Slashdot Mirror
Fifth of Android Apps Expose Private Data
WrongSizeGlass writes "CNET is reporting that a fifth of Android apps expose private data. The Android market threat report details the security issues uncovered. Dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mail and text messages, phone call information, and device location. 5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."
5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything
Emphasis mine. I'm not saying it's right that this could occur, but I operate under the assumption that anything I do online or with my phone is not private.
I think it's rather foolish to assume otherwise.
Living With a Nerd
My Evo tells me before I install an app what it will be able to do, I assume it works the same for all Android phones. It's hard to get worked up over an app that can access personal data, when you were told in big red letters that this app can access personal data, and you clicked ok anyway.
A fifth of applications rely on *permissions* that you, the user, must explicitly grant when you install them, that *allow* them to access private information.
That does not mean they do access that information, or put it to any sort of untoward use. Android practically screams at you when you install applications that need a bunch of permissions. Generally, sure, you ignore that if it just says "Read/write SD card" for example. But if something suspiciously asks for lots and lots of permissions, you might say to yourself "gee, this looks a little funny".
If 10,000 other people have installed it and everybody rates it 5-stars and there are no issues mentioned with it on the web, you can probably guess that it's not doing anything nasty with your information.
But the fact that Android extremely explicitly warns you about these permissions means that the only issue in my mind is there should be a more intense distinction in the UI between permissions like "Read/write to SD card" that lots of apps need, and "Access my contacts" or "Send text messages" which only a smaller number of apps need.
Otherwise, this is basically a hatchet job.
Whenever you install an application on Android, you're given a list of permissions the application wants to have in order to run, including accessing your data and making phone calls. You have to explicitly agree to this list before the app is installed. Is CNET saying that a fifth of Android apps can get your data, despite those permissions not appearing in the list? Because if they're not, this is a pointless "Well, duh" story: the user was told what the application is doing. If they just breeze through and click "OK" when that's clearly inappropriate (i.e., a tip calculator really shouldn't be requesting access to your call log), that's their damn problem.
Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.
Yes, by God lets not have users decide whether or not we can install an app that accesses our own data.
Corporations know far more about what's appropriate for my data than I ever could...
1. So because something has the ability to do something, that means that it DOES do it?
Logic. Submitter fails it.
2. When installing apps that have the ability to expose private data, the OS explicitly tells you beforehand and asks if you're sure.
While unscientific, everybody I know with an Android phone takes these warnings seriously. Yes, you still have the dancing bunnies problem, but in my experience most people don't expect a phone to work like a desktop, and the security awareness is higher as a result.
Congratulations on a flamebait article though.
This report is hardly independent. If you ignore the CNET reporter looking for controversial pulp to post on a blog you'll find that this report comes from smobilesystems, a little-known mobile security company who conveniently have a new piece of Android security software to sell that will stop all these non-existent rogue spyware apps. You can argue all you want that users install these apps with full knowledge and consent. They know that it's BS; they just want to use FUD to convince the unwary and paranoid that their software (which if it actually does anything, probably just checks the installed apps against a package name blacklist) will keep them safe from an imaginary raging torrent of malware on the Android platform.
And behold, a command prompt and he who sat upon it, his name was shutdown and -h 3:11 followed with him
"Suddenly the walled garden approach where apps go through an approval process doesn't seem so bad."
Yes, it does seem so bad. If it were just a question of certain apps being "approved," but users still having the option to install whatever they wanted, you might have a point (e.g. the repositories model for Linux distros). What Apple does is to say, "No, you cannot install that program, even if you want to, just because we said so! HAHAHAHA! No political cartoon apps for you!"
Palm trees and 8
The story is a PR plant by one of Apple's minions. They are taking a big negative with the iPhone, (no access to some phone functions) and turning it into a win for Apple.
To be fair, Apple's minion doesn't hire the story out and then attempt to sell it to the media. A few weeks ago Jobs claimed the Droid was a porn magnet or something like that... This is just more of the same ideological offensive.
The way this works is Apple's PR people go around making the case for their product, in those discussions are carefully constructed factoids like "their apps *can* do Bad Things (TM) with your private data!" Then some enterprising writer fills in the rest of the FUD perfectly willing to blow-up the half-truth in exchange for a closer seat in the Jobs Reality Distortion Field.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I wanted to install an app that managed sms, and it asked for permission to access my messages!
It goes without saying that I immediately canceled the installation.
If you actually RTFAs' source, you'll see that this smobile systems company is using these statistics to try and sell a dependency checker.
