The Register® — Biting the hand that feeds IT

Feeds

'Suspicious' Android wallpaper app nabs user data

An Android wallpaper application that collected data from users' phones and uploaded it to a site in China was downloaded "millions of times", according to mobile security firm Lookout. Kevin MaHaffey, chief technology officer at Lookout, used Jackeey Wallpaper as an example of the wider risk faced by smartphone users during a …

This topic is closed for new posts.

Page:

J 3
Pirate

Can anyone say...

...proof of concept?

Anyway, that's another good reason for me to keep my phone dumb.

Anonymous Coward
WTF?
Reply Icon

Or you can read the warning and decide....

If you ever need to install useless applications, why would you carry on installing after noticing the piriviliges required?

I understand that ease of use is important but taking clueless beings as lowest common denominator is certainly not the way to go forward. A little bit common sense and responsibility should be required instead of policing the marketplace.

Adam 10
Reply Icon

Privilege system needs improvement

I have a Desire, and one of the things that struck me when I first installed an App was that the "this app needs access to the following" page was a good idea. This was followed a few seconds later by the thought "Why does this app need access to this? And that? And that thing?"

There should be at least an option to have checkboxes next to each item so you can say something like "Yes, I don't mind this using my GPS, Yes it can use wi-fi but No, I don't want it using mobile data.". I wonder how much data is consumed by apps that really don't need to download or upload data, but do because that is what the developer decided it should do (for whatever reason).

The other thing Android needs is an in-built task killer - multitasking is great but many human users feel uneasy with anything they can't "switch off" on request.

Anonymous Coward
Anonymous Coward
Reply Icon

Sorry...

Stupidity is VERY resistant to education.

Arctic fox
Flame

What about prior consent?

“Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

How about they don't have any effing right to collect jacks**t without prior consent from the individual downloader?

This post has been deleted by a moderator

Anonymous Coward
Anonymous Coward
Reply Icon

ooo

ooo Racism, go you.

No, I will not fix your computer
Stop
Reply Icon

Re: The Scourge of the Internet -- China

Numpty.....

1. China has the largest population in the world, around 1.3 billion people, so it's likely that you'll get more of everything from a place that there's more than anyone.

2. Acording to Sophos, China is numer 2 in the league table of countries that host the most malware and spam relays, however, number 1 is the USA doing 10% more than China (http://www.sophos.com/report2007) which isn't bad for a country with less than a quarter the population (per capita, the states is 5x worse than China).

Saying "Nobody does more to give the shaft to web surfers than Chinese people" is just plain stupid, nasty (and ignorantly racist), it's as stupid as saying "on average people in this world have less than one testicle each", while it might have a basis in statistical accuracy you cannot make such a sweeping judgement about "Chinese People".

Doshu
FAIL
Reply Icon

Troo dat

Every country in the world runs the entire gamut of human behavior.

Crass (and racist) generalizations about people are the stuff of simpletons and trolls.

Arctic fox
Thumb Up
Reply Icon

Not possible to.....

.....express it better than you have just done. Loads of kudos - agree completely.

Arctic fox
Reply Icon

Clarification

Just so there is no dubiety, I was replying to "No I won't fix your computer". The original posting made me want to v********

Anonymous Coward
Heart
Reply Icon

If we all pulled together on this one

we could get more men to carry donor cards, preserve their testicles (in formaldehyde, or possibly aspic?) post-mortem and donate them to the poor. How long would it be until EVERYBODY had one?

I admit I do feel a little guilty because I'm married to a man with three.

(The heart should be golden).

dotdavid

Android's permissions model could be better

While programs can say what permissions they require, there's currently to my knowledge no way that developers can say *why* they need those permissions.

A lot of apps require a network connection for adverts. If there was an "advertisement API" that programs could use which had those permissions, implementable by third party ad networks, then a lot of programs would no longer require that permission and you could be more confident that your stuffisn't leaking onto the interwebs....

Anonymous Coward
Anonymous Coward
Reply Icon

Yes/No/Maybe

The 'Advertisement' permission is a good idea, but it would require that Android ships with each advertisers APIs, or that I install them manually, automatically making it fail because I'm not going to do that.

