Slashdot Mirror
Uber's Android App Caught Reporting Data Back Without Permission
Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
How about Google does something about it? Like remove the app and takes Uber to court? I'm sure they can find a few terms in the app developer contract that they have violated.
If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.
Tangentially, does anyone know of a procedure on Android which enables you to spoof your personal data and activity (at least as far as apps are concerned)?
Example: your name is Dorothy and you're in Kansas clicking your red ruby slippers together, but all apps see you as Toto, living down in Africa, blessing the rains.
After reading the actual article, this seems unlikely. The app wouldn't have access to SMS information for example, unless it was given permission to do so by the end user. I really hate articles with no technical information to back them up.
If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.
Nobody knows about permissions. People just press "Accept".
Because some idiot decided to strip the security out of Linux to make Android. No Android app is safe, auto updates of a safe app can make it unsafe with no notice to the user. They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.
the shit is a privacy and malware nightmare.
This article is just fabricated by big money to protect there transportation rackets
or you know its true
either way i don't care since it doesnt affect me
Privacy backlash as Twitter starts to snoop on EVERY app users have on their phone
I just went to the google play store page for Uber, and checked the permissions the app requires. It includes:
Read your Contacts, take pictures, status and identity, modify system settings, read google service configuration, and a host of others.
So, based on this (admittedly limited) information, it doesn't seem to be bypassing google security so much as utilizing the proper channels to claim superior access to the user's phone.
And in this, it is not alone. The majority of apps on the play store require all these permissions, and google will not give users explicit control over these permissions for two reasons:
1) Users will break their own apps and then google will take the heat for it (you KNOW this will happen, a LOT)
2) Vendors will hate the sandbox that users put them in, and google will take the heat for that (and lose a lot of free apps that represent a competitive advantage for google).
I am not saying this is right, but this is a natural response to the incentives google faces.
what the fuck are you talking about?
Summary: I found a function called InAuthManager.getInstance().sendSMSLog(this.val$transID) so it must be sending all my SMS messages to their servers.
The reality is that it is probably sending a log of SMS activity that were initiated through the Uber application.
Android isn't "allowing" the app to do anything, it acts like every other Android app. The .manifest defines what capabilities it has, when you install an app it tells you exactly what it's capable of doing.
You're absolutely right, no app should be able to access your "call logs or other personal data" unless you give "explicit permission." The problem is that, seeing as how you obviously ignored the stated permissions in the first place, it's no surprise that you obviously ignored the licensing for most of these apps, a great number of which require you to hand over all that information just for the privilege of using it.
So yes, you're right. No app should be able to take your personal information without your consent. That isn't what's happening. The problem is that you're giving them your consent by using the software, you're just too lazy and ignorant to bother actually reading the legal terms, to take the five seconds or so it takes to scan the list of capabilities and permissions the app supposedly "requires" to run.
You hand the stuff over to them, you have nobody to blame but yourself. You certainly can't blame Android for "allowing" it because it doesn't "allow" it unless you EXPLICITLY ALLOW IT YOURSELF. The Uber app isn't a virus, it doesn't install itself through some unpatched exploit. It straight up tells you what it can do and asks you if you want to install it. Unlike the iPhone it even tells you EXACTLY what the app CAN do, so you should know full well what it COULD do long before you installed it. You choose to ignore that information? You get what you deserve. Truth hurts, I know, but blaming Android for your own, personal failings and naievety makes you look really fucking stupid.
It was an eyeopener to see some apps that were misbehaving or just outright being illegal. My flashlight app now only controls the LED on the rear, and cannot see any of my private details - and they earned themselves a 1-star review..
- This sig deliberately left blank. Nothing to see, move along.
This revelation will change nothing, even if they're fined, since Uber has already decided to flout regulations and ignore fines for doing so. And they'll simply ignore any ramifications that come from this.
Nobody knows about permissions. People just press "Accept".
The why does the summary say otherwise? According to the summary, the app is accessing data which it explicitly doesn't have permission to do.
OK, so I want to use their taxi service, but their app demands permissions it obviously doesn't need. Android gives me an option of installing it or not installing it.
Now what do you suggest I do?
Android's permission model is completely broken. It's the Windows of the modern world.
The original post doesn't actually look at the traffic with Uber's servers, only at some suggestive method names from decompilation. He indicates that his next post will be a good one though, so everyone is drawing the obvious conclusion.
As an aside, this is probably a good time to mention that you could upgrade your phone to something like CyanogenMod, and then disallow Uber from using most of the permissions that it requests. If they are sending any of that info from my phone, then it'll look like I have an empty call log, empty sms log, etc.
