Separating Fact From Hype On Mobile Malware

← Back to Stories (view on slashdot.org)

Separating Fact From Hype On Mobile Malware

Posted by Soulskill on Monday November 21, 2011 @11:33AM from the viruses-in-your-pocket dept.

wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified: "As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."

46 comments

Min score:

Reason:

Sort:

Allow users to set permissions? by Anonymous Coward · 2011-11-21 11:45 · Score: 5, Interesting

Other than CM, where one can set permissions of apps, the only real way to limit app permissions is with use of DroidWall.
This way, if a game wants the whole world for perms, it might get the ability to call home for high scores, but that is it.
1. Re:Allow users to set permissions? by alostpacket · 2011-11-21 12:08 · Score: 4, Informative
  
  There are a couple apps out there that do this (most needing root). They essentially re-write the manifest to not ask for the permission -- sometimes by decompiling/recompiling. This crashes a lot of apps as devs dont expect to need to check for a SecurityException. The other problem with this level of granularity comes user confusion. The more granularity, the more confused a user can get. It also breaks the "agreement" between the dev/publisher and the user, much like ad-blocking in web browsers does. This is unfortunate because it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control. Honestly, I'm not sure there is an easy answer/fix to this. Open markets mean a bit of chaos is likely to emerge -- that's a good thing. But the only way to combat the unscrupulous is through educating users and having the community diligent in it's policing and reporting.
  The worst offenders though are the carrier bloatware apps (IMHO).
  Full disclosure: I have myself written a security guide for Android (CC license), and have an app for sale that provides information for novice users as well as permission search (to see what apps are using what permissions). I say this because obviously my work will bias my thoughts on the matter.
  The link in case anyone is interested: http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/
  Please note the guide is intened for novice users, which is unlikely to apply to most of the Slashdot crowd :)
  
  --
  PocketPermissions Android Permission Guide
2. Re:Allow users to set permissions? by DJRumpy · 2011-11-21 13:49 · Score: 3, Interesting
  
  What I find ironic is that the blogger under the "separate fact from hype" talks only about viruses, which as far as I know are pretty much non-existent in the mobile market, he ignores the fact that most of these stories are about malware ranging from various 'texting' apps that run up bills, those that dial 900 numbers, those that steal info ranging from contacts to key loggers, etc. None of these are viruses, but dangerous regardless.
  Also while I don't doubt the explosion of 'malware', I also take it with a grain of salt that the numbers might be so small now that any increases will make a trend look huge, at least initially. That doesn't mean that the Android market doesn't have a problem. I think people tend to be more lax on smartphones than they are on computers since they are relatively new. A little caution and more proactive action from Google would be a smart move.
  Just sayin'...
3. Re:Allow users to set permissions? by mjwx · 2011-11-21 14:08 · Score: 3, Insightful
  
  it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control.
  This.
  
  Permission creep is the real problem, not malware. Actual malware (viruses, worms, spambots et al) are not prolific enough to cause real concern and I dont see them becoming big enough. It's the subtle data miners, a wallpaper or "free" game that requests "read/write contacts" and "full access to the internet" that are the real issue for end users. This is also not Android specific, IOS is just as vulnerable, even more so as Apple has pretty much given them permission to do so and do not check to see if programs do this. It's pretty much reached the point where personal data is worth more then most botnets.
  
  As alostpacket said, we cant really fault the users for this, controls need to be more fine grained and personal data needs to be better firewalled.
  
  Nice guide BTW.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
4. Re:Allow users to set permissions? by Anonymous Coward · 2011-11-22 02:01 · Score: 0
  
  Only problem is that app developers are getting wise to things like CyanogenMod's permissions controls and will now purposefully crash the app if they don't get what they want.
  With a lot of apps in previous versions you could block the reading of the phone ID (actually CM just fakes it) but now with the current versions if you fake the phone ID they will force close.
  The only way I can see around this is for CM to give even more control to the user. I want to be able to put in my own fake information and I want to be able to fake anything not just the ID (ie. fake Internet access, fake filesystem, etc; anything!).
5. Re:Allow users to set permissions? by Miamicanes · 2011-11-22 05:02 · Score: 2
  
