Android Data Stealing App Downloaded By Millions

CmdrTaco posted more than 4 years ago | from the nobody-is-safe dept.

Cellphones 335

wisebabo writes "A wallpaper utility (that presents purloined copyrighted material) 'quietly collects personal information such as SIM card numbers, text messages, subscriber identification, and voicemail passwords. The data is then sent to www.imnet.us, a site that hails from Shenzen, China.'"

Thats it! (3, Funny)

socz (1057222) | more than 4 years ago | (#33070346)

I'm going back to winmo where it's "Safe!"

Re:Thats it! (1)

Skatox (1109939) | more than 4 years ago | (#33070494)

LOL!!!

Re:Thats it! (1)

stanlyb (1839382) | more than 4 years ago | (#33070982)

Noooo, not LOL, but ROFL ROFLS ROFL.

Re:Thats it! (0)

Pojut (1027544) | more than 4 years ago | (#33070784)

It's sad because it's true :(

Re:Thats it! (1)

arkane1234 (457605) | more than 4 years ago | (#33070812)

It's sad because it's true :(

No, it's not true. It's only that no one looks out for those things on winmobile.
With as many free apps that change your wallpaper, etc, for winmo you can believe it's rife with it the same.
It's amazing that anyone would think it doesn't happen...

I'm confused... (4, Insightful)

mcgrew (92797) | more than 4 years ago | (#33070376)

A wallpaper APP? Why would you need an app? It can't just display a jpg as wallpaper?

Re:I'm confused... (1)

jsnipy (913480) | more than 4 years ago | (#33070400)

it can

Re:I'm confused... (1)

allusionist (983106) | more than 4 years ago | (#33070454)

Of course it can, but less tech-savvy phone owners won't realize this. They're the targets.

Re:I'm confused... (3, Informative)

socz (1057222) | more than 4 years ago | (#33070464)

This is what confuses me:

The wallpaper app asks for permission to access your “phone calls,” but that isn’t necessarily a clear warning.

When I started learning android, one of the first programs I made was literally just text and a color background right... and it still asked for permission for calls! I was like hrm, maybe I got a tampered with version of the SDK? But that is why I'm just like *shrugs it off* when I see wall paper apps request phone call access. Now, I don't download wall paper apps lol but, I can see why those who did shrugged it off as well. This is probably something that google needs to explain better, or I need to learn better, or things need to be changed.

Re:I'm confused... (1)

YouWantFriesWithThat (1123591) | more than 4 years ago | (#33070734)

honestly, i think that you did something wrong with your test app. there are tons of highly intricate apps that do not request permission to make calls. now, if your app wanted to go to the background when a call came and relaunch when the call is over that's something different. however, that permission is "read phone state" which does not sound the same at all.

Re:I'm confused... (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#33070816)

This is probably something that google needs to explain better, or I need to learn better, or things need to be changed.

I think Option 2. Blackberry does something similar - an app can't ever do anything you don't explicitly give permissions for. When in doubt, *always* choose "Deny"; and don't check "don't ask again" since if it turns out that the app legitimately needed the permission, it will make it easier to correct later.

Re:I'm confused... (0)

Anonymous Coward | more than 4 years ago | (#33070866)

You made a mistake creating the project. Very likely that you selected device feature when setting up the initial project.

Re:I'm confused... (4, Informative)

brainboyz (114458) | more than 4 years ago | (#33071072)

Your manifest file is wrong. You request a list of permissions that your app is then allowed to use, but requesting them does not mean you used it. You probably have PROCESS_OUTGOING_CALLS or CALL_PHONE listed unnecessarily.

Re:I'm confused... (2, Insightful)

Vintermann (400722) | more than 4 years ago | (#33070522)

Never mind that, why would you need a wallpaper app that requests permission to make phone calls?

Really, there's no helping some people.

This is a job for Droidwall (2, Informative)

mlts (1038732) | more than 4 years ago | (#33070378)

This is a very good reason to run Droidwall. However, the bad news is that Android apps are going to a model where they ping one of Google's servers to check if they are licensed for that user. Of course, Droidwall can be updated to allow any apps to connect to that server farm's IP address range even if they are disallowed from anywhere else, but that may take some programming.

Droidwall also requires root access.

Re:This is a job for Droidwall (2, Insightful)

jsnipy (913480) | more than 4 years ago | (#33070428)

this is a job for common sense. Whenever you install an app it shows you what it is requesting access to. If you see a 'wallpaper of the day' app wants access to every aspect of your phone, you might reconsider installing it.

Re:This is a job for Droidwall (2, Insightful)

Anonymous Coward | more than 4 years ago | (#33070538)

Common sense is the worst possible defense for the average user. If you want Android phones to have a tiny amount of market share among technically skilled users, that's fine. If you want a large number of Android phones available to, used by and recommended by the average user then showing such warnings is near completely useless.

Dancing bunnies, man. Dancing bunnies.

Re:This is a job for Droidwall (1)

jsnipy (913480) | more than 4 years ago | (#33070632)

You make a valid point. Maybe then, filter out market apps that require explicit combinations of permissions.

Re:This is a job for Droidwall (4, Insightful)

abigor (540274) | more than 4 years ago | (#33070688)

You mean they'd have to wait for approval by the App Store? An interesting proposal!

Re:This is a job for Droidwall (1)

Lifyre (960576) | more than 4 years ago | (#33070892)

Not at all. An effective application filter based upon the explicit permissions that each app asks for is easy, fast, and automated. Hell it would be nice if the Android App store allowed you to filter programs to begin with...
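The permission-combination filter proposed in this subthread, together with the manifest permission list described in the earlier comment about PROCESS_OUTGOING_CALLS and CALL_PHONE, sketched as an added example (not part of any comment, and not Market or Google code). The per-category policy, the risky-combination table and both manifests are constructed assumptions, and the script expects a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Hypothetical store policy: what an app in a given category plausibly needs.
EXPECTED = {
    "wallpaper": {"SET_WALLPAPER", "INTERNET"},
}

# Hypothetical rules: a sensitive data source combined with a network channel.
RISKY_COMBOS = [
    ({"READ_PHONE_STATE", "INTERNET"},
     "phone identity fields (number, subscriber ID) can leave the device"),
    ({"READ_CONTACTS", "INTERNET"},
     "contact data can leave the device"),
    ({"GET_ACCOUNTS", "INTERNET"},
     "account names can leave the device"),
    ({"ACCESS_FINE_LOCATION", "INTERNET"},
     "location can leave the device"),
]

# Constructed sample: a wallpaper app that over-requests.
SUSPECT_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application android:label="Example Wallpapers"/>
</manifest>"""

# Constructed sample: a wallpaper app that asks only for what it needs.
BENIGN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainwallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Wallpapers"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the short names of every permission the manifest declares.

    A declared permission is only a request: the app may never use it,
    but the installer still shows it and the platform still grants it.
    """
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            name = name[len(PREFIX):]
        if name:
            perms.add(name)
    return perms


def review(manifest_xml, category):
    """Compare declared permissions with the category policy."""
    perms = requested_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    unexpected = sorted(perms - allowed)
    # Flag a combination only when the category does not already justify it.
    findings = [reason for combo, reason in RISKY_COMBOS
                if combo <= perms and not combo <= allowed]
    return {
        "unexpected": unexpected,
        "findings": findings,
        "hold_for_review": bool(findings),
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = review(manifest, "wallpaper")
        print(label, result)
```
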

Re:This is a job for Droidwall (1)

causality (777677) | more than 4 years ago | (#33070922)

Common sense is the worst possible defense for the average user.

Any defense is the worst possible if you refuse to use it.

Not SMS history or voicemail passwords (3, Informative)

mdm-adph (1030332) | more than 4 years ago | (#33070380)

According to this: http://phandroid.com/2010/07/29/another-app-stealing-data/ [phandroid.com]

"Your voicemail's password is also not transmitted unless you included the password in your phone's voicemail number field."

WHAT app? (5, Informative)

geminidomino (614729) | more than 4 years ago | (#33070382)

What was the NAME of this evil app? Neither TFS nor TFA bother to tell us that. We got the Dev Name which is almost as good, but geez.

Why would you need it (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33070450)

Do you really need to know the name of the app in order to avoid it? I think that you should know well enough to avoid wallpaper apps! Those (and screensavers) were something like number 1 way for viruses to spread on computers in the late 90s or so. The same people who fell for those then can now afford expensive phones and fall again for the same scam.

Re:Why would you need it (2, Insightful)

geminidomino (614729) | more than 4 years ago | (#33070500)

No, you don't need the name in order to avoid it, but it might be useful, I dunno, to see if one already HAS it.

Just sayin'.

Re:Why would you need it (2, Funny)

Anonymous Coward | more than 4 years ago | (#33070654)

"Nobody has it in use. Once they discovered it, millions of Google security researchers downloaded it
to run sandboxed or on AVDs." - Google Spokesperson

Re:Why would you need it (1, Insightful)

BitZtream (692029) | more than 4 years ago | (#33070728)

... The name of the app is the second most important factual piece of information that should have been gathered. Second only after the fact that it does it.

Yes, it would be useful to know what it is called. Some non-geeks who bought into the whole 'the droid is better than the iphone' bullshit who don't realize it's better for geeks, not idiots may download and install the app.

Some of those people I may know, and if I simply knew the name I could tell them not to do it.

Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, it's far easier on all of us'

What the fuck is wrong with you?

Re:Why would you need it (2, Funny)

AltairDusk (1757788) | more than 4 years ago | (#33071028)

Instead, I have to say 'the droid is known to have data stealing apps and no I can't tell you which ones suck ass, just get yourself an iPhone so apple can protect you, it's far easier on all of us'

What the fuck is wrong with you?

You imply that you're tech-savvy and then in the same post assume Apple will protect them? Sneaking code by Apple is completely impossible! Oh wait... [wired.com]

Re:WHAT app? (2, Informative)

blowdart (31458) | more than 4 years ago | (#33070484)

There are multiple wallpaper apps from that developer; 75 [doubletwist.com] in fact if the doubletwist search is to be believed.

Face off? (4, Funny)

notaspunkymonkey (984275) | more than 4 years ago | (#33070388)

God help anybody who used facebook and this app... there's every chance they will get home tonight and find an imposter in bed with their wife.

Re:Face off? (3, Funny)

jsnipy (913480) | more than 4 years ago | (#33070478)

the Chinese accent would be a tipoff :)

Re:Face off? (0)

Anonymous Coward | more than 4 years ago | (#33070730)

... and the significantly smaller penis

Wallpaper app, lol (1)

Pojut (1027544) | more than 4 years ago | (#33070392)

Reminds me of advertisements in magazines where you text a code to a phone number, and they send you a wallpaper and sign you up for a subscription. Nope, they won't be sending you any text spam. Not a single piece. ::wink wink nudge nudge shank shank::

Unfortunately (4, Insightful)

wraithguard01 (1159479) | more than 4 years ago | (#33070394)

This is one good reason to have a unified app service, where all the apps are first vetted before they are released. I think mozilla's addon collection is a good model to follow.

Re:Unfortunately (2, Informative)

Pojut (1027544) | more than 4 years ago | (#33070458)

Right. Because that's worked [independent.co.uk] so [thenextweb.com] well [cnn.com] . Keep in mind that these refer to apps that made it through the vetting process.

Re:Unfortunately (1)

arkane1234 (457605) | more than 4 years ago | (#33070888)

Pssst... you pointed out Apple apps.. Just thought I'd let you know before someone else notices and you can do something about it...
the GP was referring to Mozilla addon collection, not Apple which only looks at the coolness factor.

Re:Unfortunately (1, Troll)

c0d3g33k (102699) | more than 4 years ago | (#33070938)

Explain to me how a few outliers are significant compared to the number of malicious apps that might have been created WITHOUT a vetting process. This says more about the vetting process and how poorly it was implemented than it does about the value of a vetting process that successfully filters a substantial number of undesirable apps.

Introduce a vetting process that is somewhat effective though not perfect and it will still be better than the wild west that is currently the Android Market.

I'm honestly surprised that it took so long for something like this to happen, and I attribute it to the honesty and integrity of most of the developers (or maybe their skill in remaining discreet). But there are no barriers in place that I can see to prevent an ambitious and unscrupulous developer from taking advantage of the gullible.

When it comes to the Android Market, Caveat emptor rules the day. Some might say that is how it should be, and to a large part I agree. But there is an implicit aura of trust that surrounds the market, since it is the only "official" avenue for getting apps. There is an option in the Android settings to allow apps from "unknown sources" that comes with an ominous warning about malicious apps if you choose to enable it. That strongly implies that the apps available via the Market are to be trusted. Despite this, I've never felt that Market apps were any more trustworthy than those from other sources, precisely because there is no evidence of any vetting or other quality control.

I would very much welcome a multi-layered market that included a vetted set of apps that could (mostly) be trusted alongside a layer or two that were more free to developers.

As it stands right now, I just don't install anything that looks suspicious. Everything else just gets ignored. So much for "we have more apps". That means nothing.

Parent didn't say "iPhone" or "Apple" (1)

weston (16146) | more than 4 years ago | (#33071056)

Right. Because that's worked so well. Keep in mind that these refer to apps that made it through the vetting process.

Knees jerking much? The parent mentioned Mozilla's add-ons, not Apple's App Store.

Also, you should note that the stories you're linking to are about the hacking of iTMS accounts for the abuse of a community rating system, rather than rogue spyware apps stealing personal data.

I personally don't know whether Apple's approval process or Mozilla's add-on review process has a better or worse record of screening out such things, but if you're going to go all "linky! looky! Apple has apps with these problems too!" you should make sure that you're talking about the same thing as the article. Or the parent comment you're responding to.

Re:Unfortunately (1)

BitZtream (692029) | more than 4 years ago | (#33070746)

Yea, except nothing is vetted on mozilla's addon collection. No one checks them before they get put on. They can come off if something is found by someone else but there is no one paid to sit there and verify BEFORE it gets put up.

Re:Unfortunately (4, Insightful)

AndrewNeo (979708) | more than 4 years ago | (#33070980)

Excuse me? I somehow doubt you've ever submitted an addon to Mozilla before. I have, and a real person does indeed check your code.

From the Editor's Guide [mozilla.org] :

Every line of add-on code must be reviewed. The code validator can't detect all possible security or code quality issues, so we must always be in the lookout for bad code.

Re:Unfortunately (1)

jellomizer (103300) | more than 4 years ago | (#33070834)

Although the Geek In me hates the Apple iStore Model. However its strict app approval process really does help remove most of the bad stuff for the phone...

Re:Unfortunately (1)

dfranks (180507) | more than 4 years ago | (#33070964)

Probably makes more sense to have a logo program and the ability to filter for "logo/approved" apps in the Android store. Turning on the filter by default and explicitly prompting users to turn it off the first time (with a decent warning page with guideline for what permissions apps should be asking for) would protect/inform the masses. That way Google could approve apps (and charge a nominal fee), but users with a clue can turn off the approved apps filter and avoid the Apple appstore issues.

Agreed (0)

Anonymous Coward | more than 4 years ago | (#33071008)

This is also a good reason for companies like Apple, Microsoft and Intel to work towards integrating strong encryption in their own products to prevent the free development of applications for any computers, handheld or otherwise. In essence, all computers should be like iPhones and Xbox360's. Only by locking down the software and making sure no one can freely develop apps can we prevent the scourge of malicious applications! This is why I oppose all open source development, as well. When you use an "open" platform where there is no centralized authoritarian approval process, you are in essence, promoting malicious software. Linux is used by hackers, for example. This has to be stopped by whatever means are necessary.

News flash! (0, Troll)

moogied (1175879) | more than 4 years ago | (#33070398)

In other news... stupid people get tricked by stupid tricks, rain is wet, and dry erase markers smell amazing.

Re:News flash! (2, Insightful)

bonch (38532) | more than 4 years ago | (#33070490)

Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

Re:News flash! (1)

Pojut (1027544) | more than 4 years ago | (#33070606)

Well, part of the news here is the comparison to Apple's heavily-controlled store model. Would this have happened on the iPhone? Would the app have even been approved?

Yes. Yes it [independent.co.uk] would [cnn.com] have [thenextweb.com] .

Re:News flash! (2, Informative)

abigor (540274) | more than 4 years ago | (#33070748)

None of those apps stole data from people's phones. Instead, they artificially voted one another up to generate sales, and users' iTunes accounts were hacked. That's obviously still a grievous security failure, but it's server-side, and has nothing to do with the app store's approval process.

Re:News flash! (1)

Pojut (1027544) | more than 4 years ago | (#33070842)

So these apps were removed for being scams, or because they were doing questionable things...but Apple shouldn't have caught on to this during the approval process?

That's...that's awesome. Nicely done. ::eye roll::

Re:News flash! (1)

abigor (540274) | more than 4 years ago | (#33071052)

The app store was gamed by a company or companies submitting thousands of near-identical and practically useless, though innocuous, apps that were voted up artificially. How would the app store approval process catch that, exactly? The apps themselves did not break any rules. It's more of a social engineering hack than anything else.

The iTunes server hack was a separate thing altogether - a security failure on Apple's part, but nothing to do with apps or approval.

Just to be clear, 95% of all apps submitted are approved by Apple. What they look for is simple:

1. Does it work as advertised?

2. Does it crash?

3. Does it present a privacy violation or objectionable content (porn, basically)?

The "objectionable content" thing is dubious, but if you want porn on your iPhone, just use the browser.

Re:News flash! (0)

Anonymous Coward | more than 4 years ago | (#33070552)

I do love the smell of dry erase markers..damn!

!!!!!Android FAIL!!!!!! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#33070402)

Ha ha!!!

Now you know why iPhone rules now and forever!

Thanks for setting the record STRAIGHT slashdot!

I'm not (0, Flamebait)

toxygen01 (901511) | more than 4 years ago | (#33070420)

an apple lover, but I believe there is a reason other than money, why appstore exists. It's because it offers people prevention exactly from cases like this one. ... and makes the platform "well bred".

Re:I'm not (1, Informative)

Anonymous Coward | more than 4 years ago | (#33070506)

I'm not convinced that such an app would necessarily be caught by Apple's model. Apple doesn't even really review the source code; there was a tethering app disguised as a flashlight app that made it to the app store and stayed there until the media brought attention to it.

Re:I'm not (1, Insightful)

Anonymous Coward | more than 4 years ago | (#33071060)

I'm not convinced that such an app would necessarily be caught by Apple's model. Apple doesn't even really review the source code; there was a tethering app disguised as a flashlight app that made it to the app store and stayed there until the media brought attention to it.

The iOS App Store approval process might not have caught this; but there is a non-zero probability it might have. Of course, given the problems with the approval process, there is also a non-zero possibility that Apple might have unintentionally blocked it for reasons having nothing to do with security. In any case, it would be interesting for Apple to release statistics on how many malware apps the App Store has blocked.

The current Android app distribution system, totally lacking any security review, has a zero probability of catching malware. Anyone with a brain knew that this was a significant possibility inherent in the more open model that Google has championed. However, this presents Google with a serious potential long-term problem--if Android phones are perceived as being insecure, it will impact sales. The market reaction will be interesting the first time somebody having a heart attack tries to dial 911 on an Android phone and dies because the phone said "u bin pwned noob!" instead of calling the rescue squad.

Fans of Android can mock Apple for its antenna woes and screwy app approval process (and rightly so); but if Android ends up being constantly hacked, it will hurt the Android platform far more than Apple's antenna and App Store problems. Nobody wants to have to download and manage anti-virus apps or firewalls onto their cell phone. That would make Apple look prescient for establishing a system that offers at least some promise of blocking malware from the iPhone ecosystem.

Re:I'm not (1)

geminidomino (614729) | more than 4 years ago | (#33070564)

You might want to read this cousin post [slashdot.org] and the links contained therein before you hold on too tightly to that belief.

Implied Racism! (4, Funny)

darkmeridian (119044) | more than 4 years ago | (#33070440)

I am surprised, shocked, and dismayed to see a fine journalistic source such as Slashdot stoop to yellow journalism, as it were. There is absolutely nothing suspicious about the origin of the website being in Shenzen, China and the summary's implication of this is absolutely untoward. I expect a full apology posted immediately, then duped again tomorrow.

Re:Implied Racism! (0)

Anonymous Coward | more than 4 years ago | (#33070640)

The question begged is: Why would an (allegedly) non-Chinese application want/need to use a Chinese server?

Could easily have been in Romania, Russia, Indonesia, Iceland, etc.

Re:Implied Racism! (0)

Anonymous Coward | more than 4 years ago | (#33070722)

lol... "yellow" journalism... hahahahahahahahah

good troll is good

Re:Implied Racism! (1)

FuckingNickName (1362625) | more than 4 years ago | (#33070776)

A NYC lawyer blogs. http://www.chuangblog.com/ [chuangblog.com]

A catawampus squint reveals an implication that NYC lawyers chew wang.

Well, a fight with RIAA is never clean...

What will they think of next??? (0)

Anonymous Coward | more than 4 years ago | (#33070472)

A screensaver with a virus?

Re:What will they think of next??? (0)

Anonymous Coward | more than 4 years ago | (#33070554)

They already did that with Ubuntu users despite all the proclamations that Loonix was immune to such things.

People will click through anything (5, Insightful)

Coopjust (872796) | more than 4 years ago | (#33070492)

Even if they're told exactly what the app will have access to [wordpress.com] , people will click through anything.

Re:People will click through anything (1)

Nerdfest (867930) | more than 4 years ago | (#33070684)

Sadly there are reasons a wallpaper application would actually require full internet access, such as loading new pictures, etc. The fact it's a wallpaper application is not really that relevant, it could have been anything. I'm not sure of the depth of review at Apple, but I'm fairly sure the same thing could be slipped through without too much trouble. Poorly behaved applications are going to appear from time to time on any platform.

Re:People will click through anything (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#33070926)

Sadly there are reasons a wallpaper application would actually require full internet access, such as loading new pictures, etc. The fact it's a wallpaper application is not really that relevant, it could have been anything. I'm not sure of the depth of review at Apple, but I'm fairly sure the same thing could be slipped through without too much trouble. Poorly behaved applications are going to appear from time to time on any platform.

Internet? Sure. Phone, google account, location, and contact data? C'mon. Why would anyone grant these permissions?

Re:People will click through anything (1)

duranaki (776224) | more than 4 years ago | (#33070994)

It wasn't the internet access that was suspicious, it was the access to your google accounts and your personal information. The app is relevant because it at least lets you identify absurd permission requirements. I've avoided installing some things because there is a clear mismatch between what it says it does and what it asks permission to do. But I do agree it's easy to make malicious apps that can justify their permission requests. If a wallpaper app claimed to make wallpapers using your contacts icons, it would obviously need access.

Update from TFA - No capture of text messages (2, Informative)

miknix (1047580) | more than 4 years ago | (#33070502)

Update from TFA:

Update: Lookout notes it does not capture browsing history and text messages: It collects your browsing history, text messages, your phone’s SIM card number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone.

Looks like it doesn't collect browsing history and text messages after all.

Re:Update from TFA - No capture of text messages (1)

ircmaxell (1117387) | more than 4 years ago | (#33070774)

From the actual article linked by the OP:

Specifically, the app does collect data from your phone, but only the device's phone number, subscriber identifier, and voicemail number fields are retrieved.

I understand that this is newsworthy, but the Summary is blatantly wrong when it was posted, let alone with future information...

Besides, the app requested this info from when it was installed. If you just clicked "ok" when it asked for permission to access your personal data and the internet, then it is not malware. Malware is doing something besides what it is telling you. Sure, it's not telling you it's sending that info elsewhere, but it is telling you that it is accessing it.

Besides, there have been a LOT of Apple fanbois that have been using this to bash the "open system"... One thing that I must ask is if it asked you for access to that information, and you said ok, how is this the fault of the open system? In fact, I would rather have the system tell me what an App has access to than to trust a draconian dictator...

Yes this is bad. Yes it should be pulled from the market. But how many apps like this exist for both platforms that just haven't been found first? At least with Android, you get to see what the app has access to, so if you don't think it needs that access don't install the app. It seems (oddly enough, given Google's privacy nightmare) the better platform if you care about your privacy IMHO...

Developers Bitch (1, Flamebait)

codepunk (167897) | more than 4 years ago | (#33070544)

Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but apple is doing a fairly good job of protecting its ecosystem.

Re:Developers Bitch (2, Insightful)

mdm-adph (1030332) | more than 4 years ago | (#33070598)

As we've seen from the "colored flashlight app that's really a tethering app," I don't know why people are still putting their trust in Apple's "approval" process as far as safety is concerned. They obviously don't check the code behind an app -- today it's a tethering app, tomorrow it's one that's sending your data to China (if it doesn't already exist, and I'd be surprised if it didn't).

Re:Developers Bitch (1)

codepunk (167897) | more than 4 years ago | (#33070782)

I never said their process is safe but I can tell you for a fact that they do a comprehensive check on each and every app. Will it catch everything? Nope in fact I am pretty certain I could get quite a bit of stuff past the approval process. It may however be very difficult to do so without getting found out or tracked down for doing something like that.

Re:Developers Bitch (1)

mdm-adph (1030332) | more than 4 years ago | (#33070872)

"Comprehensive" apparently means a different thing to Apple than it does to the rest of the world, eh. I'd imagine it means they'd check the code. Apparently, as with the magic flashlight-tethering app, it doesn't.

I'd much rather they spend that time looking at the code rather than making sure the app doesn't have "teh boobz" so that Jobs' delicate humors won't be upset.

Re:Developers Bitch (1, Informative)

Skuld-Chan (302449) | more than 4 years ago | (#33070678)

Yet this happened to Apple (according to Steve Jobs interview with Walt Mossberg at All Things D) - there was an app that shipped that was reporting prototype OS versions back to a marketing company - and it was an approved application.

Re:Developers Bitch (0, Redundant)

Pojut (1027544) | more than 4 years ago | (#33070718)

Right. Because that approval process has worked [independent.co.uk] without any [cnn.com] flaws [thenextweb.com] .

Re:Developers Bitch (0)

Anonymous Coward | more than 4 years ago | (#33070744)

Developers bitch about the app store approval process but this is exactly why it exists. Yes it would be nice to sever ties with the app store but apple is doing a fairly good job of protecting its ecosystem.

They do not. We've got a nice stream of gps locations and other statistics pouring in, and selling this data for good revenue.
I won't tell you what the app appears to do but let's just say apple didn't check the code.

Re:Developers Bitch (5, Informative)

kyz (225372) | more than 4 years ago | (#33071044)

Apple is doing an equally bad job of protecting its ecosystem.

There have been several customer-data-grabbing iPhone apps, and these have only been yanked after members of the public alerted Apple to them.

Pinchmedia: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html [blogspot.com]

Storm8: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail??blogid=150&entry_id=51077 [sfgate.com]

MogoRoad: http://www.theregister.co.uk/2009/09/30/iphone_security/ [theregister.co.uk]

Smuggling tethering past the censors: http://top10.com/mobilephones/news/2010/07/app_smuggles_tethering_onto_iphone/ [top10.com]

Apple don't look at the source code of apps, they just test the binary and scan it for badness.

Provided the binary encrypts its strings, and does nothing dodgy during the short testing window (less than two weeks), Apple approve it.

Apple's custodianship doesn't protect you from determined data thieves, only the incompetent ones.

Android market, while just as bad as Apple, at least gives you the opportunity to decide if you want an app based on what permissions it demands. If it demands too much, you reject it. Once you give it the "OK", it can't turn around and demand more. I'd prefer that Apple added that (telling you what permissions the code has, not letting it have more), even if they keep their approval process.

50k or 4 million? (0, Troll)

SuperKendall (25149) | more than 4 years ago | (#33070558)

The original VentureBeat article [venturebeat.com] claimed the wallpaper app had been downloaded 50k times. So where is the new figure from?

Re:50k or 4 million? (1)

Aladrin (926209) | more than 4 years ago | (#33070682)

They've both been pulled out of someone's ass. Google doesn't release those stats.

I was going to troll, but... (3, Insightful)

Xaedalus (1192463) | more than 4 years ago | (#33070562)

When I read TFA, I saw the part where 47% of Droid apps use third party coding, and 23% of Apple apps also use it. Then I realized, there's no safe place to hide. I like my walled garden, but even that has leaks.

Android needs a sandbox. (4, Informative)

yog (19073) | more than 4 years ago | (#33070574)

This is sort of like the early days of MS-DOS, back when everyone trusted everything they downloaded.

Although Android apps do run in a security "sandbox" whereby they can't access the user space of other apps (see http://developer.android.com/guide/topics/security/security.html [android.com] for more information), they can and do access the general configuration information of the phone such as personal data, phone calls, and SIM information, and some apps obviously need to use the phone's dialup or networking capabilities.

At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

I think there needs to be some sort of sandbox where apps can reside prior to full release into the wild. Probably, most users won't understand how to use such a feature, but knowledgeable users would make use of it, and ultimately it would help promulgate security concepts into the general consciousness. Power users who write reviews and prominent blog pieces on Android will be able to help guide the masses to safer use of apps.

Re:Android needs a sandbox. (1)

MistrBlank (1183469) | more than 4 years ago | (#33070628)

You mean like the much aligned method used in iOS.

The end result is users and developers complaining they are walled in.

Re:Android needs a sandbox. (1)

MistrBlank (1183469) | more than 4 years ago | (#33070650)

should have been maligned...

And no I'm not saying it's bad, I agree that's how it should be, but the stupid users clamor for things they don't understand.

Re:Android needs a sandbox. (1)

Skuld-Chan (302449) | more than 4 years ago | (#33070732)

It's actually very similar to Windows now. Every single infected machine that ends up on my desk was because of some wallpaper/cursor pack/toolbar app that ran amuck because it was actually malware.

Users really need to get into the habit of not downloading frivolous apps. If you want a cool wallpaper - download the picture and use the included gallery to crop the picture the way you want it.

Re:Android needs a sandbox. (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#33071004)

At install time, the user is shown a list of resources the app will access, but since most apps need at least some resources on the device to be useful, we are all in the habit of just clicking past this screen and installing, and then hoping the app is not malevolent in some way.

That's a bad habit to be in - why would you get into it? Deny first - go back and approve only after you see what doesn't work.

This isn't an Android issue, it's common sense for any platform.

Private API's (-1, Troll)

Ukab the Great (87152) | more than 4 years ago | (#33070656)

And that's why Apple's private API's are private, and that's why the App store rejects apps that use private API's. Some things are just too dangerous to let people have programmatic access to them, in spite of geeks with a highly overdeveloped sense of "can" and a highly underdeveloped sense of "should" screaming about how unfair the engineering tradeoff is.

Re:Private API's (1)

uprise78 (1256084) | more than 4 years ago | (#33070848)

let the down-modding begin! adios to your score. you can't go into an android thread and start saying private API's are a good thing. recipe for disaster. Open is god! Open is right!

Middle Ground (0)

djpretzel (891427) | more than 4 years ago | (#33070714)

I think it's time to explore the happy medium between the "Big Brother" Apple vision and the "Wild West" that is the Android marketplace... this is the type of bad PR that can & should change some policies.

Re:Middle Ground (2, Informative)

cduffy (652) | more than 4 years ago | (#33071024)

The apps (or rather, the Android Market) told you at install-time that they wanted access to your Google accounts. Anyone who didn't back out on seeing that... well, I wouldn't say "deserves what they get", but I will say "was adequately forewarned".

Re:Middle Ground (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#33071040)

this is the type of bad PR that can & should change some policies

This is the type of PR that has nannies running about to enact new policies to "protect the users" -- when if the users had paid attention in the first place (eg - denied the requested permissions) this never would have been a problem. Don't punish the few because the many can't or don't read.

I saw this app... (1)

bit trollent (824666) | more than 4 years ago | (#33070752)

I remember looking at the permissions required for this background image application thinking, why could a wallpaper application really need my contacts, location, browsing history etc.

If you live and breathe technology like we do, it was obvious that this application was spyware.

I've got the "Lookout" application on my phone, both for the location-based phone recovery, backup, and antivirus. I wonder if the company will one day use my backups for profit, sleaze, or stupidity.

At the end of the day, life is insecure. I fret over every application I install to my computer. The same is true of my phone. I also assume that the government already reads all my text messages.

I don't begrudge Apple for keeping a close eye on the application store. I just insist on the kind of flexibility and power that Android applications have.

You won't find a text message reading background application on the iPhone app store. You also won't find a replacement for the home screen, because Apple doesn't approve of that.

You win some, you lose some.

Who's gonna start an Apple scrutinizing flamewar? (1)

adosch (1397357) | more than 4 years ago | (#33070794)

It's too bad that malicious people have to ruin an open-source forum like the Android with crap like this. I can see why Apple scrutinizes over the application approval process because I'm sure this is one concern on top of just being plain difficult about the whole matter.

I guess I don't have a criminal mindset and have put my tomfoolery hat away, it's bad enough having hack and malicious threats on the computer level, now my phone? I miss the days of my 2x10 backlit serial display analog cell phone that did nothing more than dial a phone number.

News Flash Stupid People Duped Again! (1)

Nethemas the Great (909900) | more than 4 years ago | (#33070796)

The platforms may vary but at the end of the day, this is just yet another stupid article about stupid people giving away their private data because they did something stupid. Since we, or at least anyone in IT, engineer and support alike already know that stupid people do stupid things why are these articles considered "news worthy" here? Is it meant to inspire us to come up with our own interesting ways to dupe stupid people? Surely we get enough reminders in our day to day that we don't need them for that.

Well, they do ask (1)

AC-x (735297) | more than 4 years ago | (#33070898)

Looking at one of these apps ("Dark World Wallpapers") the app asks for the following permissions:

- Storage - modify/delete SD card contents
- Your location - coarse (network-based) location
- Network Communication - full Internet access
- Phone calls - read phone state and identity

It's nice Android warns what permissions an app needs, but some of them (especially the "Phone calls" section) could be worded better to make it clearer what an app can potentially do.

And the evil overlord said (1)

cyberzephyr (705742) | more than 4 years ago | (#33070924)

(Deep voice): Hahahahahahaha we got them my minions

Typo in summary. (1)

ElectricTurtle (1171201) | more than 4 years ago | (#33070936)

It's Shenzhen, not Shenzen. And note to gweilos: 'zh' is pronounced roughly like a 'j' in 'Benjamin'.

what are permissions for ? (0)

Anonymous Coward | more than 4 years ago | (#33070998)

people that installed that app are just stupid... I don't mean you... I mean people.... there should be an app something like 'faceplant' counting how many apps you have that require permissions for things that they aren't supposed to do...
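
The permission list in the "Well, they do ask" comment and the permission-counting idea in the comment just above, worked as an added example that is not part of any comment in this thread. It assumes a manifest already decoded to text XML; the baseline policy, the sample manifest and the descriptions of what each permission exposes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
NETWORK = P + "INTERNET"

# What each permission exposes, stated more plainly than the install screen does.
EXPOSES = {
    P + "READ_PHONE_STATE": "phone number, IMEI, SIM/subscriber ID, call state",
    P + "ACCESS_COARSE_LOCATION": "approximate location from cell towers / Wi-Fi",
    P + "WRITE_EXTERNAL_STORAGE": "modify or delete any file on the SD card",
    P + "READ_CONTACTS": "the address book",
    P + "READ_SMS": "stored text messages",
}

# Assumed policy (hypothetical): the most a wallpaper app plausibly needs.
BASELINE = {"wallpaper": {P + "SET_WALLPAPER", NETWORK, P + "WRITE_EXTERNAL_STORAGE"}}

# Constructed manifest declaring the four permissions listed in the comment.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, category):
    """List permissions beyond the category baseline and what they expose."""
    perms = declared_permissions(manifest_xml)
    extra = sorted(perms - BASELINE.get(category, set()))
    return [{"permission": p,
             "exposes": EXPOSES.get(p, "not described in this table"),
             "can_be_sent_off_device": NETWORK in perms} for p in extra]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, "wallpaper"):
        note = " (app also has network access)" if finding["can_be_sent_off_device"] else ""
        print(f'{finding["permission"]}: {finding["exposes"]}{note}')
```

For the sample, the audit flags the location and phone-state permissions and notes that both sit alongside full Internet access, which is the combination that lets collected identifiers leave the device.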

soylent green is people (0)

Anonymous Coward | more than 4 years ago | (#33071062)

tell everyone!

Oh and wallpaper apps are trouble... but just about everybody knows that right?
