More Than 25% of Android Apps Know Too Much About You

CowboyRobot writes "A pair of reports by Juniper and Bit9 confirm the suspicion that many apps are spying on users. '26 percent of Android apps in Google Play can access personal data, such as contacts and email, and 42 percent, GPS location data... 31 percent of the apps access phone calls or phone numbers, and 9 percent employ permissions that could cost the user money, such as incurring premium SMS text message charges... nearly 7 percent of free apps can access address books, 2.6 percent, can send text messages without the user knowing, 6.4 percent can make calls, and 5.5 percent have access to the device's camera.' The main issue seems to be with poor development practices. Only in a minority of cases is there malicious intent. The Juniper report and the Bit9 report are both available online."

If only!

[Joehonkie]

If only there were some way for me to tell which permissions an app will use when I install it!

Re:If only!

If only there were some way to know what permissions the app really needed to do its job!

If only you didn't have to slog through 15 different flashlight apps before you find one that doesn't want access to your address book!

Re:If only!

[rvw]

If only there were some way for me to tell which permissions an app will use when I install it!

I've created one Hello World app, just to see how it works. I've followed directions, didn't do anything to snoop around. The result is that it needs Phone ID somehow. I suspect that many app programmers do nothing to snoop around, but automatically request more permissions than actually needed, probably because the programming IDE does this automatically.

Re:If only!

[h4rr4r]

You don't. Torch, Done.

What Google should do is let me search for apps by permissions. I also wish they would let me never see a freemium app again. I have zero interest in them.

Re:If only!

Disagree. It's a problem with humanity. Android does a good job of warning you that your flashlight app will send your contact list to the universe.

Re:If only!

[h4rr4r]

Actually a lot of decent apps have a why in the description of the app.

If it does not seem like it should need it and they fail to explain it don't install it.

Still better than on the PC, where any application can read any of your files.

Re:If only!

[berj]

On iOS I can choose *after* installation to allow or disallow certain activities.

So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.

If a GPS application wants access to my contacts and location I can let it.. but if it asks for access to my photos and bluetooth sharing I can disallow it.

It's quite nice, actually.

Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.

Re:If only!

[TheGratefulNet]

permissions are vague. I can't know what the hell they plan to do!

what I'd want is a watcher that gives pop-ups or some notification and STOPS THE APP until I let it thru. very very fine grained permit/deny and also a lot of all info that is captured and sent.

until the apps are more transparent (they are anything but, now!) I refuse to run most android 'store' apps or anything else.

the whole market is fucked up; the protection model is bullshit and there's no audit ability for users to feel confident that this or that app is not doing funny shit behind the owner's back.

the permissions model is quite stupid by design. another google design failure, designed by engineers and not designed FOR users who are non-tech and simply want to know what the app is DOING.

there also isn't a standard default firewall on unrooted android. again, I have no trust in android when I have to go around it and root it just to have a firewall and user filters or ACL's.

the whole model needs a serious rewrite. not saying the apple model is any better, but android is quite immature in how it DOES NOT protect the user or give them any real info to go on. the only thing you have now is 'trust us' and, well, I just don't!

vista annoyed users with the popups but I do think that some level of that is needed, here. WHEN an app tries to do things that fit some trigger, show me! show me what and when and where. keep logs of it. let me query the logs and study how good or bad this app is. let me run it in 'hobble mode' so that it, by default, does not get access to anything. let me trust it over time and relax restrictions as it gets my trust.

the whole model is all wrong. sorry, but it seems no one was thinking of the users, here. and users are getting screwed by not having true visibility into the (often) evils that 'flashlight apps' do.

Re:If only!

[h4rr4r]

There are aftermarket ROMs that do that. CM is one.

There are tools that actually do one better, they let you give apps fake data. Let that stupid game have a GPS, one that shows you out in the Atlantic.

Re:If only!

[berj]

On iOS I can choose *after* installation to allow or disallow certain activities.

So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.

How do you know that, by the time you disable the permission, the app hasn't already uploaded your info to their servers?

because (sensibly) by default apps have no such permission. I get asked if I want to allow the action the very first time.

Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.

Except, with Android, I can root my phone and do whatever the heck I want with it.

And what about those of us that don't want to bother with such things? I don't build my own computers. I don't jailbreak my iDevices.. I don't tinker with my car.. I don't mod my fridge. If I have to immediately start hacking my device in order to get the security I want then it's not really much good to me.

