Re: ostrich mode enabled
There's a coward with his head in the sand pretending that Android allowing users to grant camera apps permission to use the camera is a security issue.
Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks. The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per …
"At first glance, it sounds as though it's just scaremongering by a PR firm more than anything"
Same way I read it - so free apps use the camera more than paid for apps. They imply some sinister reason for it but when they check into it - there's nothing wrong. Perhaps there's another reason for a difference between paid apps and free apps? There's no evidence here - just some figures.
Apps ask for permission, they don't get them without asking..... check the permissions when you install an app!!!
Some apps need access to send SMS & make calls but most don't 'NEED' more than internet access..
I get suspicious when they want access to my contacts...
The problem isn't people like you and other Reg readers who are smart enough to know whether the permissions being asked for are reasonable for what the app does. It is the much larger portion of fairly clueless users who just say "yes" to everything because they don't really understand what is being asked anyway.
Reg readers don't need to care about this because they are going to wonder why an app that plays checkers needs access to the camera or the ability to send texts.
Android apps tell you when you install what permissions they need, if you aren't 100% sure about the app and it's asking for a lot of permissions or permissions you're not happy about (like the ability to make calls) you can and should choose not to install it.
It's the operating system's job, or the manufacturer's job, to stop users making stupid decisions.
This is no different than PC security, PCs become infected with viruses extremely frequently because stupid users click "yes" on website banners etc offering antivirus software or similar without reading about it or checking it out in any way first.
>Fix the real issue
>educate the users
Some users can't be arsed to invest the time. They would rather pay a premium and not have to worry about it. I guess it depends on how much they value their time versus their money- this varies wildly depending upon how much they earn.
There is room for both outlooks- instigate a walled garden, but allow users to leave it if they know what they are doing and take responsibility for their actions.
Like the checkbox in Android under "Security" that states "allow installation of apps from unknown sources". Same one that puts up a big scary warning about damage to your tablet if you check it. Or perhaps the one under "Developer Options" that states "Debug mode when USB is connected". Same one that puts up an equally scary warning about installing apps without notification and reading log data.. after you've gone through the "are you sure you want to fuck around with developer options" warning.
...which apparently isn't enough for some people who would rather pay $99 for the "privilege".
I've thought for a while now that all apps should explain why they need the permissions they request. Some do already and some explain why they need additional permissions for an update. Make it mandatory for all published apps and this sort of crap will be easier to spot.
"Oh ... we need permission to use the camera to... erm... discreetly spy on you."
Yes I know you can't make scammers tell the truth but a game requiring access to SMS or the ability to make calls would stick out like a sore thumb.
Agreed. How about this for an idea? For every permission an app requires, it must also submit to Google the reason for that permission, in specific detail. If it needs "Full Internet Access", for example, the submission must include specific reasons such as "This program receives advertising from the Internet to fund its development." Or if a financial app can send SMS messages, it must provide something like "This program can send SMS messages to financial institutions and read the replies to obtain account information." Google should require this of each specific permission and post them alongside the permissions themselves on the installation prompt. This would be a Google Play extension and could apply to all apps submitted in future, so it shouldn't break existing apps.
Privacy statements should be short and concise. List the resources available on a phone: Camera, contacts, GPS location, dialer, etc... then what it needs to access and WHY. I have no problem with an app using my contacts to function on the phone... that is normal. Esp. if it needs the info to use on clicking "share:" stupid, no brainer, so what. However, if it wants to upload my contacts or send them stuff I did not initiate... even worse in my name... holy crap! Of course a camera app needs to access the camera! DUH. But not when I am sleeping! Most people just want the cool things and say yes without reading...or if they do try to read it, they become discouraged and just say yes - to get the cool thing. You bought the phone...now you need the apps. The stage is set, everything is as they intend: it is obfuscated on purpose. Seriously, the permissions section when you agree in the app store is ridiculously vague and useless. Basically what you need to know is: what is the app going to do with anything of yours. They do not say this.
One last note: Why is it that if you do not accept google's location services, you cannot use any GPS apps? You pay for a phone with GPS capabilities, but if you do not agree to let Google track your location, you cannot use ANY... ANYTHING that uses your GPS function on the phone.
I really do not think this will ever change because most people don't have the time to worry about it, and they are too addicted to their phones.
The apps and pretty much everything these days (even my DVD player) say if you do not like it, just don't use it.
A Rolodex used to be one of the most valuable assets of a company, and these guys are getting them for free.
Another last note: Why do they allow the privacy notices with all the rhetoric, then links to the real privacy notices? (and sometimes those have links to the real privacy notices.)
A number of the better apps do this.
Or rather they explain the ones that aren't obvious. I installed a game recently that wanted access to coarse location data. It was an Ad supported app and there was a line in the app description explaining that this was simply so they could provide targeted Ads so you didn't get annoying Ads for things from other countries.
It might be legit for an application to use any of the features suggested. Applications which are 'funded' by providing shops the ability to know you are near and pump adverts at you might be totally legit and accepted by the user (for example). Many 'free' social networks will also want access to address books, maybe location and certainly camera...
Just because they access these features doesn't mean they have no right or need to.
