A Fifth of Android Apps Expose Private Data

H

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
A new reports says that a fifth of Android apps out there expose your private data. Heh, apps that expose you? Are you sure that’s not a feature? :D

Meanwhile, dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location, said Dan Hoffman, chief technology officer at SMobile Systems.
Click to expand...
 
You do have to explicitly grant an application those rights when you install. Each right an app requests is listed, and its all big and red and scary looking when it prompts you, too. That said, Google should consider a better method of distinguishing low severity rights (like just internet access) from medium severity (contacts and emails and internet) from high risks (such as internet access AND email access AND contact access AND making calls AND sending SMS)

But aside from maybe a better severity ranking system to better inform the users to truly dangerous situations, I don't see really any better way of dealing with the problem. That problem being running 3rd party programs on a device that you store everything on. iPhone has this problem, WinMo has this problem, etc... Its a problem with users, not the tech.
 
So there's no control panel that says what apps are allowed to access/do? I don't use fancy phones so I am totally unfamiliar with any mobile phone operating systems. Seems like a rather large oversight. I hope people I know with these fancy phones don't go giving out all my info in their address book.
 
When you install an app it lists what abilities it wants. You can then choose to not install the app.

For instance, if you install Pandora it tells you it needs access to your Contacts list. It didn't get installed on my phone because it doesn't need access to that.
 
niconx said:
So there's no control panel that says what apps are allowed to access/do? I don't use fancy phones so I am totally unfamiliar with any mobile phone operating systems. Seems like a rather large oversight. I hope people I know with these fancy phones don't go giving out all my info in their address book.
Click to expand...

You are told up front what an app can and can't do. For example:

wakeupcallmaker_install.png


This occurs regardless of where you are installing the app from. Installing from the market? You'll see that screen. Installing from an SD card? You'll see that screen. Installing from the browser? You'll see that screen.

Also, when you go to update an application manually, Android makes you re-confirm what permissions the app has. Froyo added automatic updating, but it will only allow automatic updating if the permissions didn't change. If the permissions change, you must manually update and re-confirm the permissions.

Its a very good system that I wished existed on other platforms (like the PC).
 
this is exactly the reason why apple has an approval process (and doesn't allow unapproved API's) as well as a remote kill switch for potential rogue applications that sneak through
 
kllrnohj said:
You do have to explicitly grant an application those rights when you install. Each right an app requests is listed, and its all big and red and scary looking when it prompts you, too. That said, Google should consider a better method of distinguishing low severity rights (like just internet access) from medium severity (contacts and emails and internet) from high risks (such as internet access AND email access AND contact access AND making calls AND sending SMS)

But aside from maybe a better severity ranking system to better inform the users to truly dangerous situations, I don't see really any better way of dealing with the problem. That problem being running 3rd party programs on a device that you store everything on. iPhone has this problem, WinMo has this problem, etc... Its a problem with users, not the tech.
Click to expand...

QFT, I learned the hard way when I started receiving unsolicited texts for strange services. Seems like an app I installed some time down the line must have farmed my phone number, and the app dev sold it to spammers. Keeping a close eye on those security settings now.
 
It appears the article has been revised to indicate the author is a silly twit who didn't do her research.
 
I'm sure the developers of these apps cringe in fear of being as successful as facebook.
 
dr.stevil said:
this is exactly the reason why apple has an approval process (and doesn't allow unapproved API's) as well as a remote kill switch for potential rogue applications that sneak through
Click to expand...
An iPhone app only has local access to its own files besides some very limited shared resources like pictures (requires manual intervention and uses SDK classes for access). Part of the approval process does check for use of restricted APIs, which could potentially break the sandboxing. It's not perfect, but it does do a pretty good job of preventing downloaded apps from running amuck.

If I had a Droid I'd be really careful about what I download. Let others try something else first.
 
I am not sure how Apple could prevent something like this slipping through. I am an android developer, and like previous posts mentioned, you are shown what permissions the application requires to function. From an application standpoint, you have to include the permissions you wish to access in your application manifest, if you don't include text messaging for example, and you try to send a text message with the app, it should crash w/ a message stating there are no permissions.

Other than that, the same thing goes with iphone, how can apple guarantee that an app to organize text messages does not harvest the phone numbers, and send those to the developer?