I think tick-boxes are the way to go for each permission. The Internet permission could have a 3rd option: enable, disable, prompt, whereby it prompts, with the requested hostname, IP address and reverse lookup of that IP address. You then confirm that you want to allow that connection, just once, or permanently.

That could get extremely ugly for a 'user experience' perspective though.

Anonymous Coward
FAIL

If you sleep with dogs...

you are going to get fleas...

simples

Anonymous Coward
Flame
Reply Icon

If you get into bed with Apple...

you are going to get royally shafted...

simples

Anonymous Coward
Anonymous Coward
Reply Icon

If you sleep with pigs

you are going to get stuffed - with an apple! Then arrested.

simples

Anonymous Coward
Flame
Reply Icon

So...

I'm not allowed to sleep with my antique Babe the Pig plush anymore?

What is the world coming to!

Anonymous Coward
WTF?
Reply Icon

Sorry?

What;' this got to do with Apple, it's is about an Android app problem isn't it?

Jeez, just cos it has a big A at the beginning you Apple-haters just suddenly stop reading once you hit an upper-case A?

Wang N Staines

Stay Away From Android!

If there is no control and vetting of apps then stay away from the platform.

I'm sticking to the walled garden, at least I'm protected from 3rd party collection/hacking.

Ian 70
Reply Icon

Or of course

You could just pay attention to what you are installing.

Would you seriously install a wallpaper application downloaded from the internet on a desktop machine?

Chris Walton
WTF?
Reply Icon

@wang N Staines

"If there is no control and vetting of apps then stay away from the platform."

You mean like Windows, Linux, Mac and pretty much every platform going?

Google and Apple do vet the apps that appear on their market places but there will always be a chance something nasty slips through. Unlike Apple, Android gives a warning when installing every app about what it is allowed to access.

Of course I'm forgetting that Steve Jobs is actually the second coming of Jesus and can fix an iphone 4's reception with just a touch of his hand...

Geoff Campbell
FAIL
Reply Icon

Yeah, well....

....if you're not clever enough to play out in the real world, the walled garden is probably the best place for you.

GJC

bluesxman
Flame
Reply Icon

RE: Steve Jobs [...] can fix an iphone 4's reception with just a touch of his hand..

I'm pretty sure touching it with your hand is what fucks it up it the first place...

ThomH
Reply Icon

@Chris Walton

iPhone apps have to ask the user for permission (either explicitly or implicitly) to access various things at runtime. It's not accurate to say that no warning is presented to iPhone users.

Applications that try to access the location get a pop-up box saying "This application is trying to access location services" and then it's up to the user to allow or deny it. If you allow it, you grant permission for all future launches. But the more common approach is that taken to sending an email or getting contact details from the address book — the only mechanism to get at those details is to use a supplied Apple dialogue. To get a contact, for example, you have to ask the OS to request that the user pick a contact, the user picks one using the standard interface, the program gets the name of that single contact back. So the user still knows exactly what's going on and grants permission.

I think there was one occasion where somebody figured out how to get the user's phone number on the iPhone using some sort of API quirk. That was a mistake on Apple's part and has been fixed. The usual prohibitions on illegal APIs act as the rest of the barrier.

That all being said, these are the main points I take from the story:

– a wallpaper app can get 3 million downloads on Android; and

– Android is doing so well that people are starting to care about malware for it.

I care less every day about Apple versus Google (other than where one side is misrepresented).

Anonymous Coward
FAIL
Reply Icon

As most users aren't.

Assuming, by 'clever', you mean have an awareness of software security.

Don't forget, most users aren't technically gifted, something that people in technical roles (particularly developers in their ivory towers) often forget.

morphoyle
Reply Icon

lol

No you aren't. Remember about a month ago, when Apple had to pull 3 or 4 apps after several people had suspicious charges on their itunes accounts? Apple users tend to have short memories, so you have probably forgotten already. Why didn't the guards at the gates of your walled garden catch those initially? Or the flashlight app with hidden tethering?

EvilGav 1

Social engineering . . .

. . . again.

The app's on Android tell you what they want access to, if an app that puports to simply be wallpapers wants access to all of your contacts and the ability to use data services (to upload), why the hell would you install it ?

