Game-over HTTPS defects in dozens of Android apps expose user passwords



 
 
  #16  
Old June 22nd 15, 01:22 AM posted to alt.comp.os.windows-8
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagiarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.


So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problems, even to the point of
preventing the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.


Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.


Only because you want someone to usurp the role of your parent. You
think someone else is supposed to protect you. How much have you paid
Google for that protection? About as much as you did your parents.

The apps are NOT Google's products to regulate. You want Google to
perform quality control on code that isn't their own. Doesn't matter in
what country exists a software store. Some may have a review process,
some will run submitted programs through AV scans, and some may have a
feedback process for users to report problems with the software outside
the scope of reporting problems to the software author.

Despite you wanting your parent to continue shielding you from the bad
world, it is not the job or responsibility of Google, Cnet, Softpedia,
or other software store to perform code reviews. One, they may not have
access to the code. Two, that would require a huge programmer staff to
perform disassembly or code analysis. Three, just how much are you
paying these software stores to protect you under ANY condition? I
suppose you think LifeLock should provide their services for free, too.

If you want the protection you claim others should provide you then go
hire a team of code analysts. Good luck finding any that will work for
free. So, when you buy a television at a retail store, go home and plug
it in, and it explodes causing you injury, you really think the store is
at fault for not opening the shipping carton, running the television
through a series of quality, durability, and protection tests, and then
re-box the television so then it is safer for you to purchase? Uh huh.
  #17  
Old June 22nd 15, 02:05 AM posted to alt.comp.os.windows-8
Slimer
external usenet poster
 
Posts: 300
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

On 2015-06-21 8:22 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagiarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problems, even to the point of
preventing the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.


Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.


Only because you want someone to usurp the role of your parent. You
think someone else is supposed to protect you. How much have you paid
Google for that protection? About as much as you did your parents.


If I BOUGHT their phone, I DO expect some sort of protection. How much
did I pay? How much does a phone cost usually? $500 to $1,000? Yeah, I
expect something out of that.

The apps are NOT Google's products to regulate. You want Google to
perform quality control on code that isn't their own. Doesn't matter in
what country exists a software store. Some may have a review process,
some will run submitted programs through AV scans, and some may have a
feedback process for users to report problems with the software outside
the scope of reporting problems to the software author.

Despite you wanting your parent to continue shielding you from the bad
world, it is not the job or responsibility of Google, Cnet, Softpedia,
or other software store to perform code reviews. One, they may not have
access to the code. Two, that would require a huge programmer staff to
perform disassembly or code analysis. Three, just how much are you
paying these software stores to protect you under ANY condition? I
suppose you think LifeLock should provide their services for free, too.

If you want the protection you claim others should provide you then go
hire a team of code analysts. Good luck finding any that will work for
free. So, when you buy a television at a retail store, go home and plug
it in, and it explodes causing you injury, you really think the store is
at fault for not opening the shipping carton, running the television
through a series of quality, durability, and protection tests, and then
re-box the television so then it is safer for you to purchase? Uh huh.


I assume that you also believe that it isn't the car manufacturer's
responsibility to make sure that the car doesn't cause an accident which
kills the owner. You have a very bizarre way at looking at products and
the responsibility a manufacturer holds towards them.


--
Slimer
Proud "wintroll"
Encrypt.
  #18  
Old June 22nd 15, 03:33 AM posted to alt.comp.os.windows-8
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

Slimer wrote:

On 2015-06-21 8:22 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagiarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problems, even to the point of
preventing the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.


Only because you want someone to usurp the role of your parent. You
think someone else is supposed to protect you. How much have you paid
Google for that protection? About as much as you did your parents.


If I BOUGHT their phone, I DO expect some sort of protection. How much
did I pay? How much does a phone cost usually? $500 to $1,000? Yeah, I
expect something out of that.

The apps are NOT Google's products to regulate. You want Google to
perform quality control on code that isn't their own. Doesn't matter in
what country exists a software store. Some may have a review process,
some will run submitted programs through AV scans, and some may have a
feedback process for users to report problems with the software outside
the scope of reporting problems to the software author.

Despite you wanting your parent to continue shielding you from the bad
world, it is not the job or responsibility of Google, Cnet, Softpedia,
or other software store to perform code reviews. One, they may not have
access to the code. Two, that would require a huge programmer staff to
perform disassembly or code analysis. Three, just how much are you
paying these software stores to protect you under ANY condition? I
suppose you think LifeLock should provide their services for free, too.

