Sophos' Concern Over Android Market Website Real or Unfounded?

Security firm Sophos warned on Friday that the new Android Market website, as currently configured, could present a security hole for Android users.  However, given the way this website works, in reality it's not really that much of a concern.

As noted by Sophos, when you select an app from the Android Market, and approve its installation on your phone, it is more or less immediately downloaded to your smartphone. While a user has to approve the permissions an app requires on a device after the installation on the website, when it downloads to the Android phone, no user intervention is required.

As Sophos notes, this means that if an end user has their password stolen, a hacker could install malware on their system without intervention. The malware could be used to obtain any amount of personal information that could then be used for financial gain.

The article then goes on to recommend different ways to encourage Google to fix this issue ASAP.

Of course, what wasn't mentioned in the article is that if your Google account password is stolen, you have a lot more to worry about than just your Android phone: Gmail, Google Docs, etc., etc.

Additionally, what's not mentioned is that the Web-based Android Market is just that: a Web portal into the Android Market. It's not a way that someone could use to download some malware onto your system, unless that malware was in the Android Market already. Now, if you could actually use the site to sideload something, that might indeed be an issue. That said, it would be a good security measure to require the app to be accepted on the device, after selecting it on the Android Market website.

However, because you can't download "just anything" via the Android Market, but only market apps, and although we do agree that end users need a strong password for your Google account, and you should also strive to keep passwords separate, perhaps with the aid of a password program like LastPass or Roboform, this is hardly a zero-day vulnerability.