Slashdot Mirror

We analyzed roughly 10,000 applications from the Google Play store. This was a random sample of free applications. Roughly 4,000 (40%) use trust managers that do not check server certificates, exposing any data they exchange with their servers to potential theft. Furthermore, around 750 (7%) applications use hostname verifiers that do not check hostnames, implying that they are incapable of detecting redirection attacks where the attacker redirects the server request to a malicious webserver controlled by the attacker. Finally, 1,300 (13%) do not check SSL errors when they use Webkit.

Case Studies (Applications rendered vulnerable due to vulnerable libraries)

Applications may use third-party libraries to enable part of their functionality. When these libraries have baked-in vulnerabilities, they are particularly dangerous because they make all applications that use them, and frequently the devices that run them, vulnerable. Furthermore, these vulnerabilities are not weaknesses in the applications themselves, but in the features they rely upon for functionality.

Flurry. Flurry is the number-one ranked ad library in the market used by 9,702 out of 70,000+ Google Play apps with 50,000 or more downloads. These applications have been downloaded over 8.7 billion times. As with many ad libraries, Flurry (prior to version 3.4) uses HTTPS with a vulnerable trust manager to upload information like device IMEI and location.

In a proof of concept for an MITM attack, we successfully used a vulnerable version of Flurry to capture the information sent to the remote server https://data.flurry.com./ We successfully matched the location of the simulation device against the data being sent by Flurry. In Figure 2, we show a hexdump of the data we captured during this MITM attack.

Girls do not play the same games as boys, and also tend to pick game categories that have no "main character." It's not that social media changed gaming; it's that social media put the game categories that appeal more to females right in their faces.

This is another indication of how eager the tech industry is to get in on the same monetization model that Rovio was just implicated in with the Snowden documents--data for dollars.

Rovio was just the tip of the iceberg. Everyone is trying to get involved in a "goldrush" of funds that have infused the industry with a serious lack of morality.

As I pointed out in a couple of posts recently ( http://yro.slashdot.org/commen... ), it is the mobile analytics market that the NSA is targeting for their data on as many people as possible. Those analytics providers are doing what the NSA cannot do themselves legally--gather data. Analytics providers do the gathering, and the NSA either steals or buys the data. It's as simple as that folks.

The really dirty secret is that pretty much every company out there with an internet presence and a mobile presence (an app) is complicit in this gathering of data, and they all know it. Both The New York Times and The Guardian use the exact same analytics firm that Rovio uses in their mobile game "Angry Birds", yet they are the ones that published articles based on Edward Snowden documents outlining NSA activity that targeted mobile analytics. Hypocrites.

Just to give you an idea of just how big this iceberg is, dig deep in the following webpages--they outline, by connections, a web of investors and customers that are perpetrating a global auction of our privacy.

Amazon -- Seattle, Wa.
https://developer.amazon.com/s...

Jaspersoft -- San Francisco, CA.
https://www.jaspersoft.com/mob...

Google -- San Francisco, CA.
http://www.google.com/analytic...

Flurry -- San Francisco, CA.
http://www.flurry.com/flurry-a...

Localytics -- Boston, MA.
http://www.localytics.com/

Countly -- LIBYA!!....serious wtf here. All contact info is for Libyan addresses.
https://count.ly/products/feat...

Konitgent -- San Francisco, CA.
http://www.kontagent.com/compa...

Webtrends -- Portland, OR.
http://webtrends.com/solutions...

Bango -- London, UK
http://bango.com/corporate/

Apsalar -- San Francisco, CA.
https://apsalar.com/

Piwik -- London, UK
http://piwik.org/what-is-piwik...

Mobilytics (Mobivity) -- Chandler, AZ.
http://www.mobilytics.net/

Adobe -- San Jose, CA.
http://www.adobe.com/solutions...

Openwave Mobility -- Redwood City, CA.
http://owmobility.com/about-us

Mixpanel -- San Francisco, CA.
https://mixpanel.com/

Urban Airship -- San Francisco/London
http://urbanairship.com/produc...

Cognizant -- Teaneck, NJ.
http://www.cognizant.com/enter...

