Fifth of Android Apps Expose Private Data
WrongSizeGlass writes "CNET is reporting that a fifth of Android apps expose private data. The Android market threat report details the security issues uncovered. Dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mail and text messages, phone call information, and device location. 5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."
Err --
Android applications have flags indicating what they are and aren't allowed to do, and are cryptographically signed with those flags. What this study (presumably) did is just check which apps have which flags set.
Thing is, when you-the-user install an app, you're told exactly which flags it has set, and given the opportunity to confirm or deny. In short -- if you're installing a lighter-flame gadget which says it's allowed to read your address book and connect to the Internet, and you click "OK", you deserve exactly what you get.
(Also -- misbehaving developers can, and sometimes do, have their signing keys revoked).
From the summary:
"5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."
Err, the mobile user was explicitly informed of this BEFORE the software is installed. Don't believe me? Check this screenshot: http://www.taosoftware.co.jp/en/android/wakeupcallmaker/img/wakeupcallmaker_install.png
I guess someone has an axe to grind against Android (hint, hint) just because there were stories earlier about the iPhone revealing the exact location of the users to applications and ads.
This space for rent.
...in particular. They're just selling anti-malware software for smartphones. They'll be glad to sell you protection for your RIM, WinMo, or Symbian phone, too. They're also glad to point out the danger you're in with those phones, too - lacking their product.
"National Security is the chief cause of national insecurity." - Celine's First Law
iPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.
In many cases there is no way to access the content of another app (email for example).
It is also not possible for an app to make a call without user confirmation and it is not possible to send a text message at all.
Now this is, in fact, sort of a pain because I'd really like to build an app that sends or receives text messages but it does make for improved data security.
iPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.
As does Android. Th
This application has access to the following:
These are all displayed to the user in big orange warning text, with an OK/Cancel button below 'em. Every application in the market does this sort of thing, so the user knows exactly what every app is able to do. The article looks like FUD to me.
Does it? I've used several apps that have had access to my text messages, and I've never been presented with a confirmation request from them.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
You have to OK all the things that an app can touch before you install it; if you go installing apps without looking at what they can possibly touch, then that is your problem. That is, unless there is an exploit that allows developers to access features that are not specified in the application manifest.
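An added example, not part of the original thread: the kind of permission check the comments describe, run over a decoded AndroidManifest.xml. It assumes the manifest has already been converted from the APK's binary XML to text; the sample manifest and the grouping of permissions into "sensitive" and "data-reading" sets are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities named in the thread (illustrative set).
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place calls without the dialer",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
}
# Subset that reads private data; combined with INTERNET it can leave the device.
DATA_READ = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION"}
INTERNET = "android.permission.INTERNET"

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)  # ignore malformed entries with no android:name
    return names

def audit(manifest_xml):
    """Summarise sensitive permissions and the read-plus-network combination."""
    perms = requested_permissions(manifest_xml)
    return {
        "sensitive": sorted(perms & SENSITIVE.keys()),
        "can_exfiltrate": INTERNET in perms and bool(perms & DATA_READ),
    }

# Constructed sample: a "lighter flame" gadget asking for contacts and network.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lighter">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Lighter"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for name in report["sensitive"]:
        print(f"{name}: can {SENSITIVE[name]}")
    if report["can_exfiltrate"]:
        print("reads private data and has network access")
```
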