Well, the problem is apps ask for every damned permission just in case, and give little explanations as to why. That whole permission which says "this can cost you money" ... WTF does that mean? In what context?
And the other thing is Google won't give the ability to have discrete permissions on apps, or come back later and revoke some. I frequently get annoyed because I can't think of a single reason why an app actually needs a given permission.
Now, if the app can access this stuff even if it has no permission -- then, yes, this is indicative of the fact that security in Android is crap to begin with.
I've said for a while, what I really want is the ability to go into an an app, and selectively turn off individual permissions. And the ability to click something which says "revert permissions to requested".
It's my damned device, I want control over it.
But, am I really surprised that every app is likely accessing far more than it should because greedy corporations feel entitled to it? No, sadly, not at all.
I have no interest in Uber. But hearing this, I have even less -- because they're either shady, or incompetent. Neither of which is good.
Lost at C:>. Found at C.
Uber is not a storage site. It is an alternative to taxis.
You either accept all permissions, without explanation, or you can't install the app. Android needs to give people the ability to deny individual permissions, without having to root your phone and install Cyanogenmod or the like.
and tweaked the punctuation a bit, from "Don't Be Evil" to "Don't, Be Evil!"
BTW, am I the first one to notice that Uber is an anagram of "Rube"?
You look beautiful! Incidentally, my favorite artist is Picasso.
Of those that notice this piece of news, nobody will care enough to uninstall the app.
The people that do care are already using something like CyanogenMod's privacy guard, or XPosed XPrivacy module.
Uber is not a storage site. It is an alternative to taxis.
Yeah, but Taxis only gives you 10GB of storage for free, whereas Uber gives you 25GB.
Your options are:
1) Uninstall it, get on with your life.
2) Decide this is so important you don't care about your privacy
3) Root your device and install something which gives you granular control.
From what I've been able to ascertain, rooting my first gen Nexus 7 is hit and miss, and I've not yet decided to take that step.
Me, I've mostly decided I need fewer apps, run my tablet in airplane mode most of the time, and would rather use a web browser than most apps.
As you said, Android's permission model is completely broken. Which means I've mostly decided I don't trust what it's telling me.
Lost at C:>. Found at C.
We sure are lucky, pay-phones weren't able to legally block the introduction and use of cell-phones. From what I hear, we weren't quite as lucky with horse-drawn carriages being obsoleted by autos — but sanity prevailed.
Now the traditional — licensed — taxis are being obsoleted by Uber and the likes and that is a good thing, even if the taxi industry and the rent-seeking city halls don't like it.
All, that cabbie-licenses told you, was that the local town considers the driver (if it is even the same man!) and his car to be compliant with its requirements. Well, Uber does the same sort of vouching for you, the consumer. And they are able to provide that guarantee faster and at (much) lower cost. Sure, there are cases of Uber-drivers going bad, but it happens to taxis too.
In Soviet Washington the swamp drains you.
They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.
Or they (google) made android such that it was more easy to spy/track people. User-friendliness has nothing to do with tracking. Why do games need access to call logs, need to launched at android startup, need access to your contact list? None. Yet, 90% of the top-downloaded games in the play store need access to your private data. Google is evil since they allow this without doing anything about it.
Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.
Then don't install the app.
Problem solved.
Sheesh. I swear people are like 2 year old kids: "but i WAAAAAAANTT it! I want it NOOOOWWW!"
Cyanogenmod does give users permission control, and the One Plus One phone that comes as standard with it, is selling very very well. Outselling Googles own Nexus.
Google tested fine privacy controls, similar to Apples, they had an app, it was there but not shown on the control panel, then it was removed in the next version. Saying it might break apps, yet Apple provide it and companies live with it.
Nobody reads those EULA, and it can't be considered as permission to give away privacy. What about the apps on my tablet that it came with, that I never installed? never accepted their EULAs? I just find they are there and give themselves permission? I never even got the chance to read their EULA. (Stuff like SilentLogging, and DMALawMo, CarrierIQ a lot of spyware is still pre-loaded on these phones).
You make excuses for Google, but they recently removed ad-blocking and anti tracking software. What is there excuse then?
https://gigaom.com/2014/09/09/google-yanks-privacy-app-disconnect-less-than-24-hours-after-allowing-back-into-play-store/
It's just business. They make billions learning all about you, and privacy is the counter to that so they act against your interests in regard to privacy.
Your apologist excuses for them, are nothing but excuses.
The hubris of Uber will be its undoing. They are quickly and loudly showing their true colors. One could only hope that enough drivers wise up to the Uber mafia and organize a labor stoppage to teach them a lesson in free market economics.
Don't install it.
You'll be okay. There are other ways to get a taxi. I promise.