Amethon -- Sydney, AU
http://www.amethon.com/

The ring to rule them all, if you believe the developers..
Segment.io -- San Francisco, CA.
https://segment.io/mobile

For the inner workings, see linked Whitepaper. A good list of other miscreants is included on that

The folks behind the tracking...

According to Rovio's own site, they use Flurry for data acquisition:

"In addition to the information covered above, we use Flurry Analytics in most games to collect gameplay-related information and technical data. This is a common analytics component, used widely in mobile gaming - for more information see www.flurry.com."

From the Flurry site, one will find the following code used by "Angry Birds" to track users:

http://support.flurry.com/sdkd...

Above code is part of larger cache of code documentation related to Flurry Analytics:

http://support.flurry.com/inde...

The folks behind the tracking...

According to Rovio's own site, they use Flurry for data acquisition:

"In addition to the information covered above, we use Flurry Analytics in most games to collect gameplay-related information and technical data. This is a common analytics component, used widely in mobile gaming - for more information see www.flurry.com."

From the Flurry site, one will find the following code used by "Angry Birds" to track users:

http://support.flurry.com/sdkd...

Above code is part of larger cache of code documentation related to Flurry Analytics:

http://support.flurry.com/inde...

It's not enough to log out, you have to wipe the cookies, too. Google sets a lot of them and then there are Google-related sites like Youtube which also set Cookies. I'm not sure how much these other sites share Cookies with Google, but I wouldn't trust them on it.

It's much more than not logging in to block tracking, just one step. Web Beacons are the concern logging in or reading html email.
http://en.wikipedia.org/wiki/Web_beacons running a huge a$$ HOSTS file is also very important.

Ever hear of flurry http://flurry.com/ https://top.robtex.com/flurry.com.html#records
that's a biggie to block. It's Google analytics, for a price they provide advertisers
user demographics and what ads to send to you.

Mostly used for mobile devices Flurry.com will let you opt-out if you give them your device ID.
http://www.flurry.com/user-opt-out.html every time I change the OS on my rooted Xoom tablet the ID changes
so I block it at the router level (just got a new router with firewall). Also your device ID isn't all that easy to find.
- for Android > play.store look for: Device ID

Read the ToS, Privacy Policy at http://rovio.com/ it explains in detail what angry birds does with your collected data.
One is they send your info to Flurry.com who in return sends them prospective clients.

----

Here's a good one... Read the ToS at http://flurry.com/ you'd never know it was Google.
I registered at http://testmy.net/ to keeps a data base of my connection rates; of course I read their terms of service,
it led you to https://www.google.com/intl/en/policies/?fg=1

There was a thread about tracking I happened on after my registration, the operator of that site
replied to the thread mentioning he was very happy to be working for Google, it was a good company.
I replied that it's odd your so up front about being part of Google yet one would never know through the ToS
http://flurry.com/ was Google as well. Now reading the ToS you'd never know http://testmy.net/ is part of Google. :}
unless you went to Robtex.com https://top.robtex.com/testmy.net.html#records

Yes Google provides a service and expects something in return, they can have my searches and the links
I visit, as I find them through Google. But I don't need Google+ shoved not only in my face, but into my lifel
Google+ isn't a service it's totally different.

It's not enough to log out, you have to wipe the cookies, too. Google sets a lot of them and then there are Google-related sites like Youtube which also set Cookies. I'm not sure how much these other sites share Cookies with Google, but I wouldn't trust them on it.

It's much more than not logging in to block tracking, just one step. Web Beacons are the concern logging in or reading html email.
http://en.wikipedia.org/wiki/Web_beacons running a huge a$$ HOSTS file is also very important.

Ever hear of flurry http://flurry.com/ https://top.robtex.com/flurry.com.html#records
that's a biggie to block. It's Google analytics, for a price they provide advertisers
user demographics and what ads to send to you.

