuinely meant to promote mobile applications, that's a good thing. A completely unrelated site is not as good. The developer of AGN has a site listed, but when you go there, it's just a blank page with the URL. This isn't what you want to see.
A developer of reliable apps will want to put their best foot forward. Having a Twitter account is a good way to stay in touch with users, and the developer's website should be able to direct you to it. Not having a Twitter account is not necessarily a sign of trouble, but if you cannot find a real website or a Twitter account, that is a concern. A developer with no real presence online is suspicious.
Check the app permissions

[Image: A Twitter client just needs a few permissions]
This is perhaps the most important thing to do when you're unsure about an app. Android makes developers register system permissions for their apps to interact with the phone. By going down the list, you can tell what an app is going to do. Depending on the type of app, some permissions may stick out like a sore thumb. First, you have to know which permissions to look out for.
Right under the heading "Services that cost you money", you may see the "send SMS" or "send MMS" permission. Most apps don't need the ability to send SMS messages. If you're looking at a game, news, or entertainment app of some sort, it more than likely shouldn't need these permissions. Sending SMS messages to premium-rate numbers is a way to charge users surreptitiously, and we think that is how the developer of AGN is doing it. Bottom line: if an app is unexpectedly asking for SMS permissions, be skeptical.
Next up, look for the "Storage" header. The subcategory to be aware of here is "modify/delete SD card contents". This permission gives apps full read/write access to your SD card, including your pictures, music, and videos. If you look around in your app permissions, you'll likely notice that many apps actually request this. They often need SD access to store a cache or some sort of downloadable data for the app. Even though it is common, if an app seems shady and wants SD access, you might want to think twice.
Another permission to watch out for is "read phone state and identity", which you will find under "Phone calls". In this context, state means whether or not the phone is placing a call. There are perfectly reasonable circumstances in which an app might want to know if you are on a call or not, but this permission also gives access to the unique identifiers of your phone. This includes the IMEI, IMSI, and Google identifier numbers of your handset. This could allow an unscrupulous individual to clone your phone.
The "full internet access" permission under "Network communication" is probably the most important permission an app can request. As the name implies, an app with this permission can load any URL and send data at will. The problem is that almost all apps request it. Games that send high-score data, for instance, need this permission. Any app that pulls in online content would use it as well. Still, use your best judgment and decide whether an app should have this privilege on your phone. There might be times you just don't want to risk it, should you already feel uneasy about an app.
[Image: An automation app like Tasker needs more permissions]
Lastly, check for the "Your location" section, and see if the app asks for either fine (GPS) or coarse (network-based) location. Many apps ask for coarse location access, and this is maybe a little off-putting, but not the end of the world. Coarse cell-network locations are usually off by a few blocks. Some developers use this to know what general vicinity their users are in. Still, if you value your privacy, you don't need to install these apps if you can't think of a valid reason for them to track you.
The fine GPS location, on the other hand, is more concerning. This permission allows an app to use the GPS chip to know exactly where you are. Unless you're looking at an app that does some sort of location-aware searching or location sharing, this is a red flag. There are very few instances when an app needs to know exactly where you are.
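The permission review above can be turned into a repeatable check. The script below is an added example, not part of the original article or anything the AGN developer shipped: it reads the `<uses-permission>` entries from an app's AndroidManifest.xml, maps the ones the article singles out back to the Market groups they appear under ("Services that cost you money", "Storage", "Phone calls", "Network communication", "Your location"), and flags any that are out of place for the kind of app you think you are installing. The per-category expectations and the sample manifest for a made-up game package are assumptions constructed for the example; the `android.permission.*` constants are the real Android names behind the Market labels.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the Android XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The permissions the article tells you to look out for, keyed to the
# Market group heading they are shown under and the label the Market uses.
WATCHLIST = {
    "android.permission.SEND_SMS": ("Services that cost you money", "send SMS"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("Storage", "modify/delete SD card contents"),
    "android.permission.READ_PHONE_STATE": ("Phone calls", "read phone state and identity"),
    "android.permission.INTERNET": ("Network communication", "full internet access"),
    "android.permission.ACCESS_COARSE_LOCATION": ("Your location", "coarse (network-based) location"),
    "android.permission.ACCESS_FINE_LOCATION": ("Your location", "fine (GPS) location"),
}

# Which watchlisted permissions are plausible for a given kind of app.
# This is the article's rule of thumb written down as a table, and is an
# assumption for the example: a game may phone home with high scores and
# cache data on the SD card, but has no business sending SMS, reading the
# phone identity, or using GPS.
EXPECTED = {
    "game": {"android.permission.INTERNET",
             "android.permission.WRITE_EXTERNAL_STORAGE"},
    "twitter_client": {"android.permission.INTERNET"},
    "location_search": {"android.permission.INTERNET",
                        "android.permission.ACCESS_COARSE_LOCATION",
                        "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed sample manifest for a hypothetical game; the package name and
# the permission set are invented for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Hypothetical Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def review(manifest_xml, category):
    """Flag watchlisted permissions that are not expected for this category of app.

    Returns a list of (market_group, market_label, permission) tuples, in the
    order the permissions appear in the manifest.
    """
    expected = EXPECTED.get(category, set())
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in WATCHLIST and perm not in expected:
            group, label = WATCHLIST[perm]
            findings.append((group, label, perm))
    return findings


def report(manifest_xml, category):
    """Human-readable summary of the review, one line per finding."""
    findings = review(manifest_xml, category)
    if not findings:
        return "No unexpected permissions for a %s." % category
    lines = ["%d unexpected permission(s) for a %s:" % (len(findings), category)]
    for group, label, perm in findings:
        lines.append("  [%s] %s (%s)" % (group, label, perm))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST, "game"))
```

Run against the sample manifest as a "game", the script reports three out-of-place permissions: "send SMS" under "Services that cost you money", "read phone state and identity" under "Phone calls", and the fine GPS location, which is exactly the combination the article describes as a red flag. To use it on a real APK, extract the manifest first (the binary manifest inside an APK has to be decoded to plain XML before a plain XML parser can read it) and pick the category that matches what the app claims to be.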
The vast majority of apps in the Android Market are on the up and up. We're not implying that you need to scrutinize all of them this thoroughly. However, if you're not familiar with an app, and something looks suspicious, don't be afraid to investigate before you install it. By looking into AGN a bit, we found the Market comments claiming premium SMS charges, that the developer website was blank, and that it was asking for strange permissions. It also looks like this developer did much the same thing last week under a different name. Those apps have been removed.
Keeping an eye on the permissions of apps you have already installed is also useful, as it will help you better understand what those permissions are used for. To view an app's security information, go to its Market page and hit menu > security. Currently installed apps also list their permissions under Manage Applications in Settings. Follow these simple best practices, and you should be able to avoid scams and malware on Android with no problem.
Team Dt