My mom has an android tablet and whenever we check what an app (mostly games) asks for, it's astounding. Why is a game asking for contacts, call logs (ok, in her case not a problem), and other info? some info like geolocation is fine (at the limit), but Google really should do a big cleanup.
Say what you will about iOS, but being more restrictive about what an app can fetch is not a bad thing.
I've got better things to do tonight than die.
Turn off your sarcasm filter.
Google didn't create Android, they backed it and later bought it. The original developers thought users were too dumb to use Linux, so they dumbed it down by stripping the security out of it to make it user friendly.
Terrible. Who woulda thunk it?
As part of the app approval process developers should be required to explain why they want certain sensitive permissions, such as access to contacts, messages etc. Google should then deny approval of apps that overreach in terms of permission requests.
If the app does not have permission to access these personal data, then why is Android giving it access? The solution to privacy is not trust, but robust security. No app should be able to access my call logs or other personal data unless I give explicit permission.
Don't worry, just call it Snowdenware and it's all good. Information wants to be free! And when it isn't free, it's free for someone to take and use. Edward showed the way.
....This is the one reason I am sticking to iOS for the foreseable future.
And no, it does not break apps when you deny them access. The way it work is like this: says you donwload and install super uber crap chat app X. You tap the button to send your friend a picture. It asks for permission to access your pictures, you say yes, then it asks for permission to access your mic. You say no. Well the thing proceeds to accessing your pictures, not caring you denied it access to your mic.
Of course if later you try to send a voice message, then it will fail since you blocked access to the mic. You can always go back and change it. And while you are at it decide to block access to your pictures, no problem.
Does this mean you are more "safe" from the prying eyes of corporations? No. Apple spies on it's users as much as Google does. I do however, feel a little better knowing I did not give away my private life to a corporation just to get access to a flashlight app.
But in the grand scheme of things, it does not really matter since they all share and sell the information gathered to a 3rd party that has built profiles on all of us.
does this really surprise anyone?
Incorrect analysis by the original blog. Please see this nextweb article which clarifies
http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/
Uber wants "Uber über alles!"
Google has deliberately made it impossible to install an Android app and then subsequently block it from phoning home. This is possible under every other operating system that runs on a Linux kernel, but they've not provided this user choice on Android.
We are given only two choices, either install an app and kiss your privacy goodbye, or don't install the app at all.
Google are extremely hostile to user privacy, and this is just one more example of it.
Nextweb clears up why the blog might be misleading
http://thenextweb.com/apps/2014/11/27/ubers-app-malware-despite-may-read/
When you install an app on Android you're displayed a list of permissions that the app is asking for. If the user agrees and installs the app then you would consider that permission. I'm sure most users do not expect an app of this nature to do accessing this kind of data, but they should be more aware of what permissions they're allowing when they install the app (or update when new permissions are requested). I'm not condoning this kind of behaviour but just pointing out that that this post is incorrect in it's explanation.
But you need to "Root" your phone.
See: http://repo.xposed.info/ for info on installing the Xposed framework which basically places a hook into the main event loop of Android where Xposed modules like XPrivacy can watch, block or "lie" to most of the rest of the Apps running within Android.
XPrivacy is available here:
http://repo.xposed.info/module...
And BTW, iPhone Apps are not any better about this stuff like phoning home and spying on you unless they are rooted and modified. It is just that the greater openness of Android platform ersus iOS makes it easier to spot. But that also means that there are more and better countermeasures.
If you want to be shocked take your phone place it in WiFi only mode and then use network packet sniffer on all the data flying by like tcpdump or wireshark while using apps on it. You will then realize that you the purchaser of the device does not "truly own" that device as it is delivered.
You can also replace the stock Android OS with Cyanogenmod:
http://www.cyanogenmod.org/
to gain better control of your device.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
So yes, you're right. No app should be able to take your personal information without your consent. That isn't what's happening. The problem is that you're giving them your consent by using the software, you're just too lazy and ignorant to bother actually reading the legal terms, to take the five seconds or so it takes to scan the list of capabilities and permissions the app supposedly "requires" to run.
The text from TFA is as follows: "and your SMS and MMS logs, which it explicitly doesn't have permission to do."
What permission in the list of permissions asserted in the manifest grants SMS and MMS log access? Does it access your google account and download data from a backup? How is it doing it? Name the permission which enables this activity.
You hand the stuff over to them, you have nobody to blame but yourself. You certainly can't blame Android for "allowing" it because it doesn't "allow" it unless you EXPLICITLY ALLOW IT YOURSELF.
I'm not down with blaming the victim when a platform has been intentionally engineered to fuck over users.