  The problem is that Android's permissions, like most of the API, does a good job of offering general-purpose ways to do things, but does a piss poor job of bundling things into neatly-packaged convenience methods that make it easy to just Do The Right Thing.
  Nobody (at Google) has ever really sat down and said, "How can we provide a system-level library that can support the needs of a service like AdMob (without being specific to AdMob itself), then create a specific set of permissions that grant exactly what's needed and nothing more to achieve the specific task of serving location-targeted ads to anonymous users who can be tracked in the aggregate.
  It has to be system-level, and have specific requirements for hardcoding things like the adserver's base URL and app id in the manifest, because otherwise a cloaked malware app could use it to leak information to the outside world without being obvious about it. For example:
  * The app can request a new ad, but Android introduces a random delay whose maximum value increases as the number of refresh requests does. This is necessary to make time-based attacks (where you modulate leaked information into the request rate itself, treating the request rate like a form of morse code) more difficult. You can't eliminate them completely, but you can make it very hard to convey more than a few bits per minute.
  * The location comes straight from Android's location services (GPS, network, or both) and gets automatically rounded down to the desired level of accuracy (say, quarter-degree, tenth-degree, or hundredth-degree). This prevents apps from trying to encode data into the lower bits of the location.
  * The URL of the web service that gets queried for the image and click-target URL is hardcoded into the manifest, with the ability to specify multiple in either failover or round-robin style.
  * The user ID passed to that web service is handled directly by Android, and the app never gets to touch it. It's randomly generated by Android, and comes in two flavors that are specified by the permissions itself: global to a physical phone, but not associated with a specific identity (ie, if you buy a new phone, your ID changes; it's not associated with your Google ID), or anonymously associated with a specific user and a specific application. In other words, if you're logged on to your phone and tablet with the same Google ID, you'd have the same anonymized ad id when requesting ads in the same app on both devices, but different apps would have different IDs. Any attempt to correlate the two, or to correlate ad ids with real-world identities, would be forbidden by EULA with staggeringly huge liquidated damages payable to both Google and the end user.
  The format of the image URL is problematic, because there's a very fine line between flexibility and giving malware the opportunity to leak user information via the URL itself. On one hand, you need an address space large enough to accommodate different images for different advertisers and campaigns, but you don't want to give too many extra bits to tempt companies into trying to encode extra information about the user himself into them. I'd propose something like the following:
  Baseurl: rigidly specified in the manifest, with provisions to specify multiple for failover and loadbalancing purposes.
  Density: automatically substituted in by Android based upon LDPI/MDPI/HDPI/XDPI
  Width: alternative to Density, equal to number of horizontal pixels in current orientation. Mainly, for people like me who hate the way Android deals with 540x960 qHD (I despise scaling and prefer to serve images at native resolution), and the coming trainwreck differentiating between 720x1280 on a 4.5" screen and 1280x800 on a 10" screen.
  App ID: hardcoded in manifest
  Target-intent and Notification-intent: ooh. These are rough. On one hand, you need flexibility to deliver clicks to the appropriate destination... but too much, and it's another information-leakage nightmare. My current hunch is that you'd
6. Re:Allow users to set permissions? by alostpacket · 2011-11-22 05:12 · Score: 1
  
  Thanks - it's in need of an update (the screenshots anyways) but am working on a tablet version :)
  
  --
  PocketPermissions Android Permission Guide
FUD? by AHTuttle · 2011-11-21 11:53 · Score: 5, Insightful

While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.
1. Re:FUD? by cheeks5965 · 2011-11-21 11:59 · Score: 5, Insightful
  
  Mom: "honey, how should I avoid viruses on my new phone?" Me: "first, be sure to research your apps before you download them." Mom: "what? where do I do that? didnt Sprint already do that?" Me: "then, don't browse to web pages that might contain malware" Mom: "how should I know what sites are ok and what are not?" Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."
  
  --
  -- Flame me and I will happily flame you back. Bring it!
2. Re:FUD? by Dishevel · 2011-11-21 12:04 · Score: 2, Informative
  
  How about this.
  Websites. Go only to the big spots. No little iffy websites.
  Apps. Do not be one of the first 50k to download.
  Those two things and most people will be really safe.
  For a mom who does not know anything about tech get her a Jitterbug or if she needs to feel important an iPhone.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
3. Re:FUD? by Meshach · 2011-11-21 12:04 · Score: 2
  
  While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.
  You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.
  
  The problem is that no one actually does either of those checks.
  
