Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many More Android Apps Leaking User Data

Posted by CmdrTaco on from the because-they-can dept.

eldavojohn writes "After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"

7 of 299 comments (clear)

  1. But how? by Drakkenmensch · · Score: 5, Insightful

    "We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"

    How exactly is one supposed to do this? What is the process for building trust vis-a-vis apps when the only protection you receive from your service provider is "don't walk into dark alleys you don't trust"?

  2. What Android needs... by Nadaka · · Score: 4, Insightful

    Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.

    For instance, an app may request internet access (cellular radio or wifi), the user should be able to choose to limit that to just wifi or even turn off connectivity for that app all together.

  3. Applications I trust? by sotweed · · Score: 5, Insightful

    It is hard enough to know if I should trust my child, and I raised him. He doesn't
    tell me much. App developers tell me less, and some of them are devious. This is not
    a good security model. And Google knows better.

  4. Google's response == fluff by inviolet · · Score: 4, Insightful

    "Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust." -- Google

    What a bunch of fluff. The relevant developers don't care about "best practices" or any other voluntary standard. And how the f*** are users supposed to establish trust in certain apps? The platform does not significantly monitor an application's ongoing behavior, nor is anyone performing serious code-reviews or blackbox testing. Google COULD HAVE set up profiling tests similar to those run in TFA, but didn't.

    For ONCE would a company please admit that they reduced privacy in order to provide the dumbed-down usability needed to capture market share and attract developers?

    --
    FATMOUSE + YOU = FATMOUSE
  5. Re:15 of the 30... by wgaryhas · · Score: 4, Insightful

    Being able to know where you are and when isn't personal information?

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." - H.L. Mencken
  6. Re:This is why OSS is so important by Specter · · Score: 5, Insightful

    ^ this.

    This is the value of the App Store that geeks/developers consistently underrate. Apple's walled garden provides a barrier to entry that helps to reduce the risk of ending up with a fart app that's also downloading your private banking information to China.

    Google's free-for-all Marketplace is a real risk to Android's long term success because it sets up Android phones to become the must-see destination for viruses, mal-ware, and other shady operations. How long do you think it's going to be before having an Android anti-virus application is a practical requirement? What the uber-geek sees as the positive benefits of the Android eco-system (freedom and unlimited choices) are in fact NEGATIVE attributes to most of the rest of the mobile phone consuming populace. It's sorta like Android is the Linux of mobile phones...oh wait.

    I enjoyed the EVO vs. iPhone YouTube video as much as anyone but more than a funny rip on Apple, it's also a perfect demonstration of how a lot of the technical community doesn't get it. Android's popular because the iPhone is hard to get and it's a pretty respectable facsimile of an iPhone, not because it has more WIFIs and GBs than Apple. When rogue apps start to make Android painful to use and own expect consumers to start looking for The Next Big Thing (tm).

  7. Core features of apps == "leaks"? by d_engberg · · Score: 5, Insightful

    The headline doesn't really match the contents of the paper as far as I can tell.
    For example, "Evernote" is listed in the paper for:
    1) Taking pictures with the camera
    2) Recording audio with the microphone
    3) Determining your location
    And for transmitting this data to its servers.

    These functions are, however, exactly what the application is designed for. You take notes (including snapshot notes and voice notes) and upload them to your account. When you launch the app, there are big buttons for "take a snapshot note" , "take an audio note", etc. Geo-tagging via the location APIs can be disabled from the Settings page, but this is another core advertised feature of the product.

    So this is a bit like making it into Slashdot by discovering that a mail client transmits text that you type (and your email address!) to a mysterious "SMTP" server.
    Headline: "Researchers discover nefarious 'e-mail' application leaking your data ... on the INTERNET!"