The Uber app isn't a virus, it doesn't install itself through some unpatched exploit.
If facts asserted by TFA are correct it is spyware.
You get what you deserve. Truth hurts, I know, but blaming Android for your own, personal failings and naievety makes you look really fucking stupid.
Would love to know which permission explicitly grants SMS access.
... and it wants to be the Facebook of transportation. "We're collecting all this data to help us make your user experience better. Don't like it - use someone else. Oh wait - we actively sabotage the competition 'cuz we got $1.5 billion thrown at us by crazy investors."
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
If this is your default answer, you're going to have a bad time.
The problem is with the permissions model of Android. "allow access to make phone calls" also means can see all metadata.
That's a big WTF right there.
There are two types of people in the world: Those who crave closure
He said make not create.
It's all on Google for continuing this clusterfuck for a decade or so.
Because Android. No, seriously, because Android. It's got terrible security. There are phone OSes out there that properly let you select each individual permission for native apps to the point where you can deny access to phone logs but permit access to your instant messages. They even run the Android apps, although because Android sucks, they can only tell you the permissions the app wants and let you choose whether you'd like to run the app or not, rather than individually selecting what the app would have access to if it ran.
Too bad everyone here figures that the OS which does this is incredibly insecure for some reason and that the CEO is basically begging for mercy. Sucks to watch slashdotters be morons over and over again, and to watch them prop up such a shit OS successfully. :(
It's a real phone alright. It's even connected to the wall a lot of the times, after it hilariously runs out of battery.
Welcome to the world where capital rules. Dont say communism is better, its the world where crazy old alcoholics rule.
Hands up who is surprised by this? Anyone?
I'm sure a little careful digging in their TOS/EULA and you'll see that you already agreed to give all your secrets to them.
Seven puppies were harmed during the making of this post.
Contacts: For splitting fares with friends, inviting friends to use Uber
Phone: To call your Uber driver or for them to call you
Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning
Wi-Fi Connection: Checks if you have internet and attempts to use the WiFi name to help determine your location
Device ID and Call Information: Allows access to your phone number and a unique ID for your device
Identity: Allows Android users to sign in and pay with one tap (using the Google Sign-In and Google Wallet services)
Photos/Media/Files: Uber says this is to “save data and cache mapping vectors.”
http://thenextweb.com/apps/201...
CyanogenMod and many other ROMs let you control this stuff. I have never found an app that broke due to the CyanogenMod privacy manager. I can't see how it would break because all it does is mock dummy responses for all of these things.
Google do not care, 99.9999+% of the people using the applications do not care. Those that do simply do not use these applications.
Probably because android has all-or-nothing, non-granular permissions where you have to grant the app access to everything it requests, or else it's 'no app for you!'
If the app wants to access to your contacts, accounts, phone history, photos, camera, messaging, mail, you give it access or you don't get to install it.
It's a stupid, dumb, and poorly thought out implementation and google should (?) know better.
I just deleted my uber app and will use left going forward
No Android app is safe, auto updates of a safe app can make it unsafe with no notice to the user.
Patently not true. If an app needs new permissions in an update it must be explicily accepted by the user.
Google didn't create Android, they backed it and later bought it. The original developers thought users were too dumb to use Linux, so they dumbed it down by stripping the security out of it to make it user friendly.
I don't really understand how this is 'true'. Linux security doesn't isolate process disk data from each other, anybody can read any part of the disk under the same user, which in practice is all apps a user use because they all run under the user's account. Android has a far *better* security model in this respect because it puts different applications in different users, so they can't get at each other. Also, permissions for system information is far more granular in Android than plain Linux, in Linux you just look at /proc whereas Android has to actually get types of permissions for sensitive data.
Good apps become malware upon update without any notice. It's been in the news and here iirc.
Google is evil since they allow this without doing anything about it.
Not sure why uber is being singled out, because many, many apps do the same exact invasion of privacy.
Not really. Google actively wants this crap because they are an advertising company, and their entire business model depends on destroying all privacy everywhere (except for the privacy of their proprietary database of your private information). If they put in real security for privacy settings for other people's apps, then Google can't track you either.
It's my damned device, I want control over it.
That sinking feeling when the Google and Apple we all praise (fractions add up to a whole even if individually we meet in fanboy flamewars here), follow the new normal: we are the PRODUCT, not the consumer. Why accommodate US if it won't make them more cash? This is what happens when the slippery rope can't even be invoked because the system is designed from step 1 so all of us rope-walkers start at the bottom end of the rope, trying to climb up.
