Bad Piggies, Graffiti and the IRT

How bad is Google’s application security problem?

Think “New York City in the 1970s.” Just like New York during those dark days, Google faces a myriad of problems: many of its own making. And the Silicon Valley star might consider looking to Gotham for inspiration as it tries to turn things around.

Have you ever seen those gritty photos of the New York City subway from the 1970s? You know the ones: with weary riders spaced out in cars spray painted with graffiti inside and out? Whatever happened to that? If you ride the New York City subway today, there’s hardly any graffiti to speak of – and it’s not like no one is interested in street art these days. That’s more popular than ever. No…New York’s Metropolitan Transit Authority (MTA) snuffed out its graffiti problem. But how?

I thought about that graffiti this week as I wrote about Google’s trouble with another security incident: the embarrassing eruption of adware on its Chrome Web store. The company was forced to remove seven Chrome browser extensions claiming to be Chrome versions of the hot new game Bad Piggies – the latest installment in the Finnish firm Rovio’s enormously popular Angry Birds. Writing for Barracuda on October 3rd, researcher Jason Ding noted more than a half dozen Chrome extensions that claimed, falsely, to be versions of Bad Piggies. Many, when installed, requested permissions to harvest a dizzying amount of information on the user’s Web browsing activity. A few also installed adware plug-ins.

Like the graffiti on New York City’s subways, bogus Chrome extensions and malicious mobile applications have become a chronic and embarrassing problem that Google is having trouble stamping out. Bad Piggies wasn’t the first time bogus apps have cropped up on the Chrome Web store. And the whole Chrome Web store headache is similar to the tactics used by malware authors behind threats like DroidDream, the Trojan horse application that was bundled with playable versions of any number of popular Android applications and posted to Google’s Android Marketplace.

Like the MTA in the 1970s, Google is struggling to stay on top of the scourge of bad apps. Writing in response to questions from this reporter about the bogus Bad Piggies extensions, for example, a Google spokeswoman said that the company removed the “extensions noted in the Barracuda Labs report” from the Chrome Web Store. However, a quick check revealed at least two other extensions – both posing as Bad Piggies Chrome plug-ins, both clearly bogus and both sporting hundreds of user reviews complaining about scammy apps and adware. Tagged.

For the MTA in the 1970s, graffiti was a complex problem with no easy solution. Cars were tagged en route and – often – when they were out of service and sitting idle in holding facilities. The result: by the late 70s, graffiti covered the exterior and interior of almost every subway line, reinforcing public perceptions of the subway as dirty and crime ridden. At a practical level, the tagging had become so rampant that it was obscuring much of the signage on the subway lines, making it difficult for riders to navigate the system.

Are there lessons for Google in the MTA’s successful battle against graffiti in the 70s and 80s? Yes.

First: the MTA made getting rid of graffiti a priority. It reorganized to create clear lines of responsibility for dealing with graffiti. The agency invested millions to clean graffiti from its stock of more than 3,000 subway cars. Finally, the MTA pivoted from a policy of trying to apprehend and punish taggers to making it harder and less rewarding to tag trains. Trains were outfitted to make it harder to climb on and staging yards were secured to keep taggers out when the trains were idle. The “Clean Car” program in 1984 took tagged cars out of service until graffiti was removed from them, reinforcing the image that the MTA was in charge. Almost immediately, graffiti became less common. By 1989, it had been all but eradicated from the MTA.

As with the MTA, Google needs to take ownership of its application platforms, including Google Play and the Chrome Web Store. It must drain the swamp by removing applications that violate its policies. Next, Google needs to institute strict guidelines for developers and demand accountability from them. Google’s chief competitor, Apple, accomplishes this by requiring application developers to make a small monetary deposit when they set up a developer account. The company then performs (cursory) audits of submitted applications, mostly for adherence to its AppStore policies. The fee isn’t enough to be a barrier to entry or to dissuade a sophisticated malware author, but it is enough to scare away those who want to operate anonymously and/or unethically. Google should do the same.

So far, there’s not much evidence that this is happening. Google plays dumb about bad apps, contending that it will remove bad Chrome extensions when they crop up. Writing about the Bad Piggies rogue application problem, the Google spokeswoman said that users (the victims) also shoulder some of the responsibility for policing the Web Store. “You should review the permission messages and user reviews carefully when you install a Chrome app or extension and decide whether you trust the author with those privileges,” the Google spokeswoman wrote.

That sounds sensible enough – but it’s specious advice. Chrome users have almost no way of evaluating the trustworthiness of Chrome extension publishers because Google doesn’t have any reputation ranking system, nor does it review applications and extensions before they’re published. I’m all for personal responsibility, but asking customers to police the stores in which they shop is a stretch.

In the 70s and 80s, the MTA owned up to the fact that it had to clean up graffiti because all those tags were undermining its mission. Google may, at some point, reach the same conclusion about its application marketplaces. Let’s hope it’s sooner, rather than later.

H* | October 11, 2012 1:04 pm

So how do you balance this perceived directive against the
unpopularity of Apple’s policies about the iphone store, which
people rail against when the apps they write and submit [legitimate
or not] are rejected?

Paul | October 11, 2012 2:51 pm

Good question – I think folks always push against constraints, especially software developers, who are kind of a libertarian-minded bunch. Like Apple’s policies or not, the facts speak for themselves: iOS is slightly less dominant than Android, but has far fewer problems with rogue applications and malware.

solak | October 11, 2012 4:04 pm

@H*
No matter what the policies are, they will irritate some people, and they will complain. One set of rules cannot please everyone. A company like Apple or Google must decide what their mission is and have rules that serve that mission.

Apple’s goal is ease of use for those who buy their devices (including not having to worry (much) about security), so developers have the constraint of getting App Store approval.

What is Google’s goal? What AppStore rules will serve that goal?

Dan Guido | October 12, 2012 2:25 pm

Hey Paul, I did a comparative analysis of Google and Apple’s store policies in a research presentation and I came to slightly different conclusions for why Google’s stores are so frequently abused and Apple’s are not. The monetary fee makes no difference and both app stores have them (for mobile). It comes down to involving people in the process, which Google seems not to want to do and which Apple operationally excels at doing.

http://www.trailofbits.com/research/#mobile-eip
