
back to article Free Android apps often secretly make calls, use the camera

Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks. The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per cent …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Does this happen in the Apple App store as well / as much or is it genuinely more secure?

3
0
jai
Silver badge

wall-gardens FTW !!!!!!!!!

2
0
Anonymous Coward

Not possible to tell. Android apps have to say what permissions they use, iOS apps don't.

Always makes me wonder why Android doesn't have a simple "ad-only internet" permission so you know that a free app is only using it for adverts and not to send any other data. Probably just too awkward to implement given the number of ad networks out there.

3
2
Silver badge

An easy step for Google to implement:

Allow searches of apps to be filtered by permissions.

2
0

Secure?

Applications might have genuine need or reason to use any of these features. Whether those on the apple store are genuinely better 'vetted' I don't know, somehow I suspect not but I could be wrong (maybe apple do do something to earn the huge profit?)

1
1
Bronze badge

re: iOS app permissions

Are requested when first running the app, if you say no and it needs it to work it will request again when you try and use the feature.

Current App allowed permissions can also be viewed in Settings > Privacy and can be rescinded from here.

It's not possible to silently make a call or message from an iOS app, I think you could possibly initiate a camera instance then hide it under the app's chrome to sneakily take a photo but I haven't heard of this happening.

Permission is not required for the microphone either so I suppose you could grab audio.

There's an element of *nix vs windows here, in that one platform is (on the whole), easier to penetrate, has more seats to exploit with more of them on older less secure versions to boot. Which isn't to say that the latest versions of Windows or Android are less secure, just that there are a lot of older versions running out there.

3
0

Permissions Yes, What They Access No

This is the whole problem with android, google and the open source community especially due to how popular android is becoming. The bad guys out there get to provide you with cool apps to sideload onto your phone because who the heck knows which apps run on which version of android and then which version of the OS you have on your phone. Then they get to siphon off your contacts and location information and whatever else they can find to assist with spamming and hacking you and your friends later.

Enjoy it while you can I guess, personally I would rather have vetted apps from apple or ms at least I know they are not mal/adware......

1
6
Anonymous Coward

Actually a good idea

A top-level .advert domain would make it easy to restrict access to adverts because the OS could add .advert to all URLs accessed by the app.

1
0
Silver badge
WTF?

Re: Permissions Yes, What They Access No

@the_regulator why don't you get yourself an android device and see for yourself what a load of nonsense you're putting out. People sideload because they don't know what version of android they have? Really? If you allow an app to access your contacts, which is a perfectly valid thing to ask users to grant to an app, then the app can access your contacts. The fact that android allows users to allow apps to access their contact data is NOT an android security issue.

2
0
Bronze badge
Mushroom

Re: re: iOS app permissions

In terms of vulnerabilities, Windows Phone is far more secure.

0
6

iOS apps do have to ask permission to do certain things. They just don't have to give a list up front. The problem with Android's list is people rarely read it or understand it. Because it's a generic list too it doesn't necessarily explain what exactly the app does.

2
0
Anonymous Coward

yes happens there too.

Only last year hundreds of iOS apps were found to be accessing the address book and uploading the contents.

What this "news" for doesn't talk about are the huge strides Google is taking....

blogs.computerworld.com/android/21259/android-42-security

Nor does it talk about Android's superior app sandboxing approach.

0
1
Pint

An Android scare article sponsored by...

who could it be?

If you're worried, install Lookout Security and Antivirus, it's free.

And stop installing shit apps you don't need out of boredom...

I've never had a problem in almost 4 years. It does help to read before clicking install.

0
0
Anonymous Coward

Very concerning. Could be Android's Achilles heel as security really does seem to be an afterthought - might not be such an issue for the average person on here but remember most normal users just install this stuff and probably get exploited.

3
0

That both Android and iOS have security issues, the one that would worry is it using phone calls/data when I don't think (or know) it should. The rest is of little real life consequence to many people. The core OS in both situations wasn't really designed to be secure. Symbian tried very hard by blocking some of the traditional buffer over run routes used by viruses and getting users to allow particular applications permissions, but permissions are usually given by the user anxious to use the app.

0
1

I think the android security model on the whole is pretty good. (not perfect though, i feel like sometimes I'd like a 'prompt me for this' option to be available).

Anyway, this problem is as old as the hills. Free apps that are more than you first expect. I bet loads of people install windows and mac applications without a second thought. Mobiles are at least better in this respect and android does at least give you the chance to see what you are about to let loose on your phone/tablet. It's up to the user to decide.

Would you let a stranger in your house without knowing a bit about them first? If you do, you are stupid. How many cold callers come to your door selling you x,y,z but really all they want to do is a take a peek to see if you are worth robbing. Free loft insulation anybody? I had one the other day that insisted they needed to see inside my loft to see if I would qualify but refused to explain why. They seemed a bit fishy (my gut feel) and I sent them away. But how many people would let them in. 2 days later and your 42" plasma will be missing!