To us who come from Linux's rpm mirrors or open-repositories world, App stores are control freak traps. Amazon Kindle's, Windows 8's, MacOS's... it can be IMPOSSIBLE to just get a direct download link to an installers from them. This takes our self-management and multi-device control away, even for FREE apps. That should be a dead giveaway that something is fishy. These control games happen even if you sign in, and you need root to just retrieve an APK file from google's filesystem for easy reinstall. When you DO NOT want to be forced on a new device to get that one new version, or the app has been *pulled* (flappybird), you're only safe if you hoarded the old one. And we have no good choice.
It's a bit like the political systems, where all parties give you the same end result, but you still want to perpetuate the feeling of personal choice and keep voting for one, because abstinence is shunned and / or feels dumb.
On my old Android phone (2.2), if you move apps to an SD card and try to migrate to a bigger card without some serious hoops, the apps just disappear from your dashboard. No idea if this got fixed in 4.x, but it's one more reason I am not jumping to buy a replacement phone just yet. Google's track record for fixing policy "bugs" is not good. And I don't trust technical John Smith EndUsers out there to put pressure to fix those policies, because their mentality is akin to "buy more X" or "go somewhere else"
They are over-charging scumbags with dodgy drivers, why would you want to use them? Don't support them until they sort their act out.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Every AT&T android phone comes with this preinstalled.
Have a look what Citrix Worx asks for (certifier of your phone, so you can look at your work email). Device & app history
retrieve running apps
read sensitive log data
Mobile data settings
change/intercept network settings and traffic
Location
precise location (GPS and network-based)
Photos / Media / Files
modify or delete the contents of your USB storage
test access to protected storage
Camera / Microphone
record audio
Wi-Fi connection information
view Wi-Fi connections
Device ID & call information
read phone status and identity
Other
press keys and control buttons
read frame buffer
close other apps
update component usage statistics
force-stop other apps
modify secure system settings
view network connections
connect and disconnect from Wi-Fi
full network access
run at startup
read battery statistics
control vibration
close other apps
set wallpaper
install shortcuts
uninstall shortcuts
modify system settings
pair with Bluetooth devices
draw over other apps
If only there were a technology which enabled permissions to somehow be enforced by the operating-system itself...
I didn't. But, then, Uber leaching all the contact information of someone I know still is fucking me over. Oops.
Congratulations on your myopic vision of problems. I presume your solution to the problem of contract killers is to just not hire one.
Nice ad hominem/strawman there. There's nothing about wanting something that wasn't offered or instant gratification. What is being discussed is potentially abusive permissions as a norm that most apps don't abuse but enough do.
Whether this ends up just being that people stop using the Uber app and similar apps that are caught being abusive or it starts moving towards a technology method to aid people who want to opt out of this abuse or to an opt in approach that really should be the norm (my opinion, of course), the whole point only appears precisely because of "people ... like 2 year old kids" who call out Uber on the point. If it were merely that people who noticed stopped using the app without telling others, I doubt you or most people would even think to not install Uber based on its insane permission requests.
But, then, "Problem solved"! So, why are you here, again, bitching about other people?
Because some idiot decided to strip the security out of Linux to make Android. No Android app is safe, auto updates of a safe app can make it unsafe with no notice to the user. They took the safest OS there is and made a Frankenstein POS out of it to make it user friendly.
Android is *NOT* Linux based, it is merely Linux hosted. Android is its own OS, its own environment. As such Android is perfectly free to have less or *more* security than Linux. There was no stripping security out, there was only how much security to build into this new and independent environment.
There is a way for apps to jump through some hoops and access Linux (NDK) but only about 25% of apps (last I read) do this. For the vast majority of Android Apps and Android Developers they are just like Android users. They don't see or use Linux at all. If Android were to be updated to host on BSD these users and developers would not know or care. Of the remain 25%, many of their apps would still compile and run. Many use standard *nix calls, nothing Linux specific like most FOSS software.
If only there were a technology which enabled permissions to somehow be enforced by the operating-system itself...
Well, blackberry did that 10 years ago.
Unfortunately, no one seems to care about real phone security.
Apparently you are not familiar with SELinux.
The real "Libtards" are the Libertarians!
The problem with being able to allow/deny individual permissions is the app developers now have 2^n configurations to test, instead of just one. Which is either going to lead to a much higher testing cost, or apps which are buggier when run with less than full requested permissions.
I just deleted my uber app and will use left going forward
Uber will keep your information in their system ntil you specifically request for your info to be deleted. The only way to do this (that I found) is by digging into their website for the correct email address.
Just check - every thread about "nextweb" and its analysis that this blog is incorrect is modded 0 points.
This thread is modded 0 points.
Your note is modded 0 points.
Apparently "sharing the real facts" and "debunking the hysteria" is modded down.