Also, I saw no mention that these 'leaks' are derived from sources other than what the user allowed.
In short, Not news.
"Our goal each year should be to increase the number of goals we set for ourselves!"
100% of your pc applications have access to your file system!
Dozens of apps were found to have the same type of access to sensitive information as known spyware does
Dozens of children were found to have access to the same types of kitchen utensils that murderers use!
which is totally what she said
Fear, Uncertainty & doubt is all this article is doing
http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt.
As many people have pointed out the security permissions model in android is very good.
you cant have fantastic apps without allowing them access to other data.
And so thats why the security permission authorization screens are there.
Its so dumb this article, because you cant have your cake and eat it too.
It pisses me off when journalists write a piece like this LL because it gets headlines.
Hey CNet, get a life and stop taking backhanders from Apple or Microsoft. Just a ridiculous article in the first place.
I think you'd surprised to find that to most private data NO apps have ANY access on the iPhone... They're mostly limited to their own data and to the net and there are only very few APIs to access anything else. Android may be cautios and transparent, but iOS is paranoid.
In the long run I very much doubt that the "flagging and informing" of Android helps here. It's good for shifting the responsibility over to the user ("You clicked OK after all, you dumb fuck!"), nothing more. The difference between Google and Apple is that Google thinks this is enough and Apple doesn't. I have not made up my mind yet about who's right. But I know one thing: Half of the population is beyond average intelligence.
99.9% of desktop apps can do whatever they want. They can read your emails. They can determine how much seti data you've processed. they can find out everything you type. They can capture video of your desktop and stream it to africa.
People want their phones to be computers. You are taking no more or less risk with a phone than you do with a computer. The app market is ripe for social engineering attacks right now, but i highly doubt there is more risk than on the desktop.
People are complaining that someone has access to contacts and emails, but people are also scrambling to give all that information to google through gmail, voice, and wave.
I was wondering how many were going to get to this level of information.
Poor Elinor Mills, doesn't have anything to write about, so she takes copy from the marketing department of a company, summarizes it and calls it reporting.
She was just doing us a favor, making sure that we knew about an advertisement.
I am sickened to think that people believe this is reporting or worthwhile blogging.
There is no information until you have verified their claims or can allow somebody to verify the claims. SMobile scanned the database of program information and concluded that 20% of android apps should make us panic. Then Smobile told us not to worry , they have the solution and would let anyone have the solution if you bought their product. God forbid that in this whole circle of marketing they should actually pass along worthwhile information.
I would just like to note that 70% of iPhone apps don't have spyware included.
True, but it's hard to judge the impact of a disclosure from the nature of the information. That's a major bug in our conception of privacy, particularly in the US. It's not *what* the information is, but how it is used that matters.
I'm reasonably expert when it comes to information privacy issues, but even I don't feel like I fully understand the consequences of granting each permission. I sometimes contact an app developer when an app requests permissions that don't seem right. Usually it has something to do with advertising revenue, but that really just shifts the uncertainty elsewhere.
What the user ought to be asked is not assent to fine grained permissions like "read phone state and identity", but rather usage scenarios like "transmit my identity and application usage to an advertiser for calculating reimbursement to the app developer" that implies a package of fine grained permissions. Furthermore, any party in the transaction should be contractually limited to those uses. A developer who collects or provides usage data beyond what is needed to calculated reimbursement should be liable. An advertiser who sells the data to credit reporting agencies should be liable.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
As you noted, the google model is nothing more than blame-shifting, just like MS's UAC.
Totally wrong. Google sandboxes applications, meaning it enforces these permissions at the OS level. And the permissions are clear and simple enough that normal people usually understand them. On iPhone, in principle, any application can read almost any data and invoke for-pay services.
When compared to Apple's walled garden from a security perspective there isn't even a question as to which is better.
Apple's "walled garden" is a fiction; Apple doesn't have the resources to do meaningful security audits on the software it approves. Anybody who wants to can sneak malware into their Objective-C programs and activate it at some point in the future. Even with full source code, Objective-C is such a flexible language that a clever programmer can hide pretty much anything. And Apple wouldn't know about it until it gets user complaints. But since there is no sandboxing or permission system, and no way to install security software on the iPhone, it may be a long time before anybody notices what's going on. So, not only is Apple's own review process nearly meaningless against a determined hacker, user-based vetting is far less effective on the iOS platform.
The only way to enforce permissions is through sandboxing. Apple's "walled garden" is a joke from a security point of view. iOS has just about the worst security model of any phone OS.