With the latest Android 4.2 (Jelly Bean) release on November 13, 2012, Google announced an exciting security feature called the "application verification service" to protect against harmful Android applications. As stated in a recent Google+ post by a member of the Google Android team, "Now, with Jelly Bean Android 4.2 devices that have Google Play installed have the option of using Google as an application verifier. We will check for potentially harmful applications no matter where you are installing them from." It is indeed an exciting security feature! We think it was a really good move by Google to directly face Android malware threats and take such measures to better protect Android users.
Meanwhile, because of the introduction of this service, people may start to wonder, "Are third-party security apps still necessary with Android 4.2?" We are no exception! To demystify this service, we perform the following study for two main purposes: (1) we want to understand better how the app verification service works; (2) we also want to quantify the effectiveness of this service and compare it with existing third-party anti-virus engines.
The new service is implemented inside the official Google Play app, but is designed to work with apps from all app stores, including the official Google Play marketplace and other alternative ones. A user can turn the service on/off by going to "Settings," "Security," and then "Verify apps." When an app is being installed (Step 1), the service, if turned on, will be invoked (Step 2) to collect and send information about the app (e.g., the app name, size, SHA1 value, version, and the URL associated with it) as well as information about the device (e.g., the device ID and IP address) back to the Google cloud (Step 3). After that, the Google cloud will respond with a detection result (Step 4). If the app is not safe, the user is then shown a warning popup (Step 5) flagging the app as either dangerous or potentially dangerous...

Read the rest at Professor Xuxian Jiang's blog.
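The five steps described above, modelled end to end as an added example (not Google's code and not from the original post). The JSON encoding, the function names, the constructed verdict table and the rule that unlisted digests count as safe are all assumptions made for illustration; the point is to show which fields leave the device and where the warning decision is made.

```python
import hashlib
import json

# Constructed verdict table standing in for the Google cloud (hypothetical data).
SAMPLE_BAD_APK = b"PK\x03\x04 constructed sample package bytes"
CLOUD_VERDICTS = {hashlib.sha1(SAMPLE_BAD_APK).hexdigest(): "dangerous"}


def collect_app_info(apk_bytes, name, version, source_url):
    """Step 2: the app fields the page lists (name, size, SHA1, version, URL)."""
    return {
        "name": name,
        "size": len(apk_bytes),
        "sha1": hashlib.sha1(apk_bytes).hexdigest(),
        "version": version,
        "url": source_url,
    }


def build_request(app_info, device_id, ip_address):
    """Step 3: everything that leaves the device, as JSON (assumed encoding)."""
    return json.dumps({"app": app_info,
                       "device": {"id": device_id, "ip": ip_address}},
                      sort_keys=True)


def cloud_verdict(request_json, verdicts=CLOUD_VERDICTS):
    """Step 4: mock cloud side. Unlisted digests are treated as safe (assumption)."""
    app = json.loads(request_json)["app"]
    return verdicts.get(app["sha1"], "safe")


def install(apk_bytes, name, version, source_url, device_id, ip_address,
            verify_enabled=True):
    """Steps 1-5: returns (verdict, warning_shown, bytes_sent_to_cloud)."""
    if not verify_enabled:            # "Verify apps" switched off in Settings
        return None, False, 0
    request = build_request(
        collect_app_info(apk_bytes, name, version, source_url),
        device_id, ip_address)
    verdict = cloud_verdict(request)
    warn = verdict in ("dangerous", "potentially dangerous")   # Step 5
    return verdict, warn, len(request)


if __name__ == "__main__":
    print(install(SAMPLE_BAD_APK, "Sample App", "1.0",
                  "https://store.example/sample.apk", "device-0001", "192.0.2.10"))
```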