Dammit. Stuff like this is exactly what is going to destroy the app market for the Android.
Who's going to download anything if they hear this can even happen?
Most developers complain about the Apple iPhone approval process, but they don't realize how much it really HELPS them.
Consumer confidence keeps people buying mobile apps, and with the iPhone, nobody even thinks twice about it because we have the added comfort of knowing Apple stomps out the bad stuff - usually before we ever see it.
How is that different from desktop apps, from web apps, from an OS even? Any program you trust in whatever way can do bad, bad things with your banking details, private data, list of contacts, etc.
Having just gone through this with Apple for a major name organization, I can assure you they take the identity of developers very seriously. You have to be who you say you are.
People trust the bank's website because they see the URL and know that it's genuine. People trust brick and mortar stores because they trust Best Buy to deliver products from the people they say they're from. People trust the app store on their phone just like a brick and mortar store... that is, they expect that somebody is ensuring the validity of the products that are being shown to them.
There is no other way for the consumer to validate this information, so the store provider must.
Exactly how much of the actual code is examined as part of Apple's app approval? What's to keep someone from creating a time-bomb app, that is benign until a certain date or signal is received? A game app that keeps a centralized high-score list on a server somewhere could use that as a back-channel to send flags to enable some kind of malicious mode.
In that case, Apple could remove stuff after the fact, but everyone who had already downloaded it would be affected. The only advantage is that Apple keeps developer documentation about who submitted which app, so the guilty parties are potentially traceable, but there's a chance even that could be social-engineered.
The openness of the Android platform actually allows the marketplace to meet the demand for verified apps, the same way SSL certs are supposed to be (but the market for SSL cert signing is geared toward the server end, not the consumer end, and they keep screwing up the high verification certs by making people jump through stupid hoops when they want them).
Since iPhone apps are sandboxed your time bomb app is unlikely. Apps can access their own data and that's it.
The iPhone app store also lists the creator of the app - either the person's name or or their company name. If you use a company name you must provide legal docs; that probably would have prevented this situation.
Does the Android app store not have checks like that?
Except Apple's approval process really wouldn't have prevented this. Most iPhone apps phone home without almost any user being the wiser. Who knows what most iPhone IM apps or apps like 1Password (basically any app that allows the user to put in any type of freeform information) are doing behind the scenes.
No, but let's pretend a master password app silently sends the password info back home periodically. Apple's process would let an app like that through. It'd be pretty stupid for a developer to do this (I even think it's stupid for an Android dev to do this), as they'd certainly get caught. But Apple's submission process wouldn't be what caught them.
That's fine, but what mechanisms are in place for the consumer to ensure that what they are being shown is from who the app says it's from? I haven't submitted an app to the Android app store, so I'm unsure.
Please correct me if I'm wrong, but wouldn't it be fairly trivial to create a phishing iPhone application (even one that got accepted to the App Store?) My understanding is that nobody is combing through your code line by line, so you could sneak something in there that wasn't activated until after the app was accepted, right?
The app would have to be signed by someone who presumably would have paid the $99 to get the developer account with Apple and thus there would be a way to trace (somehow) the app to some real person. Now, the identity used to get the account could be faked, but that's no longer trivial, assuming Apple has done things properly.
I don't quite understand however why this does not also apply to the Android app market - surely whoever put this up there has a known identity. If not, the whole point of the market place is undermined. All this has no bearing on the "evilness" factor - Apple's market place is evil because it is a self-enforced monopoly. The Android market place could have policies controlling their apps ten times as fascist as Apple's and they would not be as evil, because we can always go elsewhere (and maybe will, if this continues to be an issue).
19 comments
[ 487 ms ] story [ 1235 ms ] threadWho's going to download anything if they hear this can even happen?
Most developers complain about the Apple iPhone approval process, but they don't realize how much it really HELPS them.
Consumer confidence keeps people buying mobile apps, and with the iPhone, nobody even thinks twice about it because we have the added comfort of knowing Apple stomps out the bad stuff - usually before we ever see it.
I'm presuming that Apple will at least perform the diligence of making sure the app author is who they say they are.
Someone bought bank-of-america.ru too. I don't see how that is materially different.
People trust the bank's website because they see the URL and know that it's genuine. People trust brick and mortar stores because they trust Best Buy to deliver products from the people they say they're from. People trust the app store on their phone just like a brick and mortar store... that is, they expect that somebody is ensuring the validity of the products that are being shown to them.
There is no other way for the consumer to validate this information, so the store provider must.
In that case, Apple could remove stuff after the fact, but everyone who had already downloaded it would be affected. The only advantage is that Apple keeps developer documentation about who submitted which app, so the guilty parties are potentially traceable, but there's a chance even that could be social-engineered.
The openness of the Android platform actually allows the marketplace to meet the demand for verified apps, the same way SSL certs are supposed to be (but the market for SSL cert signing is geared toward the server end, not the consumer end, and they keep screwing up the high verification certs by making people jump through stupid hoops when they want them).
The iPhone app store also lists the creator of the app - either the person's name or or their company name. If you use a company name you must provide legal docs; that probably would have prevented this situation.
Does the Android app store not have checks like that?
Well... I'm sure somebody has submitted one. We just need for them to kindly report back.
I don't quite understand however why this does not also apply to the Android app market - surely whoever put this up there has a known identity. If not, the whole point of the market place is undermined. All this has no bearing on the "evilness" factor - Apple's market place is evil because it is a self-enforced monopoly. The Android market place could have policies controlling their apps ten times as fascist as Apple's and they would not be as evil, because we can always go elsewhere (and maybe will, if this continues to be an issue).
http://www.cringely.com/2010/01/when-is-your-bank-not-your-b...