Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.

Laziness

Code recycling is one thing, but not understanding what that code does when you put it into a production app or not following best practices is another. As Android gains popularity as a platform to develop for, we're going to lose quality as the new folks jumping onto the band wagon don't care how their apps work or look beyond the end goal. This mentality is already popping up with Android Wear developers who cram as much information as they can on the screen and claim that design guidelines are "just recommendations."

Re:Laziness

[AuMatar]

Design guidelines are just recommendations. Frequently bad ones. A developer should design the best UI he can, not follow what Google says regardless of whether it fits. And most developer guidelines, Google and Apple both, are crap.

The problem is that the whole app movement has brought in a whole slew of crappy developers who's idea of coding is to search stack overflow or git for stuff to copy paste. They don't read it, don't understand how to use it right, and expect it to magically work. Worse half of the people writing that code fall into the same category, so its the blind reading the blind. If you pick a library off of github and assume it will work, you deserve what you get. Unfortunately your users don't.

These people have been around for a while (they used to be "web developers" and program by copy pasting big chunks of javascript). The problem is that on a phone they can do more damage. In a world where the number of quality programmers is fixed and far less than the demand for programmers, how do you fix it? Making it easier to program actually hurts, you end up with those crappy coders trying to do even more. Maybe its time to raise the barriers to entry for a while.

Re:Laziness

[dgatwood]

Code recycling is one thing, but not understanding what that code does when you put it into a production app or not following best practices is another. As Android gains popularity as a platform to develop for, we're going to lose quality as the new folks jumping onto the band wagon don't care how their apps work or look beyond the end goal. This mentality is already popping up with Android Wear developers who cram as much information as they can on the screen and claim that design guidelines are "just recommendations."

The exact same thing happens on every other platform, though perhaps to varying degrees. I refer to it as the Stack Overflow effect. One developer who doesn't know the right way to do something posts a question. Then, a developer who also doesn't know the right way to do it posts how he or she did it. Then ten thousand developers who don't know the right way to do it copy the code without understanding what it does or why it's the wrong way to do it. By the time somebody notices it, signs up for the site, builds up enough reputation points to point out the serious flaw in the code, and actually gets a correction, those developers have moved on, and the bad code is in shipping apps. Those developers, of course, think that they've found the answer, so there's no reason for them to ever revisit the page in question, thus ensuring that the flaw never gets fixed.

Case in point, there's a scary big number of posts from people telling developers how to turn off SSL chain validation so that they can use self-signed certs, and a scary small number of posts reminding developers that they'd better not even think about shipping it without removing that code, and bordering on zero posts explaining how to replace the SSL chain validation with a proper check so that their app will actually be moderately secure with that self-signed cert even if it does ship. The result is that those ten thousand developers end up (statistically) finding the wrong way far more often than the right way.

Of course, it's not entirely fair to blame this problem solely on sites like Stack Overflow for limiting people's ability to comment on other people's answers unless they have a certain amount of reputation (a policy that is, IMO, dangerous as h***), and for treating everybody's upvotes and downvotes equally regardless of the reputation of the voter. A fair amount of blame has to be placed on the companies that create the technology itself. As I told one of my former coworkers, "The advantage of making it easier to write software is that more people write software. The disadvantage of making it easier to write software is that... more people write software." Ease of programming is a two-edged sword, and particularly when you're forced to run other people's software without any sort of actual code review, you'd like it to have been as hard as possible for the developer to write that software, to ensure that only people with a certain level of competence will even make the attempt—sort of a "You must be this tall to ride the ride" bar.

To put it another way, complying with or not complying with design guidelines are the least of app developers' problems. I'd be happy if all the developers just learned not to point the gun at other people's feet and pull the trigger without at least making sure it's not loaded, but for some reason, everybody seems to be hell-bent on removing the safeties that would confuse them in their attempts to do so. Some degree of opaqueness and some lack of documentation have historically been safety checks against complete idiots writing software. Yes, I'm wearing my UNIX curmudgeon hat when I say that, but you have to admit that the easier programming has become, the lower the average quality of code has seemed to be. I know correlation is not causation, but the only plausible alternative is that everyone is trying to make programming easier because the average developer is getting dumber and can't handle the hard stuff, which while p

Re:Laziness

[Lennie]

It's the price that is driving this, when an app is free or just 1 dollar, this gives a lot of reasons to not spend a lot of time on it.