Discussions about how Google/Android are bad, permissions aren't granular, uber is bad, uber has a German name so they must be worse still, etc... those are modded 4-5.
Happy thanksgiving.
Mods - go meta-mod your "peers". They are out of control.
E
E
Sorry but they don't have a Taxi service. Taxi's are licenced and regulated by municipal authorities which means among other things that rates are regulated and such niceties as insurance is sorted out. Your literally rolling the dice with Uber.
Yes. But if the app won't install without it, it won't install without it. It is really your choice. You are not entitled to use a service where you aren't a real customer.
In most other environments, VMs took care of this crosstalk. Many people won't download anything except to the dedicated copy of VM, it's pretty much 1:1 - VM and app, and this effectively takes care of malware, stealing data, tracking (revert to snapshot), etc.
I didn't take hard look at Android platform, so I wonder if there are hard obstacles to running VM layer that would isolate apps and enable multiple personalities.
Welcome to the world where capital rules. Don't say communism is better, its the world where crazy old alcoholics rule.
One thing about old-style Soviet communism - old alcoholics become dead alcoholics a lot quicker. Or they're "retired".
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
You know what, eff uber. They can keep my data. They're not getting any more of my money.
When you suck Google's frothy cock, THEY KNOW IT.
That's their business.
The fuck are you thinking? Why in the name of Natalie Portman's grits would Google ever try to stop Uber from collecting data unawares?
Good thing you don't use a computer where the kernel doesn't randomly delete your personal data or post it online. I mean, you're not entitled to use a piece of software "where you aren't a real customer [who can be fucked over at will without recourse or basis for complaint]". Because obviously giving software permission to hypothetically do something is tantamount to asking for it and certainly if software does do such things, well, you knew all along it was possible and have no reason to complain.
Easy, start screaming at Google to pull it's bloody finger out and make a much needed modification to permission to differentiate between unlimited permissions and user confirmed permissions every time a request is made, plus the opportunity to change this on the fly. Add in logs for access, that the user can readily confirm in order to change permissions if they don't like them. Send them emails, blog nasty things about them and stop installing apps until changes are made.
Chaos - everything, everywhere, everywhen
This app just popped up on my wife's phone, wanting to update itself. I had no idea what it is, so Googled it... "SuperSU is a Superuser management tool for rooted devices". "SuperSU Brings Better SuperUser Root Permission Management to Android" I still don't have a clue as what I would actually do with such an app. Everything I read about it just leaves me more confused. I have two questions - what is it doing on my wife's phone, that I recently did a factory reset on, and 2.) Would this app somehow allow one to control permissions of apps after installation? http://www.addictivetips.com/m... https://plus.google.com/+Chain...
Poor app developers might actually have to spend time testing their apps.
My heart bleeds for them.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Apparently you are not aware that it's almost never used to provide the degree of isolation Android uses by default.
I wonder if not providing fake info was a concession to bring CyanogenMod in line with the Android CDD so that it can ship alongside Google Play Store on the OnePlus One phone.
If an app needs new permissions in an update it must be explicily accepted by the user.
Recent changes to Google Play Store's permission display mean that a new permission will be automatically accepted so long as the new permission is in the same group as a permission that an app already has. Predictably, Slashdot users female dogged and moaned about it.
Android is *NOT* Linux based, it is merely Linux hosted. Android is its own OS, its own environment.
And now you know why Richard Stallman was right about calling the familiar desktop and server operating system "GNU/Linux". Android has a completely different userland on top of the same Linux kernel that underlies GNU/Linux.
It'd be nice if apps had a base set of privs then expanded sets that could be allowed on install or later by request to the system/user.
That's already possible in current Android. Offer one app in Google Play Store that needs a small set of permissions, then offer other apps in Google Play Store that act as content providers for the main app. For example, there might be a "Swype" keyboard app that needs only the input method permission, a "Swype auf Deutsch" app that adds a German dictionary, a "Swype Local" app that adds nearby businesses to the dictionary (which requires the location permission), and a "Swype Knows Your Name" app that adds your contacts to the dictionary (which requires the read contacts permission). If they're all digitally signed by the same publisher (such as Nuance), they can share data structures intimately as if they were one app.
Also it'd be nice if the privileges were a lot more restricted, like "Use Ad Service to show you ads" instead of "Use Internet"
The example you give is not possible unless you want all ad-supported apps in Google Play Store to move to a single monopoly ad provider. If you whitelist communication with one hostname, that host could act as a proxy to access any other host.
iOS 8 also introduces replacement keyboards. If the OS forbids apps from enumerating contacts, how does the user go about adding contacts' names to the keyboard's spell check dictionary?