It's not an OS vulnerability, it's a problem with a malicious developer (potentially) and gullible users.

Anonymous Coward
Anonymous Coward
Reply Icon

I agree

but it still raises a more serious question...

Google rushed to remove a benign proof of concept app they claimed was dangerous, so why haven't they moved to remove this app that is clearly malicious (stealing personal details and uploading them to a server in China without getting explicit permission is not the actions of someone trustworthy).

Anonymous Coward
Big Brother
Reply Icon

Malicious?

I would agree to 'untrustworthy'. But the behaviour is the sort of thing I'd expect from the Chinese State, and given what looks - to me anyway - like the largely successful indoctrination of its subjects, and particularly, perhaps, of those allowed to conduct business legally, I wouldn't necessarily ascribe malicious intent to this. More the distorted ethics of a brainwashed region.

Anonymous Coward
Anonymous Coward
Reply Icon

China

So China is that bad is it?

Not at all like the USA, UK, <insert country of choice here> ?

Yeah, thought so.

Is China really that much worse than everywhere else - or just to your brainwashed brain?

Platelet

If only

If only someone produced a malware scanning app for andriod, oh wait...

Juan Inamillion
FAIL

Nothing to see here..

...move along.

ukdeluded
Unhappy

Hmm ... App Police?!

Does this validate the Apple approach of policing the apps? If only they used their power for good!

Cameron Colley

Doesn't the app have to ask for permission?

I would have though that phone platforms would ask the user, at least the first time, whether they wanted the app to access other things on the phone? I know on my Symbian phone, for example, an FTP app has to get permission to access local files and folders.

Doesn't Android have anything similar?

Geoff Campbell
Happy
Reply Icon

@Cameron

Yes, it does - every app install tells the user in quite plain language which permissions the application requires, and needs a positive confirmation before proceeding.

Never overestimate the reach and power of human stupidity, however.

GJC

Fuzzysteve
Reply Icon

When it's installed it has to ask

There's a list of the permissions the application is asking for, shown at install time. You either approve all of them, or none.

spacca

hmmm

Sure this will turn into a flamewar, but this does highlight the need for a closely observed and regulated marketplace when it comes to phones. Either that or someone will invariably produce a virus and malware protection programme to run on the phones to keep that vast majority of the normal, non geeky phone using public safe from their own technological shortcomings. Android will take over the market (I don't think that there is any question of that) but the hardware will have to run security just to make using it safe. Joy.

And, it's not like this is a minor issue, when phones are doing everything a computer does (loosely) but combine payment systems (already running in some parts of the world) and also tonnes of personal info that is in general unprotected, it's only a matter of time before the first big F'up happens. Be interesting to see who accepts the blame.

I for one am happy with Apple's take on how to control their market, it may not be perfect (far from it) but I do feel secure.

adnim
Reply Icon

Feeling secure

I guess that's enough "feeling secure", and as Apple, like every other international company can be trusted implicitly we have nothing to worry about.

Personally I don't trust any operating system that I haven't installed and locked down myself. To be honest, I don't entirely trust those that I do either, there are a lot of very clever hackers out there.

What the Android OS needs is the smart phone equivalent of a firewall. Everything blocked from making any connection to anything unless explicitly given permission to do so. The user should also be able to log any data sent to and from the phone. If data is encrypted before transmission then the user should be able to see that data prior to encryption. Any practice that tries to bypass such features should be considered rogue.

Yes users/consumers are still going to blindly trust applications, but developers are less likely to publish data stealing applications if it was a legal requirement that all output from those apps be open to monitoring by the user.

Arctic fox
Thumb Up
Reply Icon

To Spacca and Admin......

...Interesting and common sense. I appreciate your postings.

Arctic Fox

cynic 2
Black Helicopters

Dev response

A quick grope around the Internets found this: http://www.scribd.com/doc/35072457/Jackeey-Response. It's not totally convincing -- the device info and phone number should have been hashed.

Anonymous Coward
FAIL

Swings and roundabouts.

Some people are too stupid for their own good.

Ever time you download an Android application, it shows the security policy for this application. This wallpaper application will have stated that it reads your phonebook, it reads your user information, it reads other stuff, it needs network connectivity etc etc etc...