Re:If only!

[Syphonius]

Then you may have done it wrong (or whatever example you followed was wrong). The default IDE (Eclipse with the ADK plugin) does not generate permissions into the manifest. They all go in manually. If your Hello, World required extra permissions then they were most likely added by accident or you are using some uncommon IDE/plugin.

Re:If only!

[Minderbinder106]

CM was one. CM7 had this feature but it was taken out for CM9/CM10. It's too bad, it was a great feature.

Re:If only!

[Jeng]

Here is vague.

full Internet access: Allows the app to create network sockets.

The main question I have is Why does it need internet access? And that is not answered.

Re:If only!

[Voyager529]

LBE Privacy Guard. Still free, and still allows denial of permissions to apps on a rooted phone.

Privacy apps - LBE

[rvw]

I've installed LBE Privacy control and it blocks unnecessary permissions for many apps. Why does a keyboard need internet access? The only thing I'm concerned about... What does LBE know, and what does it share?

What we need is name and shame

[e065c8515d206cb0e190]

We need a website listing apps and what persmissions they require vs use.

Developers will start paying attention when their apps are publicly shamed.

Lets Mention Apple

[tuppe666]

Lets have a little balance

http://www.huffingtonpost.com/2012/02/15/iphone-privacy-app-path-facebook-twitter-apple_n_1279497.html?ref=mostpopular

Facebook, Twitter, Foursquare, Instagram all send email addresses and phone numbers to their local servers.

The whole thing blew up and ended up with US congressmen sending letters to Tim Cook. This was feburary this year

"This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts."

Butterfield and Waxman then quote parts of Apple’s iOS developer website which states that Apple provides a comprehensive collection of tools and frameworks for storing, accessing and sharing data. It is then questioned whether Apple requires apps to request user permission before transmitting data about a user."

Re:Lets Mention Apple

[Bogtha]

Lets have a little balance

Facebook, Twitter, Foursquare, Instagram all send email addresses and phone numbers to their local servers.

All of these companies have both official iOS apps and official Android apps, and the ones I've used on Android have definitely accessed my contacts. In fact, Facebook made headlines by fucking up the email addresses in the address books of Android users recently.

But yes, let's have a little balance by directing the blame for the actions of these particular companies solely at Apple.

Yeah

[errandum]

That study is irrelevant. Most of those apps don't know that because they need to, but because they are free and the averts do.

Do the same study on payed apps. For example, GPS location access is not present on any of the games I bought so far.

I just got an android and it's plain scary.

[Jartan]

The way things are setup on stock android is a nightmare. The supposed "Walled Garden" doesn't even exist. Android doesn't have malware/viruses because "legit" apps can walk right in and do whatever they want. Want to steal all your users contacts and use them for spam? There's a built-in API for that.

I was trying to download a widget for screen brightness and 99% of the free ones wanted internet access permissions. It was just absolutely atrocious.

The only redeeming feature is how easy it is to root and fix.

I'm going to start carrying 2 phones

[TheGratefulNet]

one that is the smartphone (portable computer) and that will not have sms, cell service, address book, etc. rooted and firewalled and monitored.

2nd phone would be a dumb phone that has no networking at all in it, simply just to send and receive voice calls.

until there is a hard boundary (enforced, like a true barrier) between the soft apps and things that can cost you money (dialing out, stealing your contact list or local data), it just does not seem worth it to bundle all your stuff into one box.

sure, its convenient but the trust model is not good enough.

more and more, I just leave the smartphone home and use it as a wifi only device. at least I know that no sms BS is coming thru and no outgoing calls or wan connects could ever happen that would be costly or info-leaking.

seriously, I'm demotivated to invest more of my personal info on a box that I have less and less control over.

DroidWall

[brouiller]

I root all of my Android devices and install the DroidWall app. It allows me to block network access to any app regardless of whether you give them permissions when installing. It's allowed me to download and use many apps that I would otherwise not have used because they wanted network access. It even lets you decide if you want to block the app on WiFi, cell data, or both.

Re:Know too much?

[Applekid]

If you've stayed at a hotel, odds are good someone's seen you nude.

In that case, I'm glad I'm ugly as sin, and hope I've blinded them. :)