Slashdot Mirror


Android Data Stealing App Downloaded By Millions

wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"

335 comments

  1. Thats it! by socz · · Score: 3, Funny

    I'm going back to winmo where it's "Safe!"

    --
    My abilities are only limited by my imagination
    1. Re:Thats it! by Skatox · · Score: 0

      LOL!!!

    2. Re:Thats it! by Pojut · · Score: 0

      It's sad because it's true :(

    3. Re:Thats it! by arkane1234 · · Score: 1

      It's sad because it's true :(

      No, it's not true. It's only that no one looks out for those things on winmobile.
With as many free apps that change your wallpaper, etc., for winmo, you can believe it's rife with it just the same.
      It's amazing that anyone would think it doesn't happen...

      --
      -- This space for lease, low setup fee, inquire within!
    4. Re:Thats it! by stanlyb · · Score: 0

      Noooo, not LOL, but ROFL ROFLS ROFL.

    5. Re:Thats it! by socz · · Score: 4, Funny

Of course it happens to any platform that you can install/patch/hack on. A lot of people don't even install anything on their winmo phones because it's a hassle, yet on iP and droid, it's as easy as pie! But anyone who thinks they're safe is a fool... because unless you compile your own compiler...

      --
      My abilities are only limited by my imagination
    6. Re:Thats it! by mark72005 · · Score: 4, Funny

      I am anxiously awaiting the safety and security of Windows Phone 7

    7. Re:Thats it! by Rip+Dick · · Score: 2, Informative

      They just updated the article saying that it does not steal txt messages or browsing history.

    8. Re:Thats it! by Dishevel · · Score: 4, Funny

      and write your own compiler.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    9. Re:Thats it! by TheRaven64 · · Score: 2, Interesting

      There's absolutely no reason that this should be the case. I can't speak for Windows Mobile, but the Symbian kernel has a capability model that makes it relatively easy to protect against this kind of thing. Applications, by default, can only read a few system locations (shared libraries and so forth) and can only write into their own directory. Each shared library and each application has a set of capability bits. A shared library can only be loaded by processes that have all of the capability bits that the library has (so, for example, if your app doesn't have the SMS capability, it can't load shared libraries that require it). If you install a wallpaper app, and it has the capabilities to inspect arbitrary directories, system configuration, and so on, then you'd expect to know something is wrong. Unfortunately, the Symbian UI sucks so badly that it probably doesn't actually tell you this...

      Interestingly, OS X also has quite a nice subsystem for running untrusted code. On recent versions, there are predefined sandbox settings for preventing writes, preventing Internet access, and preventing writes outside /tmp. It's not used much on the desktop (not at all for untrusted code, where it would be most useful), but it might be used on the iPwn.

      --
      I am TheRaven on Soylent News
    10. Re:Thats it! by brasselv · · Score: 3, Funny

      and run it on hardware you designed and manufactured yourself

      --
      "Whenever people agree with me I always feel I must be wrong." (Oscar Wilde)
    11. Re:Thats it! by Skatox · · Score: 0

      Sure! Because it's monotasking it cannot let your software run and steal data at the same time

    12. Re:Thats it! by Anonymous Coward · · Score: 0

In binary, can't trust those assemblers!

    13. Re:Thats it! by w0mprat · · Score: 2, Insightful

      and write your own compiler.

      Your compiler can't compile itself!

      Personally I prefer to tap the bits into the hard drive platter with a magnetized sewing needle, that way I know it's safe... oh wait... what about the HDD's firmware?

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    14. Re:Thats it! by _0rm_ · · Score: 1

      Tell that to the Lispers.

      --
      Boredom is bliss.
    15. Re:Thats it! by ignavus · · Score: 1

      and run it on hardware you designed and manufactured yourself

      Using a brain that you .... oh, forget it.

      --
      I am anarch of all I survey.
    16. Re:Thats it! by the_other_chewey · · Score: 1

      Your compiler can't compile itself!

      Yes it can. It's called compiler bootstrapping
      Where do you think today's compiler binaries come from?

    17. Re:Thats it! by Anonymous Coward · · Score: 0

      Funny that. I have a hazy memory of a 70's era nerd telling of a hack'd compiler that would detect when it was compiling itself and then and only then insert a backdoor function into the compiler executable it was generating.

    18. Re:Thats it! by mcvos · · Score: 1

      There's absolutely no reason that this should be the case. I can't speak for Windows Mobile, but the Symbian kernel has a capability model that makes it relatively easy to protect against this kind of thing. Applications, by default, can only read a few system locations (shared libraries and so forth) and can only write into their own directory. Each shared library and each application has a set of capability bits.

      I don't know the technical details of it, but it's quite possible that Android does exactly the same thing. When you install an app, you get to see a list of the permissions it needs. At that point, an informed user will stop and consider if that app really needs all those permissions, and will not install it if he doesn't trust it. Unfortunately, most users don't do that and just blindly assume that every app can be trusted, giving it all the permissions it requests, whether they make sense or not.

    19. Re:Thats it! by Anonymous Coward · · Score: 0

Ehh, by default Android applications have access to next to nothing. An application can ask for permissions when installed, but the user has to grant it these permissions. If a wallpaper application asks for permissions to everything between heaven and earth and the user grants it these permissions, well, blame the user - not Android.

    20. Re:Thats it! by Nyder · · Score: 1

      --
      Fuck that pedo The Prophet Muhammad.

      I like the sig, where can i buy a shirt version of it? =)

      --
      Be seeing you...
    21. Re:Thats it! by bandmassa · · Score: 1

      In iPhone's "walled garden" one presumes this app would be rejected. I'm cynical enough to think the odd one might get through, but most won't.

      This is one reason why, even though I looked into Droid first, that I ditched Droid and went for the iPhone. The walled garden has its advantages. (I am feeling quite smug at the moment.)

      --
      "I hope you like Guinness, Sir. I find it a refreshing substitute for, er... food." Col. Jack O'Neil, SG-1
  2. I'm confused... by mcgrew · · Score: 4, Insightful

    A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

    1. Re:I'm confused... by jsnipy · · Score: 1

      it can

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    2. Re:I'm confused... by allusionist · · Score: 1

      Of course it can, but less tech-savvy phone owners won't realize this. They're the targets.

3. Re:I'm confused... by socz · · Score: 3, Informative

      This is what confuses me:

      The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning.

      When I started learning android, one of the first programs I made was literally just text and a color background right... and it still asked for permission for calls! I was like hrm, maybe I got a tampered with version of the SDK? But that is why I'm just like *shrugs it off* when I see wall paper apps request phone call access. Now, I don't download wall paper apps lol but, I can see why those who did shrugged it off as well. This is probably something that google needs to explain better, or I need to learn better, or things need to be changed.

      --
      My abilities are only limited by my imagination
    4. Re:I'm confused... by Vintermann · · Score: 2, Insightful

      Never mind that, why would you need a wallpaper app that requests permission to make phone calls?

      Really, there's no helping some people.

      --
      xkcd is not in the sudoers file. This incident will be reported.
    5. Re:I'm confused... by YouWantFriesWithThat · · Score: 1

      honestly, i think that you did something wrong with your test app. there are tons of highly intricate apps that do not request permission to make calls. now, if your app wanted to go to the background when a call came and relaunch when the call is over that's something different. however, that permission is "read phone state" which does not sound the same at all.

    6. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      This is probably something that google needs to explain better, or I need to learn better, or things need to be changed.

      I think Option 2. Blackberry does something similar - an app can't ever do anything you don't explicitly give permissions for. When in doubt, *always* choose "Deny"; and don't check "don't ask again" since if it turns out that the app legitimately needed the permission, it will make it easier to correct later.

    7. Re:I'm confused... by Anonymous Coward · · Score: 0

      You made a mistake creating the project. Very likely that you selected device feature when setting up the initial project.

    8. Re:I'm confused... by brainboyz · · Score: 4, Informative

      Your manifest file is wrong. You request a list of permissions that your app is then allowed to use, but requesting them does not mean you used it. You probably have PROCESS_OUTGOING_CALLS or CALL_PHONE listed unnecessarily.

    9. Re:I'm confused... by jeffmeden · · Score: 4, Informative

      honestly, i think that you did something wrong with your test app. there are tons of highly intricate apps that do not request permission to make calls. now, if your app wanted to go to the background when a call came and relaunch when the call is over that's something different. however, that permission is "read phone state" which does not sound the same at all.

Yes, "read phone state" sounds totally different than "make phone calls" or whatever the exact verbiage is... /sarcasm

      Cellphones went mainstream about 10 years ago, and even smartphones like those based on Android are very common. This means they are in the market where you need it to be so simple that someone with a barely functioning grasp of English could figure it out.

      To software engineers, there might be a difference between "read phone state" and "make phone calls" but to a layperson there really isn't. You really need to look at it with the "would it work in a car" mentality: is it simple enough to be put into a car and be figured out by anyone with a mild amount of training in "not crashing"? Hint: "turn key to start" is good, an arrow indicating which way to turn it is better, and "please select from the available options: Activate engine controls. Activate engine starter motor. Activate seat belt latch." is NOT going to go over well.

      All this nonsense about "well the user was advised that SIM activity could be perturbed by the inclusion of application permission" as an excuse for a poorly implemented security platform needs to be thrown out the window unless you want Android to turn into Windows Mobile 6 in a matter of months while security and usability problems fly out of the woodwork and people flock to a different platform without such headaches.

    10. Re:I'm confused... by socz · · Score: 3, Insightful

      Well, what was interesting *to me* was that when I sent the program to the emulator, i left it blank! So I hadn't even made any changes to the default and it was asking for permission. In my mind, if it does nothing, why does it need access?

      --
      My abilities are only limited by my imagination
    11. Re:I'm confused... by socz · · Score: 1

      Yeah that's what I figured. It's the default though, but like I said in another post, it's odd to me that something that does nothing is forced to request access to anything.

      --
      My abilities are only limited by my imagination
    12. Re:I'm confused... by Anonymous Coward · · Score: 0

      Never mind that, why would you need a wallpaper app that requests permission to make phone calls?

      Really, there's no helping some people.

You can help them, they are too dumb to own an android... tell them to get an iphone. That will solve the issue.

    13. Re:I'm confused... by Anonymous Coward · · Score: 0

      The default added is for CALL_STATUS, not to make calls. There's no reason an app should ask for permission to make calls unless that is explicitly stated in the manifest.

    14. Re:I'm confused... by YouWantFriesWithThat · · Score: 1

      this being slashdot, i will forgive you for making assumptions about who i am and if i am a software engineer or not. but i am not.

      to be precise: the permission that gives the phone access to make calls is designed to sound scary. it is "Services that cost you money, directly call phone numbers". and my point stands that it sounds a hell of a lot different than "read phone state".

      most businesses shoot for a 3rd grade reading level, and i think that in this case android did just fine in making the permission simple to understand. you can throw stones at some aspects of the android OS, but i don't think that this is one of those places. these people installed a wallpaper app that had as many permissions as a new launcher (desktop) and that was their decision.

      if a layperson had a question about that app or permissions in general they could have googled it right from their phone. if you choose to drive with your eyes closed, you will crash the car in your analogy.

    15. Re:I'm confused... by MBGMorden · · Score: 1

      You know that, but the average idiot doesn't. It's the same thing as the screensaver viruses that get passed about.

      Not really much of a news story IMHO. Computers (and modern smart phones are basically just little computers with tough interfaces) have been susceptible to malware for years.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    16. Re:I'm confused... by IamTheRealMike · · Score: 1

      You're not forced to request access to everything. I've written an Android app and that warning never appeared for it.

    17. Re:I'm confused... by arth1 · · Score: 3, Interesting

      Wallpapers aren't just static images.

      The wallpaper I have here, changes colour depending on the time of day.
      You can even show a view adjusted for the weather where you are.

    18. Re:I'm confused... by Drathus · · Score: 1

      You list the permissions your app needs in the AndroidManifest.xml file. They're not computed by what the app does in code.

      So you had a permission there which you did not need.

19. Re:I'm confused... by Dishevel · · Score: 0, Flamebait

      Barely literate fucks who could not understand anything not related to drinking or twitter should take the fucking bus. They should also reap the consequences of being a stupid fuck and have their personal data stolen. I am very ok with this. Let the stupid and those who just can't be bothered to read hurt.

      .

      P.S. Remove warning labels about coffee being hot and hair dryers not for use in shower as well.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    20. Re:I'm confused... by h4rr4r · · Score: 1

      It can, the folks installing this are the same folks who installed screensaver apps way back when.

    21. Re:I'm confused... by Gilmoure · · Score: 1

      P.S. Remove warning labels about coffee being hot and hair dryers not for use in shower as well.

      This could make for a funny show.

      --
      I drank what? -- Socrates
    22. Re:I'm confused... by Dishevel · · Score: 1

      Could also make for a better world.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    23. Re:I'm confused... by Anonymous Coward · · Score: 0, Informative

      one of the first programs I made was literally just text and a color background right... and it still asked for permission for calls!

      So.. you told it to ask for permission to make calls, then are surprised when it says it needs permission to make calls?

      You wrote the program, you're responsible for the requests. The SDK doesn't give it anything you don't ask for.

      You don't understand development, and it shows. This is clearly a "Layer 8" problem.

    24. Re:I'm confused... by mafian911 · · Score: 2, Interesting

      I don't think this post is flamebait. Ok, well, "dumb" is harsh, but I do think the iPhone is targeted toward people who really just don't know any better. That's why the phone is so easy to use, bc hell, a baby can figure it out.

      Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.

    25. Re:I'm confused... by mea37 · · Score: 1

      I'm not a user or developer of Android apps, so this is just my assumption, but... The question is, how should it be known what permissions to request?

      In a desktop or server setting, typically the permission is requested when it is needed; but in cases where the user will be asked if the request is ok, is that really a good idea? If you're half-way through doing something cool with your new app, and get a message that the app wants permission to do such-and-such, don't you have an unbalanced incentive to say yes (since the cool thing you're doing will otherwise be stopped cold)? For that matter, if you have an app that's going to ask for inappropriate permissions, isn't that a red flag you'd like to see before the app has gotten the chance to do anything at all?

      It makes sense to me that the user should get any "will you let the app do X, Y, and Z" type messages at install time; or at the very latest when the app launches for the first time. But you can't know at that point everything the app is going to try to do; so instead you make the app tell you everything it might want permission to do (and if it tries to do anything else, it can't).

      If that is the environment, it doesn't seem odd at all. If you declare that you might do X, even if you never actually do X, then of course the user is asked if it's ok for you to do X - because the only knowledge on which the decision to ask can be based is whether you said you might do X.

      Solution: if you never do anything, don't declare that you might do anything.

    26. Re:I'm confused... by MikeBabcock · · Score: 1

      I still have yet to understand why people download ringtone and wallpaper apps on Android. I can use any MP3/WAV/etc. music for ringtones and any JPG/etc. image for backgrounds. I figure anyone who installed either is so completely uninformed about their device they're just begging to get malware of some form.

      --
      - Michael T. Babcock (Yes, I blog)
27. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      I'm not familiar with the Android platform, but that seems like a really bad idea. "Of course you'll be honest with what your app does, Mr Malwharightar, you just go ahead and tell us what permissions you need."

      Are you 100% sure this is the case? I can't picture Google (or any competent team) making an error that fundamental in the platform design. The BB platform looks at the actions you take in code; I would expect Android to do no less.

    28. Re:I'm confused... by Danse · · Score: 1

      I still have yet to understand why people download ringtone and wallpaper apps on Android. I can use any MP3/WAV/etc. music for ringtones and any JPG/etc. image for backgrounds. I figure anyone who installed either is so completely uninformed about their device they're just begging to get malware of some form.

      People seem to like apps that change their wallpaper based on various conditions, whether it be time of day, location, weather, etc. So they have apps to do these things.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    29. Re:I'm confused... by Blink+Tag · · Score: 1

      That's right. Only smart people should be allowed to use smart phones. Or any other technology. /sarc

You're complaining that users' competence is ... at times inadequate. You may be right, but whose responsibility is it to compensate for that? By definition, such users can't, as they don't know any better.

      It's times like this where curated app stores start to make sense.

    30. Re:I'm confused... by tknd · · Score: 1

      Android supports something called live wallpaper. This is how animated wall papers or dynamic wall papers are achieved. It basically runs an app and provides functionality for changing the wallpaper.

      I've made a live wallpaper myself and of course it doesn't just display a single jpeg. But for an app to request all of those permissions, users should be skeptical when installing the app. Unfortunately I don't think many users really read those messages or understand what they're getting into.

    31. Re:I'm confused... by Archangel+Michael · · Score: 1

      What I don't get is the warning on a curling iron that says "Do not use on eye lashes". REALLY??? I would never have known!

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
32. Re:I'm confused... by Dishevel · · Score: 1

      And to those who do not know this intuitively?

      I say let em try.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    33. Re:I'm confused... by disambiguated · · Score: 3, Interesting

      Yes that is exactly how it works. You specify which permissions your app needs in the xml manifest. These permissions are displayed to the user. If your app attempts to use an API which requires permissions not specified in the manifest, the app gets a security exception. It doesn't rely on the developer being honest.

    34. Re:I'm confused... by marcansoft · · Score: 1

      Presumably, you can request spurious permissions through the XML, but you can't use unrequested permissions in code. In other words, the OS makes no attempt to guess what permissions an app might need; it denies everything by default unless the XML lists the permission and the user accepts it.

    35. Re:I'm confused... by SparkEE · · Score: 1

      You list what permissions your app will need up front in the manifest. If your app then tries to do something that wasn't in that manifest, it won't be able to, because it doesn't have the permission. If Mr Malwharightar tries to be sneaky and omit a permission to make phone calls, then the code will not be able to make phone calls. I don't see the flaw.

    36. Re:I'm confused... by Anonymous Coward · · Score: 0

      I have to agree with all of this. We, as a society, have done our best to stop Natural Selection. This is a bad thing and has contributed to the general public being so stupid. Natural selection would allow more stupid people to filter themselves out of the gene pool.
      We need to stop protecting stupid people from themselves. If they're dumb enough to warrant a Darwin Award, LET THEM!

    37. Re:I'm confused... by Drathus · · Score: 1

      Looks like others got to this before I did, and they all answered it well. =P

      The reason it's done this way is so that the APK installation process can present and verify the rights before the app even runs. As opposed to letting an app run merrily until it tries to do something it needs permission for for the first time.

      In the FroYo Market app it's also used with the user-settable permission to auto-update per App. Apps will update automatically so long as their required permissions don't change. If they do, it gets flagged as needing a Manual update.

    38. Re:I'm confused... by notknown86 · · Score: 1

      My ADK running on eclipse under Linux definitely does not have this default. Usability-minded as they are at Google, I guess they throw in a couple of unchecked permission defaults on Windows, just to make you feel at home.

    39. Re:I'm confused... by beakerMeep · · Score: 2, Informative

      IIRC this has to do with the API change from 1.5 and earlier to 1.6 and later. Because that permission never existed in 1.6, any app targeting that platform will show as requesting the permission on 2.0+

      See the second comment here: stack overflow

The problem is that it comes up for any dev targeting 1.5 and earlier, so it comes up pretty often. Google probably could have handled the permissions differently but I can't think of any better ways off the top of my head at the moment.

      --
      meep
    40. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      Ah, ok. That's a rather key piece of information left out by Drathus's comment which indicated that the XML was the ONLY indicator of permissions.

    41. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      OP made it sound as if it relied solely on the developer adding the right permissions to the manifest and neglected to mention that Android would disallow actions not in the manifest.

    42. Re:I'm confused... by johnthuss · · Score: 2, Informative

No, this is a known bug that occurs when you want to support android 1.5, which is the oldest version still in active use (and fairly significant usage too). See this post for more info.

    43. Re:I'm confused... by socz · · Score: 1

      Thank you. You are correct because I was working on 2.1 and got that.

      --
      My abilities are only limited by my imagination
    44. Re:I'm confused... by CharlyFoxtrot · · Score: 2, Insightful

      This is what Apple figured out : KISS, keep it simple and stupid. The user (even the ones that understand it) shouldn't be bothered with this shit, if you're going to sell apps through a store you might as well do quality control at that point by a third party. Of course that approach comes with its own set of well publicized drawbacks and no approach has a 100% success rate.

      --
      If all else fails, immortality can always be assured by spectacular error.
    45. Re:I'm confused... by CharlyFoxtrot · · Score: 2, Interesting

      Android allows you to do more, but at the cost of a little extra complexity. I think an average user can handle it, I know a lot of people with average intelligence that have no problem with it. It's the users that aren't so smart that may have a hard time with it. Those users may want to consider an iPhone.

      It's not about smartness but intuitiveness. Apple doesn't want the user to have to learn a new OS (the different types of permissions, etc.) to be able to use his/her phone. The user should just be able to pick it up and do a task with as little interference as possible. We used to call this KISS and it's actually a lot harder to do correctly than to just offer up a bunch of options and configurations to the user. I picked up an android phone in a store the other day and my first thought was how busy the user interface was.

      --
      If all else fails, immortality can always be assured by spectacular error.
    46. Re:I'm confused... by Anonymous Coward · · Score: 0

The permission requested to make calls is worded much more clearly. Something like "Actions that cost you money: Making calls". But apparently that is too hard already.

      What I don't understand is why you cannot deny specific permissions. A wallpaper app that makes calls doesn't make sense. Or have the option to force the program to ask every time it wants to perform a 'dangerous' action.

    47. Re:I'm confused... by Chris+Tucker · · Score: 0, Offtopic

      Dude, What's with the Muhammad thing?

      Seriously, that was almost 1000 years ago, in a different culture and different country that essentially doesn't even exist anymore. Judging that culture at that time period is intellectual masturbation, at best.

      It would make more sense to vent your anger against the muslim assholes who use the koran to justify evil acts.

      Just like the christian assholes who use the bible to justify bombing abortion clinics and murdering gay people.

      It wasn't muslims that bombed the Murrah Federal Building in Oklahoma City, the worst terrorist act on US soil until 9/11.

      --
      Guaranteed! This comment 100% Anthrax free!
    48. Re:I'm confused... by Anonymous Coward · · Score: 0

      And you're an idiot too.

    49. Re:I'm confused... by mjwx · · Score: 1

      A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

      The application downloads the .jpg for you and sets it as your wallpaper.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    50. Re:I'm confused... by Tibor+the+Hun · · Score: 1

      Yeah, we know.

      --
      If you don't know what AltaVista is (was), get off my lawn.
    51. Re:I'm confused... by Vintermann · · Score: 1

      Should this program be allowed to make phone calls? There's really not much learning involved in being able to answer that question.

      --
      xkcd is not in the sudoers file. This incident will be reported.
    52. Re:I'm confused... by CharlyFoxtrot · · Score: 1

      Most people don't even read the popups on their desktop OS's which they've used for years and you expect them to read, consider the implication of and then act on a message in a completely different format ? Yeah good luck with that. A phone should just work and not bother you with this stuff. I want to use my apps not fill out a questionnaire. What they're trying to do is force people to take ownership of the security administration of their phone but you can't force a thing like that, people will just tune out. Let a trusted third party audit the apps for problems and you'll get "good enough" security without the pain.

      --
      If all else fails, immortality can always be assured by spectacular error.
    53. Re:I'm confused... by mizhi · · Score: 1

      And that's precisely what happens with android apps, for the most part (see other messages in this thread for known bugs with older APIs). An android application is bundled with a manifest file that provides all sorts of information about the package. The developer of an app must specify in the manifest file what permissions it is requesting for the various activities and applications provided by the package.

      When a user installs the android app from the market, they are presented with a list of the operations the app may need permission to do. In initial versions of the API, the permissions list was pretty coarse, but later APIs have added much finer grained control.

      So, as a user, if a desktop background application tells me that it needs read/write access to my contacts, the ability to access the internet, read/write access to my SD card storage, GPS device access, then my first question is: why does it need access to my contacts and to my GPS? It doesn't seem reasonable, so I don't install it.

      This system doesn't 100% protect users from a malicious application sending personal data back to a database somewhere, but it does allow them to know what an application is capable of and make semi-informed decisions.

      --
      Humorless sig goes here.
    54. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      Thanks for that insightful and yet meaningless contribution.

    55. Re:I'm confused... by mcvos · · Score: 1

      It was extremely obvious from what he said. The XML specifies what permissions the program needs. Any permission not specified in the XML, it doesn't get. So it won't have that permission, and won't be making any phone calls that it wanted to.

      It sounds like a rather simple and obvious way to handle security.

    56. Re:I'm confused... by thePowerOfGrayskull · · Score: 1
      Extremely obvious? I'm not seeing it. "You list the permissions your app needs in the AndroidManifest.xml file. They're not computed by what the app does in code.".

      I tend to think making assumptions from fairly broad statements is a good way to get into trouble. If a permission is not computed by usage, then what in that statement would make me think a runtime check is performed? It could just as easily mean that permissions are opt-in. This would be a stupid way to do things (that's why I asked for clarification as it seemed unlikely to be correct), but there's nothing in his statement that says it goes one way or the other.

    57. Re:I'm confused... by mcvos · · Score: 1

      If a permission is not computed by usage, then what in that statement would make me think a runtime check is performed?

      Because it's called "permission". If there's no actual runtime check whether you have permission for what you're trying to do, then it's not really much of a permission, is it? It'd just be a meaningless flag that doesn't do anything.

      If this isn't obvious to you, then I hope you don't do anything that involves any kind of security.

    58. Re:I'm confused... by thePowerOfGrayskull · · Score: 1

      If you frequently make assumptions that broad, I hope you don't do anything that involves code or end-users ;)

    59. Re:I'm confused... by mcvos · · Score: 1

      The only assumption I'm making is that Google isn't completely retarded when it comes to security.

      When a seemingly competent company releases an OS based on a pretty good kernel, and the OS appears to have a permission-based security system, I consider it pretty safe to assume that that's what it is. Sure, it could be merely a facade without any actual security to back it up, but that's not something I'd expect from Google. I mean, why even bother with notifying users with the permission an app needs, when there are no permissions and the security is completely absent?

      I know Google employs a lot of really smart people, and I feel it's safe to trust they don't want Android to be a joke. My assumptions would have been different had this been a Microsoft product.

    60. Re:I'm confused... by Chris+Tucker · · Score: 1

      Calling out someone on stupid, hateful, just plain dumbass shit like that clown's stupid, hateful, just plain dumbass sig about Muhammad is never off topic.

      Not here, not anywhere.

      --
      Guaranteed! This comment 100% Anthrax free!
    61. Re:I'm confused... by Dishevel · · Score: 1
      The point of the signature is to upset those who feel that I do not have the right to have that signature. That is all. It does not upset all Muslims. The crazy fucker bomber Muslims.

      Those are the ones who are getting all bent. Well them and their apologists. I want them upset.

      Also. I can name many things the Muslims are not responsible for as well. What was your point?

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    62. Re:I'm confused... by Chris+Tucker · · Score: 1

      Oh, I see.

      You're just a dick.

      OK.

      --
      Guaranteed! This comment 100% Anthrax free!
    63. Re:I'm confused... by Dishevel · · Score: 1
      Well I guess to you I am. I have worked long and hard on my personality. It is specifically crafted to make those I judge unworthy go away.

      So have fun. Later pretty sure I will not be missing much.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    64. Re:I'm confused... by MikeBabcock · · Score: 1

      So make a curated apps store for idiots. Android allows such a thing. Alternative store, replace the market icon with your own, link only to apps you approve of and sell access to your store to users who don't trust themselves.

      In fact, I'm surprised McAfee and Norton haven't done this already.

      While we're at it, cars should all be made with governors to limit speed to under 20km/h and have big rings of styrofoam all around them so that nobody ever gets hurt from incompetence with those either.

      --
      - Michael T. Babcock (Yes, I blog)
    65. Re:I'm confused... by MikeBabcock · · Score: 1

      I should've been less generic. I meant apps that simply install a series of wallpaper selections, not apps that have real functionality.

      For that matter, I used Locale for quite a while while it was in beta and had it set to change my wallpaper to a darker theme at night.

      --
      - Michael T. Babcock (Yes, I blog)
  3. This is a job for Droidwall by mlts · · Score: 2, Informative

    This is a very good reason to run Droidwall. However, the bad news is that Android apps are going to a model where they ping one of Google's servers to check if they are licensed for that user. Of course, Droidwall can be updated to allow any apps to connect to that server farm's IP address range even if they are disallowed from anywhere else, but that may take some programming.

    Droidwall also requires root access.

    1. Re:This is a job for Droidwall by jsnipy · · Score: 2, Insightful

      this is a job for common sense. Whenever you install an app it shows you what it is requesting access to. If you see a 'wallpaper of the day' app wants access to every aspect of your phone, you might reconsider installing it.

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    2. Re:This is a job for Droidwall by Anonymous Coward · · Score: 2, Insightful

      Common sense is the worst possible defense for the average user. If you want Android phones to have a tiny amount of market share among technically skilled users, that's fine. If you want a large number of Android phones available to, used by and recommended by the average user then showing such warnings is near completely useless.

      Dancing bunnies, man. Dancing bunnies.

    3. Re:This is a job for Droidwall by jsnipy · · Score: 1

      You make a valid point. Maybe then, filter out market apps that require explicit combinations of permissions

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    4. Re:This is a job for Droidwall by abigor · · Score: 4, Insightful

      You mean they'd have to wait for approval by the App Store? An interesting proposal!

    5. Re:This is a job for Droidwall by dsouza42 · · Score: 1

      ...though it wouldn't necessarily make the apps any safer: http://www.todaysiphone.com/2010/07/disguised-tethering-app-tricks-apple/

    6. Re:This is a job for Droidwall by Lifyre · · Score: 1

      Not at all. An effective application filter based upon the explicit permissions that each app asks for is easy, fast, and automated. Hell it would be nice if the Android App store allowed you to filter programs to begin with...

      --
      I'll meet you at the intersection of "Should be" and "Reality"
    7. Re:This is a job for Droidwall by causality · · Score: 1

      Common sense is the worst possible defense for the average user.

      Any defense is the worst possible if you refuse to use it.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:This is a job for Droidwall by mlts · · Score: 4, Insightful

      There is the problem: People like you, me, and almost all Slashdot readers would click "no" if a generic fart app requires a slew of security privs (power, Net, access to SMS, access to contacts, ability to kill other apps, etc.), or even worse, prompted for root privs via su.

      However, the dancing bunny problem strikes here. Joe Sixpack will click "Install" to install a cool app, only to find all his contacts being spammed with "I need $900 ransom" notices, a sky high SMS bill because the app grabs a list of phone numbers and starts sending out text messages with ads on it, maybe even drained bank accounts if he left his banking info and passwords in the Web browser.

      I think Google made one mistake with Android, and that was assuming all users would be clued Linux types who know basic UNIX sanitation. I worry though, if there are more bad apples in the bunch, that Android would start being known as a hive for malware just because there is nothing stopping Joe Sixpack from installing a "pr0n viewer app" that reams his phone.

      I like the walled garden idea, with a way to hop out, that is foreboding to a nontechnical person, but for someone with half a clue, wouldn't pose a problem. For example, the "oem unlock" command with the N1 phones and the warning stating to say buh-bye to the phone's warranty if the user wants to continue. Something to make Joe Sixpack not want to do it and actually pass on watching the dancing bunnies.

    9. Re:This is a job for Droidwall by IshmaelDS · · Score: 1

      How about a Safe and Stable section, and a bleeding edge section which has untested un-verified apps that the more knowledgeable of us could install and play with. That way they get the approval process for the bumbling idiot too.

      --
      letting an idiot know they are an idiot is not a game... it's a responsibility. - by Kristopeit, M. D. (1892582)
    10. Re:This is a job for Droidwall by Keyslapper · · Score: 1

      this is a job for common sense.

      Ok, new favorite quote. I'm gonna use that one. A lot. Probably even on myself from time to time.

      Hell, I'll probably put it on everything but ice cream.

    11. Re:This is a job for Droidwall by shadowfaxcrx · · Score: 1

      Yes, but it shows you what it's requesting access to by presenting you with a full screen, or more, of text.

      Remember what Spolsky said - normal users don't read dialog boxes. If it's more than a sentence, they just hit "OK."

      I really doubt that this story is going to have much of an effect on the average /. reader, but it will affect all those people who come running to us for tech support.

      --
      "I disagree with you" does not equal "flamebait."
    12. Re:This is a job for Droidwall by jsnipy · · Score: 1

      please read again. Not an approval process, by default users won't see apps with certain sets of permissions. Techy users can set themselves to see all.

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    13. Re:This is a job for Droidwall by Anonymous Coward · · Score: 0

      the biggest problem is that it is not clear what security access is required for function X. If you have no idea what access permissions are minimally required for an application to function correctly or do what it is supposed to do then you cannot always make the best choice to install or not install.

      I see you are quite smug in how you might know that to perform x you need permission y but that is not clear from the marketplace. Sure the app lists the requirements in nice alarming colors but how do I know that the application really needs them all to function correctly.

    14. Re:This is a job for Droidwall by lowrydr310 · · Score: 1

      I downloaded BarcodeScanner for Android, and was a bit surprised to see that it was requesting access to contacts, bookmarks, SD card, and WiFi settings. Fortunately they have a FAQ that addresses this.

      For those too lazy to follow the link, this application has the ability to generate a 3d QR barcode of your contacts, bookmarks, and WiFi settings, and also has the ability to read a barcode and store info about it on your SD card.

      They provide assurances that the data isn't used maliciously, however the only way for me to confirm that the application is 'safe' would be to review the code myself.

      The fact that they publish the code is a good thing and I'm led to assume that it's safe because the code is released and anyone can view it, but I wonder if someone did slip something nasty into a popular application, and still released the source, would anybody really catch it?

      I'm still a bit wary of the whole Android Marketplace and I try to be extra cautious because there are no guarantees that what I'm getting is perfectly safe. I just don't see how it's not possible for a popular application to have 200,000 downloads and a five star rating to be safe; couldn't one of these apps just harvest a ton of data anonymously, sending it off to one of their servers?

    15. Re:This is a job for Droidwall by w0mprat · · Score: 1

      You mean they'd have to wait for approval by the App Store? An interesting proposal!

      Bah, It'll never work. You'll never get developers for your App Store if you do that. Developers put their principles and professionalism first before money.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    16. Re:This is a job for Droidwall by zuperduperman · · Score: 1

      it would be nice if the Android App store allowed you to filter programs to begin with

      Actually that would be a powerful idea to put a stop to this kind of nonsense. If Google made categories for certain apps and then applied some default filters it would go a long way. So if I am looking at wall papers then the default filter will have no permissions and honest wallpaper app developers will make sure they don't specify any more permissions than they need.
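
      The category-default filter proposed here, together with the manifest permission model described in comment 53 (mizhi), can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Android, the Market, or any app mentioned in the thread. The per-category baseline table and the two sample manifests are constructed for illustration; the permission strings themselves are real Android permission names. The rule it implements is the one the thread converges on: hide an app by default when it asks for more than its category needs and that excess lets it both read private data (phone state, contacts, SMS, location) and move it off the device (INTERNET or SEND_SMS).

```python
"""Flag apps whose manifest asks for more than their market category needs.

Added example (not code from Android, the Market, or any app on this page).
The policy table and sample manifests are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in ElementTree's Clark notation

# Hypothetical per-category baseline: what an honest app of that kind needs.
# A wallpaper app needs no phone, SMS, contact or network access at all.
CATEGORY_BASELINE = {
    "wallpaper": {"android.permission.SET_WALLPAPER"},
    "barcode_scanner": {
        "android.permission.CAMERA",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Permissions that expose identifiers or private data (real Android names).
DATA_ACCESS = {
    "android.permission.READ_PHONE_STATE",   # IMEI/IMSI, SIM serial, line number
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
# Permissions that give the app a channel to move data (or money) off the device.
EGRESS = {
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml: root element is <%s>" % root.tag)
    return {
        el.get(NAME_ATTR)
        for el in root.findall("uses-permission")  # direct children of <manifest>
        if el.get(NAME_ATTR)
    }


def audit(manifest_xml, category):
    """Compare requested permissions with the category baseline.

    Returns the excess permissions, the subset of the excess that reads private
    data, whether the excess also contains an egress channel, and the resulting
    default-filter decision: hide when the app can both read and send.
    """
    requested = requested_permissions(manifest_xml)
    baseline = CATEGORY_BASELINE.get(category, set())
    excess = requested - baseline
    reads_data = excess & DATA_ACCESS
    has_egress = bool(excess & EGRESS)
    return {
        "excess": sorted(excess),
        "reads_private_data": sorted(reads_data),
        "has_egress": has_egress,
        "hidden_by_default": bool(reads_data) and has_egress,
    }


# Constructed sample manifests (not taken from any real app).
HONEST_WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honestwallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Honest Wallpapers"/>
</manifest>"""

GREEDY_WALLPAPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.greedywallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free Wallpapers"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("honest", HONEST_WALLPAPER), ("greedy", GREEDY_WALLPAPER)):
        print(name, audit(xml, "wallpaper"))
```

      The decision is deliberately a pairing test rather than a single-permission blacklist: INTERNET alone is needed by any ad-supported app, and READ_PHONE_STATE alone was requested by many harmless apps of that era, but a wallpaper app holding both has exactly the capability the article describes. Users who want to see everything would simply switch the filter off, as comment 12 suggests.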

    17. Re:This is a job for Droidwall by BitZtream · · Score: 1

      That's just how awesome the OS is and totally what I want ... my phone to feel like I'm running Windows ... firewall hassles and all.

      Does Norton Anti-Virus run on Android yet? That's about the only thing it's missing.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    18. Re:This is a job for Droidwall by mlts · · Score: 1

      DroidWall is not a program that runs. It is a wrapper around iptables, making a list of what apps get allowed to connect out and which get denied. Unlike software firewalls, Droidwall can be resident, but it can happily be killed without losing any protection.

    19. Re:This is a job for Droidwall by mlts · · Score: 1

      Correction: Droidwall doesn't have to be resident all the time for protection. It just makes a list of stuff, then writes some rules for the Linux kernel to allow/deny items. This is way different from Windows software "firewalls" which have to actively intercept each packet on the IP stack.

  4. Not SMS history or voicemail passwords by mdm-adph · · Score: 3, Informative

    According to this [http://phandroid.com/2010/07/29/another-app-stealing-data/].

    "Your voicemail's password is also not transmitted unless you included the password in your phone's voicemail number field."

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    1. Re:Not SMS history or voicemail passwords by BitZtream · · Score: 1

      So ... you mean ... like when you want it to auto login ... like most people want their cell phone to do ... and most companies configure by default ...

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. WHAT app? by geminidomino · · Score: 5, Informative

    What was the NAME of this evil app? Neither TFS nor TFA bother to tell us that. We got the Dev Name which is almost as good, but geez.

    1. Re:WHAT app? by blowdart · · Score: 2, Informative

      There are multiple wallpaper apps from that developer; 75 in fact if the doubletwist search is to be believed.

    2. Re:WHAT app? by moreati · · Score: 1
    3. Re:WHAT app? by black_lbi · · Score: 5, Informative

      It's not just one single app ... all apps from Jackeey Wallpaper
      http://www.androidzoom.com/android_developer/jackeeywallpaper_bofz.html

    4. Re:WHAT app? by Unequivocal · · Score: 1

      Awesome name. I'll just remember hi-jackeey..

    5. Re:WHAT app? by jgoshorn · · Score: 2, Informative

      There are several - they show up as, for example Naruto Wallpapers by callmejack. The dev's email is jackeey.wu@gmail.com. Most, if not all, appear to have gotten a comment from helpful souls indicating that they are malicious. The quickest way to find them might be a google search. ;-) Cheers.

    6. Re:WHAT app? by jgoshorn · · Score: 1

      I take that back. There are many, many. I just did a search in the Android Market for callmejack. Ouch!

    7. Re:WHAT app? by alphatel · · Score: 1

      Jackeey = HiJack + HackeySac! Whooda thunkit?

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    8. Re:WHAT app? by Anonymous Coward · · Score: 0

      I am also sick of "Andoid app rapes children, name of app not provided" stories on /.

    9. Re:WHAT app? by Anonymous Coward · · Score: 0

      What was the NAME of this evil app?

      Bing Search

  6. Face off? by notaspunkymonkey · · Score: 4, Funny

    God help anybody who used facebook and this app... there's every chance they will get home tonight and find an imposter in bed with their wife.

    1. Re:Face off? by jsnipy · · Score: 3, Funny

      the Chinese accent would be a tipoff :)

      --
      -- if you mod me down, I will become more powerful than you can possibly imagine
    2. Re:Face off? by Anonymous Coward · · Score: 0

      ... and the significantly smaller penis

    3. Re:Face off? by swb · · Score: 1

      You mean I can get out from under my Friday night obligation?

    4. Re:Face off? by Anonymous Coward · · Score: 0

      maybe for your wife, but mine knows I like to roleplay...

    5. Re:Face off? by Anonymous Coward · · Score: 0

      I'll confront him...after he manages to pay off all my bills...I promise

    6. Re:Face off? by Anonymous Coward · · Score: 0

      You insensitive clod!

    7. Re:Face off? by CharlyFoxtrot · · Score: 1

      God help anybody who used facebook and this app... there's every chance they will get home tonight and find an imposter in bed with their wife.

      Sex with your wife
      (42 people like this)

      --
      If all else fails, immortality can always be assured by spectacular error.
  7. Wallpaper app, lol by Pojut · · Score: 1

    Reminds me of advertisements in magazines where you text a code to a phone number, and they send you a wallpaper and sign you up for a subscription. Nope, they won't be sending you any text spam. Not a single piece. ::wink wink nudge nudge shank shank::

    1. Re:Wallpaper app, lol by ami.one · · Score: 1

      That's nothing, some people actually texted a huge 16 digit number in order to get some freebies but found out that it was a handset change code and their numbers got transferred to the bad guys who would use it for intl calls etc till the few hours/days that it takes to get the number/handset blocked !

  8. Unfortunately by wraithguard01 · · Score: 4, Insightful

    This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.

    1. Re:Unfortunately by Pojut · · Score: 2, Informative

      Right. Because that's worked so well. Keep in mind that these refer to apps that made it through the vetting process.

    2. Re:Unfortunately by BitZtream · · Score: 1

      Yea, except nothing is vetted on mozilla's addon collection. No one checks them before they get put on. They can come off if something is found by someone else but there is no one paid to sit there and verify BEFORE it gets put up.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Unfortunately by jellomizer · · Score: 1

      Although the Geek In me hates the Apple iStore Model. However its strict app approval process really does help remove most of the bad stuff for the phone...

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Unfortunately by arkane1234 · · Score: 1

      Pssst... you pointed out Apple apps.. Just thought I'd let you know before someone else notices and you can do something about it...
      the GP was referring to Mozilla addon collection, not Apple which only looks at the coolness factor.

      --
      -- This space for lease, low setup fee, inquire within!
    5. Re:Unfortunately by c0d3g33k · · Score: 1, Troll

      Explain to me how a few outliers are significant compared to the number of malicious apps that might have been created WITHOUT a vetting process. This says more about the vetting process and how poorly it was implemented than it does about the value of a vetting process that successfully filters a substantial number of undesirable apps.

      Introduce a vetting process that is somewhat effective though not perfect and it will still be better than the wild west that is currently the Android Market.

      I'm honestly surprised that it took so long for something like this to happen, and I attribute it to the honesty and integrity of most of the developers (or maybe their skill in remaining discreet). But there are no barriers in place that I can see to prevent an ambitious and unscrupulous developer from taking advantage of the gullible.

      When it comes to the Android Market, Caveat emptor rules the day. Some might say that is how it should be, and to a large part I agree. But there is an implicit aura of trust that surrounds the market, since it is the only "official" avenue for getting apps. There is an option in the Android settings to allow apps from "unknown sources" that comes with an ominous warning about malicious apps if you choose to enable it. That strongly implies that the apps available via the Market are to be trusted. Despite this, I've never felt that Market apps were any more trustworthy than those from other sources, precisely because there is no evidence of any vetting or other quality control.

      I would very much welcome a multi-layered market that included a vetted set of apps that could (mostly) be trusted alongside a layer or two that were more free to developers.

      As it stands right now, I just don't install anything that looks suspicious. Everything else just gets ignored. So much for "we have more apps". That means nothing.

    6. Re:Unfortunately by dfranks · · Score: 1

      Probably makes more sense to have a logo program and the ability to filter for "logo/approved" apps in the Android store. Turning on the filter by default and explicitly prompting users to turn it off the first time (with a decent warning page with guideline for what permissions apps should be asking for) would protect/inform the masses. That way Google could approve apps (and charge a nominal fee), but users with a clue can turn off the approved apps filter and avoid the Apple appstore issues.

    7. Re:Unfortunately by AndrewNeo · · Score: 4, Insightful

      Excuse me? I somehow doubt you've ever submitted an addon to Mozilla before. I have, and a real person does indeed check your code.

      From the Editor's Guide:

      Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be in the lookout for bad code.

    8. Re:Unfortunately by TangoMargarine · · Score: 1

      So basically, you just proved that the Apple app store sucks. Ergo no unified app service will ever be usable.

      Maybe it would be better if people didn't feel the need to buy a bazillion different apps. It's like the one-shot quiz apps on facebook: "Which ____ Are You?" "Ooh, ooh, I want to sign up for THIRTY-SEVEN of these!!!"

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    9. Re:Unfortunately by Anonymous Coward · · Score: 0

      Hmm, if only apps that duplicate built in functionality and run arbitrary code in the background were somehow prevented from being installed. Perhaps by an OS level restriction from installing apps that haven't been vetted by a trusted authority, like the phone's manufacturer, or the writers of the OS, or an OS level restriction on what apps can run in the background...

      Oh right, lacking those safety nets is what makes Android better than the iPhone.

      carry on.

    10. Re:Unfortunately by Anonymous Coward · · Score: 0

      There was nothing wrong with the apps other than they were copyright violations. They got pulled because the developer used stolen Apple iTunes accounts to pump up the downloads and get money. And yet, time and time again I see people either falsely claiming that either iTunes got hacked or that the apps somehow hacked people's iTunes accounts (even though they never downloaded them onto their iPhones).

    11. Re:Unfortunately by jedidiah · · Score: 1

      > Although the Geek In me hates the Apple iStore Model. However its strict app approval process really does help remove most of the bad stuff for the phone...

      Ok then...

      Where is the non-curated version of this problem in Windows? In MacOS? In Linux? In FreeBSD?

      Trojans are a considerably different problem from the autoexecution of random binaries and files that are supposed to be "just data".

      Some people are trying to conflate one problem with another in order to excuse Apple's fascist policies.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    12. Re:Unfortunately by Anonymous Coward · · Score: 0

      Are you just hoping it does? You have no idea what's done for the app approval process. I know for a fact that source code submittal is not required, so I doubt it would be hard to get anything past them.

    13. Re:Unfortunately by diamondsw · · Score: 4, Insightful

      Amazing what gets a +5 Informative these days. Adding links?

      The first example was due to a developer "hacking" accounts (i.e., guessing passwords).
      The second example is the same story as the first, from a different source.
      The final example is the only one that holds any water. And that's allowing crap apps through, not malicious ones.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
    14. Re:Unfortunately by Anonymous Coward · · Score: 1, Insightful

      That wasn't malware. It was copycat apps and someone hacking some iTunes accounts to purchase non-malware apps that had been approved for the app store. Kind of apples and oranges isn't it? Don't get me wrong, the hacking of people's iTunes accounts in order to make purchases was horrific. (Although I'm still not quite sure how he got their passwords) But the worry with Android is that it'll replace Windows as the next attack vector for malware writers. After all already many people access their bank more on their phones than their desktops.

    15. Re:Unfortunately by Anonymous Coward · · Score: 0

      Explain to me how a few outliers are significant compared to the number of malicious apps might have been created WITHOUT a vetting process.

      As soon as you explain to me how a few outliers are significant compared to the number of malicious apps that have been created WITH a vetting process.

      Seriously, did you even read any of the links posted? Here's the headline for one of them:

      Apple's app store, filled with "App farms" being used to steal.

      How is that any different than what happened here, except that this is *ONE* "App farm", instead of many?

      I'm honestly surprised that it took so long for something like this to happen,

      So - evidence plainly contradicts your expectations, and you *STILL* think the evidence is wrong? You need to pull your head out of Steve Jobs' ass - you've suffered brain damage from having it up there too long. (And that goes double for the fucktard moderators who modded you up.)

    16. Re:Unfortunately by c0d3g33k · · Score: 2, Insightful

      I've come nowhere near Mr. Jobs' ass. I am no Apple fan by a long shot (I've never purchased an Apple product in my life) and have no interest in going where the (reality distorted) sun does not shine.

      Your evidence is that malicious apps can exist in an environment where vetting takes place. You have not demonstrated that vetting has no effect on the number of malicious apps a person is exposed to. Nor have you demonstrated that the vetting was effective in your example. You might have demonstrated that Apple's vetting could use some improvement - I'll grant you that.

      I am claiming that an *effective* vetting process will *REDUCE* the number of malicious apps a user is exposed to, not that it will necessarily eliminate them entirely. So an effective vetting process is worth pursuing, because in its absence, there is NO BARRIER to the presentation of malicious apps to the user, and a user will experience more of them.

      Ok, the volley is in your court. I await your reasoned and logical response.

    17. Re:Unfortunately by isaaccs · · Score: 1

      It's worked quite well in the sense that Apple has built a massively successful app store by measure of revenue. But in terms of this conversation it's meaningless. Bad programs will get through whether there is or isn't a vetting process. I'm inclined to think fewer bad apps would get through a market with a vetting process, but I acknowledge the necessity for a free and open market that isn't controlled by Apple as well. With regards to a unified market, make no mistake, Apple and Google are on the same page. Google is the only one of the two that has actually gone so far as to disable apps on their users' devices. When Apple bans a program, it tends to ban its future sale, leaving previously purchased copies completely functional.

    18. Re:Unfortunately by ADRA · · Score: 1

      Once these 'vetted' apps are gold star approved by Google and still rip you off for all your data, is Google now put in a liable state because they said it was OK?

      No, it really doesn't matter how well the app store works. If you allow an app to run with elevated privileges (REGARDLESS of what it is/does) you will have the possibility of getting ripped off. Let's say some guy decides to write a phone book app in ruby or python. Is Google going to sift through the entire language runtime for every app that implements them? Your solution is impractical and unrealistic.

      The better approach is to:
      1. Educate users on what permissions are before they can download an application. Deny them the ability to download until they are well aware of what these permissions are, and WHY they are important. Add this to the EULA so that they can't get sued for doing it.
      2. Have Google consider sheltered hubs where apps with specific status cannot directly access public files, network, or other processes that may leak the data.

      Eg.
      I could have a 100% legitimate address book that just happens to clone all private contact data to non-app disk storage as an encrypted data 'cache' file. The app could be amazing and do everything people wanted and eventually become very popular.
      Later on, I could introduce other apps that serve other purposes, like an online news reader from the same company or as a 3rd party (doesn't matter for the exploit). This app just reads all the data that application #1 has now exposed through the file system and uses its own internet access permission to transmit the data to my collection server. In the end I have two successful apps with a privacy leak that's very difficult to find / detect for even pro devs. This is not a solution that Google (or any company) can just wave a magic wand and have disappear.

      Security is not easy, and by allowing that one malicious application on your system, you can basically throw away all privacy. It's the same on PCs, WinMo, iPhone, blackberry, etc...

      --
      Bye!
    19. Re:Unfortunately by cmorriss · · Score: 2, Insightful

      Right. Because that's worked so well. Keep in mind that these refer to apps that made it through the vetting process.

      Actually, your examples do in fact prove how well the process is working.

      Not one of the apps you describe scammed people out of money or information. They are all examples of developers using other methods to get their apps to the top of the store list to get more people to buy them.

      If that's the best you can come up with, then I think that speaks volumes to how good a job Apple is actually doing.

      --
      10 minutes working on a sig. What a waste.
    20. Re:Unfortunately by w0mprat · · Score: 1

      Right. It gets worse, it's completely possible to hide malicious code in plain sight http://underhanded.xcott.com/?page_id=2. I doubt Apple analyzes every single line of code, let alone rigorously reviews and tests applications for malicious behavior. It's simply not logistically possible. I would go so far as to say they cannot actually test for malicious code or exploitable flaws on any reasonable level, so that one has little grounds for excuse in assuming any iPhone app is 'safe' because it gets Apple's stamp of approval.

      If anything the walled garden vetting process is dangerous, it gives an enormous false sense of security to users, especially if it promises protection that is not only unfeasible but that it demonstrably cannot give.

      Give me the open source + Android security model any day. So far it's pretty good, and it will see honest attempts to improve rather than Apple's denial and lies machine.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    21. Re:Unfortunately by w0mprat · · Score: 1

      There are no links in your post so I will mod you down.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    22. Re:Unfortunately by Anonymous Coward · · Score: 0

      All of which explains how iPhones have yet to be targeted by malicious apps. Unless they have, but I certainly haven't heard of any.

      (posted anon to preserve mods)

    23. Re:Unfortunately by zuperduperman · · Score: 1

      It's not surprising at all. To get an app onto the Android store you need to provide a credit card tied to your real name and agree to the Google developer agreement. Breaking the agreement at very least gets you kicked out of the store (all of your apps, not just your malicious one) but since it is tied to a real identity it can land you in court owing damages to Google. That is not a fun place to be. As a developer I actually had a long pause for thought before I agreed to that agreement because it is slightly scary.

    24. Re:Unfortunately by BitZtream · · Score: 1

      You've obviously never submitted code to Mozilla before, I can assure you, that doesn't happen.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    25. Re:Unfortunately by BitZtream · · Score: 1

      Before you start to tell me how wrong I am, just think about the fact that Mozilla extensions can contain XPCOM objects. XPCOM objects are usually made out of javascript for simple stuff that doesn't really need to do anything abnormal.

      And then the rest are written in C++, and you get a binary, not source code in the extension.

      So ... if you can tell me how they are looking at the source of compiled XPCOM addons (particularly, the ones my company has published) I'll be very impressed.

      But that aside, I can assure you ...

      They ain't check'n every line of javascript either, Bub.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    26. Re:Unfortunately by 7-Vodka · · Score: 1

      No. Sir. There are no links in your post and you shall be modded down.

      Cue obligatory link: Muhaha

      --

      Liberty.

    27. Re:Unfortunately by stephanruby · · Score: 1

      I am claiming that an *effective* vetting process will *REDUCE* the number of malicious apps...

      While you're at it, don't discount the price developers have to pay to publish on the iPhone vs. Android. On the iPhone, it's $99 per YEAR. On Android, it's $25 period (and you're free to develop using a Mac, Windows, or Linux). Also, the lower learning curve for Android vs. iPhone developers will probably mean more malicious apps and a faster turnaround time for creating more malicious apps on Android.

      So if we want to reduce the number of malicious apps even more drastically, maybe we should just mandate that all app stores/markets increase their prices to $5,000 per year for developers. And maybe we should also think about creating a programming language that very few programmers can read or actually program in; such a language could be called 'Objective Assembly'.

  9. News flash! by moogied · · Score: 0, Troll

    In other news... stupid people get tricked by stupid tricks, rain is wet, and dry erase markers smell amazing.

    --
    So basically, -1 troll/offtopic is really Slashdot's way of saying "I hate that you thought of something before me."
    1. Re:News flash! by bonch · · Score: 2, Insightful

      Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

    2. Re:News flash! by Anonymous Coward · · Score: 0

      I do love the smell of dry erase markers..damn!

    3. Re:News flash! by Pojut · · Score: 1

      Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

      Yes. Yes it would have.

    4. Re:News flash! by denis-The-menace · · Score: 1
      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    5. Re:News flash! by abigor · · Score: 2, Informative

      None of those apps stole data from people's phones. Instead, they artificially voted one another up to generate sales, and users' iTunes accounts were hacked. That's obviously still a grievous security failure, but it's server-side, and has nothing to do with the app store's approval process.

    6. Re:News flash! by Pojut · · Score: 1

      So these apps were removed for being scams, or because they were doing questionable things...but Apple shouldn't have caught on to this during the approval process?

      That's...that's awesome. Nicely done. ::eye roll::

    7. Re:News flash! by abigor · · Score: 1

      The app store was gamed by a company or companies submitting thousands of near-identical and practically useless, though innocuous, apps that were voted up artificially. How would the app store approval process catch that, exactly? The apps themselves did not break any rules. It's more of a social engineering hack than anything else.

      The iTunes server hack was a separate thing altogether - a security failure on Apple's part, but nothing to do with apps or approval.

      Just to be clear, 95% of all apps submitted are approved by Apple. What they look for is simple:

      1. Does it work as advertised?

      2. Does it crash?

      3. Does it present a privacy violation or objectionable content (porn, basically)?

      The "objectionable content" thing is dubious, but if you want porn on your iPhone, just use the browser.

    8. Re:News flash! by Unequivocal · · Score: 1

      Unless they read the code (do they?) they'd be hard pressed to detect this exact malicious behavior before it occurred. Anyone know how this works on Apple's store?

    9. Re:News flash! by TangoMargarine · · Score: 1

      Hey, it only took you three tries to make this post on-topic!

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    10. Re:News flash! by bledri · · Score: 1

      Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

      Yes. Yes it would have.

      Those are examples of a developer "hacking" into people's iTunes accounts to buy his crappy apps, not the app itself stealing data from the phone and sending it to a server. Still sucks, but it's a different issue. I think the iTunes usernames and passwords were harvested via good old-fashioned viruses, trojans and phishing. Maybe some brute force attacks.

      --
      Some privacy policy Slashdot.
    11. Re:News flash! by abigor · · Score: 1

      There's no requirement to submit source code, though you can if you want to, I suppose. I'm not sure if they look at network activity or not - I expect they do, as there hasn't been any malware on the scale of this Android app yet. But to be honest, I think it's only a matter of time before something slips through.

      As for the iTunes hack, I was wrong - apparently, people's credit card info was stolen from their Windows PCs by malware they installed. These numbers were used to purchase tons of copies of apps by a Vietnamese developer, thus improving his app store rankings.

    12. Re:News flash! by Unequivocal · · Score: 1

      Thanks. It seems like a relatively trivial engineering activity to suppress the malicious behavior until the developer puts a "green light" beacon on his website. Having the app phone home wouldn't look suspicious on the wire during Apple's app review, and then once Apple signs off on the app, turn the beacon green and start stealing data. As you say it's only a matter of time. Unless you want to analyze every app's source code which seems ludicrous for a bunch of reasons.

      Thanks again for a little more insight into how all this is working.

    13. Re:News flash! by bonch · · Score: 1

      I really doubt it would have. Apple would have put the app through its testing process and discovered its attempt to send personal data to a third-party server.

      The examples you give aren't the same as what is being discussed here. They didn't steal personal data.

    14. Re:News flash! by bonch · · Score: 1

      The apps didn't steal personal data and send it to some third-party server. Instead, people's accounts were hacked through phishing so that the apps could be voted up in the store. So no, Apple wouldn't have caught onto it during the approval process.

      Anything else? You're not very good at this.

    15. Re:News flash! by Anonymous Coward · · Score: 0

      An app that uses no custom APIs (which would have been caught), and enables functionality that the phone supports natively. Had they attempted to get out of the sandbox with custom APIs to steal user data, the app would have immediately failed certification.

    16. Re:News flash! by nacturation · · Score: 1

      So these apps were removed for being scams, or because they were doing questionable things...but Apple shouldn't have caught on to this during the approval process? That's...that's awesome. Nicely done. ::eye roll::

      The apps were perfectly fine and didn't scam anything. From the Independent article a few posts up:

      "... it is estimated that hundreds of Apple customers have become victims. It is thought that some may have been hit by a "phishing" scam, in which an apparently legitimate email convinces the recipient to part with sensitive information."

      This is no different than if some phisher sends you an email purportedly from your bank, and you click on it and give them your banking account number and password. The phisher then goes on a spending spree and buys Android phones with your money. Now, you'd be hard-pressed to argue that Android phones are a scam... it's a means of generating revenue for the phisher if it's bought from their store or if they can sell the phones.

      Similarly, if users fall for a phishing scam through email and they click on a link in the email, go to some rogue iTunes-like website, give their iTunes account info, and the phisher uses that harvested account info to buy and positively rate the phisher's apps... that doesn't mean the apps being bought are a scam -- it's simply a means of generating revenue for the phisher.

      However, please don't let the facts interrupt a good eye roll. I'm sure it's cathartic for you to vent your anti-Apple sentiments on a routine basis.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    17. Re:News flash! by HeronBlademaster · · Score: 1

      but Apple shouldn't have caught on to this during the approval process?

      Please explain how an app approval process can catch something external to the approval process (hacking iTunes accounts through means other than apps) and which hasn't happened yet at the time the approval process takes place.

    18. Re:News flash! by HeronBlademaster · · Score: 1

      Unless you want to analyze every app's source code which seems ludicrous for a bunch of reasons.

      Apple doesn't examine the source code but it does check to see if the app uses any unapproved APIs. That sort of check is relatively trivial and easy to automate.

      My understanding (which is possibly incorrect) is that you would have to use unapproved APIs in order to steal data, and that would get your app rejected.

    19. Re:News flash! by Unequivocal · · Score: 1

      Unless your app's legitimate/purported purpose involves those same APIs. Apple may make malware authors jump through a few more hoops which might be deterrent enough for now, but they don't strike me as running a service that can inherently protect consumers from malware (as opposed to software which Apple or other trusted developers might provide which is much much less likely to have bad things in them).

    20. Re:News flash! by IamTheRealMike · · Score: 2, Informative

      Read the paper by Nick Seriot to see what iPhone apps can do without users being aware of it. And given that iPhone apps can be obfuscated to avoid automatic analysis by Apple, the real question is, how many apps are on the app store that steal your data without anyone knowing about it? Bear in mind that this report is here because Android apps tell you what they can do when you install them. All this company did was grep the market for apps that seemed to request more permissions than they should for their category.

    21. Re:News flash! by CharlyFoxtrot · · Score: 1

      But if you do include malicious code you are running real risks. First off you can be ejected from the store, second all your revenue goes through Apple so maybe they can claw some of it back, third you have to have a legit business to accept the money coming through Apple which you have now opened up to lawsuits from both Apple for not adhering to store policies and your customers.

      --
      If all else fails, immortality can always be assured by spectacular error.
  10. I'm not by toxygen01 · · Score: 0, Flamebait

    an apple lover, but I believe there is a reason other than money, why appstore exists. It's because it offers people prevention exactly from cases like this one. ... and makes the platform "well bred".

    1. Re:I'm not by Anonymous Coward · · Score: 1, Informative

      I'm not convinced that such an app would necessarily be caught by Apple's model. Apple doesn't even really review the source code; there was a tethering app disguised as a flashlight app that made it to the app store and stayed there until the media brought attention to it.

    2. Re:I'm not by geminidomino · · Score: 1

      You might want to read this cousin post and the links contained therein before you hold on too tightly to that belief.

    3. Re:I'm not by Anonymous Coward · · Score: 1, Insightful

      I'm not convinced that such an app would necessarily be caught by Apple's model. Apple doesn't even really review the source code; there was a tethering app disguised as a flashlight app that made it to the app store and stayed there until the media brought attention to it.

      The iOS App Store approval process might not have caught this; but there is a non-zero probability it might have. Of course, given the problems with the approval process, there is also a non-zero possibility that Apple might have unintentionally blocked it for reasons having nothing to do with security. In any case, it would be interesting for Apple to release statistics on how many malware apps the App Store has blocked.

      The current Android app distribution system, totally lacking any security review, has a zero probability of catching malware. Anyone with a brain knew that this was a significant possibility inherent in the more open model that Google has championed. However, this presents Google with a serious potential long-term problem--if Android phones are perceived as being insecure, it will impact sales. The market reaction will be interesting the first time somebody having a heart attack tries to dial 911 on an Android phone and dies because the phone said "u bin pwned noob!" instead of calling the rescue squad.

      Fans of Android can mock Apple for its antenna woes and screwy app approval process (and rightly so); but if Android ends up being constantly hacked, it will hurt the Android platform far more than Apple's antenna and App Store problems. Nobody wants to have to download and manage anti-virus apps or firewalls onto their cell phone. That would make Apple look prescient for establishing a system that offers at least some promise of blocking malware from the iPhone ecosystem.

    4. Re:I'm not by h4rr4r · · Score: 1

      Too bad it does not. The fact is malicious and even tethering apps have gotten through. You are a fool.

    5. Re:I'm not by HeronBlademaster · · Score: 2, Insightful

      What malicious apps have gotten through Apple's approval process? I'm open to any links you may have. Don't bother linking to the guy who hacked into iTunes accounts and used them to buy his otherwise legitimate app -- the app itself was not malicious, so there's no reason to blame the approval process for the incident.

      You say "tethering apps" as if that's a bad thing. The app didn't steal any data, or use any APIs that could reveal the user's personal data. Apple checks all submissions against their list of approved APIs... an app that steals personal data would have to use unapproved or custom APIs and would therefore be rejected from the app store.

      I'm not saying Apple's approval process is perfect, but it *is* set up to catch malicious data-stealing apps.

    6. Re:I'm not by neonKow · · Score: 1

      I'd rather say it's because people find technology scary and would rather have someone hold their hands about it, and Apple's business plan relies and thrives on that.

    7. Re:I'm not by isaaccs · · Score: 1

      A fool is someone who thinks that because any given deterrent does not achieve 100% success, all deterrents are completely useless. Go ahead and apply that logic to any scenario you can construct in life.

    8. Re:I'm not by mjwx · · Score: 1

      an apple lover, but I believe there is a reason other than money, why appstore exists. It's because it offers people prevention exactly from cases like this one. ...

      And everyone then jailbreaks because the platform does not allow them to do what they want, which of course makes them more vulnerable to social engineering attacks as well as maintaining exploitable vulnerabilities in the OS.

      Jailbreaking on the iPhone I equate to showering in prison. It may seem like a good idea (from a hygiene perspective) and you pretty much end up with no other choice but to do it due to the restriction of the warden, but in the end you've just dropped your pants and left yourself exposed and very vulnerable.

      and makes the platform "well bred".

      The gentry of Europe tried this once, keeping the bloodlines pure and noble. In the end they became so inbred it's not funny (If you think this is a joke, think about Prince Charles and Camilla bumping uglies and there certainly is a lot of ugly to bump).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    9. Re:I'm not by Anonymous Coward · · Score: 0

      Look, if you want to correct someone, fine.

      But don't talk like you know what you're talking about.

      "unapproved or custom APIs and would therefore be rejected from the app store."

      At that point, it's clear you are not a programmer, so..please..just stop...

    10. Re:I'm not by HeronBlademaster · · Score: 1

      I'm not sure what you mean. Apple can easily scan for which iOS functions a particular app is linking against. If that list includes APIs which are not on Apple's official "approved" list, then they can reject the app on that basis alone. That part could easily be entirely automated.

      At this point, it's clear *you're* not a programmer, so please, just stop. (For the record, I am a programmer, and apparently a better one than you.)

  11. Implied Racism! by darkmeridian · · Score: 4, Funny

    I am surprised, shocked, and dismayed to see a fine journalistic source such as Slashdot stoop to yellow journalism, as it were. There is absolutely nothing suspicious about the origin of the website being in Shenzen, China and the summary's implication of this is absolutely untoward. I expect a full apology posted immediately, then duped again tomorrow.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Implied Racism! by Anonymous Coward · · Score: 0

      The question begged is: Why would an (allegedly) non-Chinese application want/need to use a Chinese server?

      Could easily have been in Romania, Russia, Indonesia, Iceland, etc.

    2. Re:Implied Racism! by Anonymous Coward · · Score: 0

      lol... "yellow" journalism... hahahahahahahahah

      good troll is good

    3. Re:Implied Racism! by FuckingNickName · · Score: 1

      A NYC lawyer blogs. http://www.chuangblog.com/

      A catawampus squint reveals an implication that NYC lawyers chew wang.

      Well, a fight with RIAA is never clean...

    4. Re:Implied Racism! by newdsfornerds · · Score: 1

      HAHAHA! I got chewed out by my girlfriend's Vietnamese friend for referring to an "oriental" market I shop at. I'm a round-eye, so according to her I'm not allowed to use that word. Problem is, the market has "oriental" in its fricking NAME! Turns out the Vietnamese girl's brother is an "Asian Studies" major at a college in Calif. Heh.

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
    5. Re:Implied Racism! by Anonymous Coward · · Score: 0

      Shenzen... Isn't that where all Apple products ship from? Maybe the real problem is in Cupertino!

    6. Re:Implied Racism! by Existential+Wombat · · Score: 1

      Ah, reading this as chewing out your girlfriend's Vietnamese friend - great mind-visual...

    7. Re:Implied Racism! by newdsfornerds · · Score: 1

      She does body (bikini) waxing for a living although she may offer "happy endings" as well. I'm not sure.

      --
      Damping absorbs vibrations. Dampening is caused by moisture.
  12. Why would you need it by Anonymous Coward · · Score: 1, Interesting

    Do you really need to know the name of the app in order to avoid it? I think that you should know well enough to avoid wallpaper apps! Those (and screensavers) were something like number 1 way for viruses to spread on computers in the late 90s or so. The same people who fell for those then can now afford expensive phones and fall again for the same scam.

    1. Re:Why would you need it by geminidomino · · Score: 2, Insightful

      No, you don't need the name in order to avoid it, but it might be useful, I dunno, to see if one already HAS it.

      Just sayin'.

    2. Re:Why would you need it by Anonymous Coward · · Score: 2, Funny

      "Nobody has it in use. Once they discovered it, millions of Google security researchers downloaded it to run sandboxed or on AVDs." - Google Spokesperson

    3. Re:Why would you need it by BitZtream · · Score: 1, Insightful

      ... The name of the app is the second most important factual piece of information that should have been gathered. Second only after the fact that it does it.

      Yes, it would be useful to know what it is called. Some non-geeks who bought into the whole 'the droid is better than the iphone' bullshit, who don't realize it's better for geeks, not idiots, may download and install the app.

      Some of those people I may know, and if I simply knew the name I could tell them not to do it.

      Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, it's far easier on all of us'

      What the fuck is wrong with you?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:Why would you need it by AltairDusk · · Score: 2, Funny

      Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, its far easier on all of us'

      What the fuck is wrong with you?

      You imply that you're tech-savvy and then in the same post assume Apple will protect them? Sneaking code by Apple is completely impossible! Oh wait...

    5. Re:Why would you need it by Anonymous Coward · · Score: 0

      If it's idiot-proof security you need, RIM (or a "dumb phone") is the only real choice. Everything else gets pwned all the time. Cue the whining fanboiz with their rationalizations...

      --
      DUH!

    6. Re:Why would you need it by Anonymous Coward · · Score: 0

      You imply that you're tech-savvy and then in the same post assume Apple will protect them?

      Reading comprehension fail

    7. Re:Why would you need it by h4rr4r · · Score: 1

      Such apps have been found on the apple app store as well. Idiots are not safe anywhere.

    8. Re:Why would you need it by MrHanky · · Score: 1

      Oh, so you "have to" tell them to buy an iphone? What the fuck is wrong with you?

    9. Re:Why would you need it by Anonymous Coward · · Score: 0

      The tethering app didn't steal your information and send it to China. Doing so on an iPhone would require custom APIs that would be caught by the vetting process, as it would require a custom API to get out of the sandbox.

    10. Re:Why would you need it by bm_luethke · · Score: 1

      The problem here, and it is a longer-term one that Apple and many of its supporters run into, is that the iPhone isn't remotely secure from this in any shape, form or fashion.

      So, you go tell someone who had this or this or this and see how far your credibility goes.

      These phones are now general purpose computers that happen to have devices that make them capable of making phone calls. If you think that your general purpose computing device is immune to these types of things then you will most likely one day get a nice big shock. Apple is really good about their reality distortion field making people think they somehow can't have this type of thing happen, mostly people who should really know better, but reality is that it doesn't.

      Apple gets more apps submitted than their entire staff could filter to that level of security, indeed they would need to be one of the largest employers in the world to do so. Apple can't protect you, all they can do is make you feel good about having lousy security. It is not their fault it is lousy either, they simply can't provide non-lousy security for millions of devices and many many thousands of applications one may download. Personally the Android market place's significant difference in freedom more than outweighs the slight benefit in security and what little difference there is can be more than mitigated if you just read what the app accesses.

      --
      ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
    11. Re:Why would you need it by Anonymous Coward · · Score: 0

      Apple will protect you. Apple will protect you from the terrible secret of screen saver. Do you have root on your phone?

    12. Re:Why would you need it by Zero__Kelvin · · Score: 0

      "Yes, it would be useful to know what it is called. Some non-geeks who bought into the whole 'the droid is better than the iphone' bullshit ..."

      You must be some kind of moron if you can't figure out that the Android OS is far superior to what Apple has to "offer". The only bullshit is the garbage you are spewing.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  13. What will they think of next??? by Anonymous Coward · · Score: 0

    A screensaver with a virus?

    1. Re:What will they think of next??? by Anonymous Coward · · Score: 0

      They already did that with Ubuntu users despite all the proclamations that Loonix was immune to such things.

    2. Re:What will they think of next??? by 0123456 · · Score: 1

      They already did that with Ubuntu users despite all the proclamations that Loonix was immune to such things.

      I don't know what Loonix is, but no-one ever said that Linux was immune to a virus, only that it's very hard to create one because of the restrictive user permissions.

      The screensaver in question required you to download a .deb file from the web and then install it with root permission. When you're dumb enough to run random downloads as root it's game over on any operating system.

      And, in any case, wasn't it just a trojan rather than a virus? I don't remember it actively spreading anywhere.

    3. Re:What will they think of next??? by mjwx · · Score: 1

      but no-one ever said that Linux was immune to a virus, only that it's very hard to create one because of the restrictive user permissions.

      Bingo, it's OS X users who claim an inherent immunity to virus and malware.

      Linux users take threats seriously. But this one came in via the user, which is the weakest point of any computer system's security no matter which platform. An unused Windows XP box connected to the internet with AV and Auto Updates on is safer than a used Ubuntu or Mac as almost all security in this day and age is dependent on the user not being stupid.

      And, in any case, wasn't it just a trojan rather than a virus? I don't remember it actively spreading anywhere.

      I'd say it was neither, perhaps a Trojan with the wallpaper being camouflage, but it fits the definition of spyware better, like Gator, Bonzi Buddy or Facebook.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  14. People will click through anything by Coopjust · · Score: 5, Insightful
    1. Re:People will click through anything by Nerdfest · · Score: 1

      Sadly there are reasons a wallpaper application would actually require full internet access, such as loading new pictures, etc. The fact it's a wallpaper application is not really that relevant, it could have been anything. I'm not sure of the depth of review at Apple, but I'm fairly sure the same thing could be slipped through without too much trouble. Poorly behaved applications are going to appear from time to time on any platform.

    2. Re:People will click through anything by thePowerOfGrayskull · · Score: 1

      Sadly there are reasons a wallpaper application would actually require full internet access, such as loading new pictures, etc. The fact it's a wallpaper application is not really that relevant, it could have been anything. I'm not sure of the depth of review at Apple, but I'm fairly sure the same thing could be slipped through without too much trouble. Poorly behaved applications are going to appear from time to time on any platform.

      Internet? Sure. Phone, google account, location, and contact data? C'mon. Why would anyone grant these permissions?

    3. Re:People will click through anything by duranaki · · Score: 1

      It wasn't the internet access that was suspicious, it was the access to your google accounts and your personal information. The app is relevant because it at least lets you identify absurd permission requirements. I've avoided installing some things because there is a clear mismatch between what it says it does and what it asks permission to do. But I do agree it's easy to make malicious apps that can justify their permission requests. If a wallpaper app claimed to make wallpapers using your contacts icons, it would obviously need access.

    4. Re:People will click through anything by Actually,+I+do+RTFA · · Score: 1

      I agree... but is there some way to solve this?

      Because "popup dialog requesting access" is clearly a failed model. I wonder if there is a better permissions method.

      --
      Your ad here. Ask me how!
    5. Re:People will click through anything by 0xdeadbeef · · Score: 1

      A kid tricked Apple into letting a tethering application through. So yeah, of course this could end up on the Apple app store.

      The thing this story misrepresents is that voicemail passwords were not "hacked". Everything else this application purloined is also available to every other application with the same capabilities, because there are legitimate reasons for some applications to use them.

      All of these problems would go away if people had more knowledge and control over the data that goes in and out of their devices. For some reason, we built our computer infrastructure on a model of secret promiscuity, on the ideology of "it's good to share everything!" and "hide everything complicated from the user, and make decisions for them!"

    6. Re:People will click through anything by arth1 · · Score: 1

      Location can be relevant. Backgrounds might change based on where you are (flags, languages, weather, moon phase, what have you).

    7. Re:People will click through anything by HeronBlademaster · · Score: 1

      A kid tricked Apple into letting a tethering application through. So yeah, of course this could end up on the Apple app store.

      Right, because an app exposing native phone functionality using approved APIs is totally the same as an app using unapproved APIs to steal user data.

      (Remember, Apple's approval process checks the app to see whether it's using any unapproved or custom APIs.)

    8. Re:People will click through anything by thePowerOfGrayskull · · Score: 1

      True; but location also wouldn't give away anything personal. Doesn't help with the others though...

      I've taken to being less forgiving of apps that don't explain specifically what each permission is needed for. Developer laziness (or more likely - simple lack of awareness) is a lot of what contributes to the "click through it" mentality. When users want to use an app and are given no guidance as to what it's actually needing permissions for - they'll grant them out of habit, so that they can do the task at hand.

    9. Re:People will click through anything by ADRA · · Score: 1

      All of which can pretty well be extrapolated to a comfortable level of accuracy with IP geo tracking features. If not, there's always 'coarse' geo location which doesn't specifically know where you are, just the general area. I don't know the range of accuracy here, so it still may be pretty invasive.

      --
      Bye!
  15. Update from TFA - No capture of text messages by miknix · · Score: 2, Informative

    Update from TFA:

    Update: Lookout notes it does not capture browsing history and text messages: It collects your browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone.

    Looks like it doesn't collect browsing history and text messages after all.

    1. Re:Update from TFA - No capture of text messages by ircmaxell · · Score: 1

      From the actual article linked by the OP:

      Specifically, the app does collect data from your phone, but only the device's phone number, subscriber identifier, and voicemail number fields are retrieved.

      I understand that this is newsworthy, but the Summary was blatantly wrong when it was posted, let alone with future information...

      Besides, the app requested this info from when it was installed. If you just clicked "ok" when it asked for permission to access your personal data and the internet, then it is not malware. Malware is doing something besides what it is telling you. Sure, it's not telling you its sending that info elsewhere, but it is telling you that it is accessing it.

      Besides, there have been a LOT of Apple fanbois that have been using this to bash the "open system"... One thing that I must ask is if it asked you for access to that information, and you said ok, how is this the fault of the open system? In fact, I would rather have the system tell me what an App has access to than to trust a draconian dictator...

      Yes this is bad. Yes it should be pulled from the market. But how many apps like this exist for both platforms that just haven't been found first? At least with Android, you get to see what the app has access to, so if you don't think it needs that access don't install the app. It seems (oddly enough, given Google's privacy nightmare) the better platform if you care about your privacy IMHO...

      --
      If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  16. Developers Bitch by codepunk · · Score: 1, Flamebait

    Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but Apple is doing a fairly good job of protecting its ecosystem.

    --
    Got Code?
    1. Re:Developers Bitch by mdm-adph · · Score: 2, Insightful

      As we've seen from the "colored flashlight app that's really a tethering app," I don't know why people are still putting their trust in Apple's "approval" process as far as safety is concerned. They obviously don't check the code behind an app -- today it's a tethering app, tomorrow it's one that's sending your data to China (if it doesn't already exist, and I'd be surprised if it didn't).

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    2. Re:Developers Bitch by Skuld-Chan · · Score: 1, Informative

      Yet this happened to Apple (according to Steve Jobs interview with Walt Mossberg at All Things D) - there was an app that shipped that was reporting prototype OS versions back to a marketing company - and it was an approved application.

    3. Re:Developers Bitch by Pojut · · Score: 0, Redundant

      Right. Because that approval process has worked without any flaws.

    4. Re:Developers Bitch by Anonymous Coward · · Score: 0

      Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but Apple is doing a fairly good job of protecting its ecosystem.

      They do not. We've got a nice stream of GPS locations and other statistics pouring in, and we're selling this data for good revenue.
      I won't tell you what the app appears to do but let's just say Apple didn't check the code.

    5. Re:Developers Bitch by codepunk · · Score: 1

      I never said their process is safe but I can tell you for a fact that they do a comprehensive check on each and every app. Will it catch everything? Nope, in fact I am pretty certain I could get quite a bit of stuff past the approval process. It may however be very difficult to do so without getting found out or tracked down for doing something like that.

      --
      Got Code?
    6. Re:Developers Bitch by mdm-adph · · Score: 1

      "Comprehensive" apparently means a different thing to Apple than it does to the rest of the world, eh. I'd imagine it means they'd check the code. Apparently, as with the magic flashlight-tethering app, it doesn't.

      I'd much rather they spend that time looking at the code rather than making sure the app doesn't have "teh boobz" so that Jobs' delicate humors won't be upset.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    7. Re:Developers Bitch by kyz · · Score: 5, Informative

      Apple is doing an equally bad job of protecting its ecosystem.

      There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

      Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html

      Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

      MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/

      Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/

      Apple don't look at the source code of apps, they just test the binary and scan it for badness.

      Provided the binary encrypts its strings, and does nothing dodgy during the short testing window (less than two weeks), Apple approve it.

      Apple's custodianship doesn't protect you from determined data thieves, only the incompetent ones.

      Android market, while just as bad as Apple, at least gives you the opportunity to decide if you want an app based on what permissions it demands. If it demands too much, you reject it. Once you give it the "OK", it can't turn around and demand more. I'd prefer that Apple added that (telling you what permissions the code has, not letting it have more), even if they keep their approval process.

      --
      Does my bum look big in this?
    8. Re:Developers Bitch by kyz · · Score: 1

      they do a comprehensive check on each and every app. Will it catch everything? Nope

      "Comprehensive". You keep using that word. I do not think it means what you think it means.

      --
      Does my bum look big in this?
    9. Re:Developers Bitch by Anonymous Coward · · Score: 0

      The approval process didn't do any good when data was stolen from Apple users a month or two ago. A bunch of people were charged for apps they never bought, and several apps were removed from the app store, but a full explanation from Apple was never offered.

    10. Re:Developers Bitch by godrik · · Score: 1

      Well, I like the Debian-like (or whatever-like) repository version of that which basically states: "I, a Debian developer, believe this application is safe". You can add more repositories if you want but you acknowledge that they are not Debian-signed by doing so.
      That won't protect everybody, but that definitely helps.

    11. Re:Developers Bitch by diamondsw · · Score: 2, Interesting

      The tethering app wasn't discovered because it was extremely difficult to trigger - it required very specific network settings, a multi-step setup process, and tapping different colors in a specific pattern just to enable the tether. Very different from discovering an app is sending your data off wholesale.

      The hidden tethering app is only going to be discovered via thorough code decompilation and analysis. Sending chunks of data to a random server for no appreciable purpose can be found easily via tcpdump.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
    12. Re:Developers Bitch by diamondsw · · Score: 3, Insightful

      Such reporting wasn't disallowed until very recently. There was a very good reason for it as well - developers then got that data back so they could tell how many people were still on old OS versions, what the uptake was on a new OS, and could plan their features and releases accordingly.

      The only reason Apple got upset is it revealed prototype OS versions in their lab as a side effect.

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
    13. Re:Developers Bitch by Anonymous Coward · · Score: 0

      Stop reposting this off-topic stupidity, please.

    14. Re:Developers Bitch by ultramk · · Score: 1

      I don't know. If malicious apps have actually made it through the app store approval process, we certainly haven't heard much about them. There have been instances where people's iTunes account info was grabbed off a compromised PC and then used to generate fraudulent app sales, but that isn't quite the same as having a malicious app. That's probably why the flashlight tethering app was such a surprise--with the number of submitted apps that have gone through, this is the only one to be able to pull off something like this? On the other hand, there have been quite a number of Android marketplace apps identified as having malicious intent.

      Neither approach is perfect, but it's not as if the risk is identical.

      I realize that this isn't a popular viewpoint on this site, but I'm glad that both models exist (walled garden and wild west) in the marketplace right now. Competition is good, especially when the alternatives have markedly different approaches. (unlike say, Visa and Mastercard, which are essentially identical)

      Eventually, there are a couple different possible outcomes: 1. one model or the other will prove to be so overwhelmingly superior that the other will either fold up, or incorporate the relevant parts of the other's strategy. 2. It will turn out that there are enough users with such divergent tastes/priorities/platform loyalty that both marketplaces will flourish and grow independent of each other.

      --
      You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
    15. Re:Developers Bitch by h4rr4r · · Score: 1

      No they do not, they don't even check the source. This means I can make an app that looks at my webpage for a string and during the approval process have it say "Do No Evil", then later change it to "Rape the Bastards" which tells it to steal everything.

    16. Re:Developers Bitch by goofballs · · Score: 1

      The tethering app wasn't discovered because it was extremely difficult to trigger - it required very specific network settings, a multi-step setup process, and tapping different colors in a specific pattern just to enable the tether. Very different from discovering an app is sending your data off wholesale.

      yup, different. much more like THIS iphone app. ;D http://www.pcworld.com/article/188595/

    17. Re:Developers Bitch by MrHanky · · Score: 1

      You know perfectly well that it's not the reason why it exists. And as others have pointed out, it doesn't really work all that well either.

    18. Re:Developers Bitch by mdm-adph · · Score: 1

      Like I continue to say -- all it would've taken was a look at the codebase, as Apple apparently doesn't do. I'm not talking about the front-facing UI of the app -- I couldn't care less.

      A halfway competent programmer would've been able to take one look at the code for this "flashlight app" and seen that it wasn't what it claimed to be.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    19. Re:Developers Bitch by Anonymous Coward · · Score: 0

      I checked out a number of the developer's apps (seemingly now "callmejack")... (for example: http://www.androidzoom.com/android_themes/wallpapers/kitty-wallpapers_caxy.html)

              * android.permission.ACCESS_NETWORK_STATE
              * android.permission.INTERNET
              * android.permission.READ_PHONE_STATE
              * android.permission.SET_WALLPAPER
              * android.permission.WRITE_EXTERNAL_STORAGE

      Some of the apps have fewer permissions. I can't see which of these permissions grants access to the "your voicemail password, as long as it is programmed automatically into your phone", can you? It does ask for your phone identification (READ_PHONE_STATE), but a lot of the applications use this to lock apps on to your phone as a poor-man's DRM.

      I think this is more of a scare tactic than anything else. (notice the two laptops from Google's "archnemesis" =P sitting in the picture of the article)
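The permission-versus-purpose check that this thread keeps coming back to (duranaki's "clear mismatch", kyz's "if it demands too much, you reject it", and the list quoted above), written out as an added example that is not from any commenter or from the app in question. It parses a constructed AndroidManifest.xml carrying the five permissions quoted above, compares them with an assumed baseline for an image-fetching wallpaper app, and reports whether the app holds both a data-reading permission and a way to send data off the device.

```python
# Added example (not from the thread): triage an Android app's declared permissions
# against what its advertised purpose plausibly needs. The manifest is constructed;
# the permission names are the ones quoted in the comment above.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical wallpaper app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Permissions that expose device identity or personal data. READ_PHONE_STATE is the
# one the comment above singles out: TelephonyManager's line number, device and
# subscriber IDs, and voicemail number are all gated by it.
DATA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone number, device/subscriber IDs, voicemail number",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.GET_ACCOUNTS": "account names on the device",
}

# Either of these lets an app move data off the device.
EXFIL_PERMISSIONS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}

# Assumed baseline: what a wallpaper app that downloads images plausibly needs.
WALLPAPER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.SET_WALLPAPER",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml, baseline=WALLPAPER_BASELINE):
    """Compare declared permissions with a baseline and flag exfiltration capability.

    'unexpected' lists permissions outside the baseline; 'data_access' maps each
    data-exposing permission to what it reveals; 'can_exfiltrate' is True when the
    app can both read personal data and send it somewhere.
    """
    perms = declared_permissions(manifest_xml)
    data_access = {p: DATA_PERMISSIONS[p] for p in sorted(perms) if p in DATA_PERMISSIONS}
    return {
        "declared": sorted(perms),
        "unexpected": sorted(perms - baseline),
        "data_access": data_access,
        "can_exfiltrate": bool(data_access) and bool(perms & EXFIL_PERMISSIONS),
    }


def format_report(report):
    """Render a triage report as human-readable lines."""
    lines = ["Declared permissions: %d" % len(report["declared"])]
    for perm in report["unexpected"]:
        why = report["data_access"].get(perm, "not in baseline for this app type")
        lines.append("UNEXPECTED %s (%s)" % (perm, why))
    if report["can_exfiltrate"]:
        lines.append("RISK: reads personal data and can send it off the device")
    return lines


if __name__ == "__main__":
    for line in format_report(triage(SAMPLE_MANIFEST)):
        print(line)
```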

    20. Re:Developers Bitch by Anonymous Coward · · Score: 0

      Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but Apple is doing a fairly good job of protecting its ecosystem.

      Pundits bitch about the Great Firewall's approval process but this is exactly why it exists. Yes it would be nice to sever ties with the Great Firewall but China is doing a fairly good job of protecting its ecosystem.

    21. Re:Developers Bitch by HeronBlademaster · · Score: 2, Insightful

      The approval process didn't do any good when data was stolen from Apple users a month or two ago. A bunch of people were charged for apps they never bought, and several apps were removed from the app store, but a full explanation from Apple was never offered.

      So I guess you think that it's totally irrelevant that a) the stolen data had nothing to do with the app approval process, and b) the data was not stolen by the approved apps?

      Yeah, let's blame the approval process for something to which it is completely unrelated. *eye roll*

    22. Re:Developers Bitch by chartreuse · · Score: 1

      A halfway competent programmer would've been able to take one look at the code for this "flashlight app" and seen that it wasn't what it claimed to be.

      ... So apparently Google doesn't have any halfway competent programmers. Good catch!

    23. Re:Developers Bitch by neonKow · · Score: 1

      I can tell you for a fact that they do a comprehensive check on each and every app.

      citation needed! so much citation needed!

      They apparently don't even check the size of the code, so unless you've got something more convincing than "you can trust me," I call BS. You know less about the process than a 15 year old developer.

    24. Re:Developers Bitch by mdm-adph · · Score: 1

      No... Google doesn't "screen" applications, nor claims to.

      Try again.

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    25. Re:Developers Bitch by isaaccs · · Score: 1

      Apple is so sloppy with their corporate operations, their retail operations, their user interface conventions, their marketing campaigns, their software and hardware engineering... don't even get me started on the app approval process. It only follows that they're massively successful in every arena they play in (ok, 'cept appleTV).

    26. Re:Developers Bitch by Anonymous Coward · · Score: 0

      "I can tell you for a fact that they do a comprehensive check"

      Having just had our app approved...

        Apple filled out the wrong name for the company (they copied the wrong field from the paperwork). Never fixed it; when asked, claimed it's too hard to fix, so they won't bother.

      - So if our App was malicious Apple's users would have no idea who wrote it.

        Every feature in the app depends on a web service. Apple never asked if we control it, let alone requiring proof. If the service changes, the behaviour of the app changes...

      - So if our App starts behaving in an unacceptable fashion we have an easy excuse, which Apple can't invalidate

        For testing we provided Apple with a user account on the web service. They used it exactly twice, doing practically nothing.

      - So they didn't see more than a fraction of the features, and have no way to know if it behaves the same for other user accounts (we provided them exactly one) or under other circumstances.

      The reality is that the "Comprehensive" check is like the searches at airports. It's inconvenient but it doesn't really do much to make anyone safer. Follow the money, in this case, right into Steve Jobs' pockets.

    27. Re:Developers Bitch by recharged95 · · Score: 1

      Huh, last I knew most [big company] apps in the Apple app store take your location, contacts, and other information for the purposes of sharing with other vendors, aka spam data (pretty much the same stuff). And with the adoption of iAds... And the app approval process has no problem approving and selling those apps. And all you need are trojans to the approval process to game it and unlock features to get more critical info like passwords.


      The approval process is not there for your security, it's there to maximize Apple's 30% [free-n-clear] take away from developers and to protect its IP/apps. Basically, it's for their security.

    28. Re:Developers Bitch by Anonymous Coward · · Score: 0

      Yes because this article clearly shows android users are capable of intelligently deciding what an app should and shouldn't have access to. Tool.

    29. Re:Developers Bitch by mjwx · · Score: 1

      Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but Apple is doing a fairly good job of protecting its ecosystem.

      No, developers bitch about the App Store approval process because it's more about keeping out applications and developers that Steve doesn't like rather than actually checking applications. This is why developers can re-submit a rejected application with nothing more than a version number increment and get it approved. The process is so vague and inconsistent; this is what people are complaining about.

      Furthermore, the "master Steve doesn't like your app" policy is what is driving end users to jailbreak, which leaves the iPhone more vulnerable. With Android, even on a rooted Android, an application needs to ask permission to read the phone state (which is all this one did), so if you click through it's your own damn fault.

      Has Apple caught one malicious application within the App Store?
      No.
      Then how do we know it's working? At least Google and the Android community are watching out for me and I know they can spot problems.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    30. Re:Developers Bitch by BitZtream · · Score: 1

      I'd prefer that Apple added that (telling you what permissions the code has, not letting it have more), even if they keep their approval process.

      The OS asks you for permission before many operations. I'm not sure what the complete list is but it at least includes dialing, contacts and geo location. It has since it first came out.

      After you say yes so many times it seems to stop asking you, not sure what the logic is there. I know Safari keeps prompting me when using location stuff on web pages like Buzz.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  17. 50k or 4 million? by SuperKendall · · Score: 0, Troll

    The original VentureBeat article claimed the wallpaper app had been downloaded 50k times. So where is the new figure from?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:50k or 4 million? by Aladrin · · Score: 1

      They were both pulled out of someone's ass. Google doesn't release those stats.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:50k or 4 million? by HTH+NE1 · · Score: 1

      PC Mag reports 4.6 million. However...

      Brian Heater writes:

      News about the app serviced during a talk given by Lookout yesterday at the Black Hat conference in Las Vegas, the app, which offers desktop wallpapers featuring designs from Star Wars, My Little Pony, and more, collects SIM card numbers, text messages, browsing history, and voicemail passwords. The app in questions has reportedly been downloaded as much as 4.6 million times.

      ...due to the multiple errors in writing, it accuses the Black Hat conference of doing the data theft.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    3. Re:50k or 4 million? by AndrewNeo · · Score: 1

      Huh? It says right in the Marketplace listing how many times an app has been downloaded.

  18. I was going to troll, but... by Xaedalus · · Score: 3, Insightful

    When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.

    --
    Here's to hot beer, cold women, and Glaswegian kisses for all.
  19. Android needs a sandbox. by yog · · Score: 4, Informative

    This is sort of like the early days of MS-DOS, back when everyone trusted everything they downloaded.

    Although Android apps do run in a security "sandbox" whereby they can't access the user space of other apps (see http://developer.android.com/guide/topics/security/security.html for more information), they can and do access the general configuration information of the phone such as personal data, phone calls, and SIM information, and some apps obviously need to use the phone's dialup or networking capabilities.

    At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

    I think there needs to be some sort of sandbox where apps can reside prior to full release into the wild. Probably, most users won't understand how to use such a feature, but knowledgeable users would make use of it, and ultimately it would help promulgate security concepts into the general consciousness. Power users who write reviews and prominent blog pieces on Android will be able to help guide the masses to safer use of apps.

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
    1. Re:Android needs a sandbox. by MistrBlank · · Score: 1

      You mean like the much aligned method used in iOS.

      The end result is users and developers complaining they are walled in.

    2. Re:Android needs a sandbox. by MistrBlank · · Score: 1

      should have been maligned...

      And no I'm not saying it's bad, I agree that's how it should be, but the stupid users clamor for things they don't understand.

    3. Re:Android needs a sandbox. by Skuld-Chan · · Score: 1

      It's actually very similar to Windows now. Every single infected machine that ends up on my desk was because of some wallpaper/cursor pack/toolbar app that ran amuck because it was actually malware.

      Users really need to get into the habit of not downloading frivolous apps. If you want a cool wallpaper - download the picture and use the included gallery to crop the picture the way you want it.

    4. Re:Android needs a sandbox. by thePowerOfGrayskull · · Score: 1

      At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

      That's a bad habit to be in - why would you get into it? Deny first - go back and approve only after you see what doesn't work.

      This isn't an Android issue, it's common sense for any platform.

    5. Re:Android needs a sandbox. by Anonymous Coward · · Score: 0

      O the naivety of Usenet denizens in the early 80s!

    6. Re:Android needs a sandbox. by AndrewNeo · · Score: 1

      See, there's the thing. They -can't- access this information unless you give them permission. Trying to read it without throws an exception. And it's been said plenty of times before, this app, like all others, had to ASK for permission at install time, and the users hit Install nonetheless.

    7. Re:Android needs a sandbox. by Anonymous Coward · · Score: 0

      It had better be a well-written sandbox!!!

      if (check_for_giveaway_clue_of_sandboxing() == TRUE)
              play_nice();
      else
              do_dirty_stuff();

    8. Re:Android needs a sandbox. by Anonymous Coward · · Score: 0

      Were people actually downloading in the early days of MS-DOS?

    9. Re:Android needs a sandbox. by Spad · · Score: 1

      we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way

      We're not, we always check what an app will have access to and weigh it against what the app is claiming to do to see if they match up - or were you using the royal we as well?

    10. Re:Android needs a sandbox. by 0123456 · · Score: 1

      Were people actually downloading in the early days of MS-DOS?

      Ever heard of a BBS? Ah, guess not.

    11. Re:Android needs a sandbox. by monkeySauce · · Score: 1

      we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

      Speak for yourself. If something doesn't look right about the permissions an app requires, I don't install it. If I wanted it badly enough I might contact the developer for clarification but so far there are enough apps out there that I've always just found another app that performs the same function without requesting whatever permission I thought was suspect.

    12. Re:Android needs a sandbox. by Anonymous Coward · · Score: 0

      Letting the user know what resources the app will access seems like a superficial step for security. Actually being able to see what the app is doing beyond the sandbox might help. How do you tell if an app that has a legitimate use for a permission isn't doing something illegitimate in the background, i.e. big wooden horse.

    13. Re:Android needs a sandbox. by h4rr4r · · Score: 1

      Considering windows never tells anyone what apps are going to be touching, I say it does a far better job.

    14. Re:Android needs a sandbox. by BancBoy · · Score: 1

      Assuming you are not a troll, yes.
      I was downloading at least as far back as DOS 2.1 on my own hardware and on earlier versions as well.
      And now you know...

      --
      [UID-HeinzIntel]
    15. Re:Android needs a sandbox. by Anonymous Coward · · Score: 0

      1) the '== TRUE' is unnecessary
      2) that's the point of a sandbox

    16. Re:Android needs a sandbox. by Nethead · · Score: 1

      Even my Commodore 64 had a modem.

      --
      -- I have a private email server in my basement.
    17. Re:Android needs a sandbox. by Nadaka · · Score: 1

      My older brother downloaded off BBS's with a c64 and 300 baud modem in the early 80's.

    18. Re:Android needs a sandbox. by ShadsKitty · · Score: 1

      That's not how it works--you don't get to pick and choose which permissions an app gets. It's "this app will access these things, install or cancel"

      not to say being able to select what permissions each app gets wouldn't be a nice thing in some respects, but it's not how it works.

    19. Re:Android needs a sandbox. by Rich0 · · Score: 1

      The problem is that you can't revoke permissions for an app - you can only not install it.

      What I want is to be able to run that app that wants 48 permissions, but only give it 3. The other 45 then give bogus data to the app. Maybe that means the app can't run, or maybe it just means that I get the utility of the app without it phoning home with all my personal info.

      Android forces a false dichotomy.

    20. Re:Android needs a sandbox. by initialE · · Score: 1

      Thing is, an app can have a legitimate use of a certain function, and an additional malicious use of it. Without code review, you're only going to get a single security prompt, which you would allow, of course; that's what you wanted your app to do for you.

      --
      Starbucks, Harbuckle of Breath.
    21. Re:Android needs a sandbox. by Tim+C · · Score: 1

      since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing

      Speak for yourself. I have certainly declined to install a few apps that asked for permissions that I did not believe they really needed.

  20. Middle Ground by djpretzel · · Score: 0

    I think it's time to explore the happy medium between the "Big Brother" Apple vision and the "Wild West" that is the Android marketplace... this is the type of bad PR that can & should change some policies.

    1. Re:Middle Ground by cduffy · · Score: 2, Informative

      The apps (or rather, the Android Market) told you at install-time that they wanted access to your Google accounts. Anyone who didn't back out on seeing that... well, I wouldn't say "deserves what they get", but I will say "was adequately forewarned".

    2. Re:Middle Ground by thePowerOfGrayskull · · Score: 1

      this is the type of bad PR that can & should change some policies

      This is the type of PR that has nannies running about to enact new policies to "protect the users" -- when if the users had paid attention in the first place (eg - denied the requested permissions) this never would have been a problem. Don't punish the few because the many can't or don't read.

    3. Re:Middle Ground by djpretzel · · Score: 1

      Bad, knee-jerk analogy - removing this application from the marketplace isn't "punishing the few" - who on Earth would ever want it? Policies to prevent similar apps would only be beneficial, so long as they were *sanely* implemented, and specifically addressed security/deceptive practices, not profanity, obscenity, etc. A basic level of review for security and some very OPEN standards would be a good thing. Doesn't /. moderate its comments for a reason??

    4. Re:Middle Ground by djpretzel · · Score: 1

      Hey, don't tell me, I know. But studies show people will basically answer "Yes" to anything, and there's no reason a BASIC level of scrutiny couldn't be applied to Android marketplace apps, especially those that do access account info, without going too far and blocking legitimate apps as Apple has. Actually, there is a reason, and I suppose it has to do with cost and trying to juxtaposition Android as the "open" alternative, but "open" doesn't have to mean "jam-packed with spam apps & sexy wallpaper crap that steals data if you're not careful"...

    5. Re:Middle Ground by c0d3g33k · · Score: 1

      That can be easily addressed via social engineering.

      Here's an example of what seems to be a benevolent app that required some questionable permissions to do some very useful things. The app in question is the official XBMC remote control app, for which the source code is thankfully available. The point is, however, that certain potentially dangerous permissions (or combinations of permissions, like Internet access plus access to contacts) are sometimes needed to perform harmless but useful functions. In the wrong hands, though, the same permissions can be fraught with danger.

      Here are the XBMC Remote App's permissions explained (http://code.google.com/p/android-xbmcremote/wiki/Permissions):

      We don't like apps demanding permissions that don't seem obvious, so here we'll explain each permission XBMC Remote asks prior to installation:

      INTERNET - We need to connect to XBMC. The INTERNET permission actually controls any socket, internet or not, so this is unavoidable.

      ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, CHANGE_WIFI_STATE - We've introduced an option that avoids connecting to XBMC when not connected to WiFi. In order to check this we need these permissions.

      VIBRATE - Remote control screen lightly vibrates to give a more realistic user experience (configurable).

      READ_PHONE_STATE - We have a feature that pauses anything playing on incoming calls. In order to receive this event, we need this permission.

      RECEIVE_SMS - The feature that displays SMS on the TV screen needs this permission in order to obtain the messages.

      READ_CONTACTS - In order to display contact info (and picture) on incoming calls or messages, we need permission to read the phone book.

      READ_SMS - When displaying SMS, we actually display the first part of the message, so we'll need read permissions of SMS.

      WAKE_LOCK, DISABLE_KEYGUARD - A requested feature was overwriting the power manager to keep the processor from sleeping or the screen from dimming. This is configurable, but we'll need the permissions in any case (activated or not).

      WRITE_EXTERNAL_STORAGE - In order to save cover and poster thumbnails locally for caching purpose, we need write access to your SD card. This permission was introduced with Android 1.6.

      Explained this way, the permissions seem quite reasonable. In fact, they are necessary for the app to work properly. Yet because Google/Android grants permissions as they do, they still require a "trust us" post like this to explain why the permissions are needed.

      The take-home point is that even people that are actively trying to personally filter apps by screening the permissions can't do a good job of it, because quite a few apps need risky permissions to be useful. So often it still comes down to "trust us", and that's just not the most comfortable situation. It could be done much better.

      I'd prefer the ability to selectively reject certain permissions, or at least be able to whitelist them rather than allowing everything wholesale at install time. NoScript can be a PITA, but it's a good model of how this could work. Allow questionable actions only by permission at run time, and allow them to be revoked at any time. I could live with that.

    6. Re:Middle Ground by thePowerOfGrayskull · · Score: 1

      Removing the application shouldn't be necessary. In the same way a /. comment will get modded into oblivion, the app will lose all credibility.

      There comes a point where you must expect users to be responsible for themselves. The OS already does what it should: it provides granular permission controls and allows the user to decide what to allow. (I daresay BB OS does it one step better, in that it allows the app to include detailed explanations with the prompts. Though Android's UI for it is better... )

      Whether the user chooses to blindly accept that, or whether they actually question why a wallpaper app needs access to their phone books, should absolutely be up to the user.

      The only thing you can put on top of the controls already in place are the standards you mentioned -- but those standards require people to sit down and review the code of every app coming in the door.

      I think comparing this to /. comments is a good analogy though not in the direction you intended: anyone can submit anything and it is published. Only after the comment is published does it get reviewed for behavior (community etiquette/standards); if it fails that test it gets hidden from view -- though not deleted if you want to see it anyway.

      Apps today already have stringent requirements: the OS will not allow them to do anything that the user says is bad. Trying to add additional review requirements on top of that will only slow down the process for the vast majority of legitimate developers; and punish those few people who are willing to take responsibility for themselves when installing applications to their devices.

    7. Re:Middle Ground by djpretzel · · Score: 1

      Excuse my ignorance, but to continue your supposedly improved analogy, if I post a comment that is nothing but spam, filled with links to malware, illegal torrents, or whatever, it doesn't get deleted, and /. readers can still see it? I would have expected otherwise, based simply on the potential legal repercussions & CYA policies... that's really what we're talking about, here - violations of law, or at least terms of service...

    8. Re:Middle Ground by thePowerOfGrayskull · · Score: 1

      As all analogies must, that one begins to fall apart there -- 230 of the Communications Decency Act ensures that forum owners are not generally liable for the content posted by participants.

  21. I saw this app... by bit+trollent · · Score: 1

    I remember looking at the permissions required for this background image application thinking, why could a wallpaper application really need my contacts, location, browsing history etc.

    If you live and breathe technology like we do, it was obvious that this application was spyware.

    I've got the "Lookout" application on my phone, both for the location based phone recovery, backup, and antivirus. I wonder if the company will one day use my backups for profit, sleaze, or stupidity.

    At the end of the day, life is insecure. I fret over every application I install to my computer. The same is true of my phone. I also assume that the government already reads all my text messages.

    I don't begrudge Apple for keeping a close eye on application store. I just insist on the kind of flexibility and power that android applications have.

    You won't find a text message reading background application on the iPhone app store. You also won't find a replacement for the home screen, because Apple doesn't approve of that.

    You win some, you lose some.

  22. Who's gonna start an Apple scrutinizing flamewar? by adosch · · Score: 1

    It's too bad that malicious people have to ruin an open-source forum like the Android with crap like this. I can see why Apple scrutinizes over the application approval process because I'm sure this is one concern on top of just being plain difficult about the whole matter.

    I guess I don't have a criminal mindset and have put my tomfoolery hat away; it's bad enough having hack and malicious threats on the computer level, now my phone? I miss the days of my 2x10 backlit serial display analog cell phone that did nothing more than dial a phone number.

  23. News Flash Stupid People Dupped Again! by Nethemas+the+Great · · Score: 1

    The platforms may vary but at the end of the day, this is just yet another stupid article about stupid people giving away their private data because they did something stupid. Since we, or at least anyone in IT, engineer and support alike already know that stupid people do stupid things why are these articles considered "news worthy" here? Is it meant to inspire us to come up with our own interesting ways to dupe stupid people? Surely we get enough reminders in our day to day that we don't need them for that.

    --
    Two of my imaginary friends reproduced once ... with negative results.
    1. Re:News Flash Stupid People Dupped Again! by Anonymous Coward · · Score: 0

      News Flash Stupid People Dupped Again!

      Dupped is not a word, Alleged Smart Person.

    2. Re:News Flash Stupid People Dupped Again! by sjonke · · Score: 1

      Millions of Android users can't be wrong!

      --
      --- What?
    3. Re:News Flash Stupid People Dupped Again! by Nethemas+the+Great · · Score: 1

      My humblest apologies for accidentally including an extra 'p'...

      --
      Two of my imaginary friends reproduced once ... with negative results.
  24. Re:Private API's by uprise78 · · Score: 1

    let the down-modding begin! adios to your score. you can't go into an android thread and start saying private API's are a good thing. recipe for disaster. Open is god! Open is right!

  25. Well, they do ask by AC-x · · Score: 1

    Looking at one of these apps ("Dark World Wallpapers") the app asks for the following permissions:

    - Storage - modify/delete SD card contents
    - Your location - coarse (network-based) location
    - Network Communication - full Internet access
    - Phone calls - read phone state and identity

    It's nice android warns what permissions an app needs, but some of them (especially the "Phone calls" section) could be worded better to make it clearer what an app can potentially do.

  26. And the evil overlord said by cyberzephyr · · Score: 1

    (Deep voice): Hahahahahahaha we got them my minions

    --
    I'm here for the experience, not the Hyperbole.
  27. Typo in summary. by ElectricTurtle · · Score: 1

    It's Shenzhen, not Shenzen. And note to gweilos: 'zh' is pronounced roughly like a 'j' in 'Benjamin'.

    --
    I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
    1. Re:Typo in summary. by mjwx · · Score: 1

      It's Shenzhen, not Shenzen.

      Oh for Mao's sake, this is /. what did you expect. Consider yourself lucky that the submitter ran the thing through an En_US spell checker.

      And note to gweilos: 'zh' is pronounced roughly like a 'j' in 'Benjamin'.

      Some of us have actually been to China and know this. Oh fuck it, /. is American (or so they tell me), knock yourself out.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  28. what are permissions for ? by Anonymous Coward · · Score: 0

    people that installed that app are just stupid... I don't mean you... I mean people.... there should be an app, something like 'faceplant', counting how many apps you have that require permissions for things that they aren't supposed to do...

  29. Agreed by Anonymous Coward · · Score: 0

    This is also a good reason for companies like Apple, Microsoft and Intel to work towards integrating strong encryption in their own products to prevent the free development of applications for any computers, handheld or otherwise. In essence, all computers should be like iPhones and Xbox360's. Only by locking down the software and making sure no one can freely develop apps can we prevent the scourge of malicious applications! This is why I oppose all open source development, as well. When you use an "open" platform where there is no centralized authoritarian approval process, you are in essence, promoting malicious software. Linux is used by hackers, for example. This has to be stopped by whatever means are necessary.

  30. Parent didn't say "iPhone" or "Apple" by weston · · Score: 1

    Right. Because that's worked so well. Keep in mind that these refer to apps that made it through the vetting process.

    Knees jerking much? The parent mentioned Mozilla's add-ons, not Apple's App Store.

    Also, you should note that the stories you're linking to are about the hacking of iTMS accounts for the abuse of a community rating system, rather than rogue spyware apps stealing personal data.

    I personally don't know whether Apple's approval process or Mozilla's add-on review process has a better or worse record of screening out such things, but if you're going to go all "linky! looky! Apple has apps with these problems too!" you should make sure that you're talking about the same thing as the article. Or the parent comment you're responding to.

  31. soylent green is people by Anonymous Coward · · Score: 0

    tell everyone!

    Oh and wallpaper apps are trouble... but just about everybody knows that right?

  32. The developer was given funding by... by aapold · · Score: 1

    someone named "Job Stevens"

    --
    "Waste not one watt!" - CZ
  33. Open Source Apps only! by Alain+Williams · · Score: 1

    Seems like a good reason for a repository of open source apps for android; these can be built by an independent team - i.e. not the author. Then, hopefully, 'many eyeballs' would spot issues such as this.

    OK: there is still an opportunity for new apps, or recent 'urgent' patches, to do evil before they have been looked at, but the risk is greatly reduced.

    1. Re:Open Source Apps only! by operand · · Score: 1

      You can only spot an issue when you see the issue. The problem with simply applying the tag of *Open Source will correct the problem* is garbage. Do you really think people will search through every single app available on any Market place looking for security flaws?

      Windows 7 Phone/Marketplace will actually scan applications before they go live looking for patterns across the code. If they find that parts of the code are accessing secured data then they are investigated by the Development team or some other Level. Then it's up to that group to determine the risk.

      --
      string.Empty();
  34. Re:Private API's by brainboyz · · Score: 1

    Apple's private API setup would work for geeks IF they put a checkbox in the config like Android does for app installs to allow 3rd party utilization. Walling off the API is fine if I can override the manufacturer's wall if desired.

  35. Remote Application Removal by I'm+Not+There+(1956) · · Score: 1

    Now they can use their Remote Application Removal feature.

    --
    "If fifty million people say a foolish thing, it's still a foolish thing."
  36. We need to advance security another step by bill_kress · · Score: 1

    Okay, so the iPhone vetting process sucks and the Android is too easy to install malware on.

    I've noticed that with chrome, each extension I install asks for permission to use a specific list of services. I'm assuming that if they try to use a service that they haven't asked to use, they will be denied.

    I'd really like this to be THE universal security measure. When I install a game, I expect it to tell me that it wants to use the registry (under its name only), read/write the hard disk (under its directory and user/saves) and the Network.

    If I install word and it tells me it wants to use the network, I expect I'd be able to uncheck that selection and word would function but it would be completely blocked from using the internet at the OS level.

    These apps really need to be sandboxed. This generally involves a virtual memory space, but I think Google should be able to pull it off.

    In the long run I think Google is headed in the right direction, I'm not sure Apple will be able to keep up in the security arena. Apple is stuck compiling to C which is a little harder to sandbox--Google can manipulate its code a little better and already has the right idea (if not in the right department yet).

    1. Re:We need to advance security another step by mlts · · Score: 1

      Maybe a good idea is to have three sets of ACLs an app needs to function:

      The minimum set so the item can run: For a game, it would be no added permissions, although the user wouldn't be able to save their high scores on a networked server.

      Typical permissions: Network access, etc.

      Maximum permissions: This is to ensure that an app that is handed carte blanche is not given everything. For example, an app that stipulates that it does not need root permissions, etc. For example, a flashlight app (unless it has a hidden SOCKS proxy) should not need access to the contact list, nor need to have incoming/outgoing SMS rights available to it.

    2. Re:We need to advance security another step by ADRA · · Score: 1

      Android may be in Java (for the non-NDK based code anyways) but there is still a lot that one can do to bleed information to other apps. My first post on this topic described a quite viable and very difficult security hole to find or fix. Google may have an easier time attempting this, but it's still a LOT of work to get it done. BTW, Android does have inter-app RPC which is yet another conduit of communication beyond just internet / filesystem.

      One could say that Google's easy to integrate android API encourages apps to reuse each other's functionality to better lift the platform and its integration. This also means that there are many vectors where apps can leak data between one another. Take a stupid example: From my non-internet permission contact book app, I can ask the web browser to navigate to 'http://myhomepage/a/encryptedcontactdata' which could just redirect the browser user to Google, an about page, or whatever. The only issues with such a vector are:
      1. The activation of the internet browser has to be legitimately integrated with the app in order for savvy users to not get suspicious. An about page would be a great example. The user may have forgotten that the app in question didn't have internet access to begin with.
      2. If there are multiple browsers on the system, the user will be prompted to select the browser they want to use. At this point the user could just hit the back button to cancel the activity altogether.

      --
      Bye!
  37. Android really needs something akin to UAC by DrXym · · Score: 1

    It's not enough for an app to say what things it needs to do. By default any action by a 3rd party app involving personal data or phone calls should explicitly request user permission each and every time it is accessed. If the user really trusts an app they could disable these screens from the app's management settings.

    1. Re:Android really needs something akin to UAC by Anonymous Coward · · Score: 0

      No. Vista tried that and it failed miserably. At some point people who use tools need to learn HOW they work. We don't expect people who drive to be isolated from the rules of the road, why do we expect people who use computers to be isolated from the rules of application management?

    2. Re:Android really needs something akin to UAC by DrXym · · Score: 1

      UAC didn't fail at all. It was the incredibly annoying dialogs popping up all the time that forced vendors to make their apps compliant with the security model and to stop abusing it. Windows 7 got an easier ride precisely because Vista took the pain and whipped the apps into shape. Where UAC had failings was that there was no way to train, tweak or otherwise affect its behaviour except to turn it off completely.

  38. Why I like the App Store process by TheSync · · Score: 0, Flamebait

    This is one of the reasons why I don't mind the Apple App Store process. I'm sure it's not perfect, but at least I know Apple has taken a look at apps I run on my phone (although I think they should ask for the source code and have Apple compile it themselves if they want to be really sure).

    Regarding App Store approval, I wrote an iPhone app and it took just 1 week for approval.

  39. Gee, if only... by Nitewing98 · · Score: 1, Flamebait

    ..if only there was a phone that had a tightly controlled app store that would at least have a chance of catching stuff like this before it gets into the wild. Oh. Wait. There is. Never mind.

    --
    Nitewing '98
    Everything works...in theory.

    1. Re:Gee, if only... by DeskLazer · · Score: 3, Insightful

      you apparently missed the comments in the threads above; things have still snuck by the apple store folk. the only real way to catch this stuff is be conscious of what you're installing, and report suspicious items.

      from user -kyz:
      Apple is doing an equally bad job of protecting its ecosystem.

      There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

      Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html

      Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077

      MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/

      Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/
      the moral of the story is, it doesn't matter if it's closed or open-source. the end user is still the difference maker.

  40. Re:Who's gonna start an Apple scrutinizing flamewa by Anonymous Coward · · Score: 0

    If it was black, square, and actually made phone calls I'd buy one just to look badass. Especially if it was only 2x10 serial. Maybe 3x20 or something so it could say 'incoming call from'

  41. Who is behind it? by Anonymous Coward · · Score: 1, Interesting

    Let's see, a simple whois shows:

    Administrative Contact Name: Ice Ysl
    Administrative Contact Organization: 1sters
    Administrative Contact Address1: china
    Administrative Contact City: shenzhen
    Administrative Contact State/Province: guangdong
    Administrative Contact Postal Code: 86
    Administrative Contact Country: China
    Administrative Contact Country Code: CN
    Administrative Contact Phone Number: +7.5526814587
    Administrative Contact Email: iceskysl@gmail.com

    A google search on iceskysl@gmail.com comes up with a surprising number of hits. No fake email here.
    Android Intent is so powerful and great.
    Our boy has been busy on the Android
    And it goes on...

  42. Copyrighted Material? by Anonymous Coward · · Score: 0

    Was stating that the app is used to render stolen copyrighted material your big chance to try to impress us with a big word?

    Just because an application displays pictures doesn't mean its sole intent is to somehow promote copyright infringement, any more than implying that a camera's sole purpose is to do the same.

  43. There is a lot of FUD in these stories by gotpoetry · · Score: 3, Interesting

    These wallpaper apps cannot access your contact's phone numbers, SMS messages or personal information.

    Check out the manifest permissions on the apps in question. It is the last item that is the problem.

    - Storage - modify/delete
    - Your location - coarse (network-based) location
    - Network communication - full Internet access
    - Phone calls - read phone state and identity

    The permission only allows the app to read the IMEI number of your phone (your hardware's unique identifying number), your phone number, and your currently programmed voice-mail number. If you hard coded your voice-mail password as part of your voice-mail number, then they have that too.

    They shouldn't be stealing this info, and Google should separate "read phone state" from "read identity", but the stories on this app stating that your SMS's, contacts and grandmother's girdle are being stolen and sent to China are just plain wrong.
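
The two checks commenters above apply by eye, as an added example that is not code from the thread, from XBMC Remote or from any app discussed here: comment 5's point that a data-reading permission paired with a path off the device (INTERNET, SD card writes) is the risky combination, and comment 25's and comment 43's question of why a wallpaper app needs "read phone state and identity" at all. The manifests are constructed from the permission lists quoted in those comments, and the expected-permission profiles are hypothetical.

```python
"""Screen an AndroidManifest.xml for risky permission combinations and for
permissions an app's stated purpose does not explain. Added example; the
manifests and expected-permission profiles below are constructed, not real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS      # ElementTree's form of android:name
P = "android.permission."

# Permissions that expose personal data, with what comment 43 says they reveal.
DATA_PERMS = {
    P + "READ_PHONE_STATE": "IMEI, phone number and voicemail number",
    P + "READ_CONTACTS": "the phone book",
    P + "READ_SMS": "stored SMS bodies",
    P + "RECEIVE_SMS": "incoming SMS",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "ACCESS_FINE_LOCATION": "precise location",
}
# Permissions that give that data a way off the device or to other apps.
EXIT_PERMS = {
    P + "INTERNET": "any network socket",
    P + "WRITE_EXTERNAL_STORAGE": "files on the SD card that other apps can read",
}


def perms(*names):
    return {P + n for n in names}


# Hypothetical profiles: what each kind of app plausibly needs to do its job.
# The media-remote profile mirrors the XBMC Remote wiki list quoted in comment 5.
EXPECTED = {
    "wallpaper": perms("INTERNET", "WRITE_EXTERNAL_STORAGE"),
    "media-remote": perms("INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
                          "CHANGE_WIFI_STATE", "VIBRATE", "READ_PHONE_STATE",
                          "RECEIVE_SMS", "READ_CONTACTS", "READ_SMS", "WAKE_LOCK",
                          "DISABLE_KEYGUARD", "WRITE_EXTERNAL_STORAGE"),
}


def short(perm):
    return perm.rsplit(".", 1)[-1]


def parse_permissions(manifest_xml):
    """Collect every <uses-permission android:name="..."/> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def exfil_pairs(declared):
    """(data, exit) pairs: personal data the app can read that also has a way out."""
    return sorted((d, e) for d in declared if d in DATA_PERMS
                  for e in declared if e in EXIT_PERMS)


def unexpected(declared, profile):
    """Declared permissions the app's stated purpose does not account for."""
    return sorted(declared - EXPECTED[profile])


def report(manifest_xml, profile):
    """Human-readable findings for one manifest under one purpose profile."""
    declared = parse_permissions(manifest_xml)
    lines = [f"{short(d)} + {short(e)}: {DATA_PERMS[d]} can leave via {EXIT_PERMS[e]}"
             for d, e in exfil_pairs(declared)]
    lines += [f"{short(p)}: not explained by a {profile} app; ask the developer why"
              for p in unexpected(declared, profile)]
    return lines


def manifest(*names):
    """Build a minimal constructed manifest declaring the given permissions."""
    body = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="example.constructed">'
            f"{body}</manifest>")


# The four permissions quoted for "Dark World Wallpapers" in comment 25 / comment 43.
WALLPAPER = manifest("WRITE_EXTERNAL_STORAGE", "ACCESS_COARSE_LOCATION",
                     "INTERNET", "READ_PHONE_STATE")
# The XBMC Remote permission list quoted in comment 5.
XBMC_REMOTE = manifest("INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
                       "CHANGE_WIFI_STATE", "VIBRATE", "READ_PHONE_STATE",
                       "RECEIVE_SMS", "READ_CONTACTS", "READ_SMS", "WAKE_LOCK",
                       "DISABLE_KEYGUARD", "WRITE_EXTERNAL_STORAGE")

if __name__ == "__main__":
    for name, xml, profile in (("wallpaper app", WALLPAPER, "wallpaper"),
                               ("XBMC Remote", XBMC_REMOTE, "media-remote")):
        print(f"== {name} ==")
        for line in report(xml, profile):
            print("  " + line)
```

Run stand-alone it shows the point of comment 5: the combination check fires eight times on the benign remote and only four times on the wallpaper app, so combinations alone cannot separate them; only the purpose check singles out READ_PHONE_STATE and ACCESS_COARSE_LOCATION on the wallpaper app.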

  44. But Apple had one first by initialE · · Score: 1

    --
    Starbucks, Harbuckle of Breath.
  45. Android needs a less overwhelming security UI by dirtyhippie · · Score: 1

    Android has really granular security, which is great! Everything from using bluetooth to writing to the sd card has a permission which the developer must explicitly ask for. The problem is that there are *lots* of these permissions, and a user is presented with a list at install time! I installed an IM client the other day (Nimbuzz, which is popular enough and has a good reputation AFAIK), and I don't even remember the 2 screens of permissions which I agreed to.

    When presented with "This application has access to the following":
    Your location: coarse (network-based) location
    Network communication: full Internet access
    Phone calls: Read phone state and identity
    System tools: display system-level alerts, modify global system settings, prevent phone from sleeping, retrieve running applications ...
    Uses bluetooth
    Writes to your sd card
    Changes your volume settings .....
    Executes instruction 0xdeadbeef

    Even a geek's eyes glaze over - everybody just clicks ok and hopes for the best.

    And to take the Nimbuzz example again, I am quite sure I agreed to authorize permissions which are associated with features I will never use. The fact that there is no way to say "grant this permission but not that one" is a shortcoming which needs to be fixed. There should probably be an "Advanced..." dialog for that, and some system that catches runtime violations and asks if you want to change your settings to allow them or not.

    1. Re:Android needs a less overwhelming security UI by crimperman · · Score: 1

      The fact that there is no way to say "grant this permission but not that one" is a shortcoming which needs to be fixed. There should probably be an "Advanced..." dialog for that, and some system that catches runtime violations and asks if you want to change your settings to allow them or not.

      Couldn't agree more. There should also be some way to find out _why_ this app needs access to those services and whether they can be disabled within the app. For example a game that says it needs access to the Internet might only "need" it if you use the high scores submissions part, but would otherwise be safe to use if you disable that bit.

  46. Doubt anyone can pull that off... by caekys · · Score: 1

    Doubt anyone can pull that off, I have full faith with my left hand.