I guess there is a lower barrier to entry for crooked developers trying to make a buck in the android market than there is the iphone market. Which was pretty much a feature of the whole android platform - lower barrier to enter the market. What would be nice, is for google to offer some kind of logging feature to display what each application is doing.. Kind of like what they do with each application and the battery usage. So it could show you it has used 5meg of internet usage in the last 24 hrs, sent 5 text messages etc. Let the user see more what is going on w/ each app...
 
dr.stevil said:
this is exactly the reason why apple has an approval process (and doesn't allow unapproved API's) as well as a remote kill switch for potential rogue applications that sneak through
Click to expand...

Apple's approval process does nothing for this problem. I can still write an app for the iPhone that grabs your phone number and posts it to a server, and as long as I stick to the public APIs (which officially allow that), then I'll sail right through the approval process.

pxc said:
An iPhone app only has local access to its own files besides some very limited shared resources like pictures (requires manual intervention and uses SDK classes for access). Part of the approval process does check for use of restricted APIs, which could potentially break the sandboxing. It's not perfect, but it does do a pretty good job of preventing downloaded apps from running amuck.

If I had a Droid I'd be really careful about what I download. Let others try something else first.
Click to expand...

Android doesn't allow you to use restricted APIs, period. You literally cannot invoke private APIs (even if you use reflection, the VM quickly puts a stop to it as soon as you try to invoke a restricted method), and the permission system prevents you from using public APIs to access data unless you have the required permission.

iPhone's application sandboxing/security is definitely not superior to Android's in any way, quite the opposite, in fact. Also, applications cannot access each other's data unless the app explicitly creates public interfaces for the data, and can optionally require custom permissions to access it. Those permissions can then be limited. For example, there are some Android system privileges that are impossible to get because the system will only grant you use of that privilege if you are signed with the same keys as the system.

Regardless, this article is an advertisement anyway. All the "statistics" come from SMobile Systems, which sells antivirus software for cell phones: http://smobilesystems.com/
 
Remember that time when the iPads gave away your information too?

I Lolled :D
 
kllrnohj said:
You are told up front what an app can and can't do. For example:

wakeupcallmaker_install.png


This occurs regardless of where you are installing the app from. Installing from the market? You'll see that screen. Installing from an SD card? You'll see that screen. Installing from the browser? You'll see that screen.

Also, when you go to update an application manually, Android makes you re-confirm what permissions the app has. Froyo added automatic updating, but it will only allow automatic updating if the permissions didn't change. If the permissions change, you must manually update and re-confirm the permissions.

Its a very good system that I wished existed on other platforms (like the PC).
Click to expand...
If any of you have played around with Android development, you know that all apps must define what permissions they require in the manifest.xml file, if an app doesn't request a permission, it can't access that resource, this is enforced through the JVM container. That list of permissions the user OKs is all the permissions that application is requesting, you can't really hide anything, so if anything seems out of place, it probably is.

Say a user downloads a replacement SMS management application, that app SHOULD be requesting access to send SMS messages. Then say the same user downloads a simple card game, the app SHOULD NOT be requesting access to send SMS messages.

Common sense + User education will go a looooong way to prevent unauthorized access to resources on the Android platform.

Below is a link to the relevant documentation for Application permissions:
http://developer.android.com/reference/android/Manifest.permission.html
 
Langly said:
Remember that time when the iPads gave away your information too?

I Lolled :D
Click to expand...

You mean the security breach of AT&T's website? Or was there another incident I'm unaware of?

Apple's approval process does nothing for this problem. I can still write an app for the iPhone that grabs your phone number and posts it to a server, and as long as I stick to the public APIs (which officially allow that), then I'll sail right through the approval process.
Click to expand...

yes, you absolutly can do that because, like you said, the SDK allows it (some applications require access to the contacts list). There is actually a class action lawsuit going on right now with a developer/company called Storm8. They were harvesting users phone numbers for purposes that aren't quite clear yet. Luckly that's been the extent of such events.

A lot of developers (and rabid fanboys) were/are very critical of Apples strict SDK for the iOS... this is the reason why. "Apple not letting 'x' app hit the appstore" is much better press than "'x' app causes users to incur $1,000.00 in overseas calls"
 
synapsis said:
When you install an app it lists what abilities it wants. You can then choose to not install the app.

