Android Malware War of Words

July 4th, 2014

Google’s head of Android security, Adrian Ludwig, has said that people buying anti-malware software for Android will probably get no extra protection over that already provided by Google Play services. The risk of potentially harmful applications ending up on users’ devices is significantly overstated, and the actual risk of a damaging app being installed is extraordinarily low. Instead of showing how many users are actually affected, reports focus on how many potentially malicious apps exist and not on whether they are ever installed.

Obviously, anti-virus vendors have started responding. Trend Micro’s Rik Ferguson says:

"Over 46% of the apps that Trend Micro has classified as “malicious” (leaving aside the high risk ones) were sourced directly from Google Play. [Trend Micro have] so far analysed 3.7 million Android apps and updates, 18% of those apps have been classed as malicious and a further 13% as High Risk."

Rik says Google’s estimate of how many apps are malicious might be wrong because Google’s library of malicious and high-risk apps might be limited. You can only detect what you know about.

So who’s right? It’s certainly true that on the desktop, and when doing web site security evaluation, it’s best to use more than one tool. However, 13% of Play apps high risk? I don’t think anyone has experienced that kind of number. Then again, it depends what ‘high risk’ means. If it includes apps that are poorly written, have severe vulnerabilities and leak private information, as opposed to those that are actively written to be malicious, then this number might be true.

Meanwhile, if you are interested in the malware threat you might also look at the Virus Bulletin’s very recent article on how malware authors are obfuscating their code. Turning things around, the same obfuscation techniques can also be used to help protect your apps. There’s also more in my recently updated obfuscation article.

Increase App Discoverability With Deep Linking

July 3rd, 2014

URXblog has recent research showing that only 22% of apps have added deep link tags to their web sites for at least one mobile operating system. The research shows that some areas, such as travel, have yet to catch on to the fact that their apps can be better discovered if they use deep linking.
As URXblog says…

"We are at a turning point in the mobile app ecosystem where deeplinking is becoming a priority and not just a feature."

Deep linking is promotion for free, so check out the Google and iOS (Registering Custom URL Schemes) documentation. There’s also more information at

UPDATE: URXblog added some additional insights on deep linking.

How To Write Secure Android Apps

July 2nd, 2014

If you follow this site you will know I take a special interest in Android security. As a result of a particular project, I have taken an even deeper interest more recently and have come to the conclusion, having read lots of papers and studies, that many Android developers unintentionally make some very poor security decisions when coding. Security isn’t on their radar. However, with the growing number of vulnerabilities, unpatched OEM devices and malware, it’s easy to get caught out. For example, Skype, WhatsApp and Samsung have all had embarrassments, and it’s well known that banking apps leak information.

The good news is that it’s possible to protect sensitive data, most of the time, by following some simple guidelines. For critical data, such as financial and banking data, it’s also possible to protect it in such a way that it’s mathematically impossible to access even when a device has been rooted or malicious code has obtained root privileges.

Most Android security sites and books have been written by security researchers and show how to hack Android rather than how to protect apps. I decided to approach the problem from the other direction and have created a free site with Android programming guidelines that can hopefully raise awareness and help developers become Android security gurus.

Apps Used More Than the Desktop

July 1st, 2014

ComScore has an interesting press release that says that Apps Now Drive Half of All Time Spent on Digital. What’s especially interesting is that comScore’s claim is about apps specifically, not mobile in general, being used more than the desktop. Here’s the split by app category…

One of the main drivers of app use over the desktop is communication via social networks. This is understandable: the phone is a natural communication device because it’s portable and the desktop isn’t. The top use case, looking up information, is less obvious and shows that usability must be improving for people to want to use mobile instead of the desktop.

The Secret of a Successful App

June 30th, 2014

I caught up on Google I/O 14 over the weekend by watching the Android-related videos I hadn’t seen during the week. It turns out the more compelling ones were not specifically about Android.

The session Perfectly Executing The Wrong Plan gives an example of how easy it is to get excited about an idea and its implementation and ignore the importance of doing market research. It also explains how easy it is to be misled if you use friends and family when doing market research.

In many ways this session demonstrates the importance of the business model. Just because your idea is an app or mobile web site doesn’t mean you don’t need a business model. Take a look at Business Model Generation (and the book) and start filling in your key activities, partners, resources, cost structure, customer relationships, segments, value propositions, channels and revenue streams. If you are at this stage in the product cycle then you might also want to read my mobile development primer.

A second session I found interesting actually had very little to do with mobile and Android. Biologically Inspired Models of Intelligence, given by Ray Kurzweil, describes how Google is developing artificial intelligence.

[If you like that session you should also take a look at David Wood’s (of Symbian fame) Anticipating 2025 eBook based on the conference of the same name.]

User Retention

June 27th, 2014

A hot topic at the moment is retaining users. The Application Developers Alliance has a very useful PDF on how to motivate and engage users to boost customer retention. It includes tips on using customer feedback, customer research, onboarding, personalised communications, in-app support, real-time performance monitoring and re-engagement of past users.

The important thing about many of the motivation and engagement techniques is that they need to be designed into the app. There’s no point releasing an app and only then thinking about how to retain users.

Thoughts on Google I/O 14

June 26th, 2014

Here are my immediate thoughts, from a developer perspective, on the announcements from Google I/O.

1 billion 30-day active Android users is huge. It’s also impressive that Android has managed to achieve 62% tablet market share. These are the headline numbers that should attract developers and cause apps to be created. While wearables, TV and automotive might have potential, they won’t (yet) be attracting that much investment for third-party apps to be created.

Android One, formerly rumoured to be Android Silver, is a hardware reference platform to allow OEMs to get to market quickly. It will be stock Android with quick updates from Google and promises phones under $100. This has the potential to cause new low-end phones to run Android 4.x+ rather than 2.x. It could also upend other mobile OS initiatives at the low end: Nokia X and Firefox OS. However, this primarily depends on take-up by Chinese OEMs. Let’s wait and see. UPDATE: More on Silver (and Nexus).

Android ‘L’ rethinks the UI design with what it calls ‘Material’ design. It’s still in development and it will be the end of the year before it’s on shipping devices. I do wonder if a UI re-design was really needed. As with iOS, I think this will cost developers and stakeholders a lot of development time. Some iOS developers I know have said that the iOS re-design cost them a year of app innovation, and so it might be on Android. Even then, there will be old apps and old devices, so it will end up being a mishmash anyway. I am not yet liking the common desktop/mobile Metro-esque feel that in some ways looks like it was invented at Microsoft, and which killed the Windows 8 interface. However, I might eventually be won over when I examine it in more detail.

On a more positive note, pre- and post-activity animations will improve look and feel. The new z argument for views, which gives depth/shadow, is interesting. It can be used to show that something can be pressed. This is often missing on Android list views, where iOS has the disclosures (chevrons). Being able to colour widgets is also interesting, as I have had to do this in the past to create/configure white-label apps. Currently it’s possible but difficult, and it will be great when this can be done easily, but probably only for new devices, which kills my excitement somewhat.

And this leads me to the support library. The usefulness of all of this depends on how much Google supplies in the support library for use by earlier devices. If it’s only for new devices then we have yet more fragmentation and less consistency across the platform. Here’s a vote for getting as much as possible into the support library. However, I suspect this is a big wish given ‘L’ will be "The biggest release in the history of Android". Google have over 100 teams working on Android and there will be over 5000 new APIs in ‘L’…

As rumoured, Android ‘L’ devices will use ART instead of Dalvik leading to up to 2x performance improvement, less invasive garbage collection and fewer out of memory errors …

Android Piracy and Fraud Woes

June 25th, 2014

Swrve has some new research that shows that 19% of Android in-app purchases (IAP) are fraudulent. Swrve used their ‘fraud filter’ to compare on-device purchase events against Google Play receipts to determine whether they were valid or fraudulent.

What does this mean? How can it happen? There are some hacking apps that, if used to run apps that offer IAP, can trick Google Play into allowing the IAP to happen without a valid payment. The device has to be rooted, and running the hacking apps themselves is a significant risk, as who knows what else they do. Nevertheless, this looks to be a large hole that Google really ought to fix ASAP.
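The defensive side of what Swrve’s filter does is to trust the Play receipt, not the on-device purchase event. The Go program below is an added example (not Swrve’s or Google’s code) of a server-side receipt check: Play signs the INAPP_PURCHASE_DATA JSON with the app’s licensing key using SHA1withRSA, so a server holding the app’s public key can reject receipts that were never issued by Play, that are for a different package or product, or that are presented a second time. The package name, product id, order id, purchase token and the key pair are all constructed for the example; in a real deployment the public key comes from the Play Console and the JSON and signature come from the device exactly as Play returned them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// PurchaseData holds the INAPP_PURCHASE_DATA fields a server-side check cares about.
type PurchaseData struct {
	OrderID       string `json:"orderId"`
	PackageName   string `json:"packageName"`
	ProductID     string `json:"productId"`
	PurchaseState int    `json:"purchaseState"` // 0 = purchased, 1 = cancelled, 2 = refunded
	PurchaseToken string `json:"purchaseToken"`
}

// ReceiptStore remembers purchase tokens already credited, so a genuine receipt
// cannot be presented again to obtain the item twice.
type ReceiptStore struct{ seen map[string]bool }

func NewReceiptStore() *ReceiptStore { return &ReceiptStore{seen: map[string]bool{}} }

// VerifyPurchase checks the Play signature (SHA1withRSA, PKCS#1 v1.5) over the raw
// purchase JSON with the app's base64 licensing public key, then checks the receipt
// is for the expected package and product, is in the purchased state and has not
// been credited before. purchaseJSON must be byte-for-byte what the device received:
// re-serialising it would invalidate the signature.
func (s *ReceiptStore) VerifyPurchase(pubKeyB64, purchaseJSON, signatureB64, wantPackage, wantProduct string) (*PurchaseData, error) {
	der, err := base64.StdEncoding.DecodeString(pubKeyB64)
	if err != nil {
		return nil, fmt.Errorf("public key is not base64: %w", err)
	}
	key, err := x509.ParsePKIXPublicKey(der) // Play Console keys are X.509 SubjectPublicKeyInfo
	if err != nil {
		return nil, fmt.Errorf("public key is not X.509: %w", err)
	}
	rsaPub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil {
		return nil, fmt.Errorf("signature is not base64: %w", err)
	}
	digest := sha1.Sum([]byte(purchaseJSON))
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA1, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify: receipt was not issued by Play for this app")
	}
	var pd PurchaseData
	if err := json.Unmarshal([]byte(purchaseJSON), &pd); err != nil {
		return nil, fmt.Errorf("purchase data is not valid JSON: %w", err)
	}
	if pd.PackageName != wantPackage || pd.ProductID != wantProduct {
		return nil, fmt.Errorf("receipt is for %s/%s, expected %s/%s", pd.PackageName, pd.ProductID, wantPackage, wantProduct)
	}
	if pd.PurchaseState != 0 {
		return nil, fmt.Errorf("purchase state %d is not 'purchased'", pd.PurchaseState)
	}
	if s.seen[pd.PurchaseToken] {
		return nil, errors.New("purchase token already credited (replay)")
	}
	s.seen[pd.PurchaseToken] = true
	return &pd, nil
}

// DemoPurchaseJSON is a constructed receipt in the shape Play returns; every value is a placeholder.
const DemoPurchaseJSON = `{"orderId":"GPA.0000-0000-0000-00000","packageName":"com.example.app","productId":"premium_upgrade","purchaseState":0,"purchaseToken":"constructed-token-1"}`

// NewDemoKey generates a throwaway key pair standing in for the app's Play licensing key
// (constructed for the example; the real public key comes from the Play Console).
func NewDemoKey() (*rsa.PrivateKey, string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return priv, base64.StdEncoding.EncodeToString(der)
}

// SignForDemo plays the role of Play's signing step so the check can be exercised offline.
func SignForDemo(priv *rsa.PrivateKey, purchaseJSON string) string {
	digest := sha1.Sum([]byte(purchaseJSON))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

func main() {
	priv, pubB64 := NewDemoKey()
	store := NewReceiptStore()
	sig := SignForDemo(priv, DemoPurchaseJSON)
	if pd, err := store.VerifyPurchase(pubB64, DemoPurchaseJSON, sig, "com.example.app", "premium_upgrade"); err == nil {
		fmt.Println("credited order", pd.OrderID)
	}
	// The same receipt presented again is rejected as a replay.
	_, err := store.VerifyPurchase(pubB64, DemoPurchaseJSON, sig, "com.example.app", "premium_upgrade")
	fmt.Println("second presentation:", err)
	// A receipt whose JSON was altered on the device no longer matches the signature.
	edited := DemoPurchaseJSON[:len(DemoPurchaseJSON)-2] + `x"}`
	_, err = store.VerifyPurchase(pubB64, edited, sig, "com.example.app", "premium_upgrade")
	fmt.Println("edited receipt:", err)
}
```

The check deliberately lives on the server: a client-side check can be patched out on a rooted device, whereas the server never sees anything it did not verify itself. The replay table is a map here; in practice it would be persistent storage keyed by purchase token.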

The current problems are not just related to IAP fraud. PlayDrone (PDF slides from the presentation), an application used to measure apps on Google Play, has found that 25% of apps are copies of others. That is, a significant proportion of the code in 25% of apps is the same as that found in other apps. Some other insights are that only 15% of apps are obfuscated, and that native apps (as opposed to app-generator and WebView-based ones) correlate strongly with apps that are popular.
