-Tom Lidikay





Original story by ArsTechnica



This week security researchers are reporting a similar attack to one originally discovered a year ago.

Rather than malicious code being intentionally written into an android application, these apps were accidentally infected by windows malware while they were being written. The malware may have been introduced by an infected or pirated version of the development kit, the tools a programmer uses to write software.

This story brings to light some very deep concerns in the way software is written, distributed, sold, and eventually used.

If you are a programmer or your company employs programmers, you need to be thinking about security during the development process. Code should be written in a secure environment, on a clean machine, and utilizing a secure network. Best practices need to be followed, and code needs to be reviewed by more than one person before it is accepted.

This review process is best illustrated in the methods used to develop the Linux kernel


One thing illustrated in a comment from the release a year ago, is that some developers use pirated copies of Visual studio. This should set off alarm bells, why are we implicitly trusting software developed in this environment?

The next question we should be asking, is why are we encouraging this behavior in the first place? Microsoft visual studio 2017 costs 500 dollars for a standalone license of the professional version. If for some reason you need the subscriber version of the software, it costs 6,000 dollars for the first year, and 2500 dollars every year after that. No wonder some have elected to pirate it, for an individual developer on a budget, these costs are enormous.

What Microsoft should have done, and I know this is going to be controversial, is offer the development environment free of charge. They can earn their money back through a percentage on the Microsoft store, without gouging developers up front. More people would be enabled to write software for the Microsoft platforms, which by all accounts is a good thing for Microsoft. We would have the peace of mind of knowing any given piece of software was made in a development environment that was not contaminated by malware.

If you expect people to use your platform, you should provide the tools to make software for it.



Further down the chain in this particular story, is the distribution platform. Why were these clearly infected applications allowed to be distributed through the store? While I am a staunch advocate for the use of Android on mobile devices, Apple would seem to have a leg up in this regard. All software that makes it to the apple store is thoroughly vetted, in a process that take weeks. Yes, this is inconvenient. But it makes for safer devices.

Looping back on myself a bit, I have to point out apples flaw with software however, is their development kit is also expensive. (though less so than microsoft visual studio)
At a price of one hundred dollars per year, or three hundred for the enterprise program, this is a hard cost to swallow for a beginning developer. Add to this the fact that the development environment only runs on a Mac computer, and getting started becomes expensive fast.

Contrast this with googles android development environment, which is free, and runs on Windows, Linux, and yes, even Mac OSX. You are free to develop code in the environment which you are most familiar with, without upfront costs, using software tools that are not infected.

As for why these android applications were infected, is hard to say without investigating the exact environment in which they were developed. The most likely cause was poor, sloppy security practices on the part of the developers. I have often said, Security is everyone’s responsibility, and it is still true.

But I will leave this here as an open letter to hardware/OS manufacturers: If you want people to develop good code, for your platform (rather than your competitors) you need to provide good tools. (Also clean up your store.)