
1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info

timothy posted about 9 months ago | from the seems-like-an-undercount-to-me dept.

Security 131

An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."


F-Droid, FTW (5, Informative)

Anonymous Coward | about 9 months ago | (#45465231)

F-Droid is the open source store. Plenty of good apps there that do just about anything you'd need an app to do, for free as in beer and free as in speech.

https://f-droid.org/ [f-droid.org]

Re:F-Droid, FTW (0)

sirber (891722) | about 9 months ago | (#45465321)

No facebook, netflix, etc.

Re:F-Droid, FTW (4, Interesting)

Nerdfest (867930) | about 9 months ago | (#45465481)

Many of us don't need FaceBook or NetFlix. F-Droid is great, and there's actually a lot of stuff that's actually on both. Wonder if some of the Play versions are included in some of the adware-added stuff they're talking about ...

Anyway, it's damn nice to have options. I realize Google bashing is the funded topic these days, but I wonder if anyone's done an analysis of the Amazon app store for the same sort of thing.

Re:F-Droid, FTW (2)

N0Man74 (1620447) | about 9 months ago | (#45466249)

I wonder if anyone's done an analysis of the Amazon app store for the same sort of thing.

I haven't heard of a specific study on apps, but I have read about how the eBook side is highly saturated with people selling low quality bundles and repackaging of free and public domain works in order to make a quick buck. Given how little quality control there appears to be on the eBook side of things (and books are much more a part of the core of Amazon than apps) I doubt they fare any better on apps.

Openness does have its disadvantages.

It isn't just the re-bundles. When there is a popular iOS only app, I have seen people in Play selling apps with the title and/or artwork of the iOS app, but then in fine print says "this is a fan app". There's no doubt in my mind that a lot of people (especially kids) don't read the details and download anyway.

I think Google should be more proactive about blocking and banning those that abuse the store and their customers.

Re:F-Droid, FTW (0)

Anonymous Coward | about 9 months ago | (#45467585)

The thing is what Google wants from Android is for it to deliver ad's and collect info.

Re:F-Droid, FTW (0)

Anonymous Coward | about 9 months ago | (#45468599)

Ad's what?

Re:F-Droid, FTW (0)

Anonymous Coward | about 9 months ago | (#45465551)

Facebook is not an app. Nor is Netflix. Those are services. They have apps that let you access their services, but there isn't a well defined API for doing so, making any open source service access app very hard to build and maintain. If you need an app that doesn't connect to a service, it's usually a good idea to check F-Droid first.

Re:F-Droid, FTW (1)

mrchaotica (681592) | about 9 months ago | (#45465725)

That's a feature, not a bug.

Re:F-Droid, FTW (0)

Anonymous Coward | about 9 months ago | (#45465983)

Facebook and friends aren't open-source. If it bothers you that F-Droid doesn't have those apps, then you should 'lobby' the app makers to release their source.

Regardless, F-Droid has plenty of useful stuff, from navigation (OSMand) to media players (including VLC), to games and browsers (including Firefox).

I've more or less dropped Google Play in favour of F-Droid, since it has pretty much everything I need.

Re:F-Droid, FTW (1)

shentino (1139071) | about 9 months ago | (#45466065)

netflix is allergic to open source, not the other way around.

Re:F-Droid, FTW (1)

Anonymous Coward | about 9 months ago | (#45466653)

Of course they are. They rely on contracts with content providers. No sane content provider will contract with NetFlix if NetFlix can't say that they do their best to make sure the content cannot be extracted and copied. If it was open source it would be easy to extract and copy - simply compile a modified version that saves every stream. That would not fly very well. They have no choice in the matter.

Re:F-Droid, FTW (1)

mlts (1038732) | about 9 months ago | (#45466309)

That's a bad thing?

Re:F-Droid, FTW (0, Troll)

Anonymous Coward | about 9 months ago | (#45467077)

Why the fuck would you want those? The whole point was to get rid of spying apps, right? Want movies, use TPB. Want to communicate, use e-mail. Now go out and play, kid.

Irrelevant (4, Insightful)

Russ1642 (1087959) | about 9 months ago | (#45465243)

The total number of apps doesn't matter. The only stats worth anything involve the number of apps that are actually downloaded and run. There are thousands of useless or malware infested apps out there but are people really using them?

Re:Irrelevant (1)

Anonymous Coward | about 9 months ago | (#45465415)

As someone who gets stuck helping people with cheap, crappy Android phones: yes, quite a bit. There is a lot of garbage on the Play store that's pretty much designed to siphon up your info and spam you with ads in app and out of app. The purveyors of such garbage are good at SEOing and shilling up their crapware to the top of the lists too.

I don't see this sort of shit with iphone users.

Re:Irrelevant (2)

Neuroelectronic (643221) | about 9 months ago | (#45465497)

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Re:Irrelevant (1)

coinreturn (617535) | about 9 months ago | (#45466155)

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Just plain wrong. You are either a liar or inept.

Re:Irrelevant (0)

thetoadwarrior (1268702) | about 9 months ago | (#45468399)

A butt hurt fandroid in this submission? That's unexpected.

Re:Irrelevant (2)

JLennox (942693) | about 9 months ago | (#45465523)

Complete control over a platform isn't justified by non-techies not knowing any better.

Apple owes everything to that not being a pre-existing model to computers.

Re:Irrelevant (1)

Anonymous Coward | about 9 months ago | (#45467309)

Define justified.

As far as Apple is concerned, their bank account balance justifies their decisions.

I'm not an apple fanboy by any means (my phone is a Samsung), but there are certain benefits to Apple's approach (not that I agree with it).

Re:Irrelevant (1)

ADRA (37398) | about 9 months ago | (#45467097)

I don't see this type of shit ever. Examples please.

Re:Irrelevant (4, Insightful)

fermion (181285) | about 9 months ago | (#45465561)

It does matter because Google Play is supposed to be the walled garden. It doesn't matter that 99% of the people in the school yard are supposed to be there, all it takes is a few to turn the school yard into chaos.

It also matters to the developers who want to make a profit. If someone else can repackage your app and place it on the preeminent platform for Android Apps in exchange for ad revenue, that is bad. It also hurts the reputation of the original developer if that app is violating real or perceived privacy expectations.

This is different from script kiddie or organized crime putting a pirated App on some open repository to be nice or steal identities. This is Google Play. People use it instead of more open repositories because they expect a level of security.

Re:Irrelevant (2)

mlts (1038732) | about 9 months ago | (#45465889)

I have mentioned this before, but Google needs to section off its store. One tier being the existing, "well, if not banned, it is allowed" free-for-all (which is a good thing for savvy users), but Google needs to have a tier similar to Amazon's store. Approval is a must, brutal approval guidelines, and no mercy with the banhammer.

This strategy has worked amazingly well for Apple. iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism. However, because the only [1] way for an app to install on an iDevice is through Apple's store, Apple's strong gatekeeper strategy has proven itself.

Google should see about having a tier or subset with heavy moderation. Then, have an option fairly hidden on the phone to allow access to the free-for-all tier. That way, users who just want to grab Angry Birds, and not Angry Birds + SMS Spammer will get the app they want.

[1]: Of course, there are the enterprise and beta mechanisms for adding apps, but this is not doable for most of Apple's base.

Re:Irrelevant (3, Informative)

immaterial (1520413) | about 9 months ago | (#45467109)

iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism.

What does this sentence mean? From context it looks like you're saying the only form of security on iOS is Apple's App Store approval system, but that's obviously false. Every app is sandboxed (no access to the system or other apps) and must request specific permission for privileged data (location/contacts/photos/calendars/etc.).

Re:Irrelevant (0)

Anonymous Coward | about 9 months ago | (#45467319)

iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism

wut

Re:Irrelevant (0)

Anonymous Coward | about 9 months ago | (#45466695)

This is extremely damaging to everybody involved, Google should do something about it ASAP.

Re:Irrelevant (1)

interkin3tic (1469267) | about 9 months ago | (#45467637)

Google play is supposed to be the walled garden? Since when? I thought people who wanted to exchange freedom for security were all on itunes.

Re:Irrelevant (0)

Anonymous Coward | about 9 months ago | (#45468105)

Except it is not. [google.com] No sex, no violence, have to use Google for in game content, cannot interface with other ad platforms for the ads. Sounds like iTunes to me.

Or maybe you were being sarcastic.

How many downloads? (3, Insightful)

Fwipp (1473271) | about 9 months ago | (#45465261)

How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.

Re:How many downloads? (1)

TWX (665546) | about 9 months ago | (#45465337)

When any application that has no need for Internet access wants it anyway, it's very hard to avoid it.

Last time I went looking for something as simple as a flash manual switch to use as a flashlight, it took digging through multiple apps to finally find one that didn't want Internet access.

Re:How many downloads? (1)

FatdogHaiku (978357) | about 9 months ago | (#45465419)

But... what if your flashlight needs an important update to help keep it secure on the internet?

Re:How many downloads? (1)

kbrannen (581293) | about 9 months ago | (#45467541)

Yes, I went thru that last week. My Nexus 5 didn't have a flashlight app, so I had to go find one. It took like 6 tries to find a flashlight app that didn't require network access, my email, or something else it didn't need. I mean really, if I'm fumbling to find a door lock in the dark, am I really going to be looking at an ad on my phone at the same time?

Re:How many downloads? (0)

Anonymous Coward | about 9 months ago | (#45468443)

How much were you willing to pay? If it's nothing, then why are you surprised?

The current flashlight application (Flashlight LED Genius) requires Internet permission because I didn't want to pay for it and I don't care that it shows me ads in the main interface.

Re:How many downloads? (1)

gstoddart (321705) | about 9 months ago | (#45465491)

Last time I went looking for something as simple as a flash manual switch to use as a flashlight, it took digging through multiple apps to finally find one that didn't want Internet access.

Indeed. My first step after downloading a new app is to put the device into airplane mode and run it.

If it needs internet connection for something, it gets binned immediately. Especially for something which has no legitimate need for any network access (like a flashlight and most games).

So many of them start up and immediately want to go to an ad server.

Re:How many downloads? (1)

GTRacer (234395) | about 9 months ago | (#45467123)

... Now that I'm done picking my jaw up off the floor I think I'm going to try this with the apps I already have.

That said, I've taken great pains to only install apps with a decent critical mass of reviews or trustable endorsements. And I pay rather than get the "free" versions so I don't risk ad-network attacks.

Re:How many downloads? (1)

bickerdyke (670000) | about 9 months ago | (#45467685)

Why install it at all and not just bin it as soon it wants internet access?

Either you have that problem on iThings too or you're ignoring the pre-install permission list on Android for some unknown reason.

Re:How many downloads? (1)

RenderSeven (938535) | about 9 months ago | (#45465785)

Exactly. There must be a good 50 flashlight apps but I can't find a single one that doesn't run ads or need dubious privileges. I even started with the highest priced ones first and they still want too much info. (If you know of one please let me know). But it's very common for them to want my phone book, the ability to place calls, access to the GPS location, the ability to modify SD card contents, and so on.

Sometimes it's explainable - I installed the GPS Status paid version, and when it asked for full network access I emailed the dev, and he answered quickly saying he got lazy and loads all the help screens from the web. So OK, yeah maybe.

The average users I hear from all complain about poor performance, unstable operation, and high data charges, and don't understand that it's because they installed 100 free crapware apps.

Re:How many downloads? (2)

FictionPimp (712802) | about 9 months ago | (#45465863)

I use Nexus Flashlight. It requires access to the camera, and the ability to keep your phone from going to sleep. Nothing else.

Re:How many downloads? (1)

RenderSeven (938535) | about 9 months ago | (#45466137)

EXCELLENT! You made my day.

Re:How many downloads? (2)

TWX (665546) | about 9 months ago | (#45467075)

If that one gives you issues, I use "LED Light". It doesn't list the Samsung Galaxy SII (T-Mobile version) on the supported devices list, but it seems to work fine. The only annoyance is that it doesn't completely close on exit and I have to go exit its process, but given how little I use it, I can accept that.

Re:How many downloads? (1)

kbrannen (581293) | about 9 months ago | (#45467589)

I finally found "Flashlight", by Devesh Parekh. It requires no perms and just turns your whole screen bright white; hit the back button to turn it off. Really simple and it fits the needs, even if you don't have a camera flash.

Re:How many downloads? (2)

mlts (1038732) | about 9 months ago | (#45465975)

To help mitigate things with dodgy apps, I use Droidwall configured to block by default. Droidwall needs a facelift, but it is a decent front end for iptables.

Android needs to keep its permission model, but add additional permissions similar to iOS 6+ where when the first time an app asks for access to contacts/camera/phone/SMS/photos/music/etc., it pops up a dialog where the user can confirm or deny permissions. Blackberry has had this model for over a decade, and it has been quite good.

Re:How many downloads? (3, Informative)

mrchaotica (681592) | about 9 months ago | (#45466389)

Droidwall needs a facelift, but it is a decent front end for iptables.

According to FDroid, Droidwall got abandoned, forked and renamed to AFWall+.

Re:How many downloads? (0)

Anonymous Coward | about 9 months ago | (#45468465)

If history repeats itself, then people will randomly click yes to any prompts anyway.

Most people will not read permissions and a lot don't care. I, for one, would hate "Would you like to share contacts?" "Would you like to share your location?" every time a new application asked for it. It's just annoying and unnecessary.

Re:How many downloads? (1)

turning in circles (2882659) | about 9 months ago | (#45467623)

I am still unhappy about the internet accessibility of the apps that T-Mobile preloaded onto my phone, that I can't get rid of without jailbreaking the phone. The apps I download, I can control, but the ones preinstalled - (e.g. Yelp? Why do I want Yelp to know everything about me all the time?) - I'm stuck with.

Damn Repackaging (0, Flamebait)

Anonymous Coward | about 9 months ago | (#45465315)

Fortunately the other 98.8% of apps are still able to deliver ads and collect your info in the manner intended by their original developers.

90% of Win/Mac app upgrades are repacked crap (-1, Troll)

JoeyRox (2711699) | about 9 months ago | (#45465357)

That offer no significant feature or usability improvements and are sold only to extract another toll from their users.

Re:90% of Win/Mac app upgrades are repacked crap (0)

Anonymous Coward | about 9 months ago | (#45465453)

Fanboy much lately?

All or nothing approach is silly (5, Interesting)

Mr_Silver (213637) | about 9 months ago | (#45465375)

I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tells you that if you want the app then you have to accept the lot.

Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".

A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.

That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.

Re:All or nothing approach is silly (1)

Nerdfest (867930) | about 9 months ago | (#45465515)

As a solution to the 'barely managed marketplace', you could use another marketplace, like Amazon, or F-Droid mentioned above. I wonder if anyone is working on a more tightly curated market for Android. I would think that there's money to be made from the more security-conscious.

Re:All or nothing approach is silly (1)

Jartan (219704) | about 9 months ago | (#45466331)

Apart from F-Droid none of the stores are actually curated. They all want tons of free apps so they won't ever discriminate against user tracking/ads.

That's fine if you only use open source. For the rest of us it's a huge pain in the ass.

Re:All or nothing approach is silly (4, Funny)

vidnet (580068) | about 9 months ago | (#45465535)

pop up a request to access the other permissions at the time when they are needed

Because that worked so well for Vista?

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45465597)

A "better way" would be for the mouth breathing masses to self-educate about this type of thing - or go back to playing snake on a candy bar phone.

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45465707)

I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tells you that if you want the app then you have to accept the lot.

Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".

A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.

That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.

How about this: the fart app you just asked Google Play Store to install asked for contacts and SMS privileges? DELETED. It's as easy as that, and if you can't make that distinction up front god help you trying to make it at the spur of the moment. I like the permissions model since it makes it clear what the app can do at any point in the future, no matter what state my phone is in or what I happen to be trying to do. If I don't want an app vendor to have the permission, I don't want that app. Quite simple, really. If you happen to like doing it the opposite way, good for you, but fuck you if you think it's the only way it will work.

Re:All or nothing approach is silly (4, Insightful)

mlts (1038732) | about 9 months ago | (#45466019)

The problem is that Google's model works for people who know what they are doing.

However, one reason iOS is so successful is the perception that you don't have to watch anything. If it is on Apple's store, it is safe for human consumption.

The majority of the people out there will not look at the permissions an app wants, and just tap "accept". Android's model works with savvy users, but for the teen texter who barely can type while holding the steering wheel, it has its issues.

Two ways to fix this: Go with additional permission requests upon first use like Apple or Blackberry's offerings, go with a tier of Play Store which is heavily curated, or both.

Re:All or nothing approach is silly (1)

Anonymous Coward | about 9 months ago | (#45467089)

The problem is that Google's model works for people who know what they are doing.

However, one reason iOS is so successful is the perception that you don't have to watch anything. If it is on Apple's store, it is safe for human consumption.

The majority of the people out there will not look at the permissions an app wants, and just tap "accept". Android's model works with savvy users, but for the teen texter who barely can type while holding the steering wheel, it has its issues.

Two ways to fix this: Go with additional permission requests upon first use like Apple or Blackberry's offerings, go with a tier of Play Store which is heavily curated, or both.

Fix 3: Parental Controls > Require password for new apps. Poof the device is now safe in the hands of your teenager or grandmother.

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45468513)

You actually think that most people will read the additional permission requests? That's actually really funny. In reality, to most users, their privacy is in danger among all platforms because they don't know what's going on.

The perception of the vast majority of Android Play Store users is also "if it's on the Play Store, it's safe for human consumption." ... because it's true. 1.2% of 400,000 is only 4,000. Chances of randomly landing on one? Near zero -- regular users will install all the applications everyone else is: Angry Birds, Candy Crush, etc and nothing else.

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45465745)

Thanks that's the best summation of the issues with the play store that I've read. Those permissions mean shit-all if they're shown to you once and have the all-or-nothing appeal of a click-through EULA. Users just ignore them.

It would be much better to set a security policy (with sane, safe defaults) and white list privileges one by one. App doesn't work without certain access privs? That's the app's problem. The developer will have to make sure to tell users to turn required features on. (This is sort of how iOS does it. Programs have to ask for access to location, photos, contacts when they need them. Even default built-in Apple apps do.)

There's no reason a flashlight app should have access to your contacts and emails.
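The "sane, safe defaults plus a whitelist" policy argued for in this post, and the "flashlight app asking for contacts gets deleted" rule from earlier in the thread, written out as a small checker. This is an added example, not code from any commenter or from Google: the per-category baselines, the high-risk set and the sample manifest are my own constructed choices, not any store's actual policy.

```python
"""Per-category permission allowlist check for an Android manifest.

Added example. The category baselines and the high-risk set below are
illustrative assumptions for this demonstration, not any store's policy.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used for android:name attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Baseline: what an app of a given category has a plausible need for.
# Anything declared beyond this is "excess" and gets flagged. (Assumed values.)
CATEGORY_BASELINE: dict[str, set[str]] = {
    "flashlight": {
        "android.permission.CAMERA",     # drives the LED flash
        "android.permission.WAKE_LOCK",  # keeps the light on
    },
    "media_player": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WAKE_LOCK",
        # Pausing on an incoming call is lumped into this coarse permission,
        # which is exactly the granularity complaint raised in the thread.
        "android.permission.READ_PHONE_STATE",
    },
    "game": {
        "android.permission.INTERNET",
        "android.permission.VIBRATE",
        "android.permission.WAKE_LOCK",
    },
}

# Permissions that expose personal data or can cost the user money. Excess
# permissions from this set turn a "review" into an outright "reject".
HIGH_RISK: set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
}


@dataclass
class Verdict:
    excess: set[str]      # declared but outside the category baseline
    high_risk: set[str]   # the subset of excess that is high risk
    decision: str         # "install", "review" or "reject"


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name="..."> from a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def evaluate(category: str, declared: set[str]) -> Verdict:
    """Compare declared permissions against the category's allowlist."""
    baseline = CATEGORY_BASELINE[category]
    excess = declared - baseline
    risky = excess & HIGH_RISK
    if risky:
        decision = "reject"
    elif excess:
        decision = "review"
    else:
        decision = "install"
    return Verdict(excess=excess, high_risk=risky, decision=decision)


# Constructed sample: a "flashlight" that also wants the network and contacts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    verdict = evaluate("flashlight", manifest_permissions(SAMPLE_MANIFEST))
    print(f"decision: {verdict.decision}")
    for perm in sorted(verdict.excess):
        tag = " (high risk)" if perm in verdict.high_risk else ""
        print(f"  excess: {perm}{tag}")
```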

Re:All or nothing approach is silly (1)

Luthair (847766) | about 9 months ago | (#45466275)

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iphone model in which the user is never told what the application can do).

It would be nice if the Android model presented a little more granular information at times, e.g. it's perfectly reasonable for a media application to know a phone call is ongoing in order to pause, but last I checked this was lumped in with knowing who called and a few other pieces. From a privacy perspective it would also be nice to be able to install applications and deny them certain permissions (e.g. provide an empty contact list, or location data). In Android 4.3 this was available through a hidden menu; hopefully it will become more easily available in future versions.

Re:All or nothing approach is silly (3, Interesting)

tlhIngan (30335) | about 9 months ago | (#45467037)

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iphone model in which the user is never told what the application can do).

Except to 99.99% of Android users, that permission information is completely useless to them. They don't know what it means, other than it's a screen that pops up whenever they install anything. They don't read it, they just tap Install and be done with it.

The technical term is Dancing Pigs [wikipedia.org] (or dancing rabbits), and it describes basically that the user is most likely not to pick the right choice security wise. They see an app in the Play store, tap install, then up comes the list of gobbledygook with a button that says "Install". They bypass the list and tap install, because they just wanted to install the app.

Relying on the user to make security decisions is poor security - all it affords you is the ability to blame the user for their mischoices, except said user is part of the very large majority who don't understand the screen, don't understand the need for it, and certainly don't understand why they need to spend the time reading it.

And that doesn't even get into the weird permissions you need in order to do stuff (like Read Phone State and Identity to get notifications when someone is calling).

The iPhone model isn't any better, but popping up extra dialogs doesn't work. Though, iOS at least does notify you and give you the ability to decline individual permissions (e.g., to stuff like location information, contacts and other stuff). But it too suffers from popup-itis.

Hell, the user can monkey around with some pretty complex steps if you tell them how to do it in small easy steps and they see benefit at the end. It's how they can do stuff like install OpenSSH, run PuTTY and enter in complex command lines - as long as they want to do it, they'll blindly follow. It's how the early jailbreak viruses spread - because people would do them to pirate apps and such and leave OpenSSH running with default passwords (because the HOWTO they used didn't tell them they needed to).

And I'm almost certain if you've helped someone that they'll say something like "every time I print, nothing comes out of the printer" despite every time they print, a big screen shows saying "NO PAPER IN TRAY". No, they don't read dialogs either (happens with developers as well - the solution may be right there staring them in the face...).

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45467153)

as opposed to the iphone model in which the user is never told what the application can do

You don't have a very good understanding of how the iPhone security model works. If the user doesn't want to share contacts, music, photos, location info, etc. they can still use the app, possibly in a limited fashion, because it prompts you once to allow each kind of access.

I personally prefer this method because there are apps that I use that I don't want having certain types of data, like Skype. I don't want MS getting all of my contact information, so I deny it access and add the 3-4 contacts that I Skype with manually. You don't have that option with Android, which is why people consider it "all-or-nothing". The iPhone actually gives the user finer-grained security control than Android.

Re:All or nothing approach is silly (3, Interesting)

zequav (2700007) | about 9 months ago | (#45466575)

There is App Ops in android >=4.3. Install App Ops Starter and disable the permissions you don't want to grant to an app.

Re:All or nothing approach is silly (1)

MetalOne (564360) | about 9 months ago | (#45466707)

I wish it would go a step further and not give any apps access to the contacts. It seems to me that an app that needs a contact should make a request to the operating system. The operating system could present the contacts to the user to select one, and then the operating system could return an opaque handle representing the contact to the app. The opaque handle could then be used to send email or what not.

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45466733)

You've answered your own question. Google wants people to blindly accept permissions and they would prefer if you didn't have the ability to use an app while denying it the rights necessary to violate your privacy.

Re:All or nothing approach is silly (1)

cyberfunkr (591238) | about 9 months ago | (#45467013)

The main problem of this is the developer now has the onus of describing to the user exactly WHY they really need that functionality within the app, and put in warnings and error screens if the user decides to turn off/disallow access. This adds a huge amount of bulk/overhead to even the simplest of apps.

What happens if photo editing software is denied access to your camera and/or saved photos? It appears broken so the developer gets negative reviews. This is an obvious example, but there could be more hidden rationales in other apps.

- Your ToDo app wants to use the GPS so it can remind you when you are at a location to fulfill a task.
- Your calendar needs your contact list to send out invitations.
- Your game needs to access your camera to use VR or adjust the lighting.

You end up with every app giving a series of popups asking for permissions that may or may not make sense. And if there is one thing we've learned, it's that when constantly bogged down with warning popups, people start ignoring them and just click "Yes" for everything making the whole security aspect moot.

I'd rather see on the app store product page a listing of, "Here are the permissions this app requires, and here is the explanation for why it needs it." Then I can choose BEFORE I EVEN DOWNLOAD the app if I feel safe. Now, they could still be lying through their virtual teeth, but at least I have the foreknowledge to ponder why this app that is supposed to teach me about the stars needs my contact list and access to Facebook.

Re:All or nothing approach is silly (1)

interkin3tic (1469267) | about 9 months ago | (#45467663)

Coupled with a barely managed market place

I seem to recall there being a lot of outcry when google banned a developer or two from the store. Now you're saying it's barely managed? You realize you can't have it both ways. You can't have it accessible to all (which I think is a major advantage of these virtual stores) AND have it completely free of slime.

Re:All or nothing approach is silly (0)

Anonymous Coward | about 9 months ago | (#45468327)

Slashdot is composed of more than one person and many of those people have different opinions. I can't believe that people actually have trouble with this concept.

Re:All or nothing approach is silly (1)

thetoadwarrior (1268702) | about 9 months ago | (#45468409)

Google needs the all or nothing approach or you might stop their programs from sucking your data out of your phone.

Mozilla does that too. (4, Interesting)

Animats (122034) | about 9 months ago | (#45465385)

Mozilla allows that, too. There's a slimeball company [wips.com] that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite [nabble.com]. Users were very angry. [mozilla.org]

Mozilla's reaction? Mozilla's add-on policies [mozilla.org] prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ... "These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review." The spyware was just fine with Jorge Villalobos [mozilla.org], Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."

You can't trust the Mozilla Foundation any more. That's sad.

Opt-in though? (1)

grimJester (890090) | about 9 months ago | (#45465653)

That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.

Re:Opt-in though? (4, Insightful)

Animats (122034) | about 9 months ago | (#45465831)

As long as the feature is opt in...

The "opt in" was more like "we're making you an offer you can't refuse." [mozillazine.org] It was pushed as an update to an existing add-on. The page with the terms was deliberately confusing. The privacy policy was originally missing. Some users reported that if you refused the tracking, the add-on then blocked major sites such as Flickr.

I was amazed that got past Mozilla's approval process. They've sold out.

Amazon App Store? (1)

Neuroelectronic (643221) | about 9 months ago | (#45465473)

I wonder if the Amazon android marketplace has this issue. I wonder if anyone even cares.

Quantity over quality (1)

rudy_wayne (414635) | about 9 months ago | (#45465511)

Google Play has recently surpassed the one million mark when it comes to the apps it offers

There's the problem right there. It isn't possible to have 1 million apps that are actually useful. Not even close. Just that number alone tells you that there is a problem -- that you have an enormous number of apps that are simply duplicates of others or malicious or just plain useless.

Re:Quantity over quality (4, Insightful)

mythosaz (572040) | about 9 months ago | (#45465717)

Useless to whom?

There's a ton of duplication, but not without some feature or preference issue. While I can imagine that the most obvious flashlight features are duplicated across all flashlight apps, I'm sure that there's a number of features (like support for specific phones and odd hardware lights, and widgets) preferences (tray icon, UI), or innovations (auto-off, strobe) that haven't been incorporated into the One True Flashlight App just yet. ...now when you want the one with the "help me" strobe that supports S4 gestures to change modes, you need some duplication.

There's also a dozen niche apps. How many Magic The Gathering life counters do you need? [I'm nerd enough to know there's plenty of room for different apps here.] How many keyboards do you need? How many pop the bubbles games do you need?

Just because you can't run a million apps doesn't mean that the thousand you could possibly use are the same as the thousand I could possibly use. Combine your thousand and my thousand and now we've probably got only 100 that overlap. You couldn't care less about having multiple Nissan Leaf apps because Torque Pro doesn't support reading advanced battery values from it -- but I do. Someone else cares about all sorts of stuff neither of us do.

Re:Quantity over quality (0)

Anonymous Coward | about 9 months ago | (#45467687)

Maybe there are 1000 that I think I might want - I think there are probably about 10 I actually would use on a regular basis.

And they deliberately try to stop me finding what I do want. (No Adware or Tracking.) Only the top 3 in each class of application.

They should move all the privacy invading stuff to its own category. (Be most of it leaving the good stuff actually easy to find).

I cannot even do a search for apps that don't use full internet access. (Wasting my battery is not acceptable to me in any way shape or form).

Re:Quantity over quality (1)

mythosaz (572040) | about 9 months ago | (#45468609)

Maybe there are 1000 that I think I might want - I think there are probably about 10 I actually would use on a regular basis.

To be clear, I've got 95 icons on my phone, meaning I've got 60 things that aren't "Phone," "Settings," or the full suite of Google apps.

I use about 5 of those on the average day.
I use about 15 of those in an average week.
I've probably got 10 of them I can delete right now - but space is cheap.

Re:Quantity over quality (0)

Anonymous Coward | about 9 months ago | (#45465867)

Google Play has recently surpassed the one million mark when it comes to the apps it offers

There's the problem right there. It isn't possible to have 1 million apps that are actually useful. Not even close. Just that number alone tells you that there is a problem -- that you have an enormous number of apps that are simply duplicates of others or malicious or just plain useless.

1 million apps can most certainly be useful, if they are built to fit a specific niche (for example my health insurance company published an app for managing health improvement incentives) since there are plenty of niches out there. They "could" be 1 million fart app duplicates, or they could be useful, organization specific apps. 15 years ago you would have said the same thing about .com sites; "surely 1 million is too many, they are all just duplicates for ads or viruses" but today it is clear that the world needs more than that, and there are good ways (search engines) of navigating them all.

Not a month goes by ... (1)

guanxi (216397) | about 9 months ago | (#45465553)

Not a month goes by ...

  * Without someone finding salmonella in a piece of chicken
  * Without someone finding a defect in a new GM car
  * Without someone's computer crashing
  * Without someone finding a spelling error in a Slashdot post ...

Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?

Re:Not a month goes by ... (1)

koan (80826) | about 9 months ago | (#45465727)

"Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?"

You need a comparison, what's Apple's rate?

Re:Not a month goes by ... (1)

coinreturn (617535) | about 9 months ago | (#45466283)

"Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?"

You need a comparison, what's Apple's rate?

As TFA states: "By design, Android applications can be disassembled, modified and reassembled to provide new functionalities."

Fortunately, that's not the case in the "walled garden" of derision.

Re:Not a month goes by ... (0)

Anonymous Coward | about 9 months ago | (#45467783)

I'm pretty sure you can do that with an iOS app. If you wanted to resubmit it to Apple to show up, it would have to get through their more stringent review, however.

What is being added (4, Informative)

Fnord666 (889225) | about 9 months ago | (#45465621)

Here [hotforsecurity.com] is a decent graphic showing just what is being added to these repackaged applications.

Link to the original article (3, Informative)

Fnord666 (889225) | about 9 months ago | (#45465649)

Here [hotforsecurity.com] is the original article in case anyone is interested. It goes into greater detail about the issues involved.

Re:Link to the original article (1)

adisakp (705706) | about 9 months ago | (#45467643)

Did the Net-Security.org site repackage this article before it was repackaged by Slashdot?

Laugh (1)

koan (80826) | about 9 months ago | (#45465703)

Google should be proactive about this (more so if they already are) because in a sense they are starting to become the Microsoft of mobile, with crap embedded and 3rd party apps.

I guess I have a winner for my "Who can fuck up Linux the worst" contest.

Avoidance (2)

xigxag (167441) | about 9 months ago | (#45465847)

A couple of simple things can be done to avoid phone malware.

1) Investigate the app before you install it. Click on the developer's web page and see if it looks legit. Read the reviews. Check to see that the permissions it's asking for have a legitimate purpose.

2) As TFA notes, most of these malware apps are free. Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.

3) In other words, remember that your phone is a computer. Don't take careless risks with your phone or tablet that you would never take with your desktop or laptop.

Re:Avoidance (1)

coinreturn (617535) | about 9 months ago | (#45466225)

Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.

Good advice. I need to start charging for my shady, repackaged malware on Google Play.

I am shocked! (1)

deviated_prevert (1146403) | about 9 months ago | (#45466123)

How soon people forget there are still all sorts of places to get modified Windows toolbars and shit ass apps like bear share and the likes for free and most of them hose you and phone home to momma. Most likely it is the same crowd of assholes that are modding Android apps and including phone home features that did shit like bear share and all the other Windows crapware back in the 90's. I just wonder how many of the gambling and porn sites are distributing free shit apps for Android, most likely about the same number that include iPhone, iPad and Windows apps on their sites.

As long as there are ponzi scams like Linkbucks and largely Mafia run gaming and porn sites happening on the net you will have shitty apps that phone home or redirect. It is no surprise that they are targeting Android. Again it comes down to if the original source is not available DON'T TRUST IT and this includes any app that is free to use regardless of the OS. ESPECIALLY good apps that have been modified and redistributed by someone else and do not match the checksum of the original binary.

It is not that these assholes that write phone home apps don't still write crap for Windows, it is just that they are going after a much larger audience when they target Android devices. Google does need to get proactive and dump the bullshit apps from their store though.

Microsoft seems to be learning the lesson but because they are starting to really fall behind in the consumer device market we will not see many shit apps for Windows Phone or RT. Naturally this does not mean that all the shit apps for x86 will disappear, it is just that fewer and fewer older Windows devices are using the net and the scamware writers are trying desperately to catch up with the usage curve, which has swung decidedly toward Android. Last but not least, most users have over the years been scared away from installing free apps off the net on Windows, and there is damn good reason for it! Crapware is a plague and the only answer is to expose the apps and remove them from the net if possible.

I have a friend that frequents gaming sites and regularly complains about how shitty his high end i5 laptop with Win7 runs, but the guy just does not understand how malicious the spyware from gaming sites can be. He even has tool bars with activeX which are installed for his gaming sites. I warn him but he just does not get it, but then again I would say he is addicted to gambling so perhaps he is having trouble seeing through his WINDOWS with the rose coloured glasses he wears.

Re:I am shocked! (1)

toonces33 (841696) | about 9 months ago | (#45466295)

I had to clean up my sister-in-law's computer at one point. People had been downloading "free" games from god knows where, and it was horribly infected with all sorts of malware. When I got a hold of the thing, it wouldn't boot because of the crap that was installed.

I have considered (0)

Anonymous Coward | about 9 months ago | (#45466147)

repackaging apps to remove the (*&(*& advertising. But it would have been only for my own benefit.

A little offtopic, but... (0)

Anonymous Coward | about 9 months ago | (#45466201)

Are there any good estimates on numbers of actual mobile infections out there?

Security firms' press releases all talk about numbers of malware app kinds detected, and most aren't even clear on where they look and what constitutes malware in their definition.

Application policy (2)

WaffleMonster (969671) | about 9 months ago | (#45466457)

The only prompt which should ever appear when installing an app is for the owner to select a profile of permissions the owner of the device feels comfortable giving to the application. Once this decision is made, the operating system is expected to do whatever is necessary to sell the lie that Rumpelstiltskin at 7185551212 is my only contact, my current location is the South Pole and my phone number is 1-900-909-4300.

The problem is none of the current cast of characters - not Microsoft, Google, Apple give a shit about the user they only care about profits which is why the user is always allowed to be treated like shit. Their days of owning the mobile OS space are numbered.
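An added example, not code from either poster, of the design MetalOne and WaffleMonster sketch above: an OS-side mediator lets an app reach a contact only through an opaque handle returned by the OS picker, refuses bulk enumeration outright, and serves decoy location and phone-number values to an app whose permission profile is not trusted. The Mediator class, the profile names, the sample contacts and all values are constructed for this illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample address book, held by the "OS"; apps never receive it.
CONTACTS = {
    "c1": {"name": "Alice Example", "email": "alice@example.invalid"},
    "c2": {"name": "Bob Example", "email": "bob@example.invalid"},
}
# Constructed real values and the decoys served under a restrictive profile.
REAL_LOCATION = (37.4220, -122.0841)
DECOY_LOCATION = (-90.0, 0.0)          # "my current location is the South Pole"
REAL_NUMBER = "+1-555-000-0001"
DECOY_NUMBER = "1-900-909-4300"


class PermissionDenied(Exception):
    """Raised when an app asks for something its profile does not allow."""


@dataclass
class Mediator:
    """OS-side broker an app talks to instead of touching contacts directly.

    profile: "trusted" returns real identity/sensor values; "decoy" returns
    plausible fake ones so the app keeps working without learning anything.
    """
    profile: str = "decoy"
    _handles: dict = field(default_factory=dict)   # opaque handle -> contact id
    outbox: list = field(default_factory=list)     # mail queued by the OS
    audit: list = field(default_factory=list)      # what the app asked for

    def list_contacts(self):
        # No profile grants bulk access: enumeration is always refused.
        self.audit.append(("list_contacts", "denied"))
        raise PermissionDenied("apps may not enumerate contacts")

    def pick_contact(self, user_choice: str) -> str:
        # Stands in for the OS picker UI; user_choice is what the user tapped.
        if user_choice not in CONTACTS:
            raise KeyError(user_choice)
        handle = secrets.token_urlsafe(16)   # unguessable and meaningless to the app
        self._handles[handle] = user_choice
        self.audit.append(("pick_contact", handle))
        return handle

    def send_email(self, handle: str, subject: str) -> int:
        # The OS resolves the handle; the app never sees the address.
        contact_id = self._handles.get(handle)
        if contact_id is None:
            raise PermissionDenied("unknown or revoked contact handle")
        self.outbox.append({"to": CONTACTS[contact_id]["email"], "subject": subject})
        self.audit.append(("send_email", handle))
        return len(self.outbox)              # a delivery id, not the recipient

    def location(self) -> tuple:
        real = self.profile == "trusted"
        self.audit.append(("location", "real" if real else "decoy"))
        return REAL_LOCATION if real else DECOY_LOCATION

    def phone_number(self) -> str:
        real = self.profile == "trusted"
        self.audit.append(("phone_number", "real" if real else "decoy"))
        return REAL_NUMBER if real else DECOY_NUMBER
```

The audit list is what a reviewer or the device owner would inspect afterwards: it records every request an app made, including the ones that were refused or answered with decoys.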

Hosts files are MULTI-PLATFORM... apk (-1)

Anonymous Coward | about 9 months ago | (#45466491)

So this? Seriously, a "piece of cake" to overcome via custom hosts files - & (of course) THIS is the easiest + best way to one:

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775 [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Installing the custom hosts you generate on ANDROID phones?

Cake too:

http://it.slashdot.org/comments.pl?sid=4081759&cid=44546757 [slashdot.org]

(Via the ADB/Android Debugging Bridge & its PULL command, but use smaller optimized hosts there folks - not much room).

APK

P.S.=> It's a TRULY VERY SIMPLE - & hosts beat the hell out of other "solutions" on a myriad of ubiquitous levels as noted above - no questions asked!

... apk

Hey, downmodder: (0)

Anonymous Coward | about 9 months ago | (#45467921)

The "best you got" = unjustifiable downmods? You've got zero... & you know it, I know it (as does anybody else reading with 1/2 a brain).

* To top that off, others will see it anyhow (bet THAT just "breaks your heart", doesn't it?)... It's been up for nearly 3 hrs. anyhow - you're TOO LATE anyhow!

Yes, folks: It truly makes me laugh - just SEEING you "struck speechless" thus!

(You, with NO VALID on topic critique to disprove the points I made on the value of hosts in added speed, security, reliability, & even anonymity (to an extent on the latter) - only technically unjustified downmods, nothing more, lol!).

I love it...

APK

P.S.=> Well, that's fine by me, since You're only making me STRONGER each time you fools bogusly downmod my posts on hosts (you know that, don't you?) & yet you can't offer ANY valid technical critique vs. my points

... apk

FUD (1)

morgauxo (974071) | about 9 months ago | (#45467087)

From the tone of the article this sounds scary!

But really, 1.2% Come on! That's tiny! 1.2% tells me Google is doing a pretty good job!

Repackaged versions of real apps? Oooooh... scary! If you see a second copy of an app, especially one with worse ratings, or a free app with a different author than the same paid app.. DON'T INSTALL IT. Duh!!

Any stats for.. (0)

Anonymous Coward | about 9 months ago | (#45467853)

SourceForge? [slashdot.org]

Meh (1)

excelsior_gr (969383) | about 9 months ago | (#45468363)

This means that I blindly need to install about 100 apps in order to get one or two that are "malicious". If some effort is invested in judging the legitimacy of the apps, then all 100 installs will probably turn out to be ok. This sounds pretty fine to me.

Gardener wanted (2)

saha (615847) | about 9 months ago | (#45468375)

Perhaps the Android garden doesn't need a wall, but it could really use a full time gardener