Please don't use left going forward, it's really confusing for the drivers behind you.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
For the old farts who knew the world prior to it being online 24/7, the solution is an easy one.
Get rid of the damn phone.
Get a basic phone you can pull the battery out of if you must have one to travel with, but drop the surveillance device. . . erm . . smartphone.
Until the folks who create them can get the permissions models right and truly give the end user the ability to lock them down, don't use them.
I have an old Iphone 4. It's served its purpose pretty well but every time we turn around now you hear nothing but how App X is doing something it shouldn't be. How App y is accessing and transmitting everything it can learn about you.
Want to see something fun ? Fire up a sniffer setup to watch all the wireless traffic on your network, then boot your phone and not just how many sites your phone talks with. Then note how the majority of that traffic is encrypted so you'll have quite the hard time figuring out just what is being sent out.
I've been kicking around the idea of upgrading my phone but recently, I've been tossing around the idea of just getting rid of the smartphone thing com
thieves. Gordon Gecko style thieves.
Today I learned that the internet just found out that mobile app permissions are terrible. All the platforms suck, iOS, Android, and Windows. All of them have too many too-wide permission groups.
.. Is this not a fault with the permission and security model of Android i.e. Google rather than Uber??
I do not use Uber, but based on everything I have heard on this company's business practices, treatment of it's drivers, threats made to journalist, and now learning that the app is scraping every bit of data possible from people's phones I have to ask "Why are you using this app? Is it really that much better than calling a cab?"
Yes yes very sarcastic of you... You're comparing a specialised Linux niche with what is available on all Android devices that exist. I'm looking at default Android against default Linux.
The trouble is Android's permission model is crap. If an app has a feature that requires a permission the app may need at any point in the future, it has to be approved by the user at install time, and the app cannot control how the permissions are described or even explain to the user why it needs that permission. And lots of innocuous permissions are bundled up together non-granularly with scary dangerous (or dangerous-sounding) ones, so the app only needs EraseBunnyDrawing permissions but to get that it has to request KillFamily permissions, which doesn't actually mean kill *your* family, it means kill a process family, but all the user sees is "Permission to kill family members without warning" and OH GOD WHY DOES AN APP ABOUT DRAWING FLUFFY BUNNIES REQUIRE MY FAMILY TO DIE?! THIS APP SUCKS!!!!!!1111!!!!!oneoneonetyone1!!!
And then the story hits TechCrunch, where it's summarized so that it sounds like there have been actual deaths of family members, and then the mainstream press and the Today show start calling the app developer asking "Why are you a horrible person whose app killed little Stacey's favorite uncle?? :( :( :("
And all because Google can't get security UI right.
-- Old Man Kensey
So, they did strip the security?
Just a little reminder: a program on your linux system can read everything the user can read. Android apps need to ask for permissions (of course, they ask for a lot, but they still need to ask).
The problem is on the other hand, that most apps are spyware, as we called it when people still used PCs. And nobody cares anymore. On the PC we did not install programs, which did more than they should. on the mobile phone it's just normal.
Good thing you don't use a computer where the kernel doesn't randomly delete your personal data or post it online. I mean, you're not entitled to use a piece of software "where you aren't a real customer [who can be fucked over at will without recourse or basis for complaint]". Because obviously giving software permission to hypothetically do something is tantamount to asking for it and certainly if software does do such things, well, you knew all along it was possible and have no reason to complain.
If you have gotten said computer for free or heavily subsidized because of such a scheme, and it is impossible to start using it without explicitly agreeing to such a scheme, then yes that is the product you have chosen.
Its about time for the cops to do their job. A pretty clear case of breaking and entering and theft of personal information that the law says Uber is not entitled to take unilaterally. A federal investigation of potential civil rights violations may also be in order, once it is determined exactly what Uber was doing with all this surreptitiously collected data.
Shame that's not the scenario being discussed nor how it works. The computer isn't free or heavily subsidized. The OS (Android) is, though. Yet you don't explicitly agree to a scheme involving the risk of random data loss or information leakage. Meanwhile, in Windows land where you actually pay for the OS there's an EULA that one does explicitly have to agree to and specifically does indemnify them against data loss--although information leaks are another thing, even there.
So, false analogy is false. And arguing that a program being free or subsidized and having the implicit ability to fuck you over because of explicit permissions without explicit warnings--and honestly, I don't consider an EULA an explicit warning even though it might legally count as one*--is obviously bullshit because clearly it being a paid product wouldn't change anything so long as one implicitly or explicitly agreed to being potentially fucked over, at least according to your fundamental logic. I mean, what part of having to pay for something guarantees that a product can't be intentionally malicious?