Mostly used for mobile devices Flurry.com will let you opt-out if you give them your device ID.
http://www.flurry.com/user-opt-out.html every time I change the OS on my rooted Xoom tablet the ID changes
so I block it at the router level (just got a new router with firewall). Also your device ID isn't all that easy to find.
- for Android > play.store look for: Device ID

Read the ToS, Privacy Policy at http://rovio.com/ it explains in detail what angry birds does with your collected data.
One is they send your info to Flurry.com who in return sends them prospective clients.

----

Here's a good one... Read the ToS at http://flurry.com/ you'd never know it was Google.
I registered at http://testmy.net/ to keeps a data base of my connection rates; of course I read their terms of service,
it led you to https://www.google.com/intl/en/policies/?fg=1

There was a thread about tracking I happened on after my registration, the operator of that site
replied to the thread mentioning he was very happy to be working for Google, it was a good company.
I replied that it's odd your so up front about being part of Google yet one would never know through the ToS
http://flurry.com/ was Google as well. Now reading the ToS you'd never know http://testmy.net/ is part of Google. :}
unless you went to Robtex.com https://top.robtex.com/testmy.net.html#records

Yes Google provides a service and expects something in return, they can have my searches and the links
I visit, as I find them through Google. But I don't need Google+ shoved not only in my face, but into my lifel
Google+ isn't a service it's totally different.

It's not enough to log out, you have to wipe the cookies, too. Google sets a lot of them and then there are Google-related sites like Youtube which also set Cookies. I'm not sure how much these other sites share Cookies with Google, but I wouldn't trust them on it.

It's much more than not logging in to block tracking, just one step. Web Beacons are the concern logging in or reading html email.
http://en.wikipedia.org/wiki/Web_beacons running a huge a$$ HOSTS file is also very important.

Ever hear of flurry http://flurry.com/ https://top.robtex.com/flurry.com.html#records
that's a biggie to block. It's Google analytics, for a price they provide advertisers
user demographics and what ads to send to you.

Mostly used for mobile devices Flurry.com will let you opt-out if you give them your device ID.
http://www.flurry.com/user-opt-out.html every time I change the OS on my rooted Xoom tablet the ID changes
so I block it at the router level (just got a new router with firewall). Also your device ID isn't all that easy to find.
- for Android > play.store look for: Device ID

Read the ToS, Privacy Policy at http://rovio.com/ it explains in detail what angry birds does with your collected data.
One is they send your info to Flurry.com who in return sends them prospective clients.

----

Here's a good one... Read the ToS at http://flurry.com/ you'd never know it was Google.
I registered at http://testmy.net/ to keeps a data base of my connection rates; of course I read their terms of service,
it led you to https://www.google.com/intl/en/policies/?fg=1

There was a thread about tracking I happened on after my registration, the operator of that site
replied to the thread mentioning he was very happy to be working for Google, it was a good company.
I replied that it's odd your so up front about being part of Google yet one would never know through the ToS
http://flurry.com/ was Google as well. Now reading the ToS you'd never know http://testmy.net/ is part of Google. :}
unless you went to Robtex.com https://top.robtex.com/testmy.net.html#records

Yes Google provides a service and expects something in return, they can have my searches and the links
I visit, as I find them through Google. But I don't need Google+ shoved not only in my face, but into my lifel
Google+ isn't a service it's totally different.

It's not enough to log out, you have to wipe the cookies, too. Google sets a lot of them and then there are Google-related sites like Youtube which also set Cookies. I'm not sure how much these other sites share Cookies with Google, but I wouldn't trust them on it.

It's much more than not logging in to block tracking, just one step. Web Beacons are the concern logging in or reading html email.
http://en.wikipedia.org/wiki/Web_beacons running a huge a$$ HOSTS file is also very important.

Ever hear of flurry http://flurry.com/ https://top.robtex.com/flurry.com.html#records
that's a biggie to block. It's Google analytics, for a price they provide advertisers
user demographics and what ads to send to you.

Mostly used for mobile devices Flurry.com will let you opt-out if you give them your device ID.
http://www.flurry.com/user-opt-out.html every time I change the OS on my rooted Xoom tablet the ID changes
so I block it at the router level (just got a new router with firewall). Also your device ID isn't all that easy to find.
- for Android > play.store look for: Device ID

Read the ToS, Privacy Policy at http://rovio.com/ it explains in detail what angry birds does with your collected data.
One is they send your info to Flurry.com who in return sends them prospective clients.

