Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of applications monitored used phone numbers, geolocation, and other information “suspiciously.” The study – by computer scientists at Pennsylvania State University, Duke University …
Time for a firewall app/mod
Oh wait, I don't need one because... I don't actually use a smartphone :P
Seriously though, would-be developers should look into filtering packets on this device. Some sort of user-friendly personal 'firewall' might sell - of course you'd have to trust it... Be even better of course if it were completely free and open.
There isn't an app for that...
Unless Google change their "all apps are equal" mantra, firewalls/virus scanners will be useless. All they can do is suggest to the user they might want to uninstall a suspect app. If the app isn't on the list then it won't be able to spot it. In my dissertation I wrote five (short) lines of code that could disable another app (such as a virus scanner) and worked OK on a fully patched 2.2 (not that most people will ever be fully patched). Firewalls fare no better as the internet permission is an all or nothing affair.
People think I'm crazy for waiting until I can buy a Windows Phone 7 device, but when faced with uncertainty as to the safety of our personal data on an Android device I feel that something like the new Samsung Omnia 7 will give me the peace of mind that is needed.
The daft thing is that I shouldn't have to worry about anyone snooping on my activities through my handset, but nowadays it's no longer as simple as picking a phone based on stylish looks or bundled utilities. If I choose Apple I get a mobile phone that is under such strict control I may never truly know what personal information is shared. With an Android device there's the added bonus of the OS coming from a company known for making a living from targeted advertising to be considered along with the contents of this article. WP7 comes from a company known for upholding privacy legislation in their products so my (rudimentary) logic suggests I should give them a chance. Then again WP7 may be just as subject to abuse of personal data by third party app developers, but due to the Microsoft name the WP7 devices and available apps will be under much greater scrutiny than the iOS or Android alternatives as people hunt for ammo to use against MS.
People think I'm crazy for waiting until I can buy a Windows Phone 7 device.
Not only will you be susceptible to badly written apps but infections as well.
"If I choose Apple I get a mobile phone that is under such strict control I may never truly know what personal information is shared."
Seriously? If you believe this drivel you should probably steer clear of a phone altogether and stay indoors where the bad men won't come and get you. To choose Microsoft over anyone else with regard to security is delusional.
You realise that like most of these "revelations" that it applies to all smartphones?
It's like an article a while back complaining how Windows is vulnerable to user stupidity, implying that other OSs aren't. I can't recall the name of the iPhone app that was pulled for using users' data in a suspicious way, I think it even went so far as to use undocumented APIs to pull the phone number.
While I agree that Android does need a better permission assignment system, I haven't seen anything that suggests WP7 will be any more secure, only Microsoft's reputation, and that scares me.
Ultimately, the problem is users not realising how sensitive the data on their phones is and not using common sense to protect it.
"Not only will you be susceptible to badly written apps but infections as well."
And you base this assertion on what evidence exactly?
Not only that...
If you buy a Samsung you'll get a crap phone tool.
The hackers go after the OS with the greatest penetration. On desktop that's Windows, but on phones surely Apple's OS or Android are the ones that'll be targeted. The idea that Win 7 will get enough market share to warrant hacking seems a little unrealistic....
>>WP7 comes from a company known for upholding privacy legislation in their products so my (rudimentary) logic suggests I should give them a chance<<
Dear god in purgatory are you really that naive?
"And you base this assertion on what evidence exactly?"
I didn't assert that but I agree. I base my agreement on years of badly written apps, stack overflows, Slammer and other comedic security gaffes.
In other words, nothing but prejudice
Android is like the old Windows mobil
Android suffers exactly from the same problems that Windows Mobile suffered: fragmentation, unvetted applications downloaded from various websites, difficult updates of the operating system. The interface is also cannibalized by each vendor. Just bear in mind that success many times depends on marketing money. Look at webOS, great system from what I've heard (not seen) but never took off. I am due for an upgrade and waiting to see what Windows Phone can do, then will buy something else 'cause my mobile is almost 3 years old.
Just use the best mobile, go to the shop and ask for a demo, and then decide what fits you best and what your pocket can afford.
It's bad enough having the OS supplier having unlimited access ...
but having Apps access things for which there is no legitimate need should be a no-no.
There is a secondary concern: the use (theft) of user paid communications. This could mean that a device left plugged in, powered up and not used still incurs communication use fees.
Whilst there is nothing the user can do about the OS/manufacturer data use, all systems should be equipped with OS features that allow users to determine EXACTLY which App has access to what data. None need access to cell phone identification.
Until this happens I will happily use my 'dumb' phone knowing exactly who knows what about me.
plus phoning home every 30 seconds will eat battery life too.
What makes you think your dumb phone is safer?
Didn't Vodafone sell a tonne of user data and get caught a while back?
Network operators do the same thing, these apps may well be stealing info to sell to Orange, 3 and T Mobile
You never know
Correcting the Numbers
By selecting only from applications that access both personal data and the internet, they're overstating the significance of their study by about 3x. Furthermore, their summaries blur this distinction unnecessarily.
Specifically, their FAQ says "We studied just over 8% of the top 50 popular free applications in each category that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." Since there were 22 categories at the time they did the study, that would imply (22*50=1,100 * 8% =) 88 applications. However, they actually only tested 30, because of the 1,100 top 50 applications only (from the PDF) "roughly a third of the applications (358 of the 1,100 applications) require Internet permissions along with permissions to access either location, camera, or audio data." -- meaning that the other 742 apps don't have the necessary permissions to play badly. The clause "..that had access to privacy sensitive information in order to get a sense of the behaviors of these applications." from the FAQ is grammatically ambiguous in this case (it may refer to "applications" or "category"), and not specific enough to indicate that over 2/3 of the applications are (relatively) safe by dint of not having the necessary permissions.
They also didn't include in their study apps from 10 of the 22 categories, but they don't explain whether that was due to a) there not being any or enough applications in those categories that required internet and personal data permissions, b) a conscious choice to focus on the other 12 categories, or c) the results of random selection (with an explanation of why they did not use a stratified sample).
Once you factor back in the applications they ignored, the numbers don't look quite so bad. Assuming their sample was representative, 2/3 of the 358, or about 239 applications of the top 1,100 of the time use personal data suspiciously. That's about 21.7% or just over 1 in 5 -- still significant, but a far cry from 2 out of 3. In fact, the worst case maximum is actually 358 of 1,100 or just under 1 in 3 (32.45%) because they are as mentioned above the only ones that actually acquire the permissions necessary to do anything "suspicious".
I understand why both the researchers and the reporter used the 2/3 figure -- you all believe you have to sell the point as hard as possible*. But the real story is that it's likely that at least 1 in 5 Android Apps use private data "suspiciously" -- and that number is still high enough to cause concern and to justify the further use of tools like TaintDroid. It's a pity you didn't trust the facts enough to avoid the unnecessary sensationalism.
*I am assuming, here, that Mr. Goodin did actually read and digest the paper as I did, rather than simply picking out the figures from the study, the FAQ, or a press release.
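The selection criterion quoted in the comment above (Internet permission together with location, camera, or audio access) can be checked mechanically. This is an added example, not part of the original comment or the study's tooling; the function names and the four sample manifests are constructed, and it assumes manifests already decoded to plain-text XML rather than the binary form stored inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# Sensitive sources named in the quoted passage: location, camera, audio.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            perms.add(name.strip())
    return perms


def classify(manifest_xml):
    """Report whether an app holds both a network sink and a sensitive source."""
    perms = requested_permissions(manifest_xml)
    sources = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    has_internet = INTERNET in perms
    return {
        "internet": has_internet,
        "sources": sources,
        # Only apps with both could send this data off the device themselves.
        "in_scope": has_internet and bool(sources),
    }


def in_scope_share(manifests):
    """Return (sorted in-scope app names, fraction of all apps in scope)."""
    if not manifests:
        return [], 0.0
    hits = sorted(n for n, xml in manifests.items() if classify(xml)["in_scope"])
    return hits, len(hits) / len(manifests)


def _manifest(*perms):
    """Build a constructed, minimal manifest declaring the given permissions."""
    body = "".join(
        '<uses-permission android:name="android.permission.%s"/>' % p for p in perms
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="example.constructed">' + body + "</manifest>"
    )


# Constructed sample set, not data from the study.
SAMPLES = {
    "torch": _manifest("INTERNET", "ACCESS_COARSE_LOCATION"),
    "maps": _manifest("INTERNET", "ACCESS_FINE_LOCATION"),
    "camera_offline": _manifest("CAMERA"),
    "notes": _manifest(),
}

if __name__ == "__main__":
    names, share = in_scope_share(SAMPLES)
    print("in scope:", names, "share of all apps: %.0f%%" % (share * 100))
```

Being in scope only means an app has the permissions needed to misuse the data; whether it does is what a dynamic tool such as TaintDroid observes.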
Couldn't have said it any better!
I don't think that is exaggeration...
It all depends on the point of the exercise. To my mind including apps that don't have access to personal data would be clouding the picture. Of course you may just be complaining that the headline is misleading, which is fair, but of course if misleading headlines were banned there wouldn't be many left...
+1 for reading paper
Unlike most of the commentaries so far.
Locked-In Walled Garden etc etc
Never mind that, I hate how Apple never lets me do what I want on my iPhone, blah blah blah. What's that? Apple's policy protects users from the problems listed in the article?
This was predicted long, long ago when Google announced Android would be a free-for-all with no app security and no approval process. And bear in mind that a data-mining company like Google doesn't WANT apps locked out - grabbing your personal data/emails/browsing history/search history/document contents/chat transcripts is the whole point.
Where's the Evil Eric icon, ffs?
No app security?
What, you mean like when you download an app and it flashes up a great big warning about what parts of the system the app wants access to, which you have to okay before downloading it? App security like that?
Have you actually _used_ an Android phone?
"Apple's policy protects users from the problems listed in the article"
LOL, and why would you seriously believe that? Because Apple said so?
'Bilgepipe' - what a very apt name.
The iPhone is more than capable of selling all your data to the app's author. It will ask you (once mind) if it can use your location data. That satnav app you have, you'll willingly let it use your location, of course it needs to. But it won't ask you before pinging home every 30s to track you. Hell, the APIs actively allow for it without any question - the Apple approval process wouldn't object to that sort of app, as they believe the API asking you for permission is enough.
You are trusting every app you have installed as soon as you give it that one permission. For example, iOS4, I didn't realise that the camera has been geotagging each photo since I owned it. Until this point, it's never asked my permission - it's only just started asking, previously it's assumed permission.
>> "the Apple approval process wouldn't object to that sort of app, as they believe the API asking you for permission is enough"
That is not true at all! The License Agreement specifically says that the App *must* use the information for its intended purposes. So a SatNav app that asks for your location information and uses it to tell you where you are is OK, but if it attempts to "phone home" in order to track you--which was not the explicit intent of the application as per its description--clearly violates the agreement.
There have been numerous cases where applications doing such things have been rejected by Apple (doing static analysis of code can reveal such things) and the developers banned from the App Store altogether for the transgression.
Now, if the application description says "Find out where you are using our SatNav and let us track you to give you better advertising" and the user decided to download it, then that's his problem; there's no violation there.
So, yes, for this particular case, the "walled-garden" and curation provided by Apple is superior to the wild west environment of the Android Marketplace.
I'm afraid we're going to need some validated sources for such a statement. "the iPhone is the most exploited mobile platform." I call BS. Additionally, of all the iTunes exploits, all required a phishing attack to first succeed, and most also only worked on machines with additional unpatched Windows vulns, and iTunes self notifies of updates as well and those vulns were closed within days (and none infected the phone, only Windows itself).
Your post is complete BS and FUD and lies.
The only vulns on the iPhone I have found in a search just now were related to jail broken devices with a default root account active, or if the phone was physically connected to another machine specifically to hack it, and before the device could be remote wiped by the owner (and even that provided only limited access only to SMS history data). There are no data breach capable or device owning exploits I can find capable of getting into an iOS device OTA that is not jail broken, or that is not directed specifically to a hacked website (phishing scam) and even those were patched. No outed vulnerability of iOS was ever present ITW infecting actual devices, short of ones targeting unsecured SSH servers on hacked devices, they were all proof of concepts (and most of those were incomplete showing only one PART of a potential hack). Android however has been bitten several times by apps in the marketplace actually containing Trojans, and there have been ITW exploits of the devices.
Patching is increasingly complicated and drawn out for Android as well due to 3rd party middlemen (Google releases a patch, then the manufacturer of the device checks it and releases a patch for their customer version of the OS assuming they're even using the current one, then the phone provider additionally modifies the code for their own needs and testing, and finally a patch is released; and any one of them may actually be a break in the process by no longer doing active development for a device, which has been the case sometimes as soon as 3 months after release, look at how many devices STILL won't get Froyo). iOS may one day have an ITW vuln, but in days every iOS device ever distributed could be patched. That is simply not possible on Android. (especially those with Flash, the single most exploited piece of code in history, with currently 37 unpatched vulnerabilities, including the Android 2.2 vulnerabilities released on Sept 10th and 14th that are unpatched)
Apple at least validates the app code of each submitted app to see if it touches the secured data sections of the phone (via any method, valid API or not), and automatically rejects apps that don't have cause to access data it touches even if documented and done through valid APIs. If undocumented access occurs, or if undocumented internet transmission of data occurs even with valid access without significant cause or explanation the app is still refused. Google has NEITHER protection. Plus, with side-loading possible on Android, even an approved app could be updated remotely to enable latent unapproved code. This is not only really hard to do on iOS, but even in the few rare cases it could be conceivable, doing so is illegal in addition to being a contract violation, and Apple THOROUGHLY back checks each dev and could provide police with easy ways to find them. Google also has no such verifiable trail to track down illegally operating hackers in their dev pool. Also by default, any app attempting to access data prompts when it does so, EACH TIME, unless you tell it to stop prompting. Android has no such feature beyond the cryptic warning at install that most users don't even understand (or read).
Apple is not 100% safe, granted, but all access to data is monitored, and the use of it once accessed is equally monitored, and anyone who seeks to violate this has to do it in the open with their name and bank accounts exposed. Their OS being single sourced is patched much more quickly, and can even adapt to 0 day exploits with a little help from the media and/or AT&T automated SMS alerts instructing users to connect to their iTunes PC and update. Apple can also easily and quickly if really necessary pull any app OTA from all deployed devices, Google can only do that from their own personal marketplace (not 3rd party or open markets).
"Which is of course why the iPhone is the most exploited mobile platform and has had the most vulnerabilities to date right? "
Got any evidence for this, or are you just making shit up like almost all Anonymous Cowards do?
of reading these clueless reports.
Any free app that uses AdMob will likely also enable Coarse Location permission so that it delivers local adverts based on your rough location (based on current cell tower(s) triangulation).
I wonder why Intel are funding this report?... (MeeGo, time to badmouth Android). When will Nokia resort to funding such similar FUD? (Very soon is my guess, considering their current Smartphone train crash).
Why do they need your phone number and device id? Updated every 30 seconds? Wow.
You don't need to see this title.
If only there was a smartphone/app platform that was more protective of user data, with more control over the apps that were published, so users could feel somewhat safer with their purchases and smartphone use.
>For example, if a user allows an application to access her location information, she has no way of knowing .....
'She' knows 'her' location is shared and can say no thanks before the installation takes place. Once it's out there, it's out there to be further shared anyway, even if the phone itself is only sharing directly with a single service.
Surely the story should be that other smartphones don't provide any access controls at all.
It would be
"Surely the story should be that other smartphones don't provide any access controls at all."
Yes, that would be the story. Apart from being completely wrong of course.
Android tells you when the app is installed, others tell you when you run it for the first time or whenever you run it.
If I run the sat nav on my phone, I don't think it unreasonable for it to ask me to use my location. If I turn on the feature that tracks my journey to alert me of traffic problems I don't think it's unreasonable to allow it to connect to the server every 5 minutes or whatever.
I do not, however, expect the sat nav to upload the address I have tagged as "Home" along with my phone numbers, for example, or to keep tracking me when I leave the app.
Android doesn't prevent this kind of thing happening and neither do any of the other smart-phone systems in all likelihood.
This type of program is usually referred to as a Trojan and generally frowned upon when it's a supposedly legitimate piece of paid for software..
Re: It would be
>> "Android doesn't prevent this kind of thing happening and neither do any of the other smart-phone systems in all likelihood."
Apple does. They do static-analysis code check, as well as testing, on the submitted applications to determine access and transfers and to see if it does what is expected, and nothing suspicious. Applications have been rejected for communicating, say, location information when the application has no real reason to use this information. The license agreement for the App Store includes provisions to prevent such things.
Is anyone surprised?
This is Google. This is the currency they expect to be paid with: Your privacy. Anyone who expected anything different is deluded.
I went to install a game yesterday, only to find that it wanted permission to access my SMS Messages. Cancelled the install.
Nice FUD, but no cigar.
Here are two little tidbits of information that some of my predecessor commentards obviously do not possess, probably due to not actually knowing anything about Android, much less owning an Android phone.
Every Android application HAS TO ASK PERMISSION for Internet access.
Every Android application HAS TO ASK PERMISSION for access to personal information such as contact data.
This applies also to other stuff, for example GPS or SMS: in short, prior to installation / update, the user is asked whether to grant a list of specific requested permissions to the app. It's certainly not a perfect solution, but it still means that Tetris game you downloaded will have no ability to siphon off your private information unless you explicitly allow it to.
But even that is very coarse. I install a GPS navigation app. It needs access to the internet to get maps - fair enough. It needs access to your contacts to build up its "pin point" list for the GPS. Fair enough. It needs the device ID to register the paid licence as it is non transferable. Fair enough.
What it didn't tell me is that it tags my GPS location to my friends' locations and sends all this info home along with my device ID. That way it can send me info tidbits about pizzas when I go to people's houses.
I think this is what the article was pointing at - legitimate uses of accepting functionality may not dictate what it actually DOES with it.
...that's also true...
...but keep in mind that the same could happen in any other existing mainstream system - the desktop version of Windows included. Otherwise we would not have trojans :).
The problem exists in all current systems, and for a simple reason - no one so far came up with a system that does all three of the following things:
-provides a fine-grained control over access rights of an application,
-does not use a lot of resources to implement this feature,
-is not damn annoying either to the developers or the users.
I was (yes, same AC here ;p ) only commenting on the unfair scaremongering present in the previously posted comments, i.e. "a lot of apps MAY be shifty with the data they get [that the user allows them to get], so ANDROID SUXXX0RZ!!!!1oneone!".
Perhaps it is just me, but...
Android users are exceptionally dumb if they seriously expect any level of privacy when using their phone - it's a Google product ffs. You forfeit your right to privacy the moment you use anything from that fucking company.
Google is a known evil with Android but Apps shouldn't be
I pay for an App for its utility, so if they want additional income they should charge more and not give my data away at MY COST, yet!
You pay for an app, yes. So that means you think it will have some value. But you seem to be under the impression that the people writing the app have 'providing value for you' as their only goal.
In one sense you're right, mobile apps should be more expensive, which would provide developers with sufficient revenue that they wouldn't feel the need to do things like this. But it turns out that if you price a mobile app much above $1.99 most people won't buy it.
That figure is from the Apple market, but given the constant hectoring about price, there's no reason to imagine that Android fanboys are any less price sensitive than Apple fanboys.
Um... and I seem alone here
..but every time you select an app for installation, Android tells you precisely what the app can access (yes it's accurate) - the researchers admit this is true as well.
How about a little common sense people??
Downloading an alarm app that needs access to your phone service, internet and system? Um, let's see, sound a bit suspect??
Downloading a torch app that needs access to your location, system tools, internet, your dogs rabies result? Yeah, that's gonna be canceled fast.
You have a brain and intelligence (we hope): use it.
I'm mulling over my choices with my next phone (will be my first smartphone). Do these kinds of apps have their part to play regarding the generally poor battery life? Just when you think your device is sat there being idle, in fact it's calling the mothership / ad server / etc?
Does it make sense for the OS owner to supervise the movement of data of the handset? Every request has to pass through its servers using its APIs so that it can monitor the use of the personal data.
Google could sell it as 'helping to keep users safe', but the amount of data it would gather about how firms use users' data would really help its ad-engines.
It smells like... like... bullshit.
If the study doesn't name names, the study ain't worth shit.
Saying that "There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny" does nothing if they haven't actually BEEN put under the same scrutiny.
Till that happens, it serves as scaremongering against Android, and perhaps lead the market towards Apple or RIM on the basis that Security By Obscurity is a good thing. Or maybe that what you don't know won't hurt you...
I on the other hand see this as first class, complete and absolute, full up and down, grade A bullshit.
And I'm not buying it.
How fine-grained control would you need? A map app needs GPS and the internet, so you let the app access those. That's fine. But how do you know whether the GPS data is just used internally within the app or if it's being sent to tracking companies?
So allowing the app to access the things it needs and nothing else still doesn't really protect you unless you had super-fine-grained control. But then who would know how to actually set the controls correctly?
Ad based apps
It's down to the way ad based apps need to be able to serve ads to you via internet, probably need some method of id-ing the device to know which ads have already been served etc and also could benefit from knowing where you are so that you get relevant ads (this is useful - I'm constantly irritated here at work by getting ads in French because our corporate WAN has its internet gateway in France and thus websites assume that as my request originates from France that I must be French).
Now the problem is that to do this with the current set of permissions that Android supports involves opening up quite a lot of the access permissions. I think I've read that Google have seen this as an issue and are going to add a specific set of permissions/API for ads.