I have often wondered about the stuff my son installs on his ipod. I have to trust the fact that apple have vetted the app. And if you believe that the problem doesn't exist there you are just as much of a fool. Anybody remember the tethering app that got past the ipolice. And I'm pretty sure you could get something equally nasty when you get no idea what permissions are required.

Don't get me wrong, I'm not having a go at apple, microsoft or google/android. I'm just saying there is no perfect solution. If people want the freedom to run whatever apps they want they have a responsibility to make sure the software does only what it says. And with free apps there is no such thing as a free lunch.

2
1

Google are taking steps to up the protection available for the "normal user":

http://blogs.computerworld.com/android/21259/android-42-security

0
0
Anonymous Coward

Android means freedom for you and freedom for the apps makers to screw around with your phone when you're not looking.

Just shows many app developers can't be trusted.

7
2
Anonymous Coward

So too much freedom in this case is a bad thing. This is the second article I have read today about Android app problems / scams. Do Google really do no checking before apps are put online and how easy is it to sign up as a developer and get your warez infecting people? Bit too easy I guess.

0
0
Anonymous Coward

The Android user is told on installation exactly what permissions the software is requesting, and has to OK that for the installation to proceed. My understanding is that iOS keeps all this secret.

I know which one I prefer.

5
1
Holmes

You only get what you (don't) pay for.

Just shows many app developers can't be trusted.

I don't think it's just the app developers that can't be trusted. For the record I have an 'older' android phone and a newer android fondle slab.

To refer to android as open source I feel is slightly misleading in that it is not an open source project developed by open source fanbois, the driver behind android is 'you are the product' google. If android was a true open source product there would be more options to control security/access to the device. Google have a vested interest in having a certain amount of laxness in android security, they want apps to have enough access to your personal information so that the so-called free apps can deliver targeted Google ads to your 'phone.

1
0

Orly

When you develop an app and use certain generic classes you may need to have permission to do so because those classes might have a number of broad functions. Just because the class is used to request permission to have access to contacts doesn't mean the developer has used it to do so, but might be adding an entry to a database or checking that the phone status is appropriate to enable the app to run - you don't want to be calling an emergency number only to find the mp3 player is stuck on and won't switch off do you?

The freedom for app developers allows great apps to be developed but they are still vetted and suspect apps are blocked.

0
0
Megaphone

Name them!

These stories never give a list of the bad apps. Name the bastards.

19
0
Bronze badge
Megaphone

Re: Name them!

Camera 360 Ultimate.

Last version had all the permissions you could name. After many user complaints on XDA, the latest version has fewer permissions, but hooks into the standard Android browser to produce popup ads.

1
0

Re: Name them!

They don't name the apps because this is an Apple sponsored article based on propaganda FUD. The code used by a number of advertisers used by developers for free versions of apps usually requires certain general permissions because the classes that the ads run often need to check the phone's state and read/write to the memory to log what ads it's run and check if you are of the correct demographic for the ad and get updates to the ads. The paid for versions of apps don't use the code to pull and delegate ads out so they don't request permission for those functions.

This story has cropped up a dozen times often just after Google has a major product launch and has been disproven every time. It's pure FUD.

0
0
Anonymous Coward

No such thing as a free lunch. Next someone will launch some Android botnet and hack millions of handsets. I'm actually surprised banking apps will allow themselves to be installed on Android handsets - but guess it's a bit like a Windows PC as it could have spyware / trojans as well.

Think I'll be looking to WinPho or iOS now as they appear to be more secure.

3
10

Banking apps

Some banking apps and other "secure" apps (such as streaming paid-for video) try to stop you running them if you're on a rooted device, but that's about it.

0
0

The android fanbois on here hate you for that comment lol nice job finally people are starting to realize what crap that android really is, if everyone read all the security problems that android has had there would be a ton more win phone and ios users than there are already.

1
8
Silver badge
Headmaster

Sir

"discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely"

Can anyone adequately explain why the wording of this sentence lends itself to making the second figure seem more than the first? i.e. the use of a 'whopping 3 times' versus the plain old 'five times more likely'?

Unless it was supposed to be 314 times more likely. Just seems weird and out of place here where people don't just accept the written word and there are pedants everywhere.

5
0
Bronze badge

Re: Sir

I second that. In fact, it's not even clear whether it's in the range of 3x more likely or 4x. My reasoning? If it were 100% more likely then we're talking twice as likely, or 100% for the baseline + 100% extra. So is "314% more likely" supposed to mean it's about 3.14 times as likely, or 4.14 times (100% + 314%)?

Whatever it is, the whole sentence (including the "whopping" part) is too confusing.

1
0
Bronze badge

Lots of scaremongering again, but with some justifications... like the listed examples... an app that requests the ability to use camera, gps, address book and text messages... it could be set up to take photos when you're on the loo and send messages to your ex's... or it might just be an app that allows you to take a photo, geotag and send to a contact without leaving the framework of the application...

It should be as simple as adding in the small print as to what extent and reasons an application wants access to various bits of phone...