If you want the protection you claim others should provide you then go
hire a team of code analysts. Good luck finding any that will work for
free. So, when you buy a television at a retail store, go home and plug
it in, and it explodes causing you injury, you really think the store is
at fault for not opening the shipping carton, running the television
through a series of quality, durability, and protection tests, and then
re-box the television so then it is safer for you to purchase? Uh huh.


I assume that you also believe that it isn't the car manufacturer's
responsibility to make sure that the car doesn't cause an accident which
kills the owner. You have a very bizarre way at looking at products and
the responsibility a manufacturer holds towards them.


Now you're trying to obfuscate the seller from the maker. Notice now
you are relating how the MANUFACTURER of the product is responsible for
its performance. So use the same logic for the Android apps. Yep, the
DEVELOPER of the apps is the one responsible for it not using a secure
login. Google does not manufacture the apps at its store. So go blame
the manufacturer just like you did in your example above.
  #19  
Old June 22nd 15, 07:04 PM posted to alt.comp.os.windows-8
Slimer
external usenet poster
 
Posts: 300
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

On 2015-06-21 10:33 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 8:22 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/
snipped the plagiarized article

Do you often shoot yourself in your own foot? Android OS is Linux. So
Linux (the variant of which you don't bother to mention) is secure but
Linux (Android OS) is not secure. Uh huh. Looks like you wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by *them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android users
get their software, is dishing out insecure software which allows for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point to a
problem with the Linux kernel, but it DOES point to a problem with the
Android ecosystem which is continuously showing people that it has no
interest in providing a stable, secure and safe environment for users.

So what's new? The Mozilla plug-ins site is dishing out tons of add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been abandoned,
or have severe problems. Mozilla claims to have a review process but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site (Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded programs.
Microsoft pushes updates that cause severe problems, even to the point of
preventing the bootup of Windows. The drivers pushed by Windows Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't write.
You can get Far Cry games through the Microsoft store and they have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by someone
else is like asking your ISP to ensure that all web traffic to your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

Actually yes, it IS their bug to make sure that any software being made
available in the Store isn't malware. It is ridiculous for you to claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.

Only because you want someone to usurp the role of your parent. You
think someone else is supposed to protect you. How much have you paid
Google for that protection? About as much as you did your parents.


If I BOUGHT their phone, I DO expect some sort of protection. How much
did I pay? How much does a phone cost usually? $500 to $1,000? Yeah, I
expect something out of that.

The apps are NOT Google's products to regulate. You want Google to
perform quality control on code that isn't their own. Doesn't matter in
what country exists a software store. Some may have a review process,
some will run submitted programs through AV scans, and some may have a
feedback process for users to report problems with the software outside
the scope of reporting problems to the software author.

Despite you wanting your parent to continue shielding you from the bad
world, it is not the job or responsibility of Google, Cnet, Softpedia,
or other software store to perform code reviews. One, they may not have
access to the code. Two, that would require a huge programmer staff to
perform disassembly or code analysis. Three, just how much are you
paying these software stores to protect you under ANY condition? I
suppose you think LifeLock should provide their services for free, too.

If you want the protection you claim others should provide you then go
hire a team of code analysts. Good luck finding any that will work for
free. So, when you buy a television at a retail store, go home and plug
it in, and it explodes causing you injury, you really think the store is
at fault for not opening the shipping carton, running the television
through a series of quality, durability, and protection tests, and then
re-box the television so then it is safer for you to purchase? Uh huh.


I assume that you also believe that it isn't the car manufacturer's
responsibility to make sure that the car doesn't cause an accident which
kills the owner. You have a very bizarre way at looking at products and
the responsibility a manufacturer holds towards them.


Now you're trying to obfuscate the seller from the maker. Notice now
you are relating how the MANUFACTURER of the product is responsible for
its performance. So use the same logic for the Android apps. Yep, the
DEVELOPER of the apps is the one responsible for it not using a secure
login. Google does not manufacture the apps at its store. So go blame
the manufacturer just like you did in your example above.


I would blame the developer too, but Google has a reputation to uphold
and the fact that it allowed those developers to sell such insecure
software and its malware becomes their fault as a middleman. If they
want to sell their store as being a "safe" place, it makes sense that
they would actually verify the quality of the software within it at some
point. The fact that they didn't makes Google look just as bad as the
developer.


