Verify apps

Talking about malware on a mobile platform is a tough thing to do right. Some of what you hear is real and needs to be addressed responsibly, but so much of it is just FUD from folks trying to sell you something or get you to change your choice of device. We try to do the former, without downplaying the serious issues, but we also depend on users to be a little bit savvy and not do the things that lead to getting malware on the phone in the first place.

Thankfully, Google has stepped up and taken the reins here. As ComputerWorld's JR Raphael has pointed out, starting with Android 4.2, users now have the option to have every sideloaded application scanned before installation. This uses the same technology as Google Play's Bouncer, and is designed to scan for and find malware -- both known cases and suspicious applications. If an app's fingerprint matches known malware, you'll be blocked from installing the application. If the app shows anything that the scanner feels is suspicious, you're warned that it may be harmful and given the choice whether or not to install. The service is entirely opt-in, and your choice can be changed at any time through the device security settings.

We're big proponents of responsible reactions to and prevention of mobile security issues. At a time when companies release blurbs in the press that exaggerate the amount of malware (Android VP of engineering Hiroshi Lockheimer notes that actual dangerous malware is extremely rare on the Android platform) and push users to use their products, we're glad to see Google taking this sort of action. There is no substitute for common sense, but Android 4.2's new security scanning feature sounds like the right way forward.


Reader comments

Android 4.2 brings new security features to scan sideloaded apps


Hopefully in the near future this will also manage to curb piracy as well. I'm tired of mandatory network license checks.

That was one of my first thoughts too, but until they make this a mandatory thing instead of opt-in, it won't stop piracy since they can just not turn it on, or turn it on and then turn it off when they want to install a pirated app.

Agreed, but they need to do it right. I like being able to install unsigned content that devs have themed or whatever and I'd hate for a side effect of this to be that I can no longer easily install things like that.

If you're worried about the latest updates, get a Nexus. It sucks, I know, but at least you will know next time. I'm even selling my SGS3 for a Nexus 4 purely for the updates.

I've had a Nexus since the Nexus One (Nexus One, then Galaxy Nexus) and yes, it is kinda cool to get updates within days of hearing about them -- fun. And it's not like the pure-Google Android experience is significantly less than the HTC'd, Samsung'd or whatever tweaked version.


Honestly, CyanogenMod or AOKP have many more features than pure AOSP. I'm not sure who would want stock Android actually when custom ROMs based on stock are the same thing but with better features.

I've never pirated an app, so I'm very glad that Google allows this to be optional. The only time I've sideloaded an app from a questionable source was when looking for a live wallpaper, so I don't want anything scanned for me. And I have no intention of pirating apps, I gladly support our devs.

Personally I'll leave this on to start with -- the scanning isn't like a virus checker intercepting all sorts of system calls and slowing things down, it's only scanning at install time, so why not let it do so? At least until false-positives on the scan prove annoying (if there are any false positives in practice)...


This seems good, but after thinking about it, I'm worried that this is one small step away from a full virus scanner. People already believe that the Play Store is full of viruses, which is nonsense. But of course there is some bad stuff in there, as there is everywhere else. This seems like perfect fodder to "prove" that the Android OS needs a virus scanner.

If you are really going to sideload, you need to be careful of the sources. I "sideload" on my desktop and do a whole manner of tinkering. But my desktop is a heavyweight system, so running virus scanners on install of an application and/or constantly is not too much of a problem.

My question is how does the mobile platform stay lightweight for the future but balanced with the real issue of security?

These are all great changes in Android 4.2. But with less than 3% of devices running 4.1, and only 25% running ICS, it's going to be 2 years before the mainstream public can take advantage of these new things. And as a developer, I'm tired of writing code for 2.3.3 and not being able to take advantage of all the ICS and JB goodness.

I'm curious to see how this security handles apps like Adobe Flash that are not supported on JB Devices, but lots of folks run on the Gnex and other JB devices. Guess I'll find out as soon as I get 4.2 on my Gnex.

So is this on automatically, and does it remove the need to specifically enable installing sideloaded apps?

That's an interesting move. Let's see how it works out in real life.

A couple of typos in the 2nd para though: it should be reins (things for controlling the front end of a horse), not reigns (something done by royalty); and scanner, not canner in the same paragraph.