Re:Laziness

[Lennie]

Crappy developers usually means: uneducated developers.

They can get simple things done without understanding the whole system. That deliver something that sort of works. This makes them cheap labor.

Why do we need cheap labor, because of competition and a race to the bottom driven by consumer buying decisions.

In a talk by Gabe Newell from Valve said that a free game got you 10x more users and 3x more profit (they for example get some money from people selling items inside the game). Not that they use cheap labor, they actually do the exact opposite. But it is just to illustrate how price is important.

So free like the above is a profitable model, free and ad-supported might actually not be as profitable. I don't know how much money companies get for selling personal information. I assume it is more than the ads.

So how do you solve that.

I see a few possible ways:
- education
- create good open source libraries that prevent most of the bad things and cheap developers want to use.

Now comes the kicker:

Do you think HTML5-apps without any permissions by default on phones would be a better model ? :-)
That would be a model similar to Javascript-code running in the browser on the desktop where the user is asked to allow access to the camera when needed.

Actually, I do, but then again I actually do use a FirefoxOS phone to see what it is like.

A lot of the time the hardware is bit underpowered so it can be sold in countries that currently still have a large number of feature phones or people not willing/able to pay for more expensive hardware.

But still pretty impressive what they can get out of that cheaper hardware.

Re:Not surprised

Not surprised that android apps are full of holes. The whole android concept was designed to treat people like commodities in a way never before possible. The whole Ecosystem is *engineered* to have holes.

Posted from my iPhone

What alternative could be built?

[tepples]

How would an ecosystem be designed not to have these sorts of holes but also not to restrict what the owner of a device can use it for?

Re:What alternative could be built?

[EmperorArthur]

How would an ecosystem be designed not to have these sorts of holes but also not to restrict what the owner of a device can use it for?

Just look at the Xprivacy extension for rooted android phones. Even iPhones let you disable app permissions. What has Google done about the issue? They reduced permissions into groups so users couldn't even know exactly what their apps have access to any more. Oh, and block apps from writing to most of the external SD card, but they can do whatever they want to the internal one. Guess Google doesn't like privacy or SD cards.

Re:What alternative could be built?

Fine grained permissions. Try denying an app access to your contacts in Android. Good luck.

Re:What alternative could be built?

[stephanruby]

Oh, and block apps from writing to most of the external SD card, but they can do whatever they want to the internal one. Guess Google doesn't like privacy or SD cards.

That's just incorrect. For the internal memory, an app can't overwrite another app's private data, it can't even read it without special interfaces (assuming a non-rooted device). An external SD card on the other hand is deemed insecure by definition since it can easily be pulled out and placed into another device. So an external SD card was chosen as an easy way to store, share, and manage media files between different applications.

Re:What alternative could be built?

[djupedal]

How would an ecosystem be designed not to have these sorts of holes but also not to restrict what the owner of a device can use it for?

What..._and_ make money? Will you settle for 2 out of 3? But first, define 'restrict' and don't point to other platforms, thanks.

Re:What alternative could be built?

[Zaelath]

Mmmm, Android moved "unacceptable" into "not unusual" at the same time and said a lot more apps "require no special permissions", despite needing Device ID, GPS, and storage access. You know. For a torch app.

Re: What alternative could be built?

[EmperorArthur]

Internal memory and internal SD card are two separate things in Android. Internal SD card is simply a part of the internal NAND that the OS treats like a normal SD card. Many phones don't support external SD cards but have moderate amounts of storage, so they compromise.

I'm not sure I follow.

Many phones don't support external SD cards, but officially their apis still need to support external storage with internal SD memory anyway, otherwise they won't pass the Compatibility Test Suite.

The problem is that the internal SD card and external SD card are treated differently.

Android apps by default work off the internal SD card. It's actually a separate partition that's mounted at the same place as old phones used for external SD cards. You can't change the default to use an external card. You can't recover space from that internal partition.*

Here's the kicker. Now external SD cards are mounted somewhere else. (/mnt/extSD) The thing is that many apps don't work with the external SD card. Especially after the latest android release. With android KitKat apps with the, misnamed, external storage permission can read and write anywhere on the internal card. The problem is that now they can read anywhere on the external card, but can only write to a directory on it which is something like "/mnt/extSD/data/app.name" There are a few exceptions for system apps like the camera, but regular apps have to use this weird naming scheme.