----

Here's a good one... Read the ToS at http://flurry.com/ you'd never know it was Google.
I registered at http://testmy.net/ to keeps a data base of my connection rates; of course I read their terms of service,
it led you to https://www.google.com/intl/en/policies/?fg=1

There was a thread about tracking I happened on after my registration, the operator of that site
replied to the thread mentioning he was very happy to be working for Google, it was a good company.
I replied that it's odd your so up front about being part of Google yet one would never know through the ToS
http://flurry.com/ was Google as well. Now reading the ToS you'd never know http://testmy.net/ is part of Google. :}
unless you went to Robtex.com https://top.robtex.com/testmy.net.html#records

Yes Google provides a service and expects something in return, they can have my searches and the links
I visit, as I find them through Google. But I don't need Google+ shoved not only in my face, but into my lifel
Google+ isn't a service it's totally different.

Sort of, but look at the website of any startup. They all try to list their large corporate customers. Being able to put Campbell's on your website is surely worth something.

I got a fantastic deal on a Motorola Xoom (10" screen), now running
Android 4.1 and I've rooted it myself.

When my computer went down I used the Xoom to surf and search for
a new mother board. I use a used bluetooth keyboard that
cost $10 at Goodwill; it's very nice, small in size yet large keys.

I got tired of it quick, not sure why, miss a mouse (?). I put a spare
computer together to used until the motherboard showed up.
I hope I never have to rely solely on a tablet again.

If one is going to use a tablet and it's locked or doesn't allow
say a HOSTS file to be installed, It really needs to be rooted.

Read this Privacy Policy http://www.rovio.com/Privacy this is the
norm for unrooted cell phones, tablets, and future UEFI protected OS's.
It's for Angry Birds, one would think they would make it a free program
seeing how much personal information is collected and the tracking they do.

http://www.rovio.com/Privacy is a favorite example of mine, I've mentioned it
on many occasions as most don't read nor care about ToS's. This ToS is
the same for most programs now. A direct quote from that link "Please note
that certain features of the Services may be able to connect to your social
networking sites to obtain additional information about you."

My HOSTS file for my PC is almost 600K and I thought that was huge
The HOSTS file for a rooted device is over 900K (Adaway).

Root the device or at the very least download and run Android_ID
https://play.google.com/store/apps/details?id=com.bzgames.androidid&feature=search_result
Get your number and paste it here http://www.flurry.com/user-opt-out.html
-Android assumed

Actually, this already happened. Mobile is eating away the handheld console market. The PSVita (built mostly from mobile parts) is essentially dead in the water. The 3DS, a more innovative product which tries hard not to be an iPod with a pad, fares better, but is still a failure compared to Nintendo expectations or the previous generation.

Android (tablets specially) are an abysmal market for games. Piracy rates are close to 100%, and people have been trained to pay little to nothing for games and value them as such. Considering there are now much more units out there compared to iDevices, app revenue is much worse. And iOS is a bloody arena. Everybody wants to hear Angry Birds stories, but 95% of the games in the mobile app stores are not breaking even (and we're not talking about million-dollar investments, but hobby affairs and two-people startups working for a few months).

Even then, no, the money is not in mobile. Rovio making $100 million a year sounds great to John Doe, but that is peanuts. You need more than that just to develop a top console game, and five to ten times the number to market it. A single top franchise such as Call of Duty generates more revenue than the entire mobile game industry combined. Of course, this can change. Just as the handheld consoles are going the way of the dodo, tablets, Android TVs or OUYAs could eat away the traditional console market. You may think this would make Call of Duty cost $3.99, and you'll get thousands of great games a month with Linux dominating your living room, but the actual reality will be more in the lines of millions of crap games worth zero and another '82 videogame crisis.

www.Flurry.com sells analytical services to it's customers (ASTRO, Angry Birds, to name two), ie what AD's to show on YOUR hand held. Flurry.com does keep identifiable information. Reading the Flurry.com ToS nowhere does it mention it's Google. That Flurry.com was Google could only be found (by me) through http://www.robtex.com/ also a Google service :} http://top.robtex.com/flurry.com.html#records To block Flurry.com tracking, download ANDROID_ID from the google store, obtain your ID (16 digits long) and paste it here http://www.flurry.com/user-opt-out.html anytime you change ROMS you will need to reopt-out as your ID will of changed.

