Free Android apps often secretly make calls, use the camera

Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks. The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per …

COMMENTS

  1. Anonymous Coward

    Does this happen in the Apple App store as well / as much or is it genuinely more secure?

    1. jai

      wall-gardens FTW !!!!!!!!!

    2. Anonymous Coward

      Not possible to tell. Android apps have to say what permissions they use, iOS apps don't.

      Always makes me wonder why Android doesn't have a simple "ad-only internet" permission so you know that a free app is only using it for adverts and not to send any other data. Probably just too awkward to implement given the number of ad networks out there.

      1. Dave 126 Silver badge

        An easy step for Google to implement:

        Allow searches of apps to be filtered by permissions.

      2. jubtastic1

        re: iOS app permissions

        Are requested when first running the app, if you say no and it needs it to work it will request again when you try and use the feature.

        Current App allowed permissions can also be viewed in Settings > Privacy and can be rescinded from here.

        It's not possible to silently make a call or message from an iOS app, I think you could possibly initiate a camera instance then hide it under the app's chrome to sneakily take a photo but I haven't heard of this happening.

        Permission is not required for the microphone either so I suppose you could grab audio.

        There's an element of *nix vs windows here, in that one platform is (on the whole), easier to penetrate, has more seats to exploit with more of them on older less secure versions to boot. Which isn't to say that the latest versions of Windows or Android are less secure, just that there are a lot of older versions running out there.

        1. RICHTO

          Re: re: iOS app permissions

          In terms of vulnerabilities, Windows Phone is far more secure.

      3. The_Regulator

        Permissions Yes, What They Access No

        This is the whole problem with android, google and the open source community especially due to how popular android is becoming. The bad guys out there get to provide you with cool apps to sideload onto your phone because who the heck knows which apps run on which version of android and then which version of the OS you have on your phone. Then they get to siphon off your contacts and location information and whatever else they can find to assist with spamming and hacking you and your friends later.

        Enjoy it while you can I guess, personally I would rather have vetted apps from apple or ms at least I know they are not mal/adware......

        1. Craigness

          Re: Permissions Yes, What They Access No

          @the_regulator why don't you get yourself an android device and see for yourself what a load of nonsense you're putting out. People sideload because they don't know what version of android they have? Really? If you allow an app to access your contacts, which is a perfectly valid thing to ask users to grant to an app, then the app can access your contacts. The fact that android allows users to allow apps to access their contact data is NOT an android security issue.

      4. Anonymous Coward

        Actually a good idea

        A top-level .advert domain would make it easy to restrict access to adverts because the OS could add .advert to all URLs accessed by the app.

      5. toadwarrior

        iOS apps do have to ask permission to do certain things. They just don't have to give a list up front. The problem with android's list is people rarely read it or understand it. Because it's a generic list too it doesn't necessarily explain what exactly the app does.

    3. Dave 15

      Secure?

      Applications might have genuine need or reason to use any of these features. Whether those on the apple store are genuinely better 'vetted' I don't know, somehow I suspect not but I could be wrong (maybe apple do do something to earn the huge profit?)

    4. Anonymous Coward

      yes happens there too.

      Only last year hundreds of iOS apps were found to be accessing the address book and uploading the contents..

      What this "news" for doesn't talk about are the huge strides Google is taking....

      blogs.computerworld.com/android/21259/android-42-security

      Nor does it talk about Android's superior app sandboxing approach.

    5. N13L5

      An Android scare article sponsored by...

      who could it be?

      If you're worried, install Lookout Security and Antivirus, it's free.

      And stop installing shit apps you don't need out of boredom...

      I've never had a problem in almost 4 years. It does help to read before clicking install.

  2. Anonymous Coward

    Very concerning. Could be Android's Achilles heel as security really does seem to be an afterthought - might not be such an issue for the average person on here but remember most normal users just install this stuff and probably get exploited.

    1. Dave 15

      That both Android and iOS have security issues, the one that would worry is it using phone calls/data when I don't think (or know) it should. The rest is of little real life consequence to many people. The core OS in both situations wasn't really designed to be secure. Symbian tried very hard by blocking some of the traditional buffer over run routes used by viruses and getting users to allow particular applications permissions, but permissions are usually given by the user anxious to use the app.

    2. HollyHopDrive

      I think the android security model on the whole is pretty good. (not perfect though, i feel like sometimes I'd like a 'prompt me for this' option to be available).

      Anyway, this problem is as old as the hills. Free apps that are more than you first expect. I bet loads of people install windows and mac applications without a second thought. Mobiles are at least better in this respect and android does at least give you the chance to see what you are about to let loose on your phone/tablet. It's up to the user to decide.

      Would you let a stranger in your house without knowing a bit about them first? If you do, you are stupid. How many cold callers come to your door selling you x,y,z but really all they want to do is a take a peek to see if you are worth robbing. Free loft insulation anybody? I had one the other day that insisted they needed to see inside my loft to see if I would qualify but refused to explain why. They seemed a bit fishy (my gut feel) and I sent them away. But how many people would let them in. 2 days later and your 42" plasma will be missing!

      I have often wondered about the stuff my son installs on his ipod. I have to trust the fact that apple have vetted the app. And if you believe that the problem doesn't exist there you are just as much of a fool. Anybody remember the tethering app that got past the ipolice. And I'm pretty sure you could get something equally nasty when you get no idea what permissions are required.

      Don't get me wrong, I'm not having a go at apple, microsoft or google/android. I'm just saying there is no perfect solution. If people want the freedom to run whatever apps they want they have a responsibility to make sure the software does only what it says. And with free apps there is no such thing as a free lunch.

    3. Tech Hippy

      Google are taking steps to up the protection available for the "normal user":

      http://blogs.computerworld.com/android/21259/android-42-security

  3. Anonymous Coward

    Android means freedom for you and freedom for the apps makers to screw around with your phone when you're not looking.

    Just shows many app developers can't be trusted.

    1. Anonymous Coward

      So too much freedom in this case is a bad thing. This is the second article I have read today about Android app problems / scams. Do Google really do no checking before apps are put online and how easy is it to sign up as a developer and get your warez infecting people? Bit too easy I guess.

    2. Anonymous Coward

      The Android user is told on installation exactly what permissions the software is requesting, and has to OK that for the installation to proceed. My understanding is that iOS keeps all this secret.

      I know which one I prefer.

    3. Field Marshal Von Krakenfart

      You only get what you (don't) pay for.

      Just shows many app developers can't be trusted.

      I don't think it's just the app developers that can't be trusted. For the record I have an 'older' android phone and a newer android fondle slab.

      To refer to android as open source I feel is slightly misleading in that it is not an open source project developed by open source fanbois, the driver behind android is 'you are the product' google. If android was a true open source product there would be more options to control security/access to the device. Google have a vested interest in having a certain amount of laxness in android security, they want apps to have enough access to your personal information so that the so-called free apps can deliver targeted Google ads to your 'phone.

    4. Bah!

      Orly

      When you develop an app and use certain generic classes you may need to have permission to do so because those classes might have a number of broad functions. Just because the class is used request permission to have access to contacts doesn't mean the developer has used it to do so, but might be adding an entry to a database or checking that the phone status is appropriate to enable the app to run - you don't want to be calling an emergency number only to find the mp3 player is stuck on and won't switch off do you?

      The freedom for app developers allows great apps to be developed but they are still vetted and suspect apps are blocked.

  4. PushF12

    Name them!

    These stories never give a list of the bad apps. Name the bastards.

    1. BillG

      Re: Name them!

      Camera 360 Ultimate.

      Last version had all the permissions you could name. After many user complaints on XDA, the latest version has fewer permissions, but hooks into the standard Android browser to produce popup ads.

    2. Bah!

      Re: Name them!

      They don't name the apps because this is an Apple sponsored article based on propaganda FUD. The code used by a number of advertisers used by developers for free versions of apps usually requires certain general permissions because the classes that the ads run often need to check the phone's state and read/write to the memory to log what ads it's run and check if you are of the correct demographic for the ad and get updates to the ads. The paid for versions of apps don't use the code to pull and delegate ads out so they don't request permission for those functions.

      This story has cropped up a dozen times often just after Google has a major product launch and has been disproven every time. It's pure FUD.

  5. Anonymous Coward

    No such thing as a free lunch. Next someone will launch some Android botnet and hack millions of handsets. I'm actually surprised banking apps will allow themselves to be installed on Android handsets - but guess it's a bit like a Windows PC as it could have spyware / trojans as well.

    Think I'll be looking to WinPho or iOS now as they appear to be more secure.

    1. Argh

      Banking apps

      Some banking apps and other "secure" apps (such as streaming paid-for video) try to stop you running them if you're on a rooted device, but that's about it.

    2. The_Regulator

      The android fanbois on here hate you for that comment lol nice job finally people are starting to realize what crap that android really is, if everyone read all the security problems that android has had there would be a ton more win phone and ios users than there are already.

  6. Sir Runcible Spoon

    Sir

    "discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely"

    Can anyone adequately explain why the wording of this sentence lends itself to making the second figure seem more than the first? i.e. the use of a 'whopping 3 times' versus the plain old 'five times more likely'?

    Unless it was supposed to be 314 times more likely. Just seems weird and out of place here where people don't just accept the written word and there are pedants everywhere.

    1. Frumious Bandersnatch

      Re: Sir

      I second that. In fact, it's not even clear whether it's in the range of 3x more likely or 4x. My reasoning? If it were 100% more likely then we're talking twice as likely, or 100% for the baseline + 100% extra. So is "314% more likely" supposed to mean it's about 3.14 times as likely, or 4.14 times (100% + 314%)?

      Whatever it is, the whole sentence (including the "whopping" part) is too confusing.

  7. Matt_payne666

    lots of scaremongering again, but with some justifications... like the listed examples... an app that requests the ability to use camera, gps, address book and text messages... it could be setup to take photos when you're on the loo and send messages to your ex's... or it might just be an app that allows you to take a photo, geotag and send to a contact without leaving the framework of the application...

    It should be as simple as adding in the small print as to what extent and reasons an application wants access to various bits of phone...

    1. Bah!

      Every time a developer writes an app and produces a free version it's supported by a 3rd party advertiser and they add the code that often needs to check the state of the app, the hardware such as the GPS and the location and the phone state - you don't want the ad to pop up on screen when you're trying to call an emergency number blocking the keypad, and an advertiser might want demographically appropriate ads shown, IE your location would be important so perhaps knowing that you are in a town with a Warner cinema but not a Cineworld Cinema would mean showing you the ad that relates to Warner is more likely to benefit both you and the advertiser. All of these functions might require various permissions, but these permissions often are so broad that they are misunderstood as meaning that you are being spied on and every time your phone is by your bed it's watching you give yourself some hand to gland action. Don't worry it's not.

      This article is re-written and published again and again, uncited and unprovable yet every time it's published it's disproven too. It's often seen around the time there are major product launches and always gets biased against Google.

  8. M Gale

    So how do you differentiate...

    ...between "making a phone call" and "making a phone call"?

    Personally I think the only thing that needs to change is Google to finally see sense and allow post-install denial of permissions. Including on the bundled bloatware.

    1. Pete Smith 2

      Re: So how do you differentiate...

      You already can do.

      See LBE Privacy Guard.

      First thing I do when I install an app, is disable all the permissions that I think it doesn't need. WTF does Angry Birds need to know my location? <disables permission>

      1. M Gale

        Re: LBE Privacy Guard.

        Unfortunately that requires a rooted device. Useless for anybody outside of Reg readers and other techies, and to be honest I'm not too fond of the idea myself. I like having a warranty.

        Selective permission denial needs to be baked into the official build. Preferably with a popup for when a newly installed app first tries to use whatever part of the system that requires permission.

        1. Wraiththe

          Re: LBE Privacy Guard.

          The very fact that you have to root your phone shows the vendor and google are both in bed to facilitate, abuse, and allow this abuse to happen

          1. M Gale

            Re: LBE Privacy Guard.

            This of course, would be completely unlike the spying that was baked into iOS and only removed after they got caught with their pants down?

            All the phone companies are at it. Funny how Google are the only ones to get called on it though. You'd almost think there was an agenda.

            http://www.pcworld.com/article/227011/smartphone_spying_reality_check.html

    2. Anonymous Coward

      Re: So how do you differentiate...

      My LG did/does this. Every app needs to ask for permissions every time (it is run, not every time it reapplies, but if you close it, it loses permissions. It means it cannot eat bandwidth etc when I'm just reloading it to change settings or recheck something).

  9. RyokuMas

    Tumbleweed...

    Wow... suddenly all those who immediately jump in a post "fail!" or equivalent on any Microsoft-related topic are nowhere to be seen...

    Still, I guess you get what you (don't) pay for.

    1. M Gale

      Re: Tumbleweed...

      Hi.

      Microsoft are fucking shit, and you're wrong. Try reading the posts.

      1. RICHTO

        Re: Tumbleweed...

        Microsoft don't have this problem on Windows Phone. Zero malware, versus tons of it on Android. Plus the platform itself is far more secure.

        1. A J Stiles

          Re: Tumbleweed...

          Well, you can claim *any* platform is secure, when it doesn't actually have any apps written for it.

      2. RyokuMas

        Re: Tumbleweed...

        @MGale: Wow, did you come up with that all by yourself, or did Google pay you to say it?

        1. M Gale

          Re: Tumbleweed...

          Of course they do, but not in money.

          What can I say? Sergey's a bit of alright. Got an A0 poster of him topless pinned to the ceiling above my bed.

          Purr.

          See you soon, love.

  10. El Presidente

    Name and shame or the research is pointless

    the research might even be non existent for all we know unless it's peer reviewed.

    Might as well be seen as a puff piece for Juniper Networks and Churnalism by El Reg for all the use it is.

    1. spiny norman

      Re: Name and shame or the research is pointless

      More press release research I guess. From a quick read of the article it seems to be an attention grabbing "Your phone can take secret pictures of you", followed by the less exciting, "and actually mostly for legitimate reasons".

      1. El Presidente

        Re: Name and shame or the research is pointless

        Replete with meaningless percentages and statistics.

        Yup, churnalism.

  11. drunk.smile

    I'm confused by this story...

    At first glance, it sounds as though it's just scaremongering by a PR firm more than anything.

    "Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions."

    - Okay, right... so the apps that required the permission did actually use the function legitimately. What's wrong with that?

    "Meanwhile, 5.53 per cent of free apps have permission to access the device camera"

    -Okay, right.... going by the detail provided on finance apps, what % of free apps use a camera legitimately as part of their software?

    Not going to take a second glance as it's nearly 4pm which is pub o'clock.

    1. Anonymous Coward

      Re: I'm confused by this story...

      "Not going to take a second glance as it's nearly 4pm which is pub o'clock."

      AKA ostrich mode enabled.

      1. drunk.smile

        Re: I'm confused by this story...

        Beer allows us to hide from many problems, but pretending to be a bird is not a side-effect.

        For that I advise some rather festive Christmas Vine.

      2. Craigness

        Re: ostrich mode enabled

        there's a coward with his head in the sand pretending that android allowing users to grant camera apps permission to use the camera is a security issue

    2. Miffo

      Re: I'm confused by this story...

      "At first glance, it sounds as though it's just scaremongering by a PR firm more than anything"

      Same way I read it - so free apps use the camera more than paid for apps. They imply some sinister reason for it but when they check into it - there's nothing wrong. Perhaps there's another reason for a difference between paid apps and free apps? There's no evidence here - just some figures.

  12. MrXavia

    Why not just check permissions before installing

    Apps ask for permission, they don't get them without asking..... check the permissions when you install an app!!!

    Some apps need access to send sms & make calls but most don't 'NEED' more than internet access..

    I get suspicious when they want access to my contacts...

    1. sabroni Silver badge

      Re: Why not just check permissions before installing

      Yeah that's what I do. That's why I've not installed a single new app this year.

      1. MrXavia

        Re: Why not just check permissions before installing

        Quite a few only require internet access...

        But some require massive permissions for next to nothing...

    2. Anonymous Coward

      Uninformed users

      The problem isn't people like you and other Reg readers who are smart enough to know whether the permissions being asked for are reasonable for what the app does. It is the much larger portion of fairly clueless users who just say "yes" to everything because they don't really understand what is being asked anyway.

      Reg readers don't need to care about this because they are going to wonder why an app that plays checkers needs access to the camera or the ability to send texts.

  13. Phil W

    Disconcerting perhaps....dangerous? only if you're silly

    Android apps tell you when you install what permissions they need, if you aren't 100% sure about the app and it's asking for a lot of permissions or permissions you're not happy about (like the ability to make calls) you can and should choose not install it.

    It's the operating system's job, or the manufacturer's job, to stop users making stupid decisions.

    This is no different than PC security, PCs become infected with viruses extremely frequently because stupid users click "yes" on website banners etc offering antivirus software or similar without reading about it or checking it out in any way first.

  14. Tony 32

    Fix the real issue

    educate the users

    1. Dave 126 Silver badge

      Re: Fix the real issue

      >Fix the real issue

      >educate the users

      Some users can't be arsed to invest the time. They would rather pay a premium and not have to worry about it. I guess it depends on how much they value their time versus their money- this varies wildly depending upon how much they earn.

      There is room for both outlooks- instigate a walled garden, but allow users to leave it if they know what they are doing and take responsibility for their actions.

      1. M Gale

        Re: Fix the real issue

        Like the checkbox in Android under "Security" that states "allow installation of apps from unknown sources". Same one that puts up a big scary warning about damage to your tablet if you check it. Or perhaps the one under "Developer Options" that states "Debug mode when USB is connected". Same one that puts up an equally scary warning about installing apps without notification and reading log data.. after you've gone through the "are you sure you want to fuck around with developer options" warning.

        ...which apparently isn't enough for some people who would rather pay $99 for the "privilege".

  15. PaulR79

    Permissions use explained in description

    I've thought for a while now that all apps should explain why they need the permissions they request. Some do already and some explain why they need additional permissions for an update. Make it mandatory for all published apps and this sort of crap will be easier to spot.

    "Oh ... we need permission to use the camera to... erm... discreetly spy on you."

    Yes I know you can't make scammers tell the truth but a game requiring access to SMS or the ability to make calls would stick out like a sore thumb.

    1. Charles 9

      Re: Permissions use explained in description

      Agreed. How about this for an idea? For every permission an app requires, it must also submit to Google the reason for that permission, in specific detail. If it needs "Full Internet Access", for example, the submission must include specific reasons such as "This program receives advertising from the Internet to fund its development." Or if a financial app can send SMS messages, it must provide something like "This program can send SMS messages to financial institutions and read the replies to obtain account information." Google should require this of each specific permission and post them alongside the permissions themselves on the installation prompt. This would be a Google Play extension and could apply to all apps submitted in future, so it shouldn't break existing apps.

      1. Wraiththe

        Re: Permissions use explained in description

        Privacy statements should be short and concise. List the resources available on a phone: Camera, contacts, GPS location, dialer, etc... then what it needs to access and WHY. I have no problem with an app using my contacts to function on the phone... that is normal. Esp. if it needs the info to use on clicking "share:" stupid, no brainer, so what. However, if it wants to upload my contacts or send them stuff I did not initiate... even worse in my name... holy crap! Of course a camera app needs to access the camera! DUH. But not when I am sleeping! Most people just want the cool things and say yes without reading...or if they do try to read it, they become discouraged and just say yes - to get the cool thing. You bought the phone...now you need the apps. The stage is set, everything is as they intend: it is obfuscated on purpose. Seriously, the permissions section when you agree in the app store is ridiculously vague and useless. Basically what you need to know is: what is the app going to do with anything of yours. They do not say this.

        One last note: Why is it that if you do not accept google's location services, you cannot use any GPS apps? You pay for a phone with GPS capabilities, but if you do not agree to let Google track your location, you cannot use ANY... ANYTHING that uses your GPS function on the phone.

        I really do not think this will ever change because most people don't have the time to worry about it, and they are too addicted to their phones.

        The apps and pretty much everything these days (even my DVD player) say if you do not like it, just don't use it.

        A Rolodex used to be one of the most valuable assets of a company, and these guys are getting them for free.

        Another last note: Why do they allow the privacy notices with all the rhetoric, then links to the real privacy notices? (and sometimes those have links to the real privacy notices.)

    2. Phil W

      Re: Permissions use explained in description

      A number of the better apps do this.

      Or rather they explain the ones that aren't obvious. I installed a game recently that wanted access to coarse location data. It was an Ad supported app and there was a line in the app description explaining that this was simply so they could provide targeted Ads so you didn't get annoying Ads for things from other countries.

  16. Wam

    "Whopping"

    "free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books"

    Five times more likely is more whopping likely than 314 percent more likely!

  17. Dave 15

    oh well...

    It might be legit for an application to use any of the features suggested. Applications which are 'funded' by providing shops the ability to know you are near and pump adverts at you might be totally legit and accepted by the user (for example). Many 'free' social networks will also want access to address books, maybe location and certainly camera...

    Just because they access these features doesn't mean they have no right or need to.

    However some might do it without you knowing and for no obvious good reason. This is a problem, it was addressed as much as possible in Symbian 9 onwards (several long years back) . The downside was most users still give the applications permission even when they don't understand for what or why.

    1. Charles 9

      Re: oh well...

      Then simply require an explanation for each permission. If it requires fine (GPS) location, it can explain, "This program uses location-specific advertising to fund its development." Honest enough, wouldn't you think, and easy enough to explain for legitimate uses.

      Of course, disguising a malware use INSIDE a legitimate use (say a spy camera in a photo editing app) is another matter, but it should help some.

  18. John Hawkins

    Root your device and install 'Permissions Denied'

    If you're worried about this sort of thing you can set permissions for each app using the app 'Permissions Denied'. I have.

    Now I'll just return to cleaning my guns...

  19. Shane O'Connor

    How have they tested 1.7million apps on the android app store when Google only just announced it has 700,000 apps on its books?

  20. milky milky

    1.7m apps audited?

    As of September, there were only 700,000 apps on the Android market, where did the other million come from?

    1. Charles 9

      Re: 1.7m apps audited?

      OUTSIDE Google Play, perhaps? It's the APK itself that contains the permission list.
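
Editor's added example (not part of any comment above, and not Juniper's method): the permission list the thread keeps returning to lives in the APK's `AndroidManifest.xml`, so it can be audited before install. The sketch assumes the manifest has already been decoded to text (it is binary XML inside the APK); the category table and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Sensitive permissions raised in the discussion, with what each one allows.
SENSITIVE = {
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CAMERA": "use the camera",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "record from the microphone",
}

# Constructed expectation table (an assumption, tune to your own policy):
# sensitive permissions that are plausible for a given kind of app.
EXPECTED_BY_CATEGORY = {
    "board_game": set(),
    "camera": {"android.permission.CAMERA",
               "android.permission.ACCESS_FINE_LOCATION"},  # geotagging
    "finance": {"android.permission.CALL_PHONE",
                "android.permission.ACCESS_COARSE_LOCATION"},  # branch finder
}


def declared_permissions(manifest_xml):
    """Return permission names in declaration order, without duplicates."""
    # stdlib parser; for manifests taken from untrusted APKs a hardened
    # XML parser is the safer choice.
    root = ET.fromstring(manifest_xml.strip())
    seen, names = set(), []
    for child in root:
        if child.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = child.get(NAME_ATTR)
        if name and name not in seen:  # skip malformed or repeated entries
            seen.add(name)
            names.append(name)
    return names


def audit(manifest_xml, category):
    """Split declared permissions into expected, unexpected and unclassified.

    'unexpected' holds sensitive permissions the category does not explain,
    which is the case a reader would want justified before installing.
    """
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    report = {"expected": [], "unexpected": [], "unclassified": []}
    for name in declared_permissions(manifest_xml):
        if name not in SENSITIVE:
            report["unclassified"].append(name)
        elif name in expected:
            report["expected"].append(name)
        else:
            report["unexpected"].append((name, SENSITIVE[name]))
    return report


# Constructed sample: a free checkers game with ad-network style permissions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.checkers">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Checkers" />
</manifest>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, "board_game")
    for name, meaning in result["unexpected"]:
        print("needs justification: %s (%s)" % (name, meaning))
```

A declared permission only shows what the app may do, not what it does, which is the distinction several commenters draw between the headline and the study's own findings.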

  21. Ben Norris

    False assumptions

    Could it be that there are simply more free camera apps than paid for ones? Why the assumption that they must be nefarious? Likewise with text messaging, etc.

  22. Anonymous Coward

    Interesting thing about phones... there are usually no indicators that the camera is in use unlike most web cams I've seen recently...

  23. thesykes

    So free apps are more likely to access your contacts? You mean apps like Gmail, Facebook, Hotmail? Apps to send SMS... like Handcent? Take photos? Google translate, Tesco, Asda. Location? You mean like The Met Office, Green Flag, English Heritage or National Trust apps? My banking app lets me locate the nearest ATM or branch, and then phone the branch. Google maps lets you view info on shops, restaurants etc. and then phone them. Are all these sinister? They're all free. (Cue petty sniping about how sinister Google and Facebook are).

    No doubt there are dodgy apps out there, but, stop the bullshit pointless reporting like this.

    1. Miffo

      Games

      Maybe most paid apps are games and therefore don't need access to much - that'd explain this difference they noticed.

  24. Craig 8
    Unhappy

    I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?

    1. Craig 8
      WTF?

      SMobile's Ethics

      In case anyone doubts that they shamelessly used a fatal disaster to plug their anti-virus product, I was amazed to find the video still online here: http://www.smobilesystems.com/fox-news-interview-with-rick-roscitt/

  25. A J Stiles
    Holmes

    How to Fix It

    Insist on absolutely no Native Code outside the kernel -- at all. And enforce it, iron-fistedly.

    If everything in userland is fully interpreted, then not only does this mean it doesn't matter what processor is fitted -- ARM, Intel or some souped-up 6502-descendant -- but also, the software is transparent as far as the user is concerned. Third-party code auditing should provide a reasonable level of security, since all auditing houses would be competing with one another; any one giving out a false all-clear would destroy their reputation in an instant.

    (And in the meantime, there's always flight mode.)

    1. M Gale

      Re: How to Fix It

      "or some souped-up 6502-descendant"

      You know how ARM was invented?

      "Acorn's aim at that time was to produce personal computers which met the needs of the business community by providing office automation facilities. Clearly, more power was needed than was offered by the 6502. In the fine tradition of the computer hobbyist, the design team decided to develop their own processor, which would provide an environment with some similarities to the familiar 6502 instruction set but lead Acorn and its products directly into the world of 32-bit computing."

      (http://www.ot1.com/arm/armchap1.html)

    2. Charles 9

      Re: How to Fix It

      What about where performance is needed, such as games? How do you balance the power requirement with the security requirement?

  26. Anonymous Coward
    Anonymous Coward

    The Windows security model and Android security model are very similar

    I love Android - and I love Windows as it is. But I understand why many don't. In the same way that a mechanic enjoys tinkering with cars, I enjoy tinkering with PCs and phones.

    Android and Windows assume a certain level of 'interest' in what's being done. Many people using PCs and phones don't care how something's being done - they just want to run that casino app, or visit a porn site, or whatever else. If you stick boxes up saying "Are you sure you want to do this?" they'll quickly learn to always hit "Yes" to the box that pops up. If you have a screen during install that says "This app has access to your phone; it can make phone calls. This app has access to your camera, it can take photos whenever it likes" - people train themselves into "always hit Install on the next page". It's as it is with EULA screens.

    There is a fundamental problem here. We require that drivers have a license to drive; for their own safety, and for the safety of everyone else. We require they have a certain level of understanding as to how a car works. We require them to understand safety signs that give them warnings - and to understand the implications.

    But give them a phone or PC that has access to their bank details, contact details of all their friends and colleagues, potentially access to business networks and business resources - and it falls back to "I want porn now - Yes, Yes, Install, Yes".

    I don't know what the solution is, despite my driving license example. The options thus far appear to be "Better education" - but years of Windows and malware suggest that won't work, or walled gardens that restrict everybody's ability to tinker.

  27. stewski

    Sensationalist BS

    The style and content of this story were Sun level sensation, with virtually nothing of interest.

    "Free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts."

    Whopping? After the first part suggests 5 times more likely to track location and the second part talks about a whopping 314 percent, do you think we are idiots, Sun readers, or just so bored that bad maths and English will brighten up our day?

    Is requesting the capability to use location services proof that free applications are 5 times more likely to track user locations? I don't know, but this whole piece and the study reads as thin on facts and big on BS.

  28. toadwarrior

    Not surprising. Not many people write code just for fun. They'll want something in return. It's better to pay someone up front for their work rather than find out they choose to compensate themselves in other ways.

    Android needs far better control over security. Let users disable certain access and there should be a setting to make it so an app can do something unless it gets a user to ok it at the time of access. Those who don't mind being nagged can get more protection.

    1. Tom 7

      Yes toad

      When I write code I expect it to save me time and effort in the long run; if I think it's OK I'll share it.

      I have worked for commercial organisations who write code to make money. More time is spent trying to ensure they get that money (and more) than solving the problem at hand.

      If Apple had spent the money designing apps rather than take Motorola to court for living in the same 3D world as everyone else they could have perhaps even written a mapping app that worked. Not that they need to - most users would rename the place they got to rather than admit they'd pissed their money up the wall.

  29. Anonymous Coward
    Anonymous Coward

    The researchers found it not immediately obvious what some permissions were required for, and in that regard I've had several users complain about one of my free apps requiring the location permission with quite a few "location, wtf!?!? 1 star, uninstalled" type "reviews". It's an app for building a GPS track to export for geo tagging photos in Lightroom. I really didn't think I'd need to explain that permission...

    So yes, lack of app permission detail would help a lot - but as is always the case user stupidity is going to be one of the biggest points of failure, and it's not hard to envisage a scenario where a dodgy dev writes a load of BS for permission description and people install it anyway.

    The free lunch point needs ramming