--
Slimer
Proud "wintroll"
Encrypt.
  #20  
Old June 22nd 15, 09:01 PM posted to alt.comp.os.windows-8
Dino
external usenet poster
 
Posts: 112
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

Slimer wrote:
On 2015-06-21 10:33 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 8:22 PM, VanguardLH wrote:
Slimer wrote:

On 2015-06-21 1:53 AM, VanguardLH wrote:
Slimer wrote:

On 2015-06-20 10:49 PM, VanguardLH wrote:
Slimer wrote:

Remember kids, Linux is _secure_ and Android is the best
evidence of that:

http://feeds.arstechnica.com/~r/arstechnica/index/~3/pe9l4loZCRk/

snipped the plagiarized article

Do you often shoot yourself in your own foot? Android OS is
Linux. So
Linux (the variant of which you don't bother to mention) is
secure but
Linux (Android OS) is not secure. Uh huh. Looks like you
wanted to
slam Windows but hit the wrong target.

My reading of the article says the *apps* are ****ed up by
*them* not
using HTTPS, not there is a problem in the Linux-based Android OS.

The point here is that Google Play, the store from which Android
users
get their software, is dishing out insecure software which allows
for
their passwords to be stolen. People like to say that Windows is a
magnet for malware, but here is evidence that Android is the mobile
equivalent of a malware magnet. You're right, this doesn't point
to a
problem with the Linux kernel, but it DOES point to a problem
with the
Android ecosystem which is continuously showing people that it
has no
interest in providing a stable, secure and safe environment for
users.

So what's new? The Mozilla plug-ins site is dishing out tons of
add-ons
that are crap code, spyware (sometimes announced, sometimes not),
conflicts with other add-ons (to reduce stability), have been
abandoned,
or have severe problems. Mozilla claims to have a review process
but it
doesn't seem much effective to ensure a source of stable, non-
conflicting, and supported plug-ins. Sourceforge.net is rifled with
abandonware, works in progress (that are distributed as finished
products but are not), and other crapware. Every download site
(Cnet,
Softpedia, etc) has crapware, spyware, adware, and badly coded
programs.
Microsoft pushes updates that cause severe problems, even to the
point of
preventing the bootup of Windows. The drivers pushed by Windows
Update may
not even be for your hardware or the correct version of it. The
Microsoft Store carries programs that obviously Microsoft didn't
write.
You can get Far Cry games through the Microsoft store and they
have bugs
that can not only crash the game but halt the OS even after applying
patches. I doubt that everything at the Apple Store is "clean".

Even with review process, if present, asking a software distribution
center to ensure all software from their site that is written by
someone
else is like asking your ISP to ensure that all web traffic to
your host
is safe, not in a category you find offensive, and is always legal.
That's not really their job.

Actually yes, it IS their bug to make sure that any software being
made
available in the Store isn't malware. It is ridiculous for you to
claim
otherwise. It's known as quality control, something sorely lacking in
American enterprises nowadays.

Only because you want someone to usurp the role of your parent. You
think someone else is supposed to protect you. How much have you paid
Google for that protection? About as much as you did your parents.

If I BOUGHT their phone, I DO expect some sort of protection. How much
did I pay? How much does a phone cost usually? $500 to $1,000? Yeah, I
expect something out of that.

The apps are NOT Google's products to regulate. You want Google to
perform quality control on code that isn't their own. Doesn't
matter in
what country exists a software store. Some may have a review process,
some will run submitted programs through AV scans, and some may have a
feedback process for users to report problems with the software outside
the scope of reporting problems to the software author.

Despite you wanting your parent to continue shielding you from the bad
world, it is not the job or responsibility of Google, Cnet, Softpedia,
or other software store to perform code reviews. One, they may not
have
access to the code. Two, that would require a huge programmer staff to
perform disassembly or code analysis. Three, just how much are you
paying these software stores to protect you under ANY condition? I
suppose you think LifeLock should provide their services for free, too.

If you want the protection you claim others should provide you then go
hire a team of code analysts. Good luck finding any that will work for
free. So, when you buy a television at a retail store, go home and
plug
it in, and it explodes causing you injury, you really think the
store is
at fault for not opening the shipping carton, running the television
through a series of quality, durability, and protection tests, and then
re-box the television so then it is safer for you to purchase? Uh huh.

I assume that you also believe that it isn't the car manufacturer's
responsibility to make sure that the car doesn't cause an accident which
kills the owner. You have a very bizarre way at looking at products and
the responsibility a manufacturer holds towards them.