You know what permissions to allow a program by reading the ToS, (Terms of Service),
and I may be one of the few people that does this. The ToS will send you to their Privacy Policy
which is really what you need to read (Privacy Policy trumps the ToS).

With a Cell Phone or Tablet you have no control over your system, unless rooted which
I for one required, while I allow permissions, I also block them (HOSTS file).
(To the Anonymous Coward who showed me how to slip a HOSTS file through a rooted phone - thanks again)

The two most important permissions to me are superuser and Full internet access.
Allowing Tracking to me it's exactly dangerous but to me very close.

Using Angry Birds (rovio.com) is an example of abusing the full internet access permission:

Angry Birds Privacy Policy: http://www.rovio.com/Privacy
they use www.flurry.com for analytics

Flurry.com also has a privacy policy: http://www.flurry.com/privacy-policy.html
That you are agreeing to when you agree to Angry Birds:

Both parties (Angry Birds, Flurry-analytics) use web beacons
http://en.wikipedia.org/wiki/Web_bug to track everything you do while accessing
the network via your unrooted device.

Flurry.com knows when and who (you, your spouse, kids or which friend) checked
their email last from your Internet connection/router/WiFi. As they do collect identifiable information.

rovio.com also send "some" collected data out of country , other countries
aren't required to supply ToS's - so you no clue what's to become of that.
X-plorer is a good example using both of my important permissions and not one word
of how they handle data or if they even collect it, or if they are going to upload a program my way.

All of the above is unacceptable to me, it's beyond tracking and into following "for personalized ads".
The Target store for one may very well know your daughter is pregnant before you.
http://science.slashdot.org/story/12/02/17/1927229/how-companies-learn-your-secrets

The above is the norm for what the Cell Phone, Tablet, and such. On PC's one (I at least)
would never install something with those conditions. Games from the android stores
have some of the worst ToS I've ever read. While Angry Birds is a good example
ASTRO file manager reads the same way.

Objective-C's growth in popularity coincides with the Flurry Analytics study that showed most mobile developers targeting iOS, with support for Android dropping by a third over 2011. C# will probably continue to see increasing interest because of WinRT. Lua is unsurprising because of its popular use in games, and they just released 5.2 last December. What I find most interesting is that plain old C is set to overtake Java.

Of course, if you don't take the Tiobe rankings seriously, than all of this is moot, but I guess it's something to talk about on a Friday.

The fact though is that Google provides the tools for developers to handle the variations in screen size and such and in practice developers don't seem to be having too much trouble with the fragmentation issue.

Third-party developer support for Android declined by a third in 2011.

Totally terrible statistic. That is only for developers that use Flurry Analytics. Considering Google has a Google Analytics SDK for Android, I'm not shocked at all that Flurry Analytics use is skewing toward Apple users.

Even if developers just stopped writing apps for Android, that is not proof that fragmentation was the cause.

There is no fragmentation problem with Android. It's always been something that Apple fanbois have used to attack Android for being less homogenous.

Is that so? Then maybe you can explain to the Galaxy S and Tab buyers why they won't be getting Ice Cream Sandwich.

The fact though is that Google provides the tools for developers to handle the variations in screen size and such and in practice developers don't seem to be having too much trouble with the fragmentation issue.

Third-party developer support for Android declined by a third in 2011.

True early on some features wouldn't be supported on older versions of Android, but the same is true with iOS, Apple adds new features and doesn't necessarily port them to old iPhones.

While not every feature gets back ported, the 2.5-year-old iPhone 3GS can run the latest version of iOS. The problem is that carriers aren't interested in doing support; they want to sell new phone models every six months.

I'm not sure that iPhone users are sitting back eating popcorn anymore.

