Security concerns over Android Market web store

One of the many highlights of the official Android 3.0 Honeycomb unveiling last week was the news that the Android Market was now available as a fully fledged web store, capable of being accessed by any device with a web browser, not just Android smartphones.

However, just as the fanfare is dying down come troubling reports that the Android Market Web Store could have a gaping security flaw that could provide hackers with an open door to purchase apps without your knowledge.

Ironically, the flaw centres around what Google is touting as one of the web store's most useful features – the ability to push new apps straight to your Android phone after purchasing them online using a PC.

According to NakedSecurity blogger Vanja Svajcer, the feature most likely makes use of the INSTALL_ASSET command, which in essence requires only your Google password – most typically used in Gmail – as a security green light.

Svajcer reasons that all a hacker, or anyone looking to scratch you off their list of friends, would need to do is know that password, and they'd be able to start buying apps without your permission. Tie that in with the inevitable existence of less-than-honest apps that have slipped unnoticed past Android's app-vetting systems and it's a troubling picture.

And the security concerns don't end with the Android Market, either.

“The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence,” Svajcer writes.

It makes the case for keeping your password hard to crack and changing it regularly more compelling than ever.

Via SlashGear

 1 comment

stinky1  May. 29, 2011 at 18:57

Umm, if they have my password then of course they can buy stuff.
Have I missed something here?
If they had my PayPal password, guess what. They could buy stuff.