If they want to live in nicey nicey land, get an iPhone. However really these people shouldn't be allowed to touch ANY technology as they are clearly too stupid.

Anonymous Coward
Flame
Reply Icon

Usual 'dig at apple' response....*yawn*

So you read every little EULA, disclaimer and small print that passes in front of you. Gee, what an exciting life you must lead.

Personally, I like to get on with my life, therefore, I like certain devices and platforms to just work. Generally, Apple achieves this (new OS issues and design flaw on the 4G accepted), at the cost of certain freedoms. For my needs from a phone, this is a fair trade. On a desktop, it is not, ergo, I use a PC, not a Mac.

Calling people 'stupid' because they don't have a technical understanding (or even a need to be such), or choose a platform that you don't like for whatever reason is the sort of thing I'd expect from the narrow minded. Surely, you aren't that, you appear to be very well read (at least with regards to security disclaimers, EULA etc etc).....

DryBones
FAIL
Reply Icon

Erm... no.

Roints off for the farcical comparison, by the way. A EULA is a legal form with all the length and relevance to daily life implicit in such a thing. A permissions list should be easily readable and take one screen. If they have any resemblance to each other, the coders need to be spoken to sharply.

As Snow Crash put it, guns have come to paradise, But people are not making the mental switch yet that anytime you have something that you can put things into, some of it may be shoddy, malicious, or just utter crap. ... Wait, when did I start talking about internet postings? >_> <_< >_>

It's perfectly possible to make a much better phish, a social networking aggregator app, for example. Pick one: 1) Walled garden. Relatively little worrying about security with the occasional slipthrough. 2) Wide open. Think about security or get burned worse than if you are. 3) Take away the ability to add functionality to a phone.

Lottie

I fail to see...

... Why you'd go about downloading wallpapers anyway. It's less hassle to find a pic on Google image search, save to the phone and select it that way.

Still, it sure is worrying just how little attention folk pay to what permissions are requested by their downloads.

Geoff Campbell
Pirate
Reply Icon

Wallpapers

Android aupports active wallpapers, where the pictures move. Utterly pointless IMHO, but some people seem to like them.

GJC

Jimbo 6
Megaphone
Reply Icon

Utterly pointless, but some people seem to like them

Into that category, I will happily put Androids, iPhones, Twitter accounts, Fleabay customer services staff, personalised number plates, skinny lattes, lads mags, and most of the paraphernalia of modern 'life'.

halms
Thumb Up

its not a theory

there's no governing in android apps. developer are not required to publish their source codes. thereby, no one can know for sure what the app does. it wont pop up 'hey, i got your mobile no. now im gonna send it to my master'. no. it does so in the background, acts as it wanna do something legit, but instead adds some more data to it. this is easily done, especially with rooted devices. can be done with jailbroken iphones too. this is not a theory. any experienced programmer know how to do it.

Anonymous Coward
FAIL

Geeks

Yet more proof that Android is well and truly the domain of the geek. My boss just bought himself a Desire and the first time he installed an app it flashed up that it needed internet access to which he showed me it and said "Whats this?". Your average punter has no idea on these kinda things and will happily click yes willy nilly. As someone else said theres no explanation as to WHY they need the access requested and until you actually install and use an app that may well not be clear. Even the message it did give wasn't that clear to a non techy and there was some confusion as to whether you were granting access to download the app or for the app itself to then use the internet.

The question I guess is should you really have to worry about such things on a phone or should it be safe to use without fear that an errant yes click will expose your contacts to the world? Perhaps with much clearer user guidance then fair enough

I'll stick with Jobs and his app police for the time being thanks all the same.

nemo20000
FAIL

This isn't a story. This is a story...

Android apps list the privileges they require when installing. As has been said, you can review those, decide you don't like the look of them and not install. You can also email the developer to ask what the privileges are for. So, no real story here.

This is a story: http://www.wired.com/gadgetlab/2010/07/apple-approves-pulls-flashlight-app-with-hidden-tethering-mode/

iPhone apps do not list their capabilities. Apple scrutineers do not inspect the app source so can't spot hidden functionality in advance. Apple users can't tell what an app will actually do when they install.

Which is more alarming?

Page:

This topic is closed for new posts.