Slashdot Mirror

← Back to Stories (view on slashdot.org)

8% of Android Apps Are Leaking Private Information

Posted by samzenpus on from the sieve-phone dept.

kai_hiwatari writes "Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th. The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages."

33 of 159 comments (clear)

  1. Compared to... by mederbil · · Score: 4, Insightful

    ...100% of your Facebook apps! Nothing to worry about here, folks.

    1. Re:Compared to... by TubeSteak · · Score: 3, Interesting

      Compared to 100% of your Facebook apps! Nothing to worry about here, folks.

      Data leakage is one thing, unwanted text messages (premium SMS services are big money) is another story entirely.

      --
      [Fuck Beta]
      o0t!
  2. Poor security/subterfuge/sloppy coding by justsomecomputerguy · · Score: 5, Funny

    Vendor: "I'm shocked, SHOCKED to find information being leaked here!" Waiter: "Here's your mined data sir..." Vendor: "Thank you"

    1. Re:Poor security/subterfuge/sloppy coding by narkosys · · Score: 2

      +1 Casablanca reference.

      --
      seems to have misplaced his .sig
  3. Permissions by Anonymous Coward · · Score: 5, Insightful

    I think a finer control over permissions for applications is required. Some applications ask for something like "ability to make calls", so that feature X works. If you don't care about feature X you should be allowed to deny such permission.

    Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".

    1. Re:Permissions by Anonymous Coward · · Score: 2, Interesting

      Better yet, how about doing the intelligent thing and providing a UNIQUE identifier per APPLICATION. Not using the IMEI, but instead generate a UUID for each application to use as its unique id. Use a hash of some hardware value (like the IMEI) and the applications signature ( I assume apps have their own UUIDs in Android for identifying applications uniquely ).

      Then they can uniquely identify a specific device has a specific app installed, they also won't be able to tell (if implemented properly) by using that information which applications you also have installed. Vender A sells me 3 apps, and it gets 3 unique IDs back for my device from all of them, meaning I no longer have to worry about sharing of that information resulting in a profile of me.

      Pretty much every reason you come up with for wanting to uniquely ID a phone revolves around targeted marketing, so lets just end that ...

      Oh wait ... Android ... Google ... hrm, yea, they aren't going to go for that one are they?

    2. Re:Permissions by Nirvelli · · Score: 3, Interesting

      This functionality is available in CyanogenMod ROMs already.
      http://slashdot.org/story/11/05/25/1221225/Cyanogenmod-Puts-Users-in-Control-of-Permissions

    3. Re:Permissions by elashish14 · · Score: 5, Informative

      I remember someone had a /. sig with a link to a feature request for Android that users could simply choose which permissions they want to allow an app to have at installation. I think this was the link: http://code.google.com/p/android/issues/detail?id=3778. It seems to have a lot of support, but apparently we need more!

      I also found this one too: http://androinica.com/2011/05/cyanogenmod-nightlies-secures-android/. I didn't read the link in much depth, but apparently it can do just what you describe if you root and install Cyanogenmod

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  4. Margin of error by tepples · · Score: 3, Informative

    Assume that the 11,000 app sample is representative of a category of apps on Android Market, and 8 percent of apps in the sample have detectable spyware. In that case, it's far more likely than not that the prevalence of spyware across all apps in that category is at least 5 percent. So do you dislike statistical methods in general, or do you dislike the claim that the sample is representative?

  5. iPhone apps are just as bad... by Anonymous Coward · · Score: 4, Interesting

    If you use the firewall program that you can download with Cydia, you will find that a majority of iPhone apps connect to ad sites, statistic sites, behavioral targeting sites, and many domains that have zero to do what what the app does. The end user has zero control of what an app can do, and any app can happily slurp your contacts and anything available to it and hand it over to whatever site it feels like, and only people who have JB-ed their phone would know.

    Android, it is more obvious because you don't have to jailbreak it to see the programs phoning home.

    For example, take some of the photo editing apps on the iPhone. If you look at them, they appear to just uplaod your photo to a website and do the core editing via that as opposed to the application doing much. So, that private photo you decide to use a 99 cent app to make humorous? It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

    For the tl;dr crowd, iPhone apps are just as nasty, but they hide it better, being impossible to trace unless one jailbreaks their device.