Now you're trying to obfuscate the seller from the maker. Notice now
you are relating how the MANUFACTURER of the product is responsible for
its performance. So use the same logic for the Android apps. Yep, the
DEVELOPER of the apps is the one responsible for it not using a secure
login. Google does not manufacture the apps at its store. So go blame
the manufacturer just like you did in your example above.


I would blame the developer too, but Google has a reputation to uphold
and the fact that it allowed those developers to sell such insecure
software and its malware becomes their fault as a middleman. If they
want to sell their store as being a "safe" place, it makes sense that
they would actually verify the quality of the software within it at some
point. The fact that they didn't makes Google look just as bad as the
developer.


I am totally amazed that You think Google and Microsoft really care what
You think. They are totally about money and the user be damned.
  #21  
Old June 23rd 15, 03:51 AM posted to alt.comp.os.windows-8
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

Slimer wrote:

I would blame the developer too, but Google has a reputation to uphold


Perhaps Google has a different reputation on different continents.

When you obtain a program, its license typically includes statements to
indemnify the author from harm to the licensee by the program. In this
case, Google doesn't have to write an indemnification clause in their
TOS because the apps weren't written by them.

and the fact that it allowed those developers to sell such insecure
software and its malware becomes their fault as a middleman.


You've never bought a car or understand how recalls work? The retailer
from whom you bought the car is not responsible for defects in the car.
The manufacturer remains responsible. When you take a recalled car to
the dealer, they do the service but they *bill* the manufacturer.

If middlemen were responsible for everything they sold then no one would
sell anything made by someone else. You'd have to get your snowblower
direct from the manufacturer. You'd have to buy the materials used to
build your house direct from the manufacturer. You'd have to buy your
car direct from the manufacturer. Commerce doesn't work that way.

You're playing the uber-liberal where everyone must be responsible for
the actions by one.

If they
want to sell their store as being a "safe" place, it makes sense that
they would actually verify the quality of the software within it at some
point. The fact that they didn't makes Google look just as bad as the
developer.


They may have a reputation they want to uphold but that does not make
them legally or even morally responsible for code with which they were
never involved.

Read their Terms of Service. Nowhere do they guarantee the safety or
protection of you when using apps that they distribute. Uber-liberalism
promotes passing the buck. The one responsible is the one who wrote the
code. Focus on them. No one else is at blame. If they do any scanning
or diagnosis of what they distribute then that is at their expense and
also their choice.

So the author is responsible but you don't know how to target them so
you go after the distributor who was never involved in the code. The
apps would become prohibitively expensive if Google were to hire a team of
programmers to disassemble the apps to do the software QA that was
lacking by the author. And since your ISP was the transport for you
getting those bad apps then they must be responsible, too. And the
maker of your modem, router, and computer must be responsible because
they allowed that "bad" program onto your computer. And the OS maker
must be at fault for not integrating a debugger that sends the code to a
team of diagnostic and testing engineers to verify the program is safe
for you to use. And on down the line to blame everyone but the one who
is at fault: the program's owner/author/coder.

No one told you the Internet is a scary place?
  #22  
Old June 23rd 15, 08:35 AM posted to alt.comp.os.windows-8
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

If you have the time and inclination, you might want to read:

http://developer.android.com/distrib...lity/core.html

Go through the various categories listed in the left pane. They
describe what the DEVELOPER is supposed to do. Google does NOT perform
code review. How would they know an app logs in to some site? How
would they know if the app was supposed to use HTTP or HTTPS to log into
sites (that they don't know about)? How would they know if only the
login credentials were to be encrypted or the entire web session?
Google is not the developer. They don't waste their time checking the
operation of the apps. They probably do run them through anti-virus
scanners. Scanning can be automatic. Code review is far from automatic
or cheap.
  #23  
Old June 23rd 15, 02:47 PM posted to alt.comp.os.windows-8
Slimer
external usenet poster
 
Posts: 300
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

On 2015-06-22 10:51 PM, VanguardLH wrote:
Slimer wrote:

I would blame the developer too, but Google has a reputation to uphold


Perhaps Google has a different reputation on different continents.

When you obtain a program, its license typically includes statements to
indemnify the author from harm to the licensee by the program. In this
case, Google doesn't have to write an indemnification clause in their
TOS because the apps weren't written by them.


But they were _DISTRIBUTED_ by them through a store that belongs to
them. The person who bought the software or downloaded it did it through
them. As such, Google is responsible for the stuff that they sell. If it
is malware then Google - the company peddling the crap - is responsible.
If it didn't want to be, it should have tested the software before
deciding to deploy it.

and the fact that it allowed those developers to sell such insecure
software and its malware becomes their fault as a middleman.