For instance, if you install Pandora it tells you it needs access to your Contacts list. It didn't get installed on my phone because it doesn't need access to that.
Click to expand...

Same. No app gets installed on my Droid if it requires access to strange things.

kllrnohj said:
Apple's approval process does nothing for this problem. I can still write an app for the iPhone that grabs your phone number and posts it to a server, and as long as I stick to the public APIs (which officially allow that), then I'll sail right through the approval process.



Android doesn't allow you to use restricted APIs, period. You literally cannot invoke private APIs (even if you use reflection, the VM quickly puts a stop to it as soon as you try to invoke a restricted method), and the permission system prevents you from using public APIs to access data unless you have the required permission.

iPhone's application sandboxing/security is definitely not superior to Android's in any way, quite the opposite, in fact. Also, applications cannot access each other's data unless the app explicitly creates public interfaces for the data, and can optionally require custom permissions to access it. Those permissions can then be limited. For example, there are some Android system privileges that are impossible to get because the system will only grant you use of that privilege if you are signed with the same keys as the system.

Regardless, this article is an advertisement anyway. All the "statistics" come from SMobile Systems, which sells antivirus software for cell phones: http://smobilesystems.com/
Click to expand...

Many thanks for that informative post. Always nice to read information that is correct and kllrnohj you are always way ahead of the game with some of this.
 
SPARTAN VI said:
QFT, I learned the hard way when I started receiving unsolicited texts for strange services. Seems like an app I installed some time down the line must have farmed my phone number, and the app dev sold it to spammers. Keeping a close eye on those security settings now.
Click to expand...

Yes I started to get strange texts also! I've had my verizon service for over 5 years and only started getting spam text a few days ago. I really think it's from one of these apps. Hope Google starts to put some restrictions to these types of developers soon.
 
S1N3R6Y said:
Yes I started to get strange texts also! I've had my verizon service for over 5 years and only started getting spam text a few days ago. I really think it's from one of these apps. Hope Google starts to put some restrictions to these types of developers soon.
Click to expand...

I have the same thing...but don't even have a smart phone. It happened for years. I mean theres only so many phone numbers, it's not like its encrypted.
 
dr.stevil said:
yes, you absolutly can do that because, like you said, the SDK allows it (some applications require access to the contacts list). There is actually a class action lawsuit going on right now with a developer/company called Storm8. They were harvesting users phone numbers for purposes that aren't quite clear yet. Luckly that's been the extent of such events.

A lot of developers (and rabid fanboys) were/are very critical of Apples strict SDK for the iOS... this is the reason why. "Apple not letting 'x' app hit the appstore" is much better press than "'x' app causes users to incur $1,000.00 in overseas calls"
Click to expand...

And its really not any different on the Android side of things, other than Android doesn't let you use private APIs due to its architecture whereas Apple has to look for programs using private APIs.

Apps can be pulled from the marketplace, Google claims to verify the business information of developers in the marketplace (costs $25 to become a marketplace developer), etc...

What this article boils down to is that 20% (or whatever percentage they gave) of apps in the Android marketplace use privileges that access sensitive information. It is not saying that they are malicious, just that they have the ability to access it (granted by users). Which is an interesting statistic, but not particularly meaningful.

Also, the whole "private API" nonsense really doesn't exist at all on Android. Android doesn't distinguish between 1st and 3rd party apps. Even things like GMail, Contacts, Phone, and Google Maps are governed by the same permissions and use the same APIs as 3rd party apps. The biggest difference is that apps like Contacts and Phone are signed by the system keys, allowing them to access more system permissions (because those system permissions are limited to apps signed with the same keys as the declaring application and not because they are whitelisted or treated differently - its still the same system).

Also, the iOS SDK *IS* really limited, and not to protect the users of the phone but to protect Apple's market. For example, the bluetooth APIs are a complete joke and practically nonexistent, only allowing you to pair 2 iOS devices together. There isn't any security concern there, just the concern that it would allow apps to communicate with hardware not made by Apple, and Apple can't let that happen.
 