It's actually a good security feature, but the fact they don't apply it to the internal SD card just seems to be Google deliberately moving people away from phones with an external SD card. Not cool.

*Without rooting, and knowing exactly what you're doing at least. No way a non expert is doing this.

Re:What alternative could be built?

[johanw]

" Oh, and block apps from writing to most of the external SD card"

SDFix to the rescue. Requires root but if you're running XPrivacy you already have that. It saved my Sygic installation after I upgraded to 4.4.

Re: What alternative could be built?

[johanw]

"Android apps by default work off the internal SD card. It's actually a separate partition that's mounted at the same place as old phones used for external SD cards. You can't change the default to use an external card."

Depends on the phone. I have a cheapass Android phone with only 4GB of internal memory, but it let me choose (out of the box, no root-only tricks here) wether I want the internal memory or the physical microsd card mounted as /sdcard0 or /sdcard1. The phone switches them if you like (and that is very reccommended with this little internal memory).

Re: What alternative could be built?

[swillden]

The internal "SD Card" is formatted with a Unix-style file system that provides access controls to keep apps from being able to access one anothers' data. External SD Cards are formatted with FAT32, because that's what the whole world expects. Unfortunately, FAT has no concept of ownership or permissions, so the path-based restriction is necessary to ensure that apps can't muck with each others' data.

Re:Not surprised

Not surprised that iPhone apps are full of holes. The whole Apple concept was designed to treat people like commodities in a way never before possible. The whole Ecosystem is *engineered* to have holes.

Posted from my Android phone

All software is full of bugs

[Tony+Isaac]

It doesn't matter if it is Windows, Mac, iOS, Android, or Linux, all software is full of bugs.

For that matter, all of everything constructed by human beings...is full of defects, or potential defects, or security vulnerabilities. Your house, for example. You have a lock on your front door, but it takes a thief just a few seconds to kick the door in. Or your car...a thief can break into it in seconds, even if you have electronic theft protection. I'd call those "security vulnerabilities."

It's the nature of all human creations, software or hardware, electronic or mechanical.

So what do we do? We improve security until it becomes "just secure enough" that we can live with the risks, and move on.

Re:All software is full of bugs

[Greyfox]

But we don't do that. We never do that. As developers, we hide our head in the sand until we absolutely can no longer ignore then problem, and then we say "Whoops! My bad!" As consumers we assume that professionally published software should be reasonably free of bugs or exploitable code. And people start being held accountable by law for their shitty software, the status quo will never change.

I was demonstrating to a shitty software developer the other day how all his input sanitizing routines were in the javascript front end to his web application and anyone bypassing the javascript could essentially have their way with the back-end database, and he told me "Oh you're making a back-end API call, no one will ever do that!" No one except the guy who's hacking your fucking system, jackass. People like that make me want to sign on as Linus' personal dick-puncher. Whenever someone writes some shitty software that pisses Linus off, I will find that person and I will PUNCH THEM IN THE DICK. Because I swear to god, that's what it's going to take. Congress is going to have to WRITE A LAW allowing me to HUNT PEOPLE DOWN and PUNCH THEM IN THE DICK over the SHITTY SOFTWARE they write. And when that day comes, with God as my witness, I will PITCH A TENT outside MICROSOFT HEADQUARTERS, and that will be the LAST TENT EVER PITCHED at MICROSOFT HEADQUARTERS!

Re:All software is full of bugs

[Greyfox]

My programming skills are debatable but I tested in the top 10th percentile for dick-punching. Here... let me show you...

Re:All software is full of bugs

[WaffleMonster]

For that matter, all of everything constructed by human beings...is full of defects, or potential defects, or security vulnerabilities. Your house, for example. You have a lock on your front door, but it takes a thief just a few seconds to kick the door in. Or your car...a thief can break into it in seconds, even if you have electronic theft protection. I'd call those "security vulnerabilities."

So what do we do? We improve security until it becomes "just secure enough" that we can live with the risks, and move on.