    1. Re:iPhone apps are just as bad... by Microlith · · Score: 2

      It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

      You'd have to look at the EULA (do they even present an EULA?) to see what rights they grab for themselves. Even then, you still own the copyright on the image. I doubt an EULA that stated "by using our service you transfer copyright of all images uploaded to us" would be considered conscionable.

    2. Re:iPhone apps are just as bad... by Lehk228 · · Score: 2

      It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

      I suggest you refrain from participating when you have no fucking clue what you are talking about

      --
      Snowden and Manning are heroes.
    3. Re:iPhone apps are just as bad... by bonch · · Score: 5, Insightful

      This study looked at 10,000 Android apps. Your claim is that iPhone apps are "just as bad," which implies that you also studied 10,000 iPhone apps and that 800 were found to be leaking private data. Could you provide the link to your study, or is all you have an anonymously posted anecdote about running Cydia on your single phone without any examples given of the apps you're describing?

  6. That's obvious by gr8_phk · · Score: 4, Insightful

    When simple one-player games and such say they require full internet access I think "that may be for ads". When they require access to contacts, SD card, etc... That usually means don't install it. Unfortunately most of the apps I've looked at require full internet access AND access to contacts and don't get installed as a result.

    1. Re:That's obvious by Zebedeu · · Score: 2

      I agree that devs should be more open about why they are asking for permissions, particularly the more dangerous ones, such as access to the contacts, phone, or SMS.

      Some apps now feature those explanations on the market description, presumably because users were asking for it. I encourage you to contact the developer every time you decide not to install an app due to the permissions. At least give him a chance to explain himself so that others can benefit from it.

      As for access to the SD card, this is usually to keep data backups, save games, or other files which are either too big to be shipped with the app, or which you'd like to survive a device reset.
      I agree that it's too general a permission. There should be a permission where the app would only be allowed to access a specific folder in the SD card.

  7. The hashed phone number by tepples · · Score: 2

    Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity".

    The IMEI doesn't ensure the user's identity, just that of the handset. Pull out the SIM and put it in another handset (assuming AT&T, the only U.S. nationwide provider for which this actually works and which isn't an acquisition target), and the subscriber's identity follows the SIM (hence the name Subscriber Identity Module).

    They still have access to the phone number, why not fine-grain it

    Yeah, why not? To ensure the user's identity, perhaps the OS should make available the hashed phone number: the application can make sure the subscriber hasn't changed but not use it to make voice calls or send text messages.

    1. Re:The hashed phone number by nzac · · Score: 2

      Don’t know how large phone numbers get in your country but rainbow tabling phone numbers seems rather trivial for anyone with a reasonable amount money. They can can probably guess the first part which leaves only about 10 digits (7 where I live) of combinations to try and if they are given away in sequence way less. Anyone know how long that would take with a modern GPU.

      You would probably have to make the method standard so you could not use unknown salt either.

  8. Re:Block their 'net access by Anonymous Coward · · Score: 3, Insightful

    as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ....I know, I know.. but doing infosec configs on phone is still a more arcane deal than computers, plus I really don't want to have to root my android phone, to be able to trust it in the first place.

    Perhaps if app permissions weren't 'set it and forget it', if the OS allowed us to go back and revoke perms directly from the GUI.

  9. Requires rooting by tepples · · Score: 4, Insightful

    LBE Privacy guard, Droid wall, or just a ADB terminal and iptables

    Which requires 1. phones to have a security vulnerability that allows rooting, 2. users to know how to root a phone, 3. users to somehow learn that they should install a firewall on their phones, and 4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).

  10. Have we learned nothing... by Trufagus · · Score: 5, Insightful

    Wow! CTO of company that makes money selling security software for Android says that Android has security problems!

    If you think you can get honest and objective info about this problem from the CTO of a company that is in the business of selling solutions to the problem, then you should not be allowed to use the Internet.

    I'm not saying that there isn't a problem - I'm just saying that this is so obviously the wrong source that it is no better then an advertisement.

    1. Re:Have we learned nothing... by godrik · · Score: 3, Interesting

      Well, I do believe them without any problem. Half the application I tried to install on my phone ask for ridiculously high permissions. I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?

