In response to a slew of malware-infected apps on the Android Market, Google introduced Bouncer as a security mechanism to keep naughty apps at bay. But according to research from two security experts, Bouncer can easily be tricked to allow malicious apps onto Google Play (formerly the Android Market).
Jon Oberheide, a security expert and CTO at Duo Security, will be presenting his findings alongside security researcher Charlie Miller at the SummerCon conference later this week. The pair have released a teaser video (below) showing one method for bypassing Bouncer.
“This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment,” Oberheide wrote in a blog post this morning. “While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.”
Hacks like these are to be expected, especially for new security mechanisms, so we’re fortunate that Oberheide and Miller are helping Google to plug the issue. Google needs to strike a balance between offering strict security on Android apps and living up to its open ecosystem. Apple doesn’t have as many malware issues on iOS since it rules its app ecosystem with an iron fist — which is good for security, but not so much for developer flexibility.
VentureBeat is creating an index of the most exciting cloud-based services for developers. Take a look at our initial suggestions and complete the survey to help us build a definitive index. We’ll publish the official index later this month, and for those who fill out surveys, we’ll send you an expanded report free of charge. Speak with the analyst who put this survey together to get more in-depth information, inquire within.