Who cares about the security of an untrusted and untrustworthy app in the first place?

What difference does it make if it was written by the most competent team of programmers in the world if while operating as designed still treats the end user with contempt?

Re:All software is full of bugs

[gringer]

For that matter, all of everything constructed by human beings

You might not be terribly surprised to know that our genes (and the genomes of pretty much everything) are also full of bugs. We have a whole raft of deleterious genetic variants in our DNA that are just waiting for the perfect time to activate and say "hey, you know that life thing? I can make it worse." On top of that, we have a few viral genomes in our DNA (possibly some that are still active), and rely on bacteria and mitochondria to provide us with energy required to live.

In other words, defective objects are the rule, not the exception.

p.s. hmm... I've only just realised how much I miss that handy login form that SoylentNews has to deal with accidental AC posts.

Re:All software is full of bugs

[jmv]

Software on Internet-connected devices is a bit different from your examples though. No matter how insecure cars are, it would be really hard for me to steal a million cars in one night, let alone without being caught. Yet, it's common to see millions of computers/phones being hacked in a very short period of time. And the risk to the person responsible is much lower.

Re:All software is full of bugs

[Solandri]

I was demonstrating to a shitty software developer the other day how all his input sanitizing routines were in the javascript front end to his web application and anyone bypassing the javascript could essentially have their way with the back-end database, and he told me "Oh you're making a back-end API call, no one will ever do that!" No one except the guy who's hacking your fucking system, jackass.

That actually happened in one of the online games I used to play. The game company decided to run a promotion where you filled out a short survey on their web site, and as a reward you'd be mailed a small prize in the game. Someone sifted through the code for the website, and found it was just telling the game server's database to mail the prize's item number to the player's account. He tried changing the item number and it worked. Soon he had dozens of the rarest, most valuable item in the game in his mailbox and was selling them for the RL equivalent of thousands of dollars.

Anyhow, this is why I've always scoffed at the title "Software Engineer". Real engineers sign off on their work, and can be held personally liable if their design turns out to be flawed and leads to damage, injury, or death. In some engineering professions (e.g. civil engineering), a notable failure can lead to losing one's professional accreditation, turning that expensive engineering degree into a worthless piece of paper. The software industry needs to decide if it wants to continue down this "anyone can write a program" wild west route, or if it wants to become a real profession with real standards and real consequences for failing to adhere to those standards. Just like anyone can write code, anyone can build and wire their own house, treat themselves for an injury, or represent themselves in court. But if you want to sell your services for doing these things you have to be licensed, and you are personally liable for any harm that comes from your work not being up to professional standards.

Code Academies

[Fnord666]

This is the sort of thing that you can expect when you put developers through a whirlwind coding course. They learn to use library after library without understanding the ramifications of their use. Need an ad network? Slap in a library. Need geolocation? Slap in a library. What you end up with are flashlight applications that want permission to read the low level system log. Then again, that's coding in the instant gratification world that we live and develop in today.

Re:Code Academies

[thegarbz]

I wonder what the opposite would look like.

Just imagine a world where you had no libraries and had to manually code everything. What would that world look like? No developers? No consistency for end users? Do you think security would be better when developers are forced to write more code?

Somehow I don't think the libraries are necessarily the problem.

Let's see the list of spyware

[Animats]

Let's see this list of spyware. Will Google kick them out of the Android store? Will the FBI prosecute the developers for "exceeding authorized access" under the Computer Fraud and Abuse Act? If not, why not?

Re:Not surprised

I'm really surprised that mine is the first comment to mention F-Droid.
Why does anyone install an app on Android that didn't come from F-Droid?

Games are underspecified

[tepples]

Why does anyone install an app on Android that didn't come from F-Droid?

I can think of two reasons. One is that someone might be using a hand me down Android device from the first year that AT&T sold Android phones, and these devices support only Google Play Store, not Unknown sources. But though I have a cousin whom this affects, I imagine few others are still on a Galaxy S 1 Captivate. A more common reason to use non-free Android apps is that free software has shown itself to be poor at producing compelling original video games. Free software works when there's a clear spec, which is true of libraries and productivity apps. But apart from maybe roguelikes, games are less specified up front unless it's a clone of an existing game, such as Aisleriot, Frozen Bubble, or StepMania. A non-free game's developer can afford to put more time into creating both the spec and the implementation.

