Many More Android Apps Leaking User Data
eldavojohn writes "After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
They finally get to the part I care about, which is the list of apps they tried. Look at page 9 of their paper in PDF format.
The problem here is that the apps themselves are closed, so you can't inspect the code to see if this kind of thing is going on.
It may just be sending some statistical data so the server can form better assumptions about the user and thus provide better service in the future. Or it may be sending such data for nefarious purposes. Without accessing the code, you can't know, and worse you can't control it.
Java was an interesting implementation language choice in Android, but with the browser-based interface, perhaps Javascript would have been a better system language. It would have been open and users could have more control over their own phone.
Unless removing such control is precisely why Google did it.
15 of the 30 got on their list due to providing location data for advertising. I hardly consider that sending your personal data as the article implies.
Does anyone have a comprehensive list of which apps are sharing data? Or better yet, is there a website where we could report such behavior, and that information would be viewed by others?
"We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
How exactly is one supposed to do this? What is the process for building trust vis-a-vis apps when the only protection you receive from your service provider is "don't walk into dark alleys you don't trust"?
All apps have access to r/w your sdcard, and to get your identity (esn/imei/meid/phone number). Once you give an app permission to access the internet, your identity and sdcard contents are public. Google needs to fix this. Don't believe me? Install a file manager app. Most won't ask for permission to access the sdcard, but they will be able to. Some permissions are granted without the app asking for it.
Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.
For instance, an app may request internet access (cellular radio or wifi), the user should be able to choose to limit that to just wifi or even turn off connectivity for that app all together.
Doesn't someone spellcheck these summaries?
It is hard enough to know if I should trust my child, and I raised him. He doesn't tell me much. App developers tell me less, and some of them are devious. This is not a good security model. And Google knows better.
What a bunch of fluff. The relevant developers don't care about "best practices" or any other voluntary standard. And how the f*** are users supposed to establish trust in certain apps? The platform does not significantly monitor an application's ongoing behavior, nor is anyone performing serious code-reviews or blackbox testing. Google COULD HAVE set up profiling tests similar to those run in TFA, but didn't.
For ONCE would a company please admit that they reduced privacy in order to provide the dumbed-down usability needed to capture market share and attract developers?
Then I guess the problem is solved.
You are confused between Android OS and Android Apps. But don't let that interfere with your bashing of "open" and love for apple's walled garden. Please continue.
You got all that from an anonymous troll's 3 word line? Wow..
In any case, I know with Apple's stuff any app can request GPS information but the user will always get a popup asking for permission.
Rather than a blanket "you can send anything you want anywhere you want/you can send nothing to anywhere" switch, a finer-grained constrained set of permissions may be the way to go. Specifically:
And if an app provider doesn't like the light shone on their activities... that's a pretty good indicator right there.
Everybody gets what the majority deserves.
Can I buy your phone? Serious question. Must accept SIM cards and be 3G.
And in other news, smartphone security sucks. News at 11.
The world's burning. Moped Jesus spotted on I50. Details at 11.
...after all, many more users are leaking Android app data.
He doesn't have a phone for you to buy. He's a "magical! revolutionary!" fanboi troll.
Don't take it personally, but I'm not going to read your pithy response to my post.
Your own statement of saying "apple's walled garden" just proves his "but its open..." statement even more. But please continue.
Your statement implying meaning to his implying meaning to the parent's comment implies... wait a second. Where are we going with this?
Android gives users and developers a lot more freedom than other alternatives - with that comes responsibility for both parties. If you want a platform where you are told what to, when to do it, and whom you can do it to get an iPhone.
Foo U buttmunch, but Android IS Linux.
I like the word "prevasive." Sounds like prematurely pervasive or something. How appropriate.
On the surface you don't pay anything for these tools. They integrate nicely into your app, and you only have to add a few lines of code -- the essence of what a good developer's tool should provide. But it's free to you only because you passed the cost along to your users - often without realizing it. In exchange for the convenience provided for you, you've decided that your users' information, attention, viewing habits, and even privacy are fair currency with which to pay for that service.
If you value your customers, do the research before blindly incorporating these "free" tools into your applications.
It's a pissing match, where each party is trying to piss in opposite corners of a round room.
"...half were sharing GPS data and phone numbers with advertisers and remote servers."
Two words: DOUCHE.BAGS.
The Earth, too, is a walled garden. The US is a free country, but only from sea to sea. But, please, let's not generalize. How did Apple personally fuck you over with their walled garden? Because it seems like they just don't need any more great developers... nearly every cool feature exploited has at least a few decent apps to cover it. What were you gonna do that the "walled garden" stopped you from doing? (What almost comes to mind is.... damn... escapes me... what was it Morrison used to say about doors?) Or what is it that you THINK you MUST HAVE that Apple has forbidden? And how often is it on another smart phone that you are perfectly capable of doing this cherished activity, and what is its true frequency of use?
All Apple has done is narrowed the field a bit, to figure out what the most common things are that most people want... and then they focused on perfecting that. Rather than being all things to all people, they try to enable the best things for most people. And now the curve is very steep.
I don't get it, why is this being positioned as an Android problem? Last I checked, iPhone apps aren't even required to tell you what data they use in the first place -- is there an iPhone equivalent to the "uses internet access", "uses coarse location services" page that the Android Market displays to you? There's a ton of iPhone, Blackberry, Palm, etc. apps using advertising support, which is what the vast majority of this article is finger-pointing.
Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted. Even console games -- which have a months-long and intensely painful approval process the likes of which you've never seen -- don't do code review. The very concept is ridiculous, there's way too much code and way too many people involved. You're going to have to trust your developers folks, and make use of the user-ratings tools if you don't.
Android's model of showing you what special access the software uses is about as good as I think you can get in the real world without learning to use a packet sniffer. RIM's ability to disable individual types of access is cool as well, but if the software needs it to function (or says it does) I'm not sure how the user is supposed to be in a position to use it intelligently. To avoid these sort of data harvesting problems, they'd have to somehow psychically know that the contact manager they're trying out uses that internet access for more than the occasional ad serve, and how would they know that?
Add Access Control Lists to the functions/API which grants access to personal data (such as email address, phone numbers/lists, browsing history, GPS location). Since it is an open platform, we can do this ourselves if we want. All applications which attempt to access such data will be verified against the ACL to see if it can receive such information. If the application is not on the ACL, then, the API returns either an error code (which requires the current applications to be recompiled...), or an empty response (either a fake email name, website, or phone number, or GPS coordinates in the south pole).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
"We consistently advise users to only install apps they trust."
How the hell am I supposed to know that? Compile and review every line of source myself? Sorry, I have a day job.
Maybe I'll just find some application marketplace where they (1) certify apps are safe and perform well, and (2) don't violate my privacy without sending data around without my permission. That'd be an awesome idea. Some kind of marketplace that would actually verify that the application works on my device, does what it says it does, and behaves itself. That's a service I'd really pay for.
Oh wait, I do pay for that.
Welcome to iPhone.
Apple has that platform locked down nicely.
The headline doesn't really match the contents of the paper as far as I can tell.
For example, "Evernote" is listed in the paper for:
1) Taking pictures with the camera
2) Recording audio with the microphone
3) Determining your location
And for transmitting this data to its servers.
These functions are, however, exactly what the application is designed for. You take notes (including snapshot notes and voice notes) and upload them to your account. When you launch the app, there are big buttons for "take a snapshot note" , "take an audio note", etc. Geo-tagging via the location APIs can be disabled from the Settings page, but this is another core advertised feature of the product.
So this is a bit like making it into Slashdot by discovering that a mail client transmits text that you type (and your email address!) to a mysterious "SMTP" server... on the INTERNET!
Headline: "Researchers discover nefarious 'e-mail' application leaking your data"
Personally, I think this is going to be a larger issue as time goes on. Right now, it's more of an annoyance with advertisers and marketing companies, but who's to say that in the near future some other companies don't start providing apps that track users for other reasons.
Could you imagine a company that provides location data for your ex-spouse, or perhaps girlfriend or boyfriend, or even your children? I know this is kind of tin-foil hat paranoia, but I think the recent problems with things like the Google Buzz fiasco, here, here and here, show that good intentions can sometimes have bad consequences.
Whether it be Google, Apple, MS or whomever, they need to enforce policies and procedures to ensure that their users' personal data is protected. Yeah, it's a walled garden, but I think it's a necessary walled garden. I don't mind companies using my location data, but only if I know of it and have approved of it.
...at the application named 'taintDroid'? I must be really bored today.
ha ha, go anti-apple mods (this is the flamebait, not the parent)
The apps aren't leaking information. Leaking implies the information is being sent accidentally.
The apps are taking the information and sending it to whomever intentionally.
It sure is.
Sorry to piss on the fanboi flames spouting "iPhone's walled garden is much safer" and other such uninformed crap.
The iPhone App Store's dirty secret is it's worse, much worse:
http://www.slashgear.com/iphone-spyware-debated-as-app-library-phones-home-1752491/
http://gadgets.boingboing.net/2009/04/13/pinch-media-statisti.html
One of the reasons that BB's are so popular with the corporate crowd - despite lacking some of the "nifty" features of other phones - is that they're really good on security. BES allows the corp to do a lot of things to a lost/stolen/etc phone. The data on the handset is supposed to be encrypted, and can easily be reset or wiped. Most apps have varying levels of security that *ASK* the first time (to access the internet, or whatever) whether they should be allowed a one-time or consistent access to various permissions.
I don't see why Android couldn't use a similar model, as it does this for "root" (su) access when it's unlocked. Just keep a small DB listing what apps are allowed to access what features. The problem with the current coarse controls is that they don't really say what access is needed for. Sure, a VOIP app might need your phonebook for making calls, and internet access to do so. How about a game needing internet access to update high-scores (just deny that part if you don't trust the app not to send important data home), or the almighty "can change data on the storage card" access...
The last time this issue came up, I started sending emails to the developers of my apps challenging their need for permissions that don't seem to make sense. I got several replies that stated that the legitimate permission the developer needs is buried under overly broad packages.
For example, a battery monitor app needs to request access to "Phone Calls" to read the battery state.
With such granularity developers can't be responsibly specific and end users have no rational way to accept/reject apps based on the permission requested. Whatever else, the granularity of permissions packages must be changed first.
There's a Mac program called Little Snitch which tells you which apps are sending out data, and what kind, and where it's headed. Any idea if there's a similar program for Android? I don't so much mind that some apps can do things they don't need to. But if users can identify which ones it would help a lot.
> 15 of the 30 got on their list due to providing location data for advertising. I hardly consider that a sending your personal data as the article implies.
That's fine. I do.
You can allow/deny each app permission to access your address book, calendar, internet connection, send SMS, open your mailbox, etc.
This is the only thing keeping me on BB right now.
I get to give apps a choice: "Do you want access to my (private) data, or access to the internet?"
A much better arrangement than having the app dictate the terms.
I wish BlackBerry could promote these security features more.
Agreed... I was quite surprised when I tried - and was unable to - find a screenshot of the security options screen so I could gloat to one of my android friends who discovered some of his favorite apps had access to a lot more information than wanted.
That's the real problem. Malicious code aside, many lazy programmers (big thanks to Java for helping the uncontrolled growth of that subspecies) write their apps without caring a flying fsck for what resources they should require and more importantly what resources they should not. The result is a plethora of apps, sometimes even nice ones, that don't install or don't work if the user blocks the access to private data they should never deal with.
I like to think of it like a pissing match where they are hitting both streams dead on trying to push the piss to the other guy, not realizing all the splashback hitting them in the face.
One way to do this would be for the android market to list (or provide a filter for) how the app developer makes his money.
Of course I prefer GPL apps, but I'm willing to install free (beer) apps, trial versions (if clearly indicated), or paid apps.
However, I don't want to have to install an app just to discover that it's adware.
An appropriate approach might be to define trust levels. It would define "sensitive data packages", such as user name, GPS location, camera input, microphone input, etc - which apps could request be transmitted (with user permission settings or per-use acceptance), OR could be provided to the application. Applications would be installed at a trust level that grants them different access permissions to sensitive data, and would be prohibited from getting or manipulating data packages above their trust level.
Most trusted would be "obtains no sensitive data, engages in no communications, does no data storage".
Next most trusted might be "All communications via a module that requires user permission settings to transmit specific 'sensitive' data packages".
Then there'd be "Transmits arbitrary data, but explicitly asks user permission for pre-packaged sensitive data."
Worst might be "Reads sensitive data (with user permission control), reads data stored by other apps, stores data for other apps, transmits arbitrary data".
NEVER CROSS THE STREAMS! :p
After all, they're an advertising company, not a software company. Trading personal data is big business. Of course, you'd think Google would really put the clamps down on forcing apps to use Google as the middleman for that data exchange so they can take their cut. That was pretty much the entire strategy behind the original Android acquisition.
I personally wouldn't use a mobile phone put together by an ad company, as I'm sure unlimited data won't be forever (and the more you sync with the cloud and play Pandora on your smartphone all day). But if I had one, I'd really like to know that the ad company had some control over where my personal data was going.
Sure... but now try a navigation app.
The navigation app wants access to your position - sounds reasonable, right? Difficult to do that turn-by-turn thing otherwise.
The navigation app wants access to the internet - sounds reasonable, too, right? Lets you download map updates, POI data, etc.
But that doesn't mean there can't be a piece of code in there that uploads your position to some server.
Can't really protect against that sort of thing either except with code review... but who's going to review the code of all those apps? Even Apple let a few sneaky things through.
At some point, warnings or no warnings, you just have to decide whether you trust the app/author or not.
Obligatory:
http://pleaserobme.com/
Dump the responsibility onto the user base, and then shrug when things don't work out. Did they learn nothing from 20 years of people happily clicking/approving whatever they have to in order to get that nifty screensaver or cursor collection? Apparently not. Making the user the final arbiter of whether or not something is deemed safe/secure negates anything else you've done to promote safety/security.
This is not a problem for geeks, who are already conditioned to be careful, but sooner or later the great unwashed masses of clueless Android users are going to get pwned badly by something.
That's when I'll peer out from the safety of the oh-so-terrible walled garden I inhabit, and laugh.
Forgive me if I'm restating something someone already said (I seriously can't read every comment here). I hate the idea of forcing Google to follow in Apple's footsteps. I believe in free market solutions. Locking down the market may discourage developers. In the Windows market (where malware is rampant), this problem has already been solved. Most people don't download something unless it has been recommended by someone else (i.e. credible website, friend, colleague). If you aren't following someone's recommendation, then you knowingly accept the risk of being infected.
Granted, the majority of people using Android Market have yet to adopt this same ideology. It's only a matter of time before third-party companies play the role of Apple, investigating applications and applying their "seal of approval." Surely Google will allow developers to include these seals in their market descriptions if they've earned them. A solution like this allows the free market to continue, meanwhile giving credit to legitimate applications, and outing the "bad apps." People will naturally respect these third-party authorities.
I believe Google is doing the right thing. I think they should encourage what I've prescribed above.
I never realized my phone had a taint.
Congratulations, you just described how Android permissions already work.
Any other irrelevant posts to make based on not knowing the subject in question?
Android already notifies you which services an application uses before you install the app. You have the option of allowing the app to install and have access to ALL of those services or don't install the app at all. Some users may want to use an app, but they may want to deny certain services they deem are unnecessary. Google could add functionality that would allow the user to deny certain services to certain apps.
However, this may render the app completely useless. For example, what good would an alternate reality app be if it was denied access to the camera. To account for this, maybe there should be a list of required services that are absolutely required for the bare functionality of the application and then a list of non-required services that enhance the app but can be turned off by the user.
To go even a step further, rather than just offer the option to "allow" or "deny" a service, they could also have a "prompt" option. For instance, if I had a camera app, it should only be able to use the GPS when tagging the photo, not track my every movement at all times. Therefore it could prompt me every time it attempted to use the GPS. This would allow for fine-grained privacy settings and security that can be controlled by the user.
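An added illustration, not code from any commenter or from Android itself: a toy data-access mediator in Python that sketches the ACL proposal made earlier in the thread (apps not on the list get an error or a placeholder such as a South Pole GPS fix) together with the per-app allow/deny/prompt controls described in this post, and keeps an audit log of what each app asked for. App names, resources and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"    # hand the real value to the app
    DENY = "deny"      # raise an error the app must handle
    FAKE = "fake"      # return a plausible placeholder instead of real data
    PROMPT = "prompt"  # ask the user at the moment of use


class PermissionDenied(Exception):
    pass


# Values the phone really holds (constructed sample data, not a real device).
REAL_DATA = {
    "gps": (37.4219, -122.0840),
    "imei": "123456789012345",  # constructed placeholder, not a real IMEI
    "phone_number": "+1-555-0100",
    "contacts": ["Alice +1-555-0101", "Bob +1-555-0102"],
}

# Placeholders handed out under FAKE: a GPS fix at the South Pole, an all-zero
# IMEI, a dummy number and an empty address book.
FAKE_DATA = {
    "gps": (-90.0, 0.0),
    "imei": "000000000000000",
    "phone_number": "+1-555-0000",
    "contacts": [],
}


@dataclass
class AuditEntry:
    app: str
    resource: str
    decision: Decision
    granted: bool  # True only when the real value was released


@dataclass
class PolicyMediator:
    # Per-app, per-resource policy. An app missing from the table is not on
    # the ACL at all and falls back to `default`, which is DENY here.
    policy: Dict[str, Dict[str, Decision]]
    default: Decision = Decision.DENY
    # Called for PROMPT decisions; returns True if the user approved this use.
    ask_user: Callable[[str, str], bool] = lambda app, res: False
    audit: List[AuditEntry] = field(default_factory=list)

    def request(self, app: str, resource: str):
        """The single choke point an app must go through to read sensitive data."""
        if resource not in REAL_DATA:
            raise KeyError(f"unknown resource {resource!r}")
        decision = self.policy.get(app, {}).get(resource, self.default)
        if decision is Decision.PROMPT:
            granted = self.ask_user(app, resource)  # per-use consent
        else:
            granted = decision is Decision.ALLOW
        self.audit.append(AuditEntry(app, resource, decision, granted))
        if granted:
            return REAL_DATA[resource]
        if decision is Decision.FAKE:
            return FAKE_DATA[resource]
        raise PermissionDenied(f"{app} may not read {resource}")

    def requests_by_app(self, app: str) -> List[Tuple[str, bool]]:
        """What has this app asked for, and did it ever get the real value?"""
        return [(e.resource, e.granted) for e in self.audit if e.app == app]


def demo() -> Dict[str, object]:
    """Walk a few constructed apps through the mediator and collect the outcomes."""
    policy = {
        "navigation": {"gps": Decision.ALLOW, "contacts": Decision.DENY},
        "camera": {"gps": Decision.PROMPT},   # only while tagging a photo
        "battery_monitor": {"phone_number": Decision.FAKE, "imei": Decision.FAKE},
    }
    prompts: List[Tuple[str, str]] = []

    def ask(app: str, res: str) -> bool:
        prompts.append((app, res))
        return app == "camera" and res == "gps"  # the user taps "allow" once

    m = PolicyMediator(policy, ask_user=ask)
    results: Dict[str, object] = {}
    results["nav_gps"] = m.request("navigation", "gps")
    results["camera_gps"] = m.request("camera", "gps")
    results["battery_phone"] = m.request("battery_monitor", "phone_number")
    for app, res in (("navigation", "contacts"), ("flashlight", "imei")):
        try:
            m.request(app, res)  # "flashlight" is not on the ACL at all
            results[f"{app}_{res}"] = "allowed"
        except PermissionDenied:
            results[f"{app}_{res}"] = "denied"
    results["prompts"] = prompts
    results["audit"] = m.requests_by_app("battery_monitor")
    return results
```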
Google needs to implement a standard for Adware services in the same vein as their Licensing Server. The only reason many apps need the Internet permission is for ads and they pay more if you give them more information (like GPS Coarse/Fine) in addition to the ad revenue. I do not use ads for my current set of apps because my apps would be a huge security risk if it had permission to access the Internet in addition to what they already do as an app.
In order to fix this issue, Google needs a dedicated ad server mechanism with specific permissions to allow "ads, geographical targeted ads (neighborhood store sale), language based, and maybe even cell service based" kinds of ads so that an app can specify permissions for the app and separate permissions for the ads it services. In no instance should the ad agency get your phone info beyond "my closest city is X, what are my nearby ads". If Google can provide this functionality, app abuse would be significantly reduced and in some cases eliminated entirely.
I think the flaw is it asks too late, and you can't block any of them to still use the App.
I.e. I wanted an app to track car maintenance and MPG, I find the one that looks best, best reviewed...
Now it comes up and says it wants phone, and internet access...
Not needed for what I wanted, but what do I do now?
Look for another, buy, install, and wait to see if it is worse?
Would be nice if google also disclosed that in the app market before choosing,
then maybe developers would explain what they used the connections for...
I'll grant you the facts that:
but you CAN view which features an application needs before buying/installing/running it.
This will let you review what privileges an app will have if you install it without requiring you to buy, install, and find out the hard way.
If you have a problem with the app needing access to your fine GPS location (probably for adverts) instead of coarse Geo-IP location
or receive an SMS, you could now avoid downloading this app (or buying it if it weren't free).
If you scroll down, there's usually a section for further clarification on specific features requested.
Disclaimer: I neither own nor am I affiliated with any application in the Android Market.
* - My phone is 1 year old and runs Android 2.1, which (I believe) introduced the new Android Market.
For reference, some older phones have 1.5/1.6, & the newest is 2.2.
I'm sure there may be a range of obstacles to this, but couldn't we have something like an app for a separate app store, where only fully "trusted" apps will be hosted?
Then we can have a range of apps we know for sure do not misbehave. Kind of like a walled garden inside an open garden.
Of course this leaves the big problem of who we can trust, or who can be the benevolent dictator, but with an open market outside this shouldn't be a big problem.
We could even have different layers of app stores, such as those that have been reviewed or are created by trustworthy individuals, peer reviewed (wiki for apps?), and apps whose permission sets guarantee that they will cause no harm.
I don't see why everybody has a problem with security on Android. Like others have said, a dialog shows everything an app needs permission to do. Beyond that, install Droid Wall. It lets you approve or deny access to the Internet for each app (it's an iptables front end). You can also set it to block by default as I have, so that new apps never get the chance to connect until you allow them to. It requires root, but it's worth it. Don't forget to install a superuser whitelist program too so that you must approve any apps that want root.
Google says: "We consistently advise users to only install apps they trust."
So how does Joe User know "Who to trust?" Is Google trustworthy? How would I know? Because they say they're not "evil" ??
It's kind of bullshit advice.
OK, the app can send GPS data, IMEI and phone no., contacts numbers - if you grant GPS and internet.
What makes you think an iPhone or any other phone app cannot do the same?
They could send all your contact numbers to the Japanese right-wing terrorists for all I know.
I proposed something to Google that would certainly help with this issue. But they seemed more interested in bending over for the app developers.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master." -Pravin Lal
This is available since at least Android 1.6, and yes, as stated you can see a fine grained view of the things an app wishes to perform.
Also, the GP seems to be implying you don't see the permissions screen until you've installed an app, this is complete FUD, you see it before you agree to download it.
I've also seen the argument recently that the app store is more safe because developers have to give their name, address and bank details to Apple- this is also FUD because it's exactly the same with Google's Android marketplace.
The only difference between Apple and Google's marketplace in terms of security are that Apple pretend they somehow manage to do a security audit on the thousands of apps they receive each week, whereas Google doesn't pretend that it does. Google does at least seem to have a better layer of security prompting the users precisely what an app does however at least.
Don't let your Android fanboi viewpoint interfere with the fact that there's just as much wrong with Android's approach as there is with Apple's. Please continue.
See subject line above. Put known bad sites/servers/domains into your hosts file on a mobile phone OS and you're all set (android phones also have a lot more RAM on them to store even relatively larger hosts files into memory on to protect you than most phones out there do like IPhones and Symbian OS based stuff etc./et al)
On an Android phone, in a terminal window as the root user, one can issue this command: "netstat -a". This will display all the connections your phone is making out. Cut and paste the domain names or IP addresses from the "netstat -a" output into a text editor, then open the /etc/hosts file with a text editor and place the following lines in your hosts file:
# 127.0.0.1 localhost must be first line
127.0.0.1 localhost
127.0.0.1 Facebook.com
Make each entry on a separate line (the Slashdot forum reformatted my line breaks).
### continue and add all the domain names and remote IPs from your "netstat -a" output
This will block communication to facebook.com (example).
I've seen people block over 15,000 URLs this way.
Slashdot reference:
http://slashdot.org/submission/1346470/HOSTS-file-blocks-500-social-networking-sites
Wow. Very intelligent reply.
Just FYI - I don't even have an Android phone. So shove your own fanboism up your arse. Some of us may actually not belong to either of the camps.
Isn't that a bit of a tautology?
More importantly, just how are you supposed to know what you can trust or not? If an app zips your private info off to a server somewhere, you'd never know it. Even if you sniff the packets, it could still be encrypted or stenographized.
Google should give the user finer control and log what private info has been requested by what app.
What if a rogue app turns on the microphone or camera on command from some central server unbeknownst to you? The app could eavesdrop and spy on you. It is my hope no app stoops that low, but you never know!
It won't support SIM cards. "Droid" is a marketing brand for Verizon's flagship line of Android OS-based phones.
Verizon uses CDMA2000/EVDO, and does not use USIMs, therefore no SIM cards.