The Android Market Web Store, announced earlier this week, has a potentially ruinous security hole. Anyone who obtains your Gmail password (which is the password for your whole Google account) can, in principle, buy apps and have them installed on your devices without your knowledge.
The new web store's most vaunted feature is the ability to browse and purchase apps in a desktop browser and have them pushed directly to your handset, with no action required on the phone. Security blogger Vanja Svajcer took a look at what goes on behind the scenes when that request is made. He believes the web store uses the INSTALL_ASSET intent (the remote-install side of the management channel Google used in 2010 to pull a researcher's proof-of-concept apps off handsets) to push applications to the device.
This means your Google account credentials are the only thing needed to start buying and installing applications on every device registered to that account: there is no device-side confirmation, so compromising the account is equivalent to holding the phone. Imagine what would happen if, say, an angry ex "guessed" their partner's Gmail password, sorted the store by "most expensive" and started pushing apps one after another.
Attackers could also use it to force installs of malware. The pushed app still has to be listed in the Market, but once it is, the permissions prompt is accepted in the attacker's browser session rather than by the device owner, who never sees it. Svajcer suggested that requiring the handset user to approve each install manually would help. That would upset the neat, one-step app-buying experience Google showed us on Wednesday. But Google should at least offer it as an option for those of us who want a little extra security.
In the meantime, change your Google account password to something strong and unique, and be super nice to everyone you think knows you well enough to guess it.
[Via Naked Security]