Slashdot Mirror

← Back to Stories (view on slashdot.org)

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

Posted by timothy on from the little-of-this-little-of-that dept.

New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.

3 of 150 comments (clear)

  1. Let's see the list of spyware by Animats · · Score: 4, Interesting

    Let's see this list of spyware. Will Google kick them out of the Android store? Will the FBI prosecute the developers for "exceeding authorized access" under the Computer Fraud and Abuse Act? If not, why not?

  2. Re: What alternative could be built? by EmperorArthur · · Score: 4, Interesting

    Internal memory and internal SD card are two separate things in Android. Internal SD card is simply a part of the internal NAND that the OS treats like a normal SD card. Many phones don't support external SD cards but have moderate amounts of storage, so they compromise.

    I'm not sure I follow.

    Many phones don't support external SD cards, but officially their apis still need to support external storage with internal SD memory anyway, otherwise they won't pass the Compatibility Test Suite.

    The problem is that the internal SD card and external SD card are treated differently.

    Android apps by default work off the internal SD card. It's actually a separate partition that's mounted at the same place as old phones used for external SD cards. You can't change the default to use an external card. You can't recover space from that internal partition.*

    Here's the kicker. Now external SD cards are mounted somewhere else. (/mnt/extSD) The thing is that many apps don't work with the external SD card. Especially after the latest android release. With android KitKat apps with the, misnamed, external storage permission can read and write anywhere on the internal card. The problem is that now they can read anywhere on the external card, but can only write to a directory on it which is something like "/mnt/extSD/data/app.name" There are a few exceptions for system apps like the camera, but regular apps have to use this weird naming scheme.

    It's actually a good security feature, but the fact they don't apply it to the internal SD card just seems to be Google deliberately moving people away from phones with an external SD card. Not cool.

    *Without rooting, and knowing exactly what you're doing at least. No way a non expert is doing this.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  3. Re:Games are underspecified by sumdumass · · Score: 4, Interesting

    I can think of a third. I had no idea fdoid existed until reading these posts. Outside of rooting my phone ans removing a bunch of garbage, i never really looked for more than a few apps and i wont update those due to expanded permisions i find too intrusive.

    That being said, now that i know, i will likely use it when i change phones again in about 2 weeks.