Saturday, July 27, 2013

Google's new "Verify Apps" service makes Android more secure

Along with the recent release of a new version of Android, 4.3, Google also rolled out a new service that promises to make Android more secure.

The Verify Apps service was originally rolled out as part of Android 4.2.  But now its been pulled out of Android itself and made part of the Google Play Store service, along side the already existing Bouncer service.  By doing so, all versions of Android can take advantage of this.

I learned about this thru THIS posting at Computerworld.

So, what DOES this new service do?  Its a universal app-scanning system.  It watches for new apps on your system, even those loaded directly from outside the Google Play Store ("sideloaded"), and instantly checks that app for malicious or potentially harmful code.

While I think this is great, I'm not sure I buy into the views of this writer of the blog posting that this somehow eliminates the need of anti-malware apps on Android.  While, yes, there is a bit of fear mongering on the part of the anti-malware field (true of a lot within the security field), the fact is we've seen an increase in Android malware.  Plus, one can get a large number of free anti-malware apps, so its not like you have to pay a lot of money to protect yourself.

On a practice point, we've seen failures with Bouncer.  Who's to say that similar issues won't been seen with Verify Apps?  Plus, like I think most security professionals, I prefer multi-level security measures.  It's a mistake to rely on one or a limited number of tools to protect our systems.  It would be like a company thinking that since they have firewalls, they need not worry about anti-virus or the like.

I do like the idea of "Android deconstruction" mentioned by the writer (further covered in THIS posting), with Google pulling out certain elements from Android itself, and making them available as separate apps, thus avoiding the issue of Android upgrading.  There are limits to this, as not everything can be an app, but maybe this will help make Android be a more core OS, that can be more easily upgraded.