My remark was meant to be tongue-in-cheek, but why wouldn't they be? The iPhone 4S has been the top selling handset for months, and iOS sees much more third-party developer support--developer support for Android actually decreased in 2011. And iOS is the #1 mobile OS on the web, which suggests a large portion of Android users are budget buyers who aren't even using their smartphones as smartphones.

I don't say all this to further more smartphone OS wars but to point out that the stereotypical image of Android as some all-devouring conquerer isn't accurate. When iPads and iPods are counted, iOS actually has more total marketshare--for whatever marketshare is worth in terms of "victory", which isn't as much as Slashdotters think.

This doesn't appear to address fragmentation at all. To the contrary, fragmentation will be even easier, according to the article:

To be clear, this doesn't mean the death of phone makers' user interface customizations, such as HTC's Sense or Samsung's TouchWiz. Far from it: Google is also making it easier for developers to accommodate these custom interfaces, with a bit of code that adopts whatever theme the device is using by default. Essentially, app developers will be able to choose whether their apps will look more like stock Android 4.0, or like the phone maker's customized interface.

Recall that TouchWiz is the reason the Galaxy S and Galaxy Tab won't get Ice Cream Sandwich despite being only months old. Just look at this chart of the completely broken upgrade cycle for Android smartphones--and note the 2 1/2 year old iPhone 3GS can run the latest version of iOS. The problem is that the carrier's business model is to sell you a new phone every six months. It's not in their best interests to provide upgrades and support. As far as they're concerned, interaction with the customer is over the moment you purchase the phone, so they don't give a crap about trying to provide a cohesive platform that interoperates with competing Android phones.

Seamless experiences win out in the long term. We saw this when gaming moved from PCs to consoles in the 2000s, and it's happening now in the transition to the post-PC era. The previous mobile web OS usage article raised a lot of eyebrows, because despite the fact Android has greater volume, it's turns out that it's actually #3 in web use behind Java ME and iOS, which means the majority of Android users are not using their phones like smartphones, for whatever reason. On top of that, developer support for Android dropped by one-third over the course of 2011 despite an increase in activations.

The fragmentation issue is something Google desperately needs to solve if it wants to avoid the same fate that desktop Linux did. Throwing something out there, calling it open, and letting "choice" steer the ship isn't going to do it. Requiring support for a theme is a step in the right direction, but all it means is that there is a default theme, not a standardized one.

(1) counts all iOS devices, not just phones and (2) speaks about in-app purchases stats.

So when you talk about "OS share" for computers do you exclude either desktops, laptops, or servers? If not, why are Android proponents so interested in only counting phones? Third party developers could usually care less whether someone is running iOS on a phone or a Touch.

As far as app purchases....

http://www.wired.com/gadgetlab/2011/12/ios-revenues-vs-android/

http://blog.flurry.com/bid/79061/App-Developers-Bet-on-iOS-over-Android-this-Holiday-Season

Not to mention piracy rates are higher on Android....
http://www.informationweek.com/news/security/app-security/231601064

You can target the same API and hit all those "related but not entirely compatible operating systems".

Not without tremendous support costs, and mobile developers have been public about this. In addition to the software APIs, there are multiple hardware devices to target with varying capabilities. Even the very existence of variable screen resolutions completely screws up the ability to have a single, unified, cohesive interface across multiple phones.

Android was designed from the ground up to handle significant differences between handsets and OS versions, and gives developers tools for dealing with that gracefully. Whether or not they do it right is another story.

It may have been Android's intention to seamlessly target multiple hardware devices, but you pretty much cap the point yourself--whether or not it actually does is another story. Developer support for Android has declined by one-third over the course of this year.

It's not flamebait. It's based on a study by Flurry Analytics showing that Android developer share has declined by more than one-third in the last year. Apparently, refuting the Eric Schmidt with hard numbers is now "flamebait" because happens to be negative news about Android.

