May 27, 2011

Apps with dangerous permissions pulled from Chrome Web Store

Do you trust Google to review and ban potentially malicious applications from its online stores?

The Android Market has already been found offering "trojanized" apps, and now the Chrome Web Store has been spotted offering two popular game extensions that request potentially dangerous permissions from the users who install them.



The apps in question are named Super Mario World and Super Mario 2 and are not made by Nintendo. That they ask questionable permissions of the user was discovered by David Rogers, the blogger behind blog.mobilephonesecurity.org, while he was installing one of them.

"Installation is pretty instantaneous," says Rogers. "As I looked at the screen, I saw the box to the bottom right. 'This extension can access: Your data on all websites, Your bookmarks, Your browsing history'".

He uninstalled the extension immediately and went looking for an explanation of the unduly broad permissions. The bookmarks permission lets the extension read, change, add to and reorganize his bookmarks. The browsing-history warning is the one Chrome shows for the "tabs" permission, which developers commonly request so that an extension can open new tabs or windows; what the permission actually grants is the URL and title of every open tab, which is why Chrome files it under browsing history, and opening a tab with chrome.tabs.create does not require it at all.

But the worst is the permission granting access to the user's data on all websites. An extension with that host permission can inject scripts into every page the user visits (think e-mail, Facebook, online banking) and read or alter what is on it, and it can issue requests to any site with the user's cookies attached, so the site answers as if the user had asked. In short, the extension can impersonate the user to every website.
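An added example, not code from the article nor from Google or the extensions' authors: a small JavaScript audit that maps the permissions a Chrome extension manifest declares to the install-time warnings Chrome showed in 2011 (only the three warnings discussed above and the narrow-host form are modelled), with a constructed over-privileged manifest beside a least-privilege one for the same game. The sample manifests, the scores.example.com host and the excessWarnings helper are assumptions made for illustration.

```javascript
// Added example for this article (not the extensions' real manifests and not
// Google's own code): map the permissions a Chrome extension manifest declares
// to the install-time warnings Chrome showed in 2011, so a reviewer can see at
// a glance why a game would trigger "Your data on all websites".

// Host patterns that cover every site. Any one of them, in "permissions" or in
// a content script's "matches", produces the all-websites warning.
const ALL_SITES_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Reduce a narrow match pattern such as "https://scores.example.com/*" to the
// host Chrome names in its warning (simplified: a leading "*." is dropped).
function hostFromPattern(pattern) {
  const m = /^[a-z*]+:\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].replace(/^\*\./, "") : pattern;
}

// Returns the warning strings Chrome would display for this manifest. Only the
// warnings the article discusses, plus the narrow-host variant, are modelled.
function installWarnings(manifest) {
  const perms = manifest.permissions || [];
  const scripts = manifest.content_scripts || [];
  const warnings = [];

  // Host permissions look like URL patterns; API permissions are bare names.
  const hostPerms = perms.filter((p) => p === "<all_urls>" || p.includes("://"));
  const scriptMatches = scripts.flatMap((cs) => cs.matches || []);
  const hosts = [...hostPerms, ...scriptMatches];

  if (hosts.some((p) => ALL_SITES_PATTERNS.includes(p))) {
    warnings.push("Your data on all websites");
  } else if (hosts.length > 0) {
    const named = [...new Set(hosts.map(hostFromPattern))];
    warnings.push("Your data on " + named.join(", "));
  }
  if (perms.includes("bookmarks")) {
    warnings.push("Your bookmarks");
  }
  // "tabs" exposes the URL and title of every open tab, which is why Chrome
  // reported it under the same heading as the "history" permission.
  if (perms.includes("tabs") || perms.includes("history")) {
    warnings.push("Your browsing history");
  }
  return warnings;
}

// Reviewer check (hypothetical helper): which warnings does this manifest
// trigger beyond the set a reviewer has decided this kind of extension needs?
function excessWarnings(manifest, allowed) {
  return installWarnings(manifest).filter((w) => !allowed.includes(w));
}

// Constructed sample shaped like the case in the article: a game that asks for
// every site, bookmarks and tabs. Not the actual Super Mario extensions' manifest.
const OVERPRIVILEGED = {
  name: "Some Platformer Game",
  version: "1.0",
  permissions: ["<all_urls>", "bookmarks", "tabs"],
};

// Constructed sample of the same game held to least privilege: chrome.tabs.create
// works without the "tabs" permission, bookmarks are irrelevant to a game, and a
// hypothetical scoreboard host is named explicitly instead of <all_urls>.
const LEAST_PRIVILEGE = {
  name: "Some Platformer Game",
  version: "1.0",
  permissions: ["https://scores.example.com/*"],
};

// A game with no network needs at all triggers no warning.
const NO_PERMISSIONS = { name: "Some Platformer Game", version: "1.0" };

console.log(installWarnings(OVERPRIVILEGED));
// → [ 'Your data on all websites', 'Your bookmarks', 'Your browsing history' ]
console.log(excessWarnings(OVERPRIVILEGED, ["Your data on scores.example.com"]));
console.log(installWarnings(LEAST_PRIVILEGE)); // → [ 'Your data on scores.example.com' ]
console.log(installWarnings(NO_PERMISSIONS)); // → []
```

Run it with node. The same function doubles as a cheap gate for a store-side or CI review: decide which warnings an extension of a given kind may legitimately carry, and reject any manifest whose excessWarnings list is non-empty rather than relying on the user to read the install box.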

Apart from being disappointed that Google failed to spot the problematic permissions and remove the apps, Rogers really takes issue with the "permissions by default" installation.

"You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them," he explains. "It gives me the chance to review what I’ve selected and make a decision, especially if I hadn't spotted that information on a busy and cluttered webpage."

I do think Google made no grave mistake here; it did, after all, show the permissions the apps require. The problem is that for this system to work as it should, users have to be careful and judicious, and let's face it, they do not constitute a majority on the Internet.

Rogers also points out that, to the average user, the fact that the Chrome Web Store is operated by Google makes downloads from it implicitly trustworthy. In his opinion, this should make Google extremely careful when it comes to evaluating and vetting possibly dangerous apps.

In the end, Google quietly removed the two apps from the store, but has not commented officially on the action. Let's just hope they take Rogers' objections into consideration.