Re:Games are underspecified

[sumdumass]

I can think of a third. I had no idea fdoid existed until reading these posts. Outside of rooting my phone ans removing a bunch of garbage, i never really looked for more than a few apps and i wont update those due to expanded permisions i find too intrusive.

That being said, now that i know, i will likely use it when i change phones again in about 2 weeks.

Re:Not surprised

[NotInHere]

When I've had no android, I've thought that too. But as I've purchased an android phone, I was quite impressed about the efficient and tight rights separation system of android. Don't misunderstand me: I didn't "activate" the play store app, as I needed to couple it with a google account. If you could install the free apps without an account I'd have tried it, but that way google had lost a customer. The next thing I was annoyed of was the samsung bloat, and the possible lock-in the case I really started to like one of those apps. I solved these two problems when I've installed CM and F-Droid. Of course, I can't install the fanciest whatsapp and so on, but at least I know my phone is truly mine (except for the baseband part), and that lock-ins are very hard. I was fascinated when I found out that every installed app has its own UNIX user assigned.

The rights separation in android is far more better than anything on the linux desktop. In X, every application can keylog me. In android, that's not possible. On the linux desktop, every application has access to all my files, including my .ssh directory.. In android, fs access is far more developed and limited. In linux desktop, every app has access to the webcam. In android, you can see which app has access. Of course, android could do better, perhaps by adding a "revoke right" option and an "always ask" option (osmand for example has a nice recorder feature, but most time I use it I don't need it so why does it have the right *all time*, rather let android ask for that permission the few times I need it), but right now it does best.

The most annoying features of the android ecosystem radiate from GAPPS, but almost none from AOSP.

Ignorance is bliss

[WaffleMonster]

TFA is being much nicer than Google and many app vendors deserve.

The whole ecosystem system is engineered to reward bad behavior /w complete lack of usable access controls speaking for itself.

They need only do the minimum required to keep all hell from breaking loose and too many people bailing on the platform as a result.

Re:Not surprised

[stephanruby]

Why does anyone install an app on Android that didn't come from F-Droid?

Aside from the fact that I don't like any of the games F-Droid has to offer.

It's because...

Wait for it, wait for it...

...I don't really care. Believe it or not, but not everyone is as privacy conscious as you are.

Re:Not surprised

[brantondaveperson]

perhaps by adding a "revoke right" option and an "always ask" option

You mean, just like iOS? Actually, Apple may very well have a patent on that which might explain why Google hasn't yet adopted this obvious paradigm.

Re:Not surprised

[Cryacin]

All the app developers want this for Christmas:

http://www.shutterstock.com/pi...

Load of ignorant crap

[janoc]

The entire article is harping on 3rd-party ad network libraries stealing personal data and phoning tracking info home. As these are libraries and developers are re-using open source libraries, then it follows that "Open source is no free lunch" and is stealing your data. What a majestic leap in logic!

They conflate open source libraries with various ad-network code stealing personal data, basically trying to portrait open source code as being responsible for it. Never mind that the ad-network code is almost never open source.

Granted, OSS is certainly not bug-free, but the spyware has little to do with it.

What a load of ...

Today: Researchers Blame Recycling of Code

[Tanuki64]

Tomorrow: Researchers Blame "Not invented here" mentality.

Instead of using tested standard libs, developers constantly reinvent the wheel.

Re:Not surprised

[JustOK]

True. --Posted from YOUR phone.

Re:Not surprised

[Dutch+Gun]

How many reasons would you like? F-Droid has about a thousand apps to the Play store's 1.2 million. You have to install it through side channels. Relatively few in the mainstream have heard of it. None of the apps that people's friends or favorite websites are talking about are available on it. A quick peek at some of the new apps listed on the front page reveal these potential blockbusters:

* A guessing game: try to guess a number between 1 and 100 in under eight tries
* A ROT-13 encoder/decoder
* An ASCII/Hex/Ocal/Binary converter
* Swimming distance calculator
* TI graphing calculator emulator (no ROMs included)

It surprises you that people aren't flocking to this in droves? Look, nothing against F-Droid. It's cool that people are doing this, but let's keep our expectations grounded in reality.