Google engineers stress importance of Android app security at I/O

Android is most commonly-targeted mobile OS when it comes to malware, so Google engineers offered developers some basic but helpful tips during I/O last week.

SAN FRANCISCO -- It's no secret that Android is the prime target for mobile malware. This is disconcerting to consumers, but it should also be just as worrisome for app developers.

During a session about Android security and privacy at the close of Google I/O on Friday afternoon, Android security engineer Jon Larimer attributed the security gap to a "the fundamental lack of transparency."

"People are getting more and more distrustful of apps that ask for access to their personal data without any clear reason on what you're planning to use it for," Larimer added. "Mobile devices are very powerful now, but they're also a treasure trove of very private personal data on the phone's owner."

Larimer instructed the few hundred developers attending that particular seminar that apps need to "respect the data" on Android devices, reminding them that people actually don't generally like giving out personal details to strangers. That concept shouldn't be any different on mobile devices.

"When a user allows your app to access some aspect of their phone, they're trusting you with it," Larimer asserted.

Some of potential culprits behind mobile attacks include "unscrupulous marketers" who want to mine mobile devices for data, and Black Hat spammers who will pay big bucks for collections of detailed personal data. Larimer explained that a user's phone number and email address could be harvested for spam, as well as the people on their contact lists.

In fact, Larimer argued that every single component of an app can be exposing data if you aren't taking the necessary precautions, whether it's the log file, settings file, the web service, or the data being transmitted over the network Then again, developers have a lot more to worry about than just the apps they develop, such as insecure wireless networks and cases of lost and stolen devices.

Larimer also pointed out that if your app requests permissions, a security vulnerability in your app can grant other apps access to the protected data or component without permission. Just as when it comes to users protecting their own security, developers can implement a few simple methods that could work security wonders.

"It's often easier to write a secure app in Android than it is to write an insecure app," Larimer posited.

For instance, Google engineers advised uploading a privacy policy for an app letting users know what you're going to do with your data.

"It should spell out exactly what data you collect. And I really mean exactly," Larimer said. He also acknowledged maintaining developer account security so other people don't publish apps for you and Google Authenticator for two-factor authentication.

Android software engineer Kenny Root also cited using an Application Signing Key, which works exactly as described: a unique key that unlocks a designated app.

Of course, given that this key is supposed to be unique and the gatekeeper to an app, Root reminded developers that if they lose their key information, then it's lost forever -- forcing the developer to ask all of his or her users to uninstall and reinstall their apps for further updates.

To get an idea of how often this happens, just search for "lost Android release key" to get an idea so it doesn't happen to you.