From the article you linked:-

"However, the largest single factor that appears to impact developer support for the platform is the consumer’s ability to pay. This comes down to Google Checkout penetration. Upon setting up an iOS device, a consumer must associate either a credit or gift card to her iTunes account. In theory, this means that 100% of all iOS device users are payment enabled. This has not been the case for Android, resulting in lower revenue generation possibilities on the platform. With the recent integration of Google Wallet and Google Checkout, as well as their current $0.10 Android app sale to spur new account sign-ups, Google appears to be taking steps to correct this

The point here is that the main issue at least in the case of flurry is the ability for customers to pay on the Android platform. Hence the reason why Eric Schmidt said the problem should be rectified in about 6 months. I don't see this a refuting what he said. IF the problem is customers ability to pay as the article you linked says then obviously Schmidt is aware of the issue and plan to fix it in 6 months. Nothing refuted. We'll see if they fix it.

It's not flamebait. It's based on a study by Flurry Analytics showing that Android developer share has declined by more than one-third in the last year. Apparently, refuting the Eric Schmidt with hard numbers is now "flamebait" because happens to be negative news about Android.

It's not surprising why app developers are betting on iOS over Android. According to the Flurry Analytics study, they make four times as much money on iOS. Developers are also concerned about fragmentation, the lack of store curation, and lower penetration of Google Checkout among Android users compared to iOS users, who are always payment enabled through their iTunes accounts.

Android's target demographic is hardcore techies combined with budget buyers unconcerned with smartphone quality. It actually makes very little money for Google, while iOS is generating obscene profits for Apple. Slashdot still fetishes marketshare as if it's the only metric that matters, but Android is actually like a whole bunch of operating systems with different capabilities.

This is a new (in the last year or so) "freemium" business model which is turing out to be a very lucrative way for developers to make money in the new App Store mobile gaming world. It is all explained quite well in this blog post:

http://blog.flurry.com/bid/65656/Free-to-play-Revenue-Overtakes-Premium-Revenue-in-the-App-Store

Most of these games don't require you to make in-app purchases to continue in the game, they just allow you to buy items to proceed in the game faster. Because the games are free, the developers get vastly more distribution of their games than if they were paid, and even though only a small minority pay for in-app purchases, the developers can make a significant amount of money off of them. This ends up being a win-win: developers get paid and get lots of exposure for their hard work and potentially millions of people get quality games for free which is subsidized by a small number of people with more money than time on their hands who want to proceed faster in the games.

Speaking as an app developer, there is no reason to ever use UDID in the App store that can't be done using account/password or OpenID. Provisioning for testing is the only time UDID's make sense but testing is time limited and restricted to 100 devices. Enterprise is another, but that is not what this lawsuit is about.

This is about the use of UDID's for the aggregation of users' personal information.

It is already happening.

For example, Flurry, a popular library which has a lot of developers using its API in the app store, uses AppCircle as virtual currency for the purpose of advertising. So it is very likely that if an iPhone is purchased second-hand, then that advertising profile from the first user will carry over.

Here's another example from an app developer,

Fluent Mobile Websites and Applications
When you use certain features of our website and applications, we may collect personally identifiable information from you that may include your email address and mobile phone number.

via Fluent Mobile Inc

Personally, I find it reprehensible, and I don't do it, but I continuously read about other developers doing it.

Posting Anonymously because this is Apple we are discussing about.

Speaking as an app developer, there is no reason to ever use UDID in the App store that can't be done using account/password or OpenID. Provisioning for testing is the only time UDID's make sense but testing is time limited and restricted to 100 devices. Enterprise is another, but that is not what this lawsuit is about.

This is about the use of UDID's for the aggregation of users' personal information.

It is already happening.

For example, Flurry, a popular library which has a lot of developers using its API in the app store, uses AppCircle as virtual currency for the purpose of advertising. So it is very likely that if an iPhone is purchased second-hand, then that advertising profile from the first user will carry over.

Here's another example from an app developer,

Fluent Mobile Websites and Applications
When you use certain features of our website and applications, we may collect personally identifiable information from you that may include your email address and mobile phone number.

via Fluent Mobile Inc

Personally, I find it reprehensible, and I don't do it, but I continuously read about other developers doing it.

Posting Anonymously because this is Apple we are discussing about.