You've never bought a car or understood how recalls work? The retailer
from whom you bought the car is not responsible for defects in the car.
The manufacturer remains responsible. When you take a recalled car to
the dealer, they do the service but they *bill* the manufacturer.


The dealer represents the manufacturer. No matter how you look at it,
buying from a dealer is the same as buying from the manufacturer
directly. The dealer didn't build the car, but it is responsible for the
crap it sells nonetheless. If it is faulty, it needs to repair, replace
or refund the buyer. If that requires them in turn to request a refund
from the manufacturer, that's fine.

If middlemen were responsible for everything they sold then no one would
sell anything made by someone else. You'd have to get your snowblower
direct from the manufacturer. You'd have to buy the materials used to
build your house direct from the manufacturer. You'd have to buy your
car direct from the manufacturer. Commerce doesn't work that way.

You're playing the uber-liberal where everyone must be responsible for
the actions by one.


I believe in manufacturers and their middlemen standing by the product.
I'm not a liberal, simply a consumer with an expectation of quality.

If they
want to sell their store as being a "safe" place, it makes sense that
they would actually verify the quality of the software within it at some
point. The fact that they didn't makes Google look just as bad as the
developer.


They may have a reputation they want to uphold but that does not make
them legally or even morally responsible for code with which they were
never involved.

Read their Terms of Service. Nowhere do they guarantee the safety or
protection of you when using apps that they distribute. Uber-liberalism
promotes passing the buck. The one responsible is the one who wrote the
code. Focus on them. No one else is to blame. If they do any scanning
or diagnosis of what they distribute then that is at their expense and
also their choice.

So the author is responsible but you don't know how to target them so
you go after the distributor who was never involved in the code. The
apps would become prohibitively expensive if Google were to hire a team of
programmers to disassemble the apps to do the software QA that was
lacking by the author. And since your ISP was the transport for you
getting those bad apps then they must be responsible, too. And the
maker of your modem, router, and computer must be responsible because
they allowed that "bad" program onto your computer. And the OS maker
must be at fault for not integrating a debugger that sends the code to a
team of diagnostic and testing engineers to verify the program is safe
for you to use. And on down the line to blame everyone but the one who
is at fault: the program's owner/author/coder.

No one told you the Internet is a scary place?


If Google knows that an application is malware, it has a responsibility
to remove it as quickly as possible. The fact that it doesn't shows that
it simply doesn't care about the consumer.

--
Slimer
Proud "wintroll"
Encrypt.
  #24  
Old June 23rd 15, 03:08 PM posted to alt.comp.os.windows-8
Slimer
external usenet poster
 
Posts: 300
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

On 2015-06-23 3:35 AM, VanguardLH wrote:
If you have the time and inclination, you might want to read:

http://developer.android.com/distrib...lity/core.html

Go through the various categories listed in the left pane. They
describe what the DEVELOPER is supposed to do. Google does NOT perform
code review. How would they know an app logs in to some site? How
would they know if the app was supposed to use HTTP or HTTPS to log into
sites (that they don't know about)? How would they know if only the
login credentials were to be encrypted or the entire web session?
Google is not the developer. They don't waste their time checking the
operation of the apps. They probably do run them through anti-virus
scanners. Scanning can be automatic. Code review is far from automatic
or cheap.


Which is why Google Play will forever be known as a peddler of malware.
How the Hell are people supposed to take Linux-based Android phones
seriously when they know that the company will make absolutely no effort
whatsoever to protect them from security issues or malware?

You've just shown the world that Android phones are to be avoided. Boy
am I glad that I don't use one.

--
Slimer
Proud "wintroll"
Encrypt.
  #25  
Old June 23rd 15, 06:39 PM posted to alt.comp.os.windows-8
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Game-over HTTPS defects in dozens of Android apps expose user passwords

Slimer wrote:

Which is why Google Play will forever be known as a peddler of malware.
How the Hell are people supposed to take Linux-based Android phones
seriously when they know that the company will make absolutely no effort
whatsoever to protect them from security issues or malware?

You've just shown the world that Android phones are to be avoided. Boy
am I glad that I don't use one.


Which would also be true of every online store and download site. Not
their responsibility to write the Functional Specification and
Engineering Specification documents for a program. Not their job to do
code reviews. Not their job to perform Software Quality Assurance.

I've "just shown" that all software is to be avoided according to your
logic of who is responsible for the code in a program.
 