3
0

Every time a developer writes an app and produces a free version it's supported by a 3rd party advertiser and they add the code that often needs to check the state of the app, the hardware such as the GPS and the location and the phone state - you don't want the ad to pop up on screen when you're trying to call an emergency number blocking the keypad, and an advertiser might want demographically appropriate ads shown, i.e. your location would be important so perhaps knowing that you are in a town with a Warner cinema but not a Cineworld Cinema would mean showing you the ad that relates to Warner is more likely to benefit both you and the advertiser. All of these functions might require various permissions, but these permissions often are so broad that they are misunderstood as meaning that you are being spied on and every time your phone is by your bed it's watching you give yourself some hand to gland action. Don't worry it's not.

This article is re-written and published again and again, uncited and unprovable yet every time it's published it's disproven too. It's often seen around the time there are major product launches and always gets bias against Google.

0
0
Silver badge

So how do you differentiate...

...between "making a phone call" and "making a phone call"?

Personally I think the only thing that needs to change is Google to finally see sense and allow post-install denial of permissions. Including on the bundled bloatware.

9
0
Go

Re: So how do you differentiate...

You already can do.

See LBE Privacy Guard.

First thing I do when I install an app, is disable all the permissions that I think it doesn't need. WTF does Angry Birds need to know my location? <disables permission>

2
0
Anonymous Coward

Re: So how do you differentiate...

My LG did/does this. Every app needs to ask for permissions every time (it is run, not every time it reapplies, but if you close it, it loses permissions. It means it cannot eat bandwidth etc when I'm just reloading it to change settings or recheck something).

1
0
Silver badge

Re: LBE Privacy Guard.

Unfortunately that requires a rooted device. Useless for anybody outside of Reg readers and other techies, and to be honest I'm not too fond of the idea myself. I like having a warranty.

Selective permission denial needs to be baked into the official build. Preferably with a popup for when a newly installed app first tries to use whatever part of the system that requires permission.

0
0

Re: LBE Privacy Guard.

The very fact that you have to root your phone shows the vendor and google are both in bed to facilitate, abuse, and allow this abuse to happen

0
0
Silver badge

Re: LBE Privacy Guard.

This of course, would be completely unlike the spying that was baked into iOS and only removed after they got caught with their pants down?

All the phone companies are at it. Funny how Google are the only ones to get called on it though. You'd almost think there was an agenda.

http://www.pcworld.com/article/227011/smartphone_spying_reality_check.html

0
0
Bronze badge
Mushroom

Tumbleweed...

Wow... suddenly all those who immediately jump in a post "fail!" or equivalent on any Microsoft-related topic are nowhere to be seen...

Still, I guess you get what you (don't) pay for.

0
0
Silver badge

Re: Tumbleweed...

Hi.

Microsoft are fucking shit, and you're wrong. Try reading the posts.

4
3
Bronze badge
Mushroom

Re: Tumbleweed...

Microsoft don't have this problem on Windows Phone. Zero malware, versus tons of it on Android. Plus the platform itself is far more secure.

1
4
Silver badge

Re: Tumbleweed...

Well, you can claim *any* platform is secure, when it doesn't actually have any apps written for it.

1
0
Bronze badge

Re: Tumbleweed...

@MGale: Wow, did you come up with that all by yourself, or did Google pay you to say it?

0
0
Silver badge

Re: Tumbleweed...

Of course they do, but not in money.

What can I say? Sergey's a bit of alright. Got an A0 poster of him topless pinned to the ceiling above my bed.

Purr.

See you soon, love.

0
0
FAIL

Name and shame or the research is pointless

The research might even be non-existent for all we know unless it's peer reviewed.

Might as well be seen as a puff piece for Juniper Networks and Churnalism by El Reg for all the use it is.

7
0

Re: Name and shame or the research is pointless

More press release research I guess. From a quick read of the article it seems to be an attention grabbing "Your phone can take secret pictures of you", followed by the less exciting, "and actually mostly for legitimate reasons".

4
0
FAIL

Re: Name and shame or the research is pointless

Replete with meaningless percentages and statistics.

Yup, churnalism.

0
0
Pint

I'm confused by this story...

At first glance, it sounds as though it's just scaremongering by a PR firm more than anything.

"Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions."

- Okay, right... so the apps that required the permission did actually use the function legitimately. What's wrong with that?

"Meanwhile, 5.53 per cent of free apps have permission to access the device camera"

-Okay, right.... going by the detail provided on finance apps, what % of free apps use a camera legitimately as part of their software?

Not going to take a second glance as it's nearly 4pm which is pub o'clock.

3
0
Anonymous Coward

Re: I'm confused by this story...

"Not going to take a second glance as it's nearly 4pm which is pub o'clock."

AKA ostrich mode enabled.

2
7

Re: I'm confused by this story...

Beer allows us to hide from many problems, but pretending to be a bird is not a side-effect.

For that I advise some rather festive Christmas Vine.

0
0