"Question: Why exactly would you WANT this?"

Seriously? I guess you're serious, but this comes from the "why do I want a color screen/camera/internet/touchscreen on my phone" crowd.

Here's a shocker: people play games on their phones. Angry Birds has been purchased by 6.5 million people. That's a lot, and that's not even a good game. EA makes iPhone games like SimCity, Need for Speed, Spore and Command and Conquer Red Alert. Square Enix makes a little game called Final Fantasy. Yes, that Final Fantasy. the real final fantasy. Even small developers are making a million dollars a month off iPhone games.

Sony has no choice: iPhone had 19% of the portable software revenue in 2009 compared to the PSP's 11%. That's amazing for a device that was only 2 years old at the time, that's triple the 5% the iPhone had in 2008.

As for batteries running dead... well, that happens. You can run down your battery watching Youtube videos or constantly checking Facebook. The "think about the battery!" excuse is played out, people said the same thing when they added color screens to phones and again when cameras were added and again when giant LCD touchscreens were added. If you don't like it, don't buy a smartphone or buy a case that charges the phone.

The UDID is really useful for collecting analytics, such as with Flurry Analytics. You can really easily get nice graphs and charts on how users in aggregate are using your app, or drill down to any particular (anyonymous) user based on the UDID. For these analytics to be useful, you need to specify some type of unique identifier for the device. A UDID makes perfect sense, and there really isn't any standard or easy way to map the UDID to any particular user anyway, so it's hard to see what all the fuss is about. Regardless, the app should let the user know the UDID is being logged, and allow them the option to turn the logging off.

You realise this story is actually about apps, rather than phones, right? They might have "only" 28% of the smartphone market (I say only because it seems a small figure but it's currently second only to RIM/Blackberry at the moment, and they're having their pie eaten at an alarming rate), but they control a disproportionately high share of the app market (the most recent figures I can find are a year old, unfornately, but I doubt they've shifted in anyone else's favour too much in that time). 79% market share when your nearest competitor has only 15% share sounds like it might be a big enough advantage to constitute a monopoly.

The following is mostly unopinionated and uses actual cited facts.

Of the total cellphone market the iphone is around the 3% mark, although I do not have a source for this. You specifically said *smartphone market*, which according to http://comscore.com/Press_Events/Press_Releases/2010/4/comScore_Reports_February_2010_U.S._Mobile_Subscriber_Market_Share and http://arstechnica.com/gadgets/news/2010/02/google-makes-biggest-gain-in-smartphone-market-share.ars Apple holds 25 % market share. Now android may be growing fast but it will reach a market saturation point. It is worth noting that at launch, iPhones were $600 and Droids were $200 http://blog.flurry.com/bid/31410/Day-74-Sales-Apple-iPhone-vs-Google-Nexus-One-vs-Motorola-Droid and they had almost identical sales figures in the first 74 days. Granted, that is just the droid and not all android phones, but as my previous citations indicate, the iPhone still has greater market share despite lower priced android based phones on multiple carriers.

As far as your data plan pricing goes http://www.verizonwireless.com/b2c/splash/plansingleline.jsp?lid=//global//plans//individual for a 3g 'smartphone' you will need the $29.99 a month, exactly the same as an iPhone data plan. Even with sprint http://shop.sprint.com/NASApp/onlinestore/en/Action/DisplayPlans the base plan with unlimited data is $69.99 a month, same as iPhone. Im not going to bother looking at tmobile.

Not to open up a flame war but I need to make a quick point on how useful the ability to tether, use linux and flash, I will keep it to a minimal here. I do not mean just on one smart phone, if you are using you laptop, you are sitting down somewhere which in all likelihood has (free) wifi, mainstream consumers(read: non technically inclined people) have little use with linux(not to fault distros like ubuntu which will serve most users needs but most people do not want to learn something new), and flash is a good way to heat up my computer.

If you want to give citations for your 'better' network, 'cheaper' data plan(inexpensive was the word you were looking for, which I still think would be inaccurate) and 'better' data service, that would be nice. That does not include tv ads demonstrating 3g speed differences, some form of 3rd least biased party, please.