Dammit. Stuff like this is exactly what is going to destroy the app market for the Android.
Who's going to download anything if they hear this can even happen?
Most developers complain about the Apple iPhone approval process, but they don't realize how much it really HELPS them.
Consumer confidence keeps people buying mobile apps, and with the iPhone, nobody even thinks twice about it because we have the added comfort of knowing Apple stomps out the bad stuff - usually before we ever see it.
Exactly how much of the actual code is examined as part of Apple's app approval? What's to keep someone from creating a time-bomb app, that is benign until a certain date or signal is received? A game app that keeps a centralized high-score list on a server somewhere could use that as a back-channel to send flags to enable some kind of malicious mode.
In that case, Apple could remove stuff after the fact, but everyone who had already downloaded it would be affected. The only advantage is that Apple keeps developer documentation about who submitted which app, so the guilty parties are potentially traceable, but there's a chance even that could be social-engineered.
The openness of the Android platform actually allows the marketplace to meet the demand for verified apps, the same way SSL certs are supposed to be (but the market for SSL cert signing is geared toward the server end, not the consumer end, and they keep screwing up the high verification certs by making people jump through stupid hoops when they want them).
How is that different from desktop apps, from web apps, from an OS even? Any program you trust in whatever way can do bad, bad things with your banking details, private data, list of contacts, etc.
Except Apple's approval process really wouldn't have prevented this. Most iPhone apps phone home without almost any user being the wiser. Who knows what most iPhone IM apps or apps like 1Password (basically any app that allows the user to put in any type of freeform information) are doing behind the scenes.
Please correct me if I'm wrong, but wouldn't it be fairly trivial to create a phishing iPhone application (even one that got accepted to the App Store?) My understanding is that nobody is combing through your code line by line, so you could sneak something in there that wasn't activated until after the app was accepted, right?
The app would have to be signed by someone who presumably would have paid the $99 to get the developer account with Apple and thus there would be a way to trace (somehow) the app to some real person. Now, the identity used to get the account could be faked, but that's no longer trivial, assuming Apple has done things properly.
I don't quite understand however why this does not also apply to the Android app market - surely whoever put this up there has a known identity. If not, the whole point of the market place is undermined. All this has no bearing on the "evilness" factor - Apple's market place is evil because it is a self-enforced monopoly. The Android market place could have policies controlling their apps ten times as fascist as Apple's and they would not be as evil, because we can always go elsewhere (and maybe will, if this continues to be an issue).
That's fine, but what mechanisms are in place for the consumer to ensure that what they are being shown is from who the app says it's from? I haven't submitted an app to the Android app store, so I'm unsure.
dpcan | 16 years ago
thwarted | 16 years ago
algorias | 16 years ago
city41 | 16 years ago
marcusbooster | 16 years ago
http://www.cringely.com/2010/01/when-is-your-bank-not-your-b...
olefoo | 16 years ago
dminor | 16 years ago
jkincaid | 16 years ago
zmimon | 16 years ago
wrs | 16 years ago
jmtulloss | 16 years ago