  --
  "Maybe this world is another planet's hell"
  Aldous Huxley
4. Re:FUD? by Hentes · 2011-11-21 12:09 · Score: 1
  
  think about where your browsing
  Or just use a secure browser.
5. Re:FUD? by InspectorGadget1964 · 2011-11-21 12:13 · Score: 1
  
  I agree, however you need to keep in mind that most users think that computers equal windows. They have not been educated enough to understand the consequences of their actions (Nor the lack of them). The makers of virus detection software take advantage of this ignorance to spread their marketing FUD. Our first job is education, the rest will follow.
6. Re:FUD? by tlhIngan · 2011-11-21 12:24 · Score: 3, Interesting
  
  You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.
  The problem is that no one actually does either of those checks.
  Well, it's called Dancing Pigs. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.
  And it also applies if said app costs money and they can get it for free - people will pirate apps. And just like on the desktop world - pirated apps can contain all sorts of wrappers that install malware.
  I suppose the only interesting thing about Android is why malware uathors haven't bothered taking paid apps, adding their own crap to it, and then releasing it "for free" to show up on searches as a full version of app for free. (I've seen ebooks that did this - they take some Harry Potter epub and package it with a reader (pirated?) and release it as one app.
  Then again - should the user be expected to do these checks? Does your mechanic/plumber/doctor/nurse/etc. go and say "I cannot fix your $FOO for you today - I need to research to make sure the new software we're transitioning to is safe"? No, they just install it. Heck, they normally have "IT" take care of that stuff for them. Or their neighbour's kid.
  I suppose it's why people are going for "app stores" and "appliances" rather than full-fledged PCs. Computers literally have gotten to the point where it really is a scary place out there and anyone who doesn't do it as a full time occupation is easily overwhelmed into thinking that next click would steal all their banking information and the identities. (Or worse yet, ignorance and clicking somewhere that really does do it).
  Anyone's who's had to clean out their relative's PC over the holidays (hey US Thanksgiving...) can attest to that...
7. Re:FUD? by cheeks5965 · 2011-11-21 12:32 · Score: 1
  
  All she wants is something with 12 button keys. she uses maybe 200 minutes a month. android is overkill because the sleazy cell phone salesmen push it on people who don't need it / want it. People end up spending $100 a month instead of $20 a month, and use the same functionality.
  
  --
  -- Flame me and I will happily flame you back. Bring it!
8. Re:FUD? by QuasiSteve · 2011-11-21 13:39 · Score: 1
  
  The Dancing Pigs thing is very true.
  Wat bothers me about the Android Market though is that some apps request access to some feature of the phone... but there's no explanation why.
  Now usually that to me means I'll go look for an alternative first, look for an explanation from the developer second.
  But it would be nice if the Android Market required these explanations per requested feature.
  The down side of course is that people can lie or just not tell the whole truth, without careful review - which means it would instill a false sense of security with some people.
  One possibility is to use an alternative market place that only hosts open source software (there's several).. but the in turn often miss the more shiny apps.
  Ah if only there were a magic bullet.
9. Re:FUD? by mariasama16 · 2011-11-21 13:59 · Score: 1
  
  I'd love it if the Market stopped pushing the permissions in everyone's faces for every update of an app (even if the permissions didn't change) and allow the notes of WHAT changed to be visible on that screen. But, I feel like I'm in the minority on that one.
10. Re:FUD? by Hentes · 2011-11-21 14:13 · Score: 1
  
  No software can protect against stupidity. If the user gives sensitive permissions to a malware that's not the OS's fault. The real question is if a malware can get permissions without the user, or circumvent the system somehow.
11. Re:FUD? by ozmanjusri · 2011-11-21 14:53 · Score: 3, Informative
  
  Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."
  
  I'm afraid you'll have to find other excuses for your Oedipal crises. The news stories are mostly FUD.
  Modern smartphones are much more secure than old ones, and much more resistant than Windows, though you wouldn't know it given the hype in the news. Did anyone notice how there were no hard numbers of malware sources or infections, just the alarming percentage increase? Even the white paper it's based on has no details. The closest it gets to the truth is here:
  
  Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices. These platforms have been targeted by a range of malicious applications that run the full spectrum of known malware categories, including SMS trojans that send SMS messages to premium rate numbers unbeknownst to users, background calling applications that charge the victim for exorbitant long distance calls, keylogging applications, and self-propagating code that infects devices and spreads to additional devices listed in the address book. The Juniper Networks Global Threat Center also sees polymorphic malware, which changes its characteristics during propagation to avoid detection, on the Symbian and Microsoft Windows Mobile platforms.
  http://www.juniper.net/us/en/local/pdf/whitepapers/2000415-en.pdf
  
  --
  "I've got more toys than Teruhisa Kitahara."
12. Re:FUD? by 10101001+10101001 · 2011-11-21 15:03 · Score: 1
  
