From the Android Forums: Android security

Twinmomma416 asks in the Android Central forums,

My contract with AT&T is up, and we are switching providers due to limited tower availability near our home. We will be switching to Sprint which does surprisingly well where we are at. I was a BlackBerry power user who switched to iPhone two years ago. I loved it. Ease of use, all the apps, etc. ... Disappointed in the lack of customization but happy with the security of the phone and trusting the apps. Fast forward to now and I'm rather let down by the iPhone 5 release. I was hoping for much more - bigger screen, more iOS features/customizability. I'm a big fan of Apple computers mostly because I don't have to worry about viruses and my wife downloading stuff since she is NOT a techie at all. Played with my friend's HTC Evo 4G and fell in love. Here's my problem. I don't like what I'm reading about the susceptibility Android's platform has for keyloggers and spyware. I deal with a lot of confidential information (I work in government HR) and I cannot risk someone putting something on my phone either through an app, an email, a text, whatever, that could compromise that. I've searched for anti-keyloggers/anti spyware but I'm not finding anything that really puts my mind at ease. I'm not interested in rooting a device, but I am interested in making sure I don't worry about these things daily. I want to go Android, but Apple's security leaves me feeling more at ease. Thoughts from the experts here? I should add I'm also considering the Galaxy S3.

Android and app security. The two seem to get mentioned together anytime you read a title somewhere. They are a combination of terms that brings web traffic, and it's always easy to drive fans from both sides into a tizzy. Let's cut the hyperbole and talk "real" for a minute or two.


Yes, there is malware that can affect Android phones. There's also malware that affects iPhones, BlackBerries, Windows Phones, your Mac, and even Unix-based industrial machines that control things like dams and nuclear power plants. If you can write and install software on it, there's malware for it. People sticking their head in the sand and saying otherwise are doing a huge disservice to the folks listening to them. 

There are two issues at play -- one is the definition of malware, the other is the ease of installing it. We'll tackle the definition first. 

Programs that track you and display ads, after telling you they will track you and display ads, are not malware.

Yes, having your browsing habits sent to some server in Ukraine sucks, but if you knew ahead of time and installed it anyway, it's not malware. It's just easy to call it as such because it's a hot topic and we're pissed off when we see it in action. Most times you'll see this done by folks who have a genuine interest in furthering the idea that Android is rampant with malware. Scaring people has been a lucrative business since the Middle Ages. I'll let you in on an industry secret -- all of us who write words on the Internet are just regular people, and that means that some of us will do or say things to get a reaction. We know how to manipulate the group thinking process, because we're exposed to it daily. Always think critically about anything you read or hear.

The other issue is that genuine malware is super easy to install on Android. A simple tap will allow you to install applications from any source, with no jailbreaking or developer accounts needed. The vast majority of malicious applications come from third-party sites that offer applications that have been injected with other code. Sometimes the lure of getting pirated apps for free is too strong for some folks to resist, other times it's because an application isn't available through official channels, but there are a lot of folks sideloading apps to their Android devices. These apps haven't been scanned by Google's Bouncer process, which scans every application for malicious code.

So what do we do about it? First off, always read application permissions before you install an app. If you don't, there is only one person to blame when things go bad. I can write an app that steals your address book and posts it to Twitter, but I have to tell you I'm going to be digging in your address book and accessing your other accounts to deliver it. Be critical, and anything you don't understand when installing an app is something you need to be asking about. That's the whole reason Google presents us with the app permissions in the first place. 
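The permission check described above, as an added example that is not from the original article: it reads the `uses-permission` entries of an app manifest and reports which requests read personal data, which let data leave the device, and which you should look up before installing. It assumes the manifest has already been decoded to plain-text XML; the function names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose personal data, in plain language.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.GET_ACCOUNTS": "list the accounts on the device",
    "android.permission.USE_CREDENTIALS": "use your accounts' sign-in tokens",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.ACCESS_FINE_LOCATION": "read your precise location",
    "android.permission.RECORD_AUDIO": "record from the microphone",
}
# Permissions that give an app a way to send data off the device.
OUTBOUND = {
    "android.permission.INTERNET": "open network connections",
    "android.permission.SEND_SMS": "send text messages",
}

# Constructed sample: a "flashlight" app asking for far more than a light needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names the app declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def review(manifest_xml):
    """Group the requests and decide whether the app deserves questions."""
    perms = requested_permissions(manifest_xml)
    reads = [p for p in perms if p in DATA_ACCESS]
    sends = [p for p in perms if p in OUTBOUND]
    # Anything not in either table is "something you don't understand" yet.
    unknown = [p for p in perms if p not in DATA_ACCESS and p not in OUTBOUND]
    # Data access plus an outbound channel is the address-book-to-Twitter case.
    return {"reads": reads, "sends": sends, "unknown": unknown,
            "ask_questions": bool(reads and sends) or bool(unknown)}

if __name__ == "__main__":
    for group, items in review(SAMPLE_MANIFEST).items():
        print(group, items)
```
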

Next, be mindful of where you get your apps. If you're not computer-savvy, only install apps from Google Play. The few times "malware" has been spotted in the Play store it has been quickly removed and addressed, just like it's done in Apple's App Store. Chances are you'll never see it, let alone download it. If you do use other sources to sideload apps, read the previous paragraph again. Then read it twice.

It's foolish to think that there isn't a need for diligence on any computing platform. A quick Google search will show you how claims of a platform being "malware-free" have been debunked time and time again. Use the tools Google gives us, and a bit of old-fashioned common sense, and you'll be just fine.

Jerry Hildenbrand
Senior Editor — Google Ecosystem
