Slashdot Mirror

← Back to Stories (view on slashdot.org)

8% of Android Apps Are Leaking Private Information

Posted by samzenpus on from the sieve-phone dept.

kai_hiwatari writes "Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th. The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages."

15 of 159 comments (clear)

  1. Compared to... by mederbil · · Score: 4, Insightful

    ...100% of your Facebook apps! Nothing to worry about here, folks.

    1. Re:Compared to... by TubeSteak · · Score: 3, Interesting

      Compared to 100% of your Facebook apps! Nothing to worry about here, folks.

      Data leakage is one thing, unwanted text messages (premium SMS services are big money) is another story entirely.

      --
      [Fuck Beta]
      o0t!
  2. Poor security/subterfuge/sloppy coding by justsomecomputerguy · · Score: 5, Funny

    Vendor: "I'm shocked, SHOCKED to find information being leaked here!" Waiter: "Here's your mined data sir..." Vendor: "Thank you"

  3. Permissions by Anonymous Coward · · Score: 5, Insightful

    I think a finer control over permissions for applications is required. Some applications ask for something like "ability to make calls", so that feature X works. If you don't care about feature X you should be allowed to deny such permission.

    Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".

    1. Re:Permissions by Nirvelli · · Score: 3, Interesting

      This functionality is available in CyanogenMod ROMs already.
      http://slashdot.org/story/11/05/25/1221225/Cyanogenmod-Puts-Users-in-Control-of-Permissions

    2. Re:Permissions by elashish14 · · Score: 5, Informative

      I remember someone had a /. sig with a link to a feature request for Android that users could simply choose which permissions they want to allow an app to have at installation. I think this was the link: http://code.google.com/p/android/issues/detail?id=3778. It seems to have a lot of support, but apparently we need more!

      I also found this one too: http://androinica.com/2011/05/cyanogenmod-nightlies-secures-android/. I didn't read the link in much depth, but apparently it can do just what you describe if you root and install Cyanogenmod

      --
      I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  4. Margin of error by tepples · · Score: 3, Informative

    Assume that the 11,000 app sample is representative of a category of apps on Android Market, and 8 percent of apps in the sample have detectable spyware. In that case, it's far more likely than not that the prevalence of spyware across all apps in that category is at least 5 percent. So do you dislike statistical methods in general, or do you dislike the claim that the sample is representative?

  5. iPhone apps are just as bad... by Anonymous Coward · · Score: 4, Interesting

    If you use the firewall program that you can download with Cydia, you will find that a majority of iPhone apps connect to ad sites, statistic sites, behavioral targeting sites, and many domains that have zero to do what what the app does. The end user has zero control of what an app can do, and any app can happily slurp your contacts and anything available to it and hand it over to whatever site it feels like, and only people who have JB-ed their phone would know.

    Android, it is more obvious because you don't have to jailbreak it to see the programs phoning home.

    For example, take some of the photo editing apps on the iPhone. If you look at them, they appear to just uplaod your photo to a website and do the core editing via that as opposed to the application doing much. So, that private photo you decide to use a 99 cent app to make humorous? It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

    For the tl;dr crowd, iPhone apps are just as nasty, but they hide it better, being impossible to trace unless one jailbreaks their device.

    1. Re:iPhone apps are just as bad... by bonch · · Score: 5, Insightful

      This study looked at 10,000 Android apps. Your claim is that iPhone apps are "just as bad," which implies that you also studied 10,000 iPhone apps and that 800 were found to be leaking private data. Could you provide the link to your study, or is all you have an anonymously posted anecdote about running Cydia on your single phone without any examples given of the apps you're describing?

  6. That's obvious by gr8_phk · · Score: 4, Insightful

    When simple one-player games and such say they require full internet access I think "that may be for ads". When they require access to contacts, SD card, etc... That usually means don't install it. Unfortunately most of the apps I've looked at require full internet access AND access to contacts and don't get installed as a result.

  7. Re:Block their 'net access by Anonymous Coward · · Score: 3, Insightful

    as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ....I know, I know.. but doing infosec configs on phone is still a more arcane deal than computers, plus I really don't want to have to root my android phone, to be able to trust it in the first place.

    Perhaps if app permissions weren't 'set it and forget it', if the OS allowed us to go back and revoke perms directly from the GUI.

  8. Requires rooting by tepples · · Score: 4, Insightful

    LBE Privacy guard, Droid wall, or just a ADB terminal and iptables

    Which requires 1. phones to have a security vulnerability that allows rooting, 2. users to know how to root a phone, 3. users to somehow learn that they should install a firewall on their phones, and 4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).

  9. Have we learned nothing... by Trufagus · · Score: 5, Insightful

    Wow! CTO of company that makes money selling security software for Android says that Android has security problems!

    If you think you can get honest and objective info about this problem from the CTO of a company that is in the business of selling solutions to the problem, then you should not be allowed to use the Internet.

    I'm not saying that there isn't a problem - I'm just saying that this is so obviously the wrong source that it is no better then an advertisement.

    1. Re:Have we learned nothing... by godrik · · Score: 3, Interesting

      Well, I do believe them without any problem. Half the application I tried to install on my phone ask for ridiculously high permissions. I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?

      I would love the operating system to allow you to report fake information to some application. The application want access to your contact list? sure give it an empty list. It wants to know your GPS location. Sure, give a fixed user-defined location (in the middle of the ocean if possible).

  10. ...and... by msauve · · Score: 3, Insightful

    what exactly is an "unauthorized server?" Given that Android enforces constraints (permissions) when you install an app, are they claiming that there are apps which can get Internet access without explicitly being granted permissions by the user when installed?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law