The Android operating system has a restriction that blocks the installation of applications from outside the Play Store. Switching on “unknown sources” is a very bad idea for the security of the device, and many security experts would confirm this.
Interestingly, this is exactly what Amazon has been asking its app store customers to do for a long time, even though it is not considered safe to open up an Android device to apps from outside Google’s own store, as this makes the device vulnerable to malware.
(Not to forget that sometimes even the Play Store lets malicious apps sneak in, one way or another.)
How and Why Amazon Imperils Android’s Security
It is indeed Amazon’s requirement to allow installations from unknown sources. Why is this? Even though almost all of Amazon’s apps are found on the Play Store, the company’s own third-party app store, Underground, is not allowed there, ZDNet points out. That fact has been known for a while. Some researchers acknowledged this security gap back in 2015, when Amazon Underground was actually launched.
Amazon then confirmed that their store has since been installed on millions of devices running Android. The spokesperson noted that “customers should take care only to download content from sources they trust, like Amazon.”
In fact, the problem is not in Amazon Underground but in the security gap that opens up when a user decides to install it. As Amazon and its services are quite popular among users all over the world, ZDNet researchers decided to contact several “prominent security researchers and experts” to comment on the “unknown sources” security issue.
What Do Security Experts Think of Amazon Underground’s Practice?
Joshua Drake, VP of Platform Research and Exploitation at Zimperium, said that the act of installing apps from unknown sources is always “a significant source of malware in the Android ecosystem,” and other security gurus shared his opinion.
Andrew Blaich, a security researcher at Lookout, added:
By allowing unknown sources, a user is removing the first line of defense in stopping themselves from installing a malicious app that can be delivered from a number of sources, including malicious website links, phishing attempts and others of which we’ve seen happen in targeted attacks like ViperRat and other broader non-targeted attacks.
Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, commented that “there are a lot of nasty Android apps out there and only downloading apps from official sources is key to a safe mobile computing experience.”
Because of the monopoly created by service providers such as Apple and Google, it is indeed quite hard for other players and competitors to get to users, a fact that explains Amazon’s decision to beg its customers to relinquish security features in order to get to its own app store.
Android O to Change the Game?
Interestingly, Zimperium’s Drake told ZDNet that Google’s forthcoming Android O will allow third-party app stores on the platform without the need to switch on unknown sources. Google hasn’t commented yet.
Amazon, on the other hand, recently put an end to the program that allowed Amazon Underground users to download apps and games for free. The company is, however, not ending its app store.