No, being free or very cheap can potentially indemnify a person/organization against some forms of redress for neglect or accident, but nothing indemnifies or guarantees against malicious activity per se except written/verbal contracts or law and hence provides protection against redress. Nothing about implicit ability to act malicious indemnifies against unexpected explicit acts of malicious activities--look no further than larceny and conversion. Contracts have limited ability to indemnify against malicious activities and fall into the scope of "meeting of the minds"*. In short, no.
*There tends to be a real failing of "meeting of the minds" in most EULAs, so beyond the point that forcing a contract on a person post purchase/acquisition may generally void said contract (as logically it amounts to people being to at will foisted contracts on you that you have to explicitly reject, be it on the street in leaflets or whatever), there's the real point that one may avoid the EULA and still run the software (which so long as there's no DRM shouldn't be a DMCA violation) and limiting technical people to avoid foisted contracts seems legally dubious... That courts have argued that a "full refund on rejecting an EULA" somehow validates an EULA seems as preposterous as the leaflet example. I imagine it only a matter of time, for cases like this, to really make judges reconsider how much they will allow implicit authority to override clear intent of which most people mashing to accept an EULA hardly applies any more than people mashing to allow an app to install where permission to act is almost universally a useless measure of expect real worst case explicit act.
Most of these permissions are for facilities that may not be available, let alone permitted, under real-world conditions. GPS might not be available where you are, the contacts database might not be available, network access apart from port 80 might be unavailable.
This isn't the same as screen size of hardware chipsets, this is runtime allocation of OS resources -- you always have to check to make sure that the OS can give you them, and then handle failures gracefully.
Don't blame me, I voted for Baltar.
I arrived in Guadalara, and "Poof!" there was an email from Uber announcing they now have service in Guadalajara. I'm going to uninstall their app now.
I guess the perspectives are different. Some people consider the extreme user data tracking and ad targeting that Google does for "malicious", others see it as the deal that pays for being able to use free Google services.
Except the catch is that extreme user data tracking without notification IS malicious and can't reasonably see it as a deal when it's not clearly given implicitly--you hand the data over to the company to engage in a search or usage of the service--or explicitly--there's clear notice that the app will track all sorts of data "including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware". There's simply nothing about Uber that necessitates any of that information to fundamentally function and if Uber wants the information because it perhaps can allow them to do a better job or target ads or whatever, there should in fact be a "deal" where the user is made aware and in more than the "grant you all possible permissions" since clearly not *EVERY* app that has those permissions does the same thing.
In the end, the fault is not that Uber is attempting to extract this information or benefit from it. It's that users weren't notified and certainly a part of the reason why is precisely because there are those who would have preemptively avoided Uber if they had known. The rest? Well, then your argument would actually fly and this article would be non-news.
I was alluding to the fact that Android is based on GNU/Linux, and Linux has permissions built into the core. Fair point though.
Aside: apparently there's not much GNU code in Android. Interesting.
Except the catch is that extreme user data tracking without notification IS malicious and can't reasonably see it as a deal when it's not clearly given implicitly--you hand the data over to the company to engage in a search or usage of the service--or explicitly--there's clear notice that the app will track all sorts of data "including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware". There's simply nothing about Uber that necessitates any of that information to fundamentally function and if Uber wants the information because it perhaps can allow them to do a better job or target ads or whatever, there should in fact be a "deal" where the user is made aware and in more than the "grant you all possible permissions" since clearly not *EVERY* app that has those permissions does the same thing.
In the end, the fault is not that Uber is attempting to extract this information or benefit from it. It's that users weren't notified and certainly a part of the reason why is precisely because there are those who would have preemptively avoided Uber if they had known. The rest? Well, then your argument would actually fly and this article would be non-news.
If you agree that Google services (email, search, etc) then are malicious, then we agree on this definition. Because the amount and detail and cross-correlation of data between multiple sources and means that they track on their users absolutely don't have the informed consent on part of the user that you describe.
UBER is VERY CLEARLY REPEATEDLY applying RACKETEERING CRIMINAL BEHAVIOUR to induce surreptitiously user to use their service.
THEY should be target of FEDERAL RACKETEERING INVESTIGATION a nth the list of FELONIES and FEDERAL CRIMS just KEEPS ON PILING UP....
It doesn't like knowing my phone is rooted - but then slap on Root Cloak, and it happily rolls over and lets me tickle it's underside.
I think this might be my main annoyance - ridiculously intrusive, and yet pretty dumb.
Google Play has majority market share on smartphones now. If Google flexes this market power to play kingmaker in the mobile advertising market, I can think of at least one competition regulator that might step in.