
>Android sits somewhere between "gift to hackers" and "Windows XP".

It is hard to take you seriously.

Let's be clear that the malware problem on Android isn't apps exploiting any weakness in the platform itself beyond the simplicity of pushing apps onto the market. They aren't exploiting that devices are running Gingerbread or anything like that.

These are apps doing exactly what they are allowed to do by the system -- after advertising their intentions and doing exactly what they declared that they could do -- but they are malicious because the things they are doing aren't in the best interest of the user.

e.g. an ostensible puzzle app that actually sends contact information to a third party (after declaring and getting permissions for contacts and internet access), or that sends pay SMS' to Nigerian sex operators, again after declaring and getting permissions for contacts and internet access.

When anti-virus vendors and please-pay-attention-to-us tiny security upstarts talk about malware, that occupies 99.9% of the space (if not 100%). It is a trust and validity issue with Google and the Play Store that requires much better vetting and culpability of developers, and vetting of applications (not in the "don't do anything that overlaps us" manner of Apple, but simply to validate the scope of functionality, fitness for advertised purpose, and lack of clear trademark and copyright infringement that is so prolific on the Play store).

That has nothing to do with the platform and everything to do with one store.
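The kind of store-side check the comment above asks for (validating an app's declared permissions against its advertised purpose), as an added example that is not part of the thread or any store's actual tooling. The per-category policy, the category names and the sample manifest are assumptions constructed for illustration; the permission names are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed reviewer policy (hypothetical): permissions expected per store category.
EXPECTED = {
    "puzzle": {"android.permission.INTERNET"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS",
                  "android.permission.SEND_SMS"},
}

# Permission sets that enable the behaviours described in the comment.
RISKY_COMBOS = {
    "contact exfiltration": {"android.permission.READ_CONTACTS",
                             "android.permission.INTERNET"},
    "paid SMS": {"android.permission.SEND_SMS"},
}

# Constructed sample manifest in decoded text form, not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Puzzle"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review(manifest_xml, category):
    """Return (permissions beyond the category's policy, risky behaviours they enable)."""
    perms = declared_permissions(manifest_xml)
    # An unknown category has no allowance, so every permission is flagged.
    unexpected = perms - EXPECTED.get(category, set())
    # Flag a combination only when it is fully declared and at least one
    # of its permissions falls outside what the category justifies.
    findings = [label for label, combo in RISKY_COMBOS.items()
                if combo <= perms and combo & unexpected]
    return sorted(unexpected), sorted(findings)

if __name__ == "__main__":
    unexpected, findings = review(SAMPLE_MANIFEST, "puzzle")
    print("unexpected for category:", unexpected)
    print("enabled behaviours:", findings)
```

The same manifest passes cleanly when reviewed as a messaging app, which is the point: the permissions are legitimate on the platform and only stand out against the advertised purpose.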



You clearly didn't read a single link that I posted. I did a comprehensive study of all malware targeting mobile devices between 2011 and 2012 and, yes, they are targeting the device itself and the design choices made while building it.

EDIT: oh wait, there you go blaming the user again. "Grandma should have known the difference between THIS app that requested her contacts and THAT app that requests her contacts and stole them. Jeez Grandma! Get with it!"

How is that not a design problem? I thought we gave up delegating security decisions to the user after we saw what happened with SSL?


>EDIT: oh wait, there you go blaming the user again. "Grandma should have known the difference between THIS app that requested her contacts and THAT app that requests her contacts and stole them. Jeez Grandma! Get with it!"

No, I didn't blame the user. I pointed out that most of the problem with malware on Android, for the overwhelming majority of users (who don't sideload), was that the Play store is a wild west right now, where people pay $25 and make an account where they can instantly publish "Temp1e Run" that is actually nothing of the sort. This is the cause of the overwhelming majority of malware on Android.

Should apps be able to have those specific rights (such as sending pay SMS')? Yes, absolutely they should. The ability for apps to do more interesting things is exactly what differentiates it and makes it better. Simply saying "keep every app in a silo where it can't do anything" is not a choice users want.

EDIT: And just to loop back again, you again claim that malware needs to somehow break the bounds of the Android system to do its evil deed (exceeding permissions, cracking ASLR, etc). That is absolutely untrue in practice. Malware on Android, courtesy of the practically unmaintained primary market, is largely a study of social hacking.