S1N3R6Y said:
Yes I started to get strange texts also! I've had my verizon service for over 5 years and only started getting spam text a few days ago. I really think it's from one of these apps. Hope Google starts to put some restrictions to these types of developers soon.
Click to expand...

Have you ever dialed a wrong number? I know I have, and so have many people. Have you ever accidentally dialed a number that didn't exist? Probably not, because there aren't many phone numbers not in use.

Thus, it is completely possible that you are getting spam texts from a company simply guessing phone numbers, not to mention the hundreds of other ways to get people's phone numbers (such as facebook).

Have verizon start blocking the numbers you are getting spamed from.
 
dr.stevil said:
A lot of developers (and rabid fanboys) were/are very critical of Apples strict SDK for the iOS... this is the reason why. "Apple not letting 'x' app hit the appstore" is much better press than "'x' app causes users to incur $1,000.00 in overseas calls"
Click to expand...

You'd have a point if this were the only reason why Apple ever blocked or withdrew apps from the app store.

However, that's not the case.
 
chrispix said:
What would be nice, is for google to offer some kind of logging feature to display what each application is doing.. Kind of like what they do with each application and the battery usage. So it could show you it has used 5meg of internet usage in the last 24 hrs, sent 5 text messages etc. Let the user see more what is going on w/ each app...
Click to expand...

This would be fantastic. Have you submitted an enhancement request? :p

I was thinking it'd be great to be able to just disable specific permissions for certain apps, and have them translated to no-ops in the VM or something. Some way to be a bit more granular about it.

And statistics about what services Android apps use passes for news around here?
 
dr.stevil said:
this is exactly the reason why apple has an approval process (and doesn't allow unapproved API's) as well as a remote kill switch for potential rogue applications that sneak through
Click to expand...

Yes, Apple's system of making decisions for its users is much better than putting the responsibility in the hands of the users. As has been said, every app you install on Android tells you what it wants to have access to and if it bothers you, don't install it/find an alternative app.
 
InsanePerson said:
Yes, Apple's system of making decisions for its users is much better than putting the responsibility in the hands of the users. As has been said, every app you install on Android tells you what it wants to have access to and if it bothers you, don't install it/find an alternative app.
Click to expand...

SPARTAN VI said:
QFT, I learned the hard way when I started receiving unsolicited texts for strange services. Seems like an app I installed some time down the line must have farmed my phone number, and the app dev sold it to spammers. Keeping a close eye on those security settings now.
Click to expand...

S1N3R6Y said:
Yes I started to get strange texts also! I've had my verizon service for over 5 years and only started getting spam text a few days ago. I really think it's from one of these apps. Hope Google starts to put some restrictions to these types of developers soon.
Click to expand...

Just saying ;) this has also happened to two of my friends that have an android phones (G1 and a droid). It might just be a coincidence, but it might not be either. I don't disagree about letting the users have more control over what they want to use but at the same time, I can understand why they'd want to limit it, especially with something as vulnerable as a cell phone. I can see a large data breach causing not only a lot of bad press, but also a major legal backlash.
 
dr.stevil said:
Just saying ;) this has also happened to two of my friends that have an android phones (G1 and a droid). It might just be a coincidence, but it might not be either. I don't disagree about letting the users have more control over what they want to use but at the same time, I can understand why they'd want to limit it, especially with something as vulnerable as a cell phone. I can see a large data breach causing not only a lot of bad press, but also a major legal backlash.
Click to expand...

WHAT has happened to two of your friends? I haven't heard of any Android malicious apps out there. Not saying they don't exist, just that there doesn't seem to be many of them if there are any at all.
 
dr.stevil said:
spammed with SMS ads
Click to expand...

We have phones here that have never had a 3rd party application installed on them (other than mine - I do mobile development) that get SMS ads and random phone calls. They've never been used to make phone calls, and the phone number has never been posted anywhere. Java phones, Brew phones, Blackberry, Android, and *gasp* even the iPhone we have all get SMS ads and random phone calls.

Basically, what happened to your friends would have happened regardless of what phone they got. It is extremely unlikely that it is the result of a malicious app. But even if it was, that just means your friends are idiots that installed random crap and then granted it access to all their info.
 
You must log in or register to reply here.
Back
Top