
Fifth of Android Apps Expose Private Data

CmdrTaco posted more than 4 years ago | from the that's-why-i-only-use-lynx dept.

Cellphones 286

WrongSizeGlass writes "CNET is reporting that a fifth of Android apps expose private data. The Android market threat report details the security issues uncovered. Dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mail and text messages, phone call information, and device location. 5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."

286 comments

Exposing private data (5, Funny)

flaming error (1041742) | more than 4 years ago | (#32665148)

I tend to expose private data after a fifth of scotch.

Re:Exposing private data (3, Funny)

Pojut (1027544) | more than 4 years ago | (#32665210)

I exposed your mom's private data last night...but it was too corrupted to be worth anything.

Zing!

Re:Exposing private data (5, Funny)

flaming error (1041742) | more than 4 years ago | (#32665668)

I hope you're joking. She's been dead for 12 years.

Re:Exposing private data (4, Funny)

Pojut (1027544) | more than 4 years ago | (#32665688)

That simultaneously makes my joke even funnier and makes me an even bigger dickhead.

No offense intended :/

Re:Exposing private data (5, Funny)

flaming error (1041742) | more than 4 years ago | (#32665756)

No offense taken. You're not a dickhead, just a guy cracking jokes. Like me. (My mom's not dead, and she approved my comeback. She's here in the basement doing laundry now).

Re:Exposing private data (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32665734)

Worms and maggots have eaten her through.
Just one more hole for us to screw.

Yoho Yoho Yoho.

Operative words (2, Insightful)

Pojut (1027544) | more than 4 years ago | (#32665170)

5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything

Emphasis mine. I'm not saying it's right that this could occur, but I operate under the assumption that anything I do online or with my phone is not private.

I think it's rather foolish to assume otherwise.

Re:Operative words (2, Insightful)

Mordok-DestroyerOfWo (1000167) | more than 4 years ago | (#32665250)

How is this any different from what apps on an iPhone can do? Last time I checked many of them had access to address book, text messages, etc. Sounds like FUD to me.

Re:Operative words (4, Informative)

Kristoph (242780) | more than 4 years ago | (#32665814)

IPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.

In many cases there is no way to access the content of another app (email for example).

It is also not possible for an app to make a call without user confirmation and it is not possible to send a text message at all.

Now this is, in fact, sort of a pain because I'd really like to build an app that sends or receives text messages but it does make for improved data security.

Re:Operative words (4, Informative)

mweather (1089505) | more than 4 years ago | (#32666098)

IPhone apps do not have access to email or text messages or the data in any other app except through a very well defined API that requires user confirmation in virtually all instances of data sharing.

As does Android. Th

Re:Operative words (1)

soupd (1099379) | more than 4 years ago | (#32666054)

How is this any different from what apps on an iPhone can do? Last time I checked many of them had access to address book, text messages, etc. Sounds like FUD to me.

Then you've never checked. A lot of developers have complained about the inability of apps to access user data, except in a few circumstances. This is by design. Indeed in iOS it's only recently been possible for apps to put appointments into the calendar, they still can't peruse and data mine it.

Summary is wrong and trolling (5, Informative)

recoiledsnake (879048) | more than 4 years ago | (#32665300)

From the summary:

5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."

Err, the mobile user was explicitly informed of this BEFORE the software is installed. Don't believe me? Check this screenshot http://www.taosoftware.co.jp/en/android/wakeupcallmaker/img/wakeupcallmaker_install.png [taosoftware.co.jp]

I guess someone has an axe to grind against Android (hint, hint) just because there were stories earlier about the iPhone revealing the exact location of the users to applications and ads.

Nothing against Android... (5, Informative)

msauve (701917) | more than 4 years ago | (#32665812)

...in particular. They're just selling anti-malware software for smartphones. [smobilesystems.com] They'll be glad to sell you protection for your RIM, WinMo, or Symbian phone, too. They're also glad to point out the danger you're in with those phones, too - lacking their product.

Re:Operative words (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32665388)

What they are saying is that 2400 apps can make phone calls without the user, and 960 can send out text messages - so it's likely a couple in there are malware designed to deprive you of your money.

And then they go on to say "Dozens of apps were found to have the same type of access to sensitive information as known spyware does". My My, DOZENS you say? But not hundreds, to suggest more than 100 of the 48 thousand apps available.

Now, how did they get this information I wonder? Is it because some of the Apps are open source? If it's open source, is it really a threat?

Re:Operative words (3, Insightful)

jeffmeden (135043) | more than 4 years ago | (#32665522)

If it's open source, is it really a threat?

Have you read the source to all the open source apps you use? If your answer is no, then the answer to your question is yes.

Re:Operative words (1)

somersault (912633) | more than 4 years ago | (#32665602)

It also doesn't say anything about whether the apps it mentions are actually malware rather than apps whose whole purpose revolves around being able to access your phone book and send texts etc.

Well, the summary doesn't at least. You didn't think I was going to RTFA, did you?

Re:Operative words (3, Informative)

sarysa (1089739) | more than 4 years ago | (#32665610)

They got the figures by mining information from each app via the Android Market, or through one of the many aggregator sites like this one. [androlib.com] Permissions are publicly listed, so that's how they came to their figures.

But yeah, it's incredibly misleading. The user is warned on install and at the bottom of the application's description in the Market.

Re:Operative words (1)

DJRumpy (1345787) | more than 4 years ago | (#32665906)

How specific is the warning? Does it state that the app may be able to dial without the user's permission, or send text messages without their permission, or is it a more generic "may access private data" type prompt?

It's amazing to me that Android users are so willing to trust total strangers in defense of their chosen platform. Such information, if published about Microsoft or Apple would have everyone lighting their torches, open source or not. I guarantee you that the vast bulk of app users do not scan every line of code in these apps for malware. Regular users wouldn't even know how.

Re:Operative words (5, Informative)

SighKoPath (956085) | more than 4 years ago | (#32666134)

As an example, here is the warning text from the most recent update to the Google Maps application:

This application has access to the following:
  • Your personal information: read contact data, write contact data
  • Services that cost you money: directly call phone numbers
  • Your location: coarse (network-based) location, fine (GPS) location
  • Network communication: full Internet access
  • Your accounts: Google Maps, manage the accounts list, use the authentication credentials of an account
  • Storage: modify/delete SD card contents
  • Phone calls: read phone state and identity
  • Hardware controls: record audio
  • System tools: prevent phone from sleeping, retrieve running applications

These are all displayed to the user in big orange warning text, with an OK/Cancel button below 'em. Every application in the market does this sort of thing, so the user knows exactly what every app is able to do. The article looks like FUD to me.

Re:Operative words (4, Insightful)

MikeBabcock (65886) | more than 4 years ago | (#32665844)

This PDF was the most useless crap slashvertisement I've seen in a while. They're trying to sell us their anti-spyware package for Android, by citing stats that are meaningless.

I have Handcent SMS installed. Of course it wants permission to send and receive SMS messages.
I have a remote bricking package installed so I can disable my phone remotely if lost or stolen, so it has those permissions legitimately too.

The key is verifying that the permissions a package requests seem reasonable upon installation.

For example, if your new kids fingerpaint program requires full internet access, contact list access and sms access, you might have spyware on your hands.
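An added example, not part of the thread or of the report it discusses: a sketch of the two ways of counting that the comments above argue over, a raw tally of apps holding sensitive permissions versus a check of each app's requested permissions against what its purpose plausibly needs. The permission names are real Android ones; the `EXPECTED` per-category baseline, the sample apps and their manifests are constructed assumptions, and the input is a decoded (plain-text) `AndroidManifest.xml`.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for attributes such as android:name in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
P = "android.permission."

# Permissions the thread singles out, with the wording of the install warning.
SENSITIVE = {
    P + "SEND_SMS": "send text messages",
    P + "READ_SMS": "read text messages",
    P + "CALL_PHONE": "directly call phone numbers",
    P + "READ_CONTACTS": "read contact data",
    P + "ACCESS_FINE_LOCATION": "fine (GPS) location",
    P + "INTERNET": "full Internet access",
}

# Assumption: a hypothetical baseline of what each app category plausibly needs.
# A real reviewer would tune this; categories not listed are allowed nothing.
EXPECTED = {
    "sms": {P + "SEND_SMS", P + "READ_SMS", P + "READ_CONTACTS", P + "INTERNET"},
    "maps": {P + "ACCESS_FINE_LOCATION", P + "INTERNET",
             P + "READ_CONTACTS", P + "CALL_PHONE"},
    "game": {P + "INTERNET"},
    "drawing": set(),
}


def make_manifest(package, permissions):
    """Build a constructed, decoded manifest for the sample apps below."""
    lines = ['<manifest xmlns:android="%s" package="%s">' % (ANDROID_NS, package)]
    lines += ['  <uses-permission android:name="%s"/>' % p for p in permissions]
    lines.append("</manifest>")
    return "\n".join(lines)


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def unexpected_permissions(manifest_xml, category):
    """Sensitive permissions requested that the app's category does not explain."""
    allowed = EXPECTED.get(category, set())
    return sorted(p for p in requested_permissions(manifest_xml)
                  if p in SENSITIVE and p not in allowed)


def survey(apps):
    """Return (apps holding any sensitive permission, apps with a mismatch).

    The first number is the raw capability count; the second only counts apps
    whose requests do not fit their stated purpose.
    """
    capable = mismatched = 0
    for _name, category, manifest_xml in apps:
        if requested_permissions(manifest_xml) & set(SENSITIVE):
            capable += 1
        if unexpected_permissions(manifest_xml, category):
            mismatched += 1
    return capable, mismatched


# Constructed sample data (hypothetical package names, not real apps).
SMS_CLIENT = make_manifest("example.smsclient", [
    P + "SEND_SMS", P + "READ_SMS", P + "READ_CONTACTS", P + "INTERNET"])
MAPS_APP = make_manifest("example.maps", [
    P + "ACCESS_FINE_LOCATION", P + "INTERNET",
    P + "READ_CONTACTS", P + "CALL_PHONE"])
FINGERPAINT = make_manifest("example.fingerpaint", [
    P + "INTERNET", P + "READ_CONTACTS", P + "SEND_SMS"])
TIP_CALC = make_manifest("example.tipcalc", [])

SAMPLE_APPS = [
    ("SMS client", "sms", SMS_CLIENT),
    ("Maps", "maps", MAPS_APP),
    ("Kids finger paint", "drawing", FINGERPAINT),
    ("Tip calculator", "utility", TIP_CALC),
]

if __name__ == "__main__":
    for name, category, xml_text in SAMPLE_APPS:
        odd = unexpected_permissions(xml_text, category)
        verdict = ", ".join(SENSITIVE[p] for p in odd) if odd else "nothing unexpected"
        print("%-18s %s" % (name, verdict))
    print("capable / mismatched:", survey(SAMPLE_APPS))
```

On the constructed sample, three of the four apps hold a sensitive permission but only the finger-paint app requests ones its category does not explain.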

What do you expect? (0)

Anonymous Coward | more than 4 years ago | (#32665176)

There's a lot of spyware out there for real computers, too. That's what happens when people can install whatever they want to.

Notifications (5, Interesting)

TyFoN (12980) | more than 4 years ago | (#32665178)

And you are notified when installing in red letters exactly what the application has access to.
News flash: 100% of your pc applications have access to your file system!

Re:Notifications (0)

Anonymous Coward | more than 4 years ago | (#32665244)

Mod parent up: The only people who should be surprised by this are people who don't bother thinking about what the bold red letters mean.

Re:Notifications (3, Funny)

Pharmboy (216950) | more than 4 years ago | (#32665332)

Not me, I want applications that can't read or write to files, OS API, video subsystem, ports or RAM. Programs that are properly designed to this are always safe. Every program that *doesn't* will always have some risk, no matter how well you code it. ;)

Re:Notifications (0, Redundant)

daveime (1253762) | more than 4 years ago | (#32665568)

Unfortunately, any application locked down that hard wouldn't even be able to ask you for permission.

Re:Notifications (5, Funny)

Kufat (563166) | more than 4 years ago | (#32665704)

A joke is trying to whoosh over your head.

Cancel or allow?

Re:Notifications (1, Funny)

Anonymous Coward | more than 4 years ago | (#32665722)

ha ha ha hahahahahahahaha

hahaha!!!

haha, well done.

Re:Notifications (1)

jbezorg (1263978) | more than 4 years ago | (#32666066)

What bugs me the most is that every programmer fails at these basic principles in safe programming. Even more importantly, these basic principles port to every known programming language.

Demonstration below ( enclosed in quotes ):

""

Re:Notifications (1, Funny)

Anonymous Coward | more than 4 years ago | (#32665306)

And you are notified when installing in red letters exactly what the application has access to.
News flash: 100% of your pc applications have access to your file system!

You need to be more sensational in this day and age. Let me give it a shot

100% of web-connected Android phones can download Child Pornography!

"AnonCWD is reporting that 100% of Android phones expose the user to child pornography. The Android web browser threat report details the security issues uncovered. Dozens of webpages were found to have the same type of access to child pornography as normal computers do, including access to CP films, drawings, and soundbytes."

That's how you get the pageviews!

Re:Notifications (1)

Itninja (937614) | more than 4 years ago | (#32665506)

Indeed. One cannot install the app without seeing that screen. Does the iPhone make the same disclosures?

Re:Notifications (5, Insightful)

somersault (912633) | more than 4 years ago | (#32665646)

100% of your pc applications have access to your file system!

Dozens of apps were found to have the same type of access to sensitive information as known spyware does

Dozens of children were found to have access to the same types of kitchen utensils that murderers use!

First Post! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32665182)

Cock sucking faggots!

- Sent from my Android -

Re:First Post! (3, Funny)

Chrisq (894406) | more than 4 years ago | (#32665264)

Cock sucking faggots! - Sent from my Android -

It would have been funny if you had said "Sent from your Android"

well well (0, Troll)

smitty97 (995791) | more than 4 years ago | (#32665186)

Suddenly the walled garden approach where apps go through an approval process doesn't seem so bad.

If only there was some phone manufacturer that did this..

Re:well well (5, Informative)

cduffy (652) | more than 4 years ago | (#32665248)

Err --

Android applications have flags indicating what they are and aren't allowed to do, and are cryptographically signed with those flags. What this study (presumably) did is just check which apps have which flags set.

Thing is, when you-the-user install an app, you're told exactly which flags it has set, and given the opportunity to confirm or deny. In short -- if you're installing a lighter-flame gadget which says it's allowed to read your address book and connect to the Internet, and you click "OK", you deserve exactly what you get.

(Also -- misbehaving developers can, and sometimes do, have their signing keys revoked).

Re:well well (0)

Anonymous Coward | more than 4 years ago | (#32665398)

Presumably?

From the "report":

As a result, SMobile has incorporated patent pending technology to use application permissions and other identifying attributes to determine what an application can do and subsequently, identify Spyware and other malicious applications..

Read the pdf [smobilesystems.com] ; it's quite entertaining. Apparently listing a certain set of permission flags as "OMG spywarez!!1!" is now a "patent pending method".

Re:well well (1)

Pojut (1027544) | more than 4 years ago | (#32665500)

So they are trying to patent software.

Yeah. Here's to hoping when the Supreme Court FINALLY releases a decision on Bilski v Kappos, that "pending" status is changed to "no way in hell" status.

Re:well well (0)

Anonymous Coward | more than 4 years ago | (#32665632)

If you refuse to install Android apps based on their unneeded permissions, you haven't installed anything besides Google's own apps. Ditto problem on Microsoft Windows. Applications used to assume admin privs. Now they embed a manifest flag requiring unneeded admin privs. Android apps do the same thing, minus sudo, because the phone needs to be rooted for sudo (or they would ask for it also).

Besides, this is worthless protection for any non-geek. Believe me, they click 'install' without even reading the warnings. I see them do it. My own father went one step further: he read it once, realized it was bogus, and now completely ignores the warnings.

Re:well well (1)

MikeBabcock (65886) | more than 4 years ago | (#32665920)

Most of the apps I have on Android (and I have a LOT installed) have very few or no permissions they don't need.

The one permission that crops up randomly is coarse GPS positioning, for the ability to embed location targeted ads to support their free app.

Re:well well (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32665252)

Yes, by God let's not have users decide whether or not we can install an app that accesses our own data.

Corporations know far more about what's appropriate for my data than I ever could...

Re:well well (1)

D'Sphitz (699604) | more than 4 years ago | (#32665268)

Wrong.

Re:well well (2, Interesting)

Petron (1771156) | more than 4 years ago | (#32665294)

It still looks bad.

As stated over and over here, you get warned in *BOLD RED LETTERS* "this app will want access to..." before you install. According to the article's posting, iPhone doesn't warn you.

There have been quite a few apps I declined to install because... why does a little game want access to my call history? [Cancel Install]

Re:well well (1)

TSRX (1129939) | more than 4 years ago | (#32665310)

Yeah I'm sure that walled-garden approach will filter out applications that expose your private data, like Facebook.

Oh. Wait...

Re:well well (0)

Anonymous Coward | more than 4 years ago | (#32665636)

Oh, no need to go to Facebook for an example of how the walled garden doesn't protect your data.

Nothing will protect you from a company that will misuse the data you give them. [consumerist.com] (And despite their claims, iDrive has not stopped this practice.)

Oh...and your walled garden does not warn you about what the apps might be accessing like Android does. You just have to trust Apple to protect you instead of being allowed to use your own judgment.

Re:well well (2, Insightful)

betterunixthanunix (980855) | more than 4 years ago | (#32665426)

"Suddenly the walled garden approach where apps go through an approval process doesn't seem so bad."

Yes, it does seem so bad. If it were just a question of certain apps being "approved," but users still having the option to install whatever they wanted, you might have a point (e.g. the repositories model for Linux distros). What Apple does is to say, "No, you cannot install that program, even if you want to, just because we said so! HAHAHAHA! No political cartoon apps for you!"

Re:well well (1)

Skuld-Chan (302449) | more than 4 years ago | (#32665438)

The "Android Marketplace" does a couple things automatically that solve this - without a walled garden approach. 1) when you install an app via the marketplace it TELLS YOU what the app has access to 2) User rating will inform users whether the app is worthless and 3) there is a report malware feature in the marketplace to inform Google to investigate the app. In other words - often the market can determine what stays and what doesn't.

This is just more FUD against Android - all platforms have this exact same issue - even Apple (more than once I've read about an app that was approved and everything collecting data against Apple's own TOS - good example of this is that company that told us all about iPhone OS 4 metrics they collected from Apple's own development phones).

Re:well well (1)

Dishevel (1105119) | more than 4 years ago | (#32665638)

It does seem bad. You are just too used to having someone else take care of you. Stand up for yourself. Take responsibility and enjoy freedom.

RE: Fifth of Android Apps Expose Private Data (5, Insightful)

D'Sphitz (699604) | more than 4 years ago | (#32665190)

My Evo tells me before I install an app what it will be able to do, I assume it works the same for all Android phones. It's hard to get worked up over an app that can access personal data, when you were told in big red letters that this app can access personal data, and you clicked ok anyway.

Re: Fifth of Android Apps Expose Private Data (1)

webdog314 (960286) | more than 4 years ago | (#32665788)

Granted, the average Android user is a step above the average Facebook user, BUT, that's pretty much exactly what Facebook apps do and the majority of users click right on through. While we might wish that the general public understood the most basic tenets of information security, they don't, and the Android marketplace is, after all, for (predominantly) the general public (or at least the business side of it, which is only slightly better when it comes to IS).

Re: Fifth of Android Apps Expose Private Data (1)

Issarlk (1429361) | more than 4 years ago | (#32666044)

Then obviously, for the greater good of all, we should forbid every Android App from reading the address book, or GPS data, or sim data. This would result in a new concept, I will name it the DumbPhone. It would be perfectly safe for the average Joe as the only app able to run on it would be fart generators and minesweeper. We don't let anybody play with dangerous explosives, or drugs because they might harm themselves or other people; why should we let anybody use dangerous Smartphones?

Re: Fifth of Android Apps Expose Private Data (1)

Chees0rz (1194661) | more than 4 years ago | (#32665978)

I find myself becoming desensitized to these warnings... Especially if I am updating, rather than installing for the first time. I used to make sure the "features/warnings" matched up with my expectations of the App; now, I either don't care, or it's a case of- "I don't think it means what you think it means"

The fault is on me. But it's an easy habit to slip into.

Most misleading article ever (5, Insightful)

Fnkmaster (89084) | more than 4 years ago | (#32665196)

A fifth of applications rely on *permissions* that you, the user, must explicitly grant when you install them, that *allow* them to access private information.

That does not mean they do access that information, or put it to any sort of untoward use. Android practically screams at you when you install applications that need a bunch of permissions. Generally, sure, you ignore that if it just says "Read/write SD card" for example. But if something suspiciously asks for lots and lots of permissions, you might say to yourself "gee, this looks a little funny".

If 10,000 other people have installed it and everybody rates it 5-stars and there are no issues mentioned with it on the web, you can probably guess that it's not doing anything nasty with your information.

But the fact that Android extremely explicitly warns you about these permissions means that the only issue in my mind is there should be a more intense distinction in the UI between permissions like "Read/write to SD card" that lots of apps need, and "Access my contacts" or "Send text messages" which only a smaller number of apps need.

Otherwise, this is basically a hatchet job.

Re:Most misleading article ever (0)

Anonymous Coward | more than 4 years ago | (#32665316)

Yeah, "hatchet job" would be a good way to describe this. They didn't even look at what the apps are supposed to do! For example, Handcent will need permissions to send and receive text messages, because, duh, it's a text messaging app. Social networking programs are going to need access to your contact info, and so forth.

Re:Most misleading article ever (0)

Anonymous Coward | more than 4 years ago | (#32665334)

No, it's not misleading. Do you understand what expose means? It doesn't mean to harvest that data, it means to make vulnerable in possibility.

What I've found is that Android's permissions system is all but useless. Even simple apps like a text editor request full phone privileges 9/10 times. The only permission that works is for superuser, because that informs the user as it's happening.

Re:Most misleading article ever (0)

Anonymous Coward | more than 4 years ago | (#32665622)

s/all but/nothing but/

Re:Most misleading article ever (2, Insightful)

DikSeaCup (767041) | more than 4 years ago | (#32665384)

If 10,000 other people have installed it and everybody rates it 5-stars and there are no issues mentioned with it on the web, you can probably guess that it's not doing anything nasty with your information.

The way my mind works - when I read this, I couldn't help but think: "What, if any, kind of permissions warning do you get if the app is capable of going on to the market as you and rating itself 5 stars in your name?"

Disclaimer for the humor impaired: Mind you this is more of a joke than a suggestion of something that's at all likely.

Re:Most misleading article ever (2, Informative)

jeffmeden (135043) | more than 4 years ago | (#32665888)

If 10,000 other people have installed it and everybody rates it 5-stars and there are no issues mentioned with it on the web, you can probably guess that it's not doing anything nasty with your information.

The way my mind works - when I read this, I couldn't help but think: "What, if any, kind of permissions warning do you get if the app is capable of going on to the market as you and rating itself 5 stars in your name?"

Disclaimer for the humor impaired: Mind you this is more of a joke than a suggestion of something that's at all likely.

His argument was laughable. You make the exact point that's needed; there is nothing to stop 10,000 genuinely happy, completely ignorant users from "loving" an app that makes fart noises while it secretly gathers contact lists or does other nefarious things completely behind the scenes. The users won't know there's a problem until it's too late; their private data will be in the wild. Then, all the 1-scores or "report app" dings that the app gets won't get their data back.

Assuming that a gaggle of non-experts can give you a good assessment of the security of the app is ludicrous. Maybe, if there were a "score by developers" rating where other registered devs that have looked at the code and given it a brief audit for security purposes, it would put my mind at ease a *little*.

Re:Most misleading article ever (0)

Anonymous Coward | more than 4 years ago | (#32665536)

That does not mean they do access that information

If they're not accessing that information, then why do they ask you to grant that permission? Surely the app makers know that their app will look less suspicious if they ask for fewer permissions? So I think it's fair to assume that they access the information.

Re:Most misleading article ever (1)

Dishevel (1105119) | more than 4 years ago | (#32665740)

Don't start telling people to use their own common sense! You FOOL! You are going to ruin it. Ok people. Listen up. I will run for office and will fight the evil Android Corp and make them lock everything down for you. I will pass laws to force them to protect you from yourselves. I will create a new government bureaucracy to approve every app. It will also create a new OS that can be protected from the user doing things that might be bad for them. I shall staff it with pros from Apple. You will love me for it.

Re:Most misleading article ever (1)

rednip (186217) | more than 4 years ago | (#32665752)

Most computer viruses rely on someone to install them; it doesn't mean that they aren't something to worry about. Also, while I'd have more confidence in applications which are already popular, wide distribution is no sure indicator of 'clean code' (free from virus and stable).

Re:Most misleading article ever (1)

MikeBabcock (65886) | more than 4 years ago | (#32665934)

If they wanted to be informative, they would've actually dumped the system logs on the phone and checked what the apps really are doing with the permissions they're given. This isn't at all hidden from the user if they know where to look, unlike say a good worm infecting a Windows PC.

I've got your malware right here (1, Funny)

Jeremy Erwin (2054) | more than 4 years ago | (#32665214)

Which apps require the BRICK permission, and do any of those conceal their intent from the user?

Re:I've got your malware right here (0)

Anonymous Coward | more than 4 years ago | (#32665480)

For anyone who thinks the parent is joking:

android.Manifest.permission.BRICK [android.com] - Required to be able to disable the device (very dangerous!).

I've always wondered exactly what classes and methods that permission enables...

(posting AC because the parent was worth modding Funny to other Android devs)

Re:I've got your malware right here (1)

djdanlib (732853) | more than 4 years ago | (#32665986)

Good one!

What happens when some not-so-savvy user gets an app, and the developer's info about the app says "Ignore the warning, that's a bug we're fixing in the next version"... hmmmm

Re:I've got your malware right here (1)

MikeBabcock (65886) | more than 4 years ago | (#32665962)

Remote bricking is very useful if you want to disable a phone if it's lost or stolen.

You could also have a deadman's switch app that bricks the phone if it's not activated with a password every so often (useful if the phone's thief knows enough to shield it from SMS messages).

Needs to be clarified (4, Insightful)

AdmiralXyz (1378985) | more than 4 years ago | (#32665216)

Whenever you install an application on Android, you're given a list of permissions the application wants to have in order to run, including accessing your data and making phone calls. You have to explicitly agree to this list before the app is installed. Is CNET saying that a fifth of Android apps can get your data, despite those permissions not appearing in the list? Because if they're not, this is a pointless "Well, duh" story: the user was told what the application is doing. If they just breeze through and click "OK" when that's clearly inappropriate (i.e., a tip calculator really shouldn't be requesting access to your call log), that's their damn problem.

Smobile systems has developed technology... (0)

Anonymous Coward | more than 4 years ago | (#32665258)

THIS IS AN SMOBILE AD!

Re:Smobile systems has developed technology... (0)

Anonymous Coward | more than 4 years ago | (#32665442)

SMobile Security Shield, $29.99 seems like a fair price to protect yourself from the problem SMobile made up ;)

HAVE THE ABILITY TO EXPOSE!=EXPOSE (1, Insightful)

schon (31600) | more than 4 years ago | (#32665262)

1. So because something has the ability to do something, that means that it DOES do it?

Logic. Submitter fails it.

2. When installing apps that have the ability to expose private data, the OS explicitly tells you beforehand and asks if you're sure.

While unscientific, everybody I know with an Android phone takes these warnings seriously. Yes, you still have the dancing bunnies problem, but in my experience most people don't expect a phone to work like a desktop, and the security awareness is higher as a result.

Congratulations on a flamebait article though.

Re:HAVE THE ABILITY TO EXPOSE!=EXPOSE (0)

Anonymous Coward | more than 4 years ago | (#32665766)

Congratulations, you have redefined the meaning of the word 'expose.'

expose
-verb
1. to lay open to danger, attack, harm, etc.: to expose soldiers to gunfire; to expose one's character to attack.

Maybe you should look into reading a book before critiquing a person's writing. You remind me of the retards on Slashdot who assume stealing is synonymous with theft.

Re:HAVE THE ABILITY TO EXPOSE!=EXPOSE (1)

jeffmeden (135043) | more than 4 years ago | (#32666010)

Too much faith in Cnet, he is guilty of.

It was the Cnet article that made the leap from the report, which stated "x number of apps have the ability to access information in a way that could be harmful to keeping it private", all the way to "20 percent of android apps expose your private information". Actually, both of these things are true since they never really said to what the information was exposed to (in this case, it's simply the internals of a third party app).

Seems like you fail at over-reaching. Smobile started it, Cnet ran with it, Slashdot wound it up into a flame-filled frenzy, and you slam dunked it with "1. So because something has the ability to do something, that means that it DOES do it?" which no one ever specifically said was the case (they said it was possible).

I knew what I was getting into. (0)

Anonymous Coward | more than 4 years ago | (#32665288)

In fairness all the apps they list have to ask for permission to perform any of the activities they mention during the install phase. So it's not like people could accidentally install one of these, probably just a third party who wants to spy on the user for whatever reason. Additionally even though the permissions they are talking about can be used for nefarious purposes, 99% of the apps that request them do so for good reason (one of the apps in the paper performs functions similar to Apple's find my phone service), and I suspect that they still count those apps in the 20% of insecure apps count.

I guess it comes down to a choice between security and openness, I personally prefer the freedom to do whatever I want with my devices. It falls on me not to allow people I don't trust access to my phone, or indeed any of my stuff. Admittedly a lot of those apps won't function on the iPhone but at the same time they lose a lot of useful functionality. There are also instances where Apple's tight grip on the app store will benefit the customer (such as if any malware ever shows up on it) and times when it will put them at a disadvantage, so choose your poison.

One feature that probably should be added to Android is if an app requests certain security features (perhaps any of the orange ones) then the user would have to authenticate to install that app. At least then you would avoid people installing this specific type of spyware behind your back.

Submission: iFlameWar, Episode n (0)

Anonymous Coward | more than 4 years ago | (#32665392)

Why hello, WrongSizeGlass of the 'gives iPads to web designer's family' fame. Whilst the submission may be interesting, I cannot avoid querying your motives. But putting that aside, I'm not that convinced with the white paper either.

Smobile systems, the authors of said whitepaper, sell security software for mobile devices [smobilesystems.com]. They therefore have the clearest possible vested interest in producing documents that overstate whatever they can in order to trigger alarmist histrionics. All they seem to have done here is an 'automated analysis' checking out which apps have permissions that could allow them to perform certain actions. They haven't apparently chosen to take the useful step of checking what proportion of apps actually do, meaning that what they've done is the equivalent of saying:

"2.1 million Americans work in payroll or accounting. This means that up to 1.5% of all Americans could be involved in corporate accounting fraud! Concerned? Buy our Anti-Fraud(TM) corporate services!"

Virtually meaningless.

A decent review from the Register: http://www.theregister.co.uk/2010/06/23/android_security/ [theregister.co.uk]

Re:Submission: iFlameWar, Episode n (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32665764)

Dear AC,
I submitted this story because I found it interesting, not because I agreed with its conclusions nor those of the 'threat report'. I also attempted to submit the 'iOS/Safari gives away your location' story yesterday but I had the same source/URL as someone who had already submitted it so it was rejected. Keep in mind I only passed along the link and copy & pasted content from the CNet story. If you think someone is being biased you should point an anonymous finger at CNet or the folks at smobilesystems. You should have submitted your decent review [theregister.co.uk] as a submission rather than just dropping it in a post.

Are all security vulnerabilities being exploited? Of course not. That's true for Android, Linux, Apple and even Microsoft. Had they changed the name from 'Android' to 'Apple' you would have been standing on your anonymous soapbox deriding Apple for it. Yes, Android alerts users and requires their approval when these apps are installed just like Apple alerts users and requires their approval before any location data is provided to an app. Does it mean that either or both platforms are insecure because they can provide this type of information when the user blindly agrees? Yes and no. If the app uses it for the wrong purpose then yes. Can and 'do' are completely separate things. The same holds true for Windows when it asks if it's OK for an app to run, etc.

I've submitted plenty of stories (my favorites were 20 Worst Superheroes [slashdot.org] and Tactical-Nuclear-Penguin-Beer [slashdot.org]), about half of which have been accepted. That doesn't mean I endorse them, it only means I thought others might find them interesting too.

Though I did give an iPad to my web designer's kids for 'half Christmas' it doesn't make me biased. My posts are usually opinionated but fair, usually pro Linux, pro or anti Apple (depending on the subject) and usually (but not always) anti Microsoft. Though I'm sure you already know that if you're following my posts enough to quote from them.

Look to the source (3, Insightful)

TheBogBrushZone (975846) | more than 4 years ago | (#32665416)

This report is hardly independent. If you ignore the CNET reporter looking for controversial pulp to post on a blog you'll find that this report comes from smobilesystems, a little-known mobile security company who conveniently have a new piece of Android security software to sell that will stop all these non-existent rogue spyware apps. You can argue all you want that users install these apps with full knowledge and consent. They know that it's BS; they just want to use FUD to convince the unwary and paranoid that their software (which if it actually does anything, probably just checks the installed apps against a package name blacklist) will keep them safe from an imaginary raging torrent of malware on the Android platform.

user granted it (1)

farble1670 (803356) | more than 4 years ago | (#32665424)

if the apps have access to sensitive information, it's because the app requested the information and the user granted it. every android app must declare the set of permissions it requires, and that list is presented to the user *before* they install the app.

also, as other posters have pointed out, the fact that an app has access to sensitive data does not mean it exposed the data.

SHOCK! (0)

Anonymous Coward | more than 4 years ago | (#32665428)

"SMobile Systems concluded in its Android market threat report. "

    "SMS Spy was labeled and is detected by SMobile’s Security Shield as spyware."

SMobile sells a $30 Android app and releases a FUD whitepaper. ...

PROFIT!

So it's the perfect platform... (1)

shikaisi (1816846) | more than 4 years ago | (#32665444)

... for Chatroulette?

bogus interpretation (1, Informative)

Anonymous Coward | more than 4 years ago | (#32665450)

The CNET interpretation of the study is bogus. It counts every app requesting full call permissions as potential spyware phoning home, and every app requesting full address book access as potential data-collecting trojan. Following this reasoning, every Windows program -- which can do pretty much anything with the data on your PC -- is a dangerous piece of potential malware.

Android apps may request permissions only in bundles. Just because an app requests, say, full address book access for updating some address data, doesn't mean it spies on your contacts. It doesn't even mean it actually uses the granted API calls at all.

Re:bogus interpretation (2, Interesting)

ZenDragon (1205104) | more than 4 years ago | (#32665706)

While I am not going to spread the FUD and agree wholly with the statements of vulnerability, I would have to ask why ANY app would need "Full Call Permissions" in the first place? Furthermore, why would Android allow that at all? There's no reason why any of these apps need some of the access that they are requesting. For example; why does Dictionary.com request "Phone Calls" access? I'm not one to cry foul without proof, but I do believe there does need to be some oversight in the Android market to prevent apps from requesting unnecessary access.

Apple FUD (2, Insightful)

mpapet (761907) | more than 4 years ago | (#32665524)

The story is a PR plant by one of Apple's minions. They are taking a big negative with the iPhone, (no access to some phone functions) and turning it into a win for Apple.

To be fair, Apple's minion doesn't hire the story out and then attempt to sell it to the media. A few weeks ago Jobs claimed the Droid was a porn magnet or something like that... This is just more of the same ideological offensive.

The way this works is Apple's PR people go around making the case for their product, in those discussions are carefully constructed factoids like "their apps *can* do Bad Things (TM) with your private data!" Then some enterprising writer fills in the rest of the FUD perfectly willing to blow-up the half-truth in exchange for a closer seat in the Jobs Reality Distortion Field.

Re:Apple FUD (0)

Anonymous Coward | more than 4 years ago | (#32665968)

Now you've done it. The black helicopters are coming for you, man!

It's just information folks (0)

Anonymous Coward | more than 4 years ago | (#32665560)

I think the point of the article was to inform the audience that caution should be exercised when installing apps from the android market. Almost the same as caution should be exercised when installing software off of the internet onto a PC. Just because an app notifies you that it's spyware doesn't mean that it's not a good idea to inform users to watch out. People have gotten so used to just clicking through dialog boxes without reading and this article might be a good way to get people to slow down and really watch out for the crap they install on their android devices.

Funny, I haven't seen many articles like this for apps on the iTunes/iPhone app store. Just sayin...

I wanted to install an app... (3, Insightful)

Rhaban (987410) | more than 4 years ago | (#32665574)

I wanted to install an app that managed sms, and it asked for permission to access my messages!

It goes without saying that I immediately canceled the installation.

A misleading slashadvertisement (5, Insightful)

Random2 (1412773) | more than 4 years ago | (#32665614)

If you actually RTFAs' source, you'll see that this smobile systems company is using these statistics to try and sell a dependency checker.

Also, I saw no mention that these 'leaks' are derived from sources other than what the user allowed.

In short, Not news.

This is the problem with lamescream media (1)

bteed (1832400) | more than 4 years ago | (#32665644)

The whitepaper that they referenced is really pretty objective, it makes all the same points that commenters are making here (despite trying to sell you their brilliant new malware detector). A reporter reads it, uses a line or two from it, and makes a scary story. I have to give them credit for linking to the original source, though, sometimes you have to go digging through Google to find out how much they're really telling you.

Sixth major app found to expose data as well (3, Funny)

noidentity (188756) | more than 4 years ago | (#32665680)

I was using my Android today, and I discovered that it was exposing a huge amount of private data. Basically, it was transmitting a digital copy of all sounds that it picked up from its microphone, to some remote party. I couldn't believe this. More amazingly, it was triggered very simply: just dial a phone number and hit Talk. Sometimes it even occurred when I hit Talk just after the phone beeped. Nothing more was necessary. I can't believe they let this slip through.

Re:Sixth major app found to expose data as well (1)

Dunega (901960) | more than 4 years ago | (#32665912)

Yes! We must put an end to the phone call application on all of these phones! They are a major source of privacy leaks!
Well done. :)

Re:Sixth major app found to expose data as well (1)

jeffmeden (135043) | more than 4 years ago | (#32666038)

This would have been funny if not for your epically bad subject line, which suggests that you thought the article was about *five* apps that expose data.

Re:Sixth major app found to expose data as well (1)

noidentity (188756) | more than 4 years ago | (#32666194)

Bah, I didn't read the article or much of the summary. I've never even had a cellphone.

Watch out (0)

Anonymous Coward | more than 4 years ago | (#32665728)

Watch out for apps that request more access than necessary for its functions. If I need to install a News Reader app and while installing the Android OS tells me it requires access to my Call log, Ability to make calls and what not - I don't install the app.

And I find that only a few apps in the Market place ask for reasonable permissions. Most ask for way more than is strictly necessary. So be warned.
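The check discussed in the comments above (compare the permissions an app declares at install time with what its function plausibly needs), as an added example that is not part of any poster's comment. The manifest is constructed and the per-category baselines in `EXPECTED` are assumptions; as several posters point out, a declared permission shows capability, not use.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed sample: decoded manifest of a hypothetical news reader app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <application android:label="News Reader" />
</manifest>"""

# Permissions behind the capabilities named in the story summary.
SENSITIVE = {
    P + "CALL_PHONE": "place calls without user action",
    P + "SEND_SMS": "send text messages",
    P + "READ_SMS": "read stored text messages",
    P + "RECEIVE_SMS": "intercept incoming text messages",
    P + "READ_CONTACTS": "read the address book",
    P + "ACCESS_FINE_LOCATION": "read precise device location",
    P + "READ_PHONE_STATE": "read call state and device identifiers",
}

# Assumption: what each app category plausibly needs. Tune per review policy.
EXPECTED = {
    "news_reader": {P + "INTERNET", P + "ACCESS_NETWORK_STATE"},
    "sms_manager": {P + "READ_SMS", P + "SEND_SMS", P + "RECEIVE_SMS",
                    P + "READ_CONTACTS"},
}

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (n.get(ANDROID_NS + "name") for n in root.iter("uses-permission"))
    return {name.strip() for name in names if name}

def audit(manifest_xml, category):
    """Split permissions beyond the category baseline into sensitive/other."""
    excess = declared_permissions(manifest_xml) - EXPECTED[category]
    return {
        "flagged": {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE},
        "other": sorted(p for p in excess if p not in SENSITIVE),
    }

if __name__ == "__main__":
    for category in ("news_reader", "sms_manager"):
        report = audit(SAMPLE_MANIFEST, category)
        print(category)
        for perm, why in report["flagged"].items():
            print("  FLAG", perm, "-", why)
        for perm in report["other"]:
            print("  note", perm, "(outside baseline, not sensitive)")
```

The same manifest yields three flags when reviewed as a news reader but only `CALL_PHONE` when reviewed as an SMS manager, which is the distinction the thread keeps returning to.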

20% 100% (0, Troll)

yyxx (1812612) | more than 4 years ago | (#32665768)

First of all, 20% have the ability to access private data on Android. Now, 20% is less than 100%, which is what you effectively get on other smartphone platforms. On the iPhone, effectively 100% of apps have access to your private data.

Now, those 20% of applications don't "expose" private data, they have access to it. Most of them do because they need it. Some do because the programmer screwed up and asked for more than he needed; such apps tend to get punished in the ratings.

Android has a good architecture, security and otherwise: it's clear, simple, and actually alerts people to what their applications are doing. iPhone/iOS is primitive and obsolete in comparison.

Re:20% 100% (4, Insightful)

joh (27088) | more than 4 years ago | (#32666190)

First of all, 20% have the ability to access private data on Android. Now, 20% is less than 100%, which is what you effectively get on other smartphone platforms. On the iPhone, effectively 100% of apps have access to your private data.

I think you'd be surprised to find that to most private data NO apps have ANY access on the iPhone... They're mostly limited to their own data and to the net and there are only very few APIs to access anything else. Android may be cautious and transparent, but iOS is paranoid.

In the long run I very much doubt that the "flagging and informing" of Android helps here. It's good for shifting the responsibility over to the user ("You clicked OK after all, you dumb fuck!"), nothing more. The difference between Google and Apple is that Google thinks this is enough and Apple doesn't. I have not made up my mind yet about who's right. But I know one thing: Half of the population is beyond average intelligence.

In other news... (1)

demonbug (309515) | more than 4 years ago | (#32665770)

80% of Android apps not working as designed.

FUD (4, Insightful)

gedw99 (1597337) | more than 4 years ago | (#32665870)

Fear, Uncertainty & doubt is all this article is doing
http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt [wikipedia.org].

As many people have pointed out the security permissions model in Android is very good.

You can't have fantastic apps without allowing them access to other data.
And so that's why the security permission authorization screens are there.

It's so dumb this article, because you can't have your cake and eat it too.

It pisses me off when journalists write a piece like this LL because it gets headlines.
Hey CNet, get a life and stop taking backhanders from Apple or Microsoft. Just a ridiculous article in the first place.

80% of people retweet hysterical headlines! (1)

rcnut (1840430) | more than 4 years ago | (#32665916)

Unfortunately it looks like this article has already set off a bit of a firestorm in twitterspace, and I doubt that many of those people actually read the report and understood it. That would take more time than is allowed to post 140 characters.

Android and IOS are dead, long live Blackberry OS (1)

kbdd (823155) | more than 4 years ago | (#32665918)

The more I read about Android and iApple OS, the more I like my Blackberry :)

Do you really want me to say those 4 words?? (0)

Anonymous Coward | more than 4 years ago | (#32666090)

I TOLD YOU SO!

This is why Mr. Jobs is so controlling over his iPhone. I'll never make the switch. I'm always gonna have an iPhone, just as long as Apple keeps making them. I feel safe.

95% of users are users... (1)

kbdd (823155) | more than 4 years ago | (#32666116)

Studies have shown that 99.5% of users click on OK boxes without reading the 15 pages of material that clicking OK makes them agree to. I conducted that study this morning while reading these posts, so it is well researched. This is clearly a problem, and I have no idea what the solution, in the larger sense, could be. Apple has the advantage in that their customer base is mostly composed of people who like to do what they are told and are not interested in finding the boundaries of what they can do and extend beyond those (another well researched study field of mine...), therefore Apple has been able to place significant constraints on what their users can do without too much backlash. By purposely limiting their available market to those, they have been very successful and are making a ton of money. That is not a strategy of world domination, in terms of market share, but it is financially rewarding. Not a bad strategy.