We’ve known that Google had the ability to remotely remove apps obtained from the Market since before the G1 first hit users hands, but until this week it had gone completely unused.
What apps were so dangerous that they caused Google to forcibly yank them from users’ devices?
The early reports indicated that they were simply apps that did nothing and while that is technically true it isn’t really the whole story.
The apps in question were released into the Market by Jon Oberheide from a security startup, Scio Security. One of the apps appeared in the Market as a picture viewer with images from the soon to be released Twilight Eclipse, but the real purpose of the app was to expose what Oberheide deems to be a security flaw and that is the ability to have an app retrieve new executable code without the users permission once it is installed. Now in this instance Oberheide had no intention of doing anything malicious, but obviously this concept could potentially be exploited by less scrupulous folks.
Oberheide was contacted by Google after he spoke about his app at SummerCon last week and was asked to remove the app from the Market, which he did. While Google indicated that most users had already removed the app — apparently it didn’t deliver what the Twilighters were looking for — they went ahead and decided to make this a teaching moment of their own by hitting the kill switch, also known as “REMOVE_ASSET,” and thus pulled the app from anyone that hadn’t gotten around to deleting it themselves. The notifications in the post image are what a user sees when this happens on their device.
Google reported on their use of the feature and why it is a necessary tool in their developer’s blog.
The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications. In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed.
This remote removal functionality — along with Android’s unique Application Sandbox and Permissions model, Over-The-Air update system, centralized Market, developer registrations, user-submitted ratings, and application flagging — provides a powerful security advantage to help protect Android users in our open environment.Rich CanningsAndroid Security Lead
Interestingly Oberheide in looking further into the event found that Google has a companion intent to “REMOVE_ASSET” named logically enough “INTALL_ASSET.” While the reason for the former is readily apparent it is a little less clear why Google would require the latter (perhaps some of our more developer minded readers might have some ideas). If you are interested in additional detail you can hit up the source link below for Oberheide’s own blog post on the the whole incident.
Personally I’m fine with Google having this capability in the name of security and they have probably earned our trust by implementing it only once in nearly two years, but I’m curious to see if most Android owners agree with me. Does it bother you that Google can either wipe an app from or add an app to your phone as they see fit or do you find it comforting that that they can close the flood gates on a potential security threat if necessary?