Fifth of Android Apps Expose Private Data
WrongSizeGlass writes "CNET is reporting that a fifth of Android apps expose private data. The Android market threat report details the security issues uncovered. Dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mail and text messages, phone call information, and device location. 5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."
Err --
Android applications have flags indicating what they are and aren't allowed to do, and are cryptographically signed with those flags. What this study (presumably) did is just check which apps have which flags set.
Thing is, when you-the-user install an app, you're told exactly which flags it has set, and given the opportunity to confirm or deny. In short -- if you're installing a lighter-flame gadget which says it's allowed to read your address book and connect to the Internet, and you click "OK", you deserve exactly what you get.
(Also -- misbehaving developers can, and sometimes do, have their signing keys revoked).
From the summary:
"5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."
Err, the mobile user was explicitly informed of this BEFORE the software is installed. Don't believe me? Check this screenshot http://www.taosoftware.co.jp/en/android/wakeupcallmaker/img/wakeupcallmaker_install.png
I guess someone has an axe to grind against Android (hint, hint) just because there were stories earlier about the iPhone revealing the exact location of the users to applications and ads.
This space for rent.
They got the figures by mining information from each app via the Android Market, or through one of the many aggregator sites like this one. Permissions are publicly listed, so that's how they came to their figures.
But yeah, it's incredibly misleading. The user is warned on install and at the bottom of the application's description in the Market.
Charisma is the measure of someone's ability to lie with a straight face.
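An added example, not part of the thread: a sketch of the kind of permission check the comments above describe, reading the `uses-permission` entries from a plain-text `AndroidManifest.xml` and flagging the sensitive ones. The manifest is a constructed sample, the category labels and the `audit` helper are this example's own, and it assumes the decoded XML form rather than the binary manifest packed inside an APK.

```python
import xml.etree.ElementTree as ET

# The android: attribute namespace used in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission constants; the labels are this example's own wording.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_CONTACTS": "read address book",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.INTERNET": "network access",
}
PRIVATE_READS = ("android.permission.READ_SMS",
                 "android.permission.READ_CONTACTS",
                 "android.permission.ACCESS_FINE_LOCATION")

# Constructed sample: manifest of a hypothetical lighter-flame gadget.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lighter">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Lighter"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)  # ignore malformed entries with no android:name
    return sorted(names)

def audit(manifest_xml):
    """Flag sensitive permissions and the private-data-plus-network combination."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SENSITIVE[p] for p in perms if p in SENSITIVE}
    reads_private = any(p in flagged for p in PRIVATE_READS)
    return {
        "flagged": flagged,
        "private_data_plus_network":
            reads_private and "android.permission.INTERNET" in flagged,
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, label in report["flagged"].items():
        print(f"{perm}: {label}")
    print("private data + network:", report["private_data_plus_network"])
```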
...in particular. They're just selling anti-malware software for smartphones. They'll be glad to sell you protection for your RIM, WinMo, or Symbian phone, too. They're also glad to point out the danger you're in with those phones, too - lacking their product.
"National Security is the chief cause of national insecurity." - Celine's First Law
iPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.
In many cases there is no way to access the content of another app (email for example).
It is also not possible for an app to make a call without user confirmation and it is not possible to send a text message at all.
Now this is, in fact, sort of a pain because I'd really like to build an app that sends or receives text messages but it does make for improved data security.
iPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.
As does Android. Th
This application has access to the following:
These are all displayed to the user in big orange warning text, with an OK/Cancel button below 'em. Every application in the market does this sort of thing, so the user knows exactly what every app is able to do. The article looks like FUD to me.
Does it? I've used several apps that have had access to my text messages, and I've never been presented with a confirmation request from them.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
You have to OK all the things that an app can touch before you install it, if you go installing apps without looking at what it can possibly touch then that is your problem. That is unless there is an exploit that allows developers to access features that it does not specify in the application manifest.
It asks you before you install the app so it doesn't bug you every five minutes after you install it when it tries to do things you're already aware it's going to do.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Google map app has built-in voice search that I don't think is at the OS level. For example, if you click the mic button while in map mode and say "navigate to gas station" it goes into nav mode to the nearest gas station.
Don't think of it like the web-based Google Maps, think of it instead as a hands-free car's navigation system. It will also dial numbers for you, including knowing to dial where you're driving to ("Dial Destination" or some such magical phrase).
-Malakai
A Dragon Lives in my Garage