      I would love the operating system to allow you to report fake information to some application. The application want access to your contact list? sure give it an empty list. It wants to know your GPS location. Sure, give a fixed user-defined location (in the middle of the ocean if possible).

    2. Re:Have we learned nothing... by Elbereth · · Score: 2

      Maybe the Tetris game has a social aspect, where high scores are collected and posted on the internet, along with a geographical tag, like "New York, USA". It could be that the high scores are even customized for your location, so that you can compete against all the other New Yorkers playing that game. Some people would think that was the greatest thing in the entire world, I'm sure. For the more cynical among us, it's difficult to believe that social gaming is anything more than a big scam, but not everyone cares so much about their privacy. One man's privacy invasion is another man's social game, I guess.

    3. Re:Have we learned nothing... by Solandri · · Score: 2

      I just installed DroidWall, which is a basic firewall for Android. You need to be rooted, and the UI isn't the greatest. But it lets you control which apps have permission to access the Internet (and you can choose WiFi and 3G/4G permissions separately if you so desire). What good is having my GPS location and contact list if you're unable to report it back home (Mr. Anderson)!

    4. Re:Have we learned nothing... by kregg · · Score: 2

      All applications with ads ask for those permissions. They don't want to advertise something you can't buy in your own country.

      If you don't want that then buy an application with no ads - simple.

  11. Re:Block their 'net access by 0123456 · · Score: 2

    as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ...

    That's why I have a dumb phone that just makes phone calls and sends text messages and laugh whenever people talk about their phone being infected with malware.

  12. ...and... by msauve · · Score: 3, Insightful

    what exactly is an "unauthorized server?" Given that Android enforces constraints (permissions) when you install an app, are they claiming that there are apps which can get Internet access without explicitly being granted permissions by the user when installed?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:...and... by dudpixel · · Score: 2, Interesting

      maybe it is misleading. Maybe it technically is authorized by your definition.

      However, note that ALL apps with ads need internet access, and yet the internet access gives them access to the whole internet, not just the ad server.

      This always concerns me when its simple apps that really dont need internet access other than to display ads. How would I know what the app is doing?

      I'm normally against the walled garden approach but Google's complete hands-off thing is really starting to get serious. Its almost like they dont care about their own platform? Like they've disowned the market and they're only interested in the Google search box.

      I dont think this approach will work for Google in the long term. Why do people spend more on the App Store? Maybe its because they trust it more...

      --
      This seemed like a reasonable sig at the time.
    2. Re:...and... by msauve · · Score: 2

      How does any of that differ from apps on a PC, which all have unlimited Internet access? Is there some reason a phone is more sensitive? I've got more personal/confidential info on my PC than I do on my phone.

      Without knowing exactly what is being sent to these "unauthorized servers," this is just a red herring.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  13. Re:The Apple solution by mjwx · · Score: 2

    The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.

    Yeah, because a vulnerability in the inbuilt PDF reader will never be exploited...

    So lets all stick our heads in the wondrous sand of a walled garden and pretend that security holes dont exist because we aren't allowing security experts to say anything.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  14. Re:The Apple solution by JAlexoi · · Score: 2

    And you're better off with remote PDF security bugs that can result in total takeover of you device. And it will all be hushed up to maintain the mantra that "Macs don't get malware and viruses"...

  15. HTTP tunnel by tepples · · Score: 2

    Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.

    And run an open HTTP tunnel on someapplicationpage.com. You see, a device can't always enforce a privacy policy.

  16. You can protect yourself better by aaaurgh · · Score: 2

    I use the LBE Security app which allows me to more closely control what I want an app to have access to, it's a bit like a permissions based firewall - you can block specific permissions on each app. It does result in the odd FC if you tighten it down too far on everything but it's usually possible to find a workable combination. e.g. permit an app to access the phone id. (which it expects to always have access to and which causes it to FC if not) but then block it's access to the network (which cannot always be expected to be available)... so what if it knows the id. if it cannot report it.

    --

    Go permanent? In your dreams and my worst nightmares.
  17. Re:The Apple solution by coinreturn · · Score: 2

    Actually, Apple specifically points out in their review process that apps that ask for location data without an obvious legit reason are rejected.