However some might do it without you knowing and for no obvious good reason. This is a problem, it was addressed as much as possible in Symbian 9 onwards (several long years back). The downside was most users still give the applications permission even when they don't understand for what or why.
Then simply require an explanation for each permission. If it requires fine (GPS) location, it can explain, "This program uses location-specific advertising to fund its development." Honest enough, wouldn't you think, and easy enough to explain for legitimate uses.
Of course, disguising a malware use INSIDE a legitimate use (say a spy camera in a photo editing app) is another matter, but it should help some.
So free apps are more likely to access your contacts? You mean apps like Gmail, Facebook, Hotmail? Apps to send SMS... like Handcent? Take photos? Google translate, Tesco, Asda. Location? You mean like The Met Office, Green Flag, English Heritage or National Trust apps? My banking app lets me locate the nearest ATM or branch, and then phone the branch. Google maps lets you view info on shops, restaurants etc. and then phone them. Are all these sinister? They're all free. (Cue petty sniping about how sinister Google and Facebook are).
No doubt there are dodgy apps out there, but, stop the bullshit pointless reporting like this.
I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?
Insist on absolutely no Native Code outside the kernel -- at all. And enforce it, iron-fistedly.
If everything in userland is fully interpreted, then not only does this mean it doesn't matter what processor is fitted -- ARM, Intel or some souped-up 6502-descendant -- but also, the software is transparent as far as the user is concerned. Third-party code auditing should provide a reasonable level of security, since all auditing houses would be competing with one another; any one giving out a false all-clear would destroy their reputation in an instant.
(And in the meantime, there's always flight mode.)
"or some souped-up 6502-descendant"
You know how ARM was invented?
"Acorn's aim at that time was to produce personal computers which met the needs of the business community by providing office automation facilities. Clearly, more power was needed than was offered by the 6502. In the fine tradition of the computer hobbyist, the design team decided to develop their own processor, which would provide an environment with some similarities to the familiar 6502 instruction set but lead Acorn and its products directly into the world of 32-bit computing."
(http://www.ot1.com/arm/armchap1.html)
I love Android - and I love Windows as it is. But I understand why many don't. In the same way that a mechanic enjoys tinkering with cars, I enjoy tinkering with PCs and phones.
Android and Windows assume a certain level of 'interest' in what's being done. Many people using PCs and phones don't care how something's being done - they just want to run that casino app, or visit a porn site, or whatever else. If you stick boxes up saying "Are you sure you want to do this?" they'll quickly learn to always hit "Yes" to the box that pops up. If you have a screen during install that says "This app has access to your phone; it can make phone calls. This app has access to your camera, it can take photos whenever it likes" - people train themselves into "always hit Install on the next page". It's as it is with EULA screens.
There is a fundamental problem here. We require that drivers have a license to drive; for their own safety, and for the safety of everyone else. We require they have a certain level of understanding as to how a car works. We require them to understand safety signs that give them warnings - and to understand the implications.
But give them a phone or PC that has access to their bank details, contact details of all their friends and colleagues, potentially access to business networks and business resources - and it falls back to "I want porn now - Yes, Yes, Install, Yes".
I don't know what the solution is, despite my driving license example. The options thus far appear to be "Better education" - but years of Windows and malware suggest that won't work, or walled gardens that restrict everybody's ability to tinker.
The style and content of this story were Sun level sensation, with virtually nothing of interest.
"Free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts."
Whopping? After the first part suggests 5 times more likely to track location and the second part talks about a whopping 314 percent, do you think we are idiots, Sun readers, or just so bored that bad maths and English will brighten up our day?
Is requesting the capability to use location services proof that free applications are 5 times more likely to track user locations? I don't know but this whole piece and the study reads as thin on facts and big on BS.
Not surprising. Not many people write code just for fun. They'll want something in return. It's better to pay someone up front for their work rather than find out they choose to compensate themselves in other ways.
Android needs far better control over security. Let users disable certain access and there should be a setting to make it so an app can do something unless it gets a user to ok it at the time of access. Those who don't mind being nagged can get more protection.
When I write code I expect it to save me time and effort in the long run, if I think it's OK I'll share it.
I have worked for commercial organisations who write code to make money. More time is spent trying to ensure they get that money (and more) than solving the problem at hand.
If Apple had spent the money designing apps rather than take Motorola to court for living in the same 3D world as everyone else they could have perhaps even written a mapping app that worked. Not that they need to - most users would rename the place they got to rather than admit they'd pissed their money up the wall.
The researchers found it not immediately obvious what some permissions were required for, and in that regard I've had several users complain about one of my free apps requiring the location permission with quite a few "location, wtf!?!? 1 star, uninstalled" type "reviews". It's an app for building a GPS track to export for geo tagging photos in Lightroom. I really didn't think I'd need to explain that permission...
So yes, lack of app permission detail would help a lot - but as is always the case user stupidity is going to be one of the biggest points of failure but it's not hard to envisage a scenario where a dodgy dev writes a load of BS for permission description and people install it anyway.
The free lunch point needs ramming home - too many users think there's no reason whatsoever to have ads on a free app.