  Well, it's called Dancing Pigs. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.
  I think the fundamental issue is the binary choice of "install" or "cancel". Adding on a granulated permission system doesn't in itself solve the problem because all that happens is that developers push users to give them greater and greater permissions, even when it's not really necessary to complete a task. I'd say a partial solution is to offer not only sandboxing of every app but to provide simulated permissions. The latter of which is very hard to do right in some circumstances (for example, if an app wants to phone home) but in the general sense most apps can and should be reasonably lied to because quite honestly few apps really need all permissions all the time yet there are many that will certainly just break if outright blocked from those permissions.
  So, the issue then becomes allowing a user to choosing when, how long, and how to give which permissions to an app. Or, more precisely, to provide an API to give a few trusted apps those permissions and let some smart security people develop a framework for the user to do what they really want. That's more or less what NoScript is all about, although it's rather kludgy at times as it expects a lot out of the user. But, I can certainly see people--and especially mobile phone carriers--paying a few companies to provide that sort of review and construction. Certainly, I think that's the only way to reasonably get enough coverage, as while I'd trust an open/free review/construction community to cover a lot of the popular, big, etc apps, I'm pretty sure it'd take money to convince someone to go through the mind numbing working of reviewing, processing, and bypassing every last app that tries to be overly clever. I just sort of wonder if the above violates the DMCA some how.
  
  --
  Eurohacker European paranoia, gun rights, and h
13. Re:FUD? by Anonymous Coward · 2011-11-21 18:37 · Score: 0
  
  It's her own fault for not knowing / expressing / sticking to what she wants, not the cell phone salesmen. With Google, there really isn't any excuse to see what's out there anymore.
14. Re:FUD? by cheeks5965 · 2011-11-21 18:43 · Score: 2
  
  What does thT even mean with google etc. because google is the mother brain and we are all lucky to piss in its shadow? Also way to hide under ac.
  
  --
  -- Flame me and I will happily flame you back. Bring it!
15. Re:FUD? by xorsyst · 2011-11-22 00:43 · Score: 1
  
  I use a lot less than 200 minutes a month (about 15 last month), and I love my android phone.
  
  --
  Get free bitcoins: http://freebitco.in
16. Re:FUD? by doti · 2011-11-22 02:12 · Score: 1
  
  the new version is doing exactly that for some time now
  
  --
  factor 966971: 966971
17. Re:FUD? by Rexdude · 2011-11-22 06:28 · Score: 1
  
  Even Symbian stopped having any significant malware after they introduced S60 3rd edition in late 2005, which refused to install unsigned apps by default.
  
  --
  "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
Why the emphasis on percentages? by DeadCatX2 · 2011-11-21 11:55 · Score: 4, Interesting

500% this, 37% that...
One of the first tricks they teach you in "how to lie with numbers" is to use percentages to inflate otherwise small numbers.
If they want to pimp a percentage, I would love to ask them...what percentage of the Android market share is infected? Somehow I think they wouldn't want to share that number, because all the 0's to the right of the decimal point may call into question exactly how much that very same company's products and services are needed.

--
:(){ :|:& };:
1. Re:Why the emphasis on percentages? by Sebastopol · 2011-11-21 12:33 · Score: 1
  
  It is very important to also write an article rebutting the claims with its own set of misleading statistics, especially if the data does not support your particular ideology.
  
  --
  https://www.accountkiller.com/removal-requested
2. Re:Why the emphasis on percentages? by Digicrat · 2011-11-21 13:20 · Score: 1
  
  "Oh, people can come up with statistics to prove anything. 14% of people know that" - the Immortal words of Homer Simpson
500%? Man, that's nothing... by QuasiSteve · 2011-11-21 11:58 · Score: 5, Funny

500%? Man, that's nothing... why, at the beginning of the year Apple still claimed zero malware in the App Store, then this happened:
http://apple.slashdot.org/story/11/11/07/2029219/charlie-miller-circumvents-code-signing-for-ios-apps
Briefly, malware in the Apple App Store increased by one divided by zer-OH SHI
Amount is irrelevant by gweihir · 2011-11-21 12:02 · Score: 2, Insightful

It really does not matter whether there is a lot of malware. There always is and will be malware that incompetent users have to do stupid things to install. There always will be a lot of incompetent users. What matters is the level of sophistication of the malware. As this is generally not mentioned, my take is that basically these companies want to sell you something and select the numbers that support the illusion that you need what they sell. Then, if you are an incompetent user, you may actually need what they sell.
On the other hand, quality levels of AV software is really, really bad these days. I recently evaluated several scanners, and ran into things like automatic deletion of suspect files (a borderline criminal approach), deletion without the possibility to object, massive negative impact on disk performance, etc. As I had exactly one piece of spyware in the last 10 years and zero viruses, I am now back to running without AV software, except for MS security essentials with real-time stuff switched off.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Which Android are we speaking of? by Hentes · 2011-11-21 12:06 · Score: 1

The most recent one or the ones actually (sometimes imperfectly) implemented?
1. Re:Which Android are we speaking of? by Anonymous Coward · 2011-11-21 12:47 · Score: 0
  
  The ones downloading pirated apk's and apps from shady chinese app stores.
Most security *is* theater by Anonymous Coward · 2011-11-21 12:14 · Score: 5, Insightful

I say this as an Infosec professional. If you remove all the hype/FUD and look at actual exploit/breach rates, the entire industry would change and shrink drastically. But they don't. So we have what we have - lots of snake oil and irrelevant/useless tools pushed to solve imaginary problems. Honestly, I am ashamed of myself but the money's too good :-)
1. Re:Most security *is* theater by Anonymous Coward · 2011-11-22 03:53 · Score: 0
  
  If you say most security is theater as an infosec professional I pity your clients.
I 3 twilight by cheeks5965 · 2011-11-21 13:08 · Score: 1, Funny

from TFS:

As twilight approaches for 2011
Twilight isn't approaching, it's already here! Jacob is so sexy! I went on opening night. Who else saw it?

--
-- Flame me and I will happily flame you back. Bring it!
Re:500%? Man, that's nothing... by Anonymous Coward · 2011-11-21 13:30 · Score: 1, Insightful

Who needs malware in the App Store when browsing to the right website can hack your phone?
This cheeses me to no end... by idbeholda · 2011-11-21 16:07 · Score: 1

Not because I have a security system set up, but because I contacted them three years ago about incorporating actual security into their operating system using a format that is only limited by internet, and to an extent, by hardware latency. What I was told was, "We only accept ideas from Fortune 500 companies". Fuck that. Seriously. I'm willing to bet money that they use the same (or extremely similar) format I have.

I'm not talking a few hundred megabytes of malware definitions, I'm talking around 20GB+ worth of raw information, not including a heuristics database that has a detection rate of 99.986%. Entire scantimes (ignoring the average 30 second wait time for file mapping) is about 15 minutes via dialup. Mark me as a troll all you'd like, my proof is in the goddamn pudding: http://www.tot-ltd.org/
security vendors have set their gaze on the rise o by tchall · 2011-11-21 16:19 · Score: 2

"security vendors" are concerned about the "rise of malware" on the Android platform...

Hmmmm... know anyone that's found a "malware" application lately... at least one that didn't specify permissions up front?

I suspect that the only malware out there MIGHT be some Trojans that users installed and fat, dumb, and ignorantly gave permission for the program to OWN their device...

I haven't even found a real "virus" on a PC for years, only Trojans using some crude social engineering designed to appeal to the cheap (and ignorant) using the lowest common denominator...

I'd rather they called me when their computer ran "slow" instead of downloading the first piece of crap that promises to "fix" their PC... but the time it takes to track down a "send money" Trojan PLUS the time spent cleaning up their system so it will function as good as new is ALL billable time...
Absolutely no malware on Windows, either by jmcbain · 2011-11-21 18:02 · Score: 2

While I have no doubt Windows is a increasing target, why do I get the sense this is hype from Windows competitors and anti-virus software makers? Just don't install any strange apps without research and think about where you're browsing, and I don't anticipate problems. At least I've had none in the year or so I've been on Windows.
"to separate fact from hype" by Anonymous Coward · 2011-11-21 19:42 · Score: 1

This article doesn't "separate fact from hype" - it's just a highly partisan rant against AV companies, containing no substantiating evidence in support of either position.
Wrong by JockTroll · 2011-11-21 21:53 · Score: 0

"As twilight approaches for 2011"
It's already breaking dawn for 2012, you emo sparkly bloodsucking loserboy nerd. Go and eclipse yourself before the new moon.

--
Geeks are so full of shit that "beating the crap out of them" takes a whole new meaning.
All hype, even on Windows malware by rodrigoandrade · 2011-11-21 23:33 · Score: 1

Seriously this is getting old. All this spyware, malware apocalypse shit is just FUD spread by "research" backed by companies that have an interest in selling AV software.
Now the same will happen to Android, as it becomes more popular. Wake up people!!
Background apps by phorm · 2011-11-22 04:50 · Score: 2

The biggest bane of my existence is apps that start up and run in the background, much like the gazillion things that start up with windows in the "run" subsection of the registry and pepper you with tray icons or background apps.
Games, media players, etc DO NOT need to start up with my damn phone and background. I've uninstalled plenty of apps just for doing so (when they don't have an option to select that disabled autostart).
Re:500%? Man, that's nothing... by Kartu · 2011-11-22 09:20 · Score: 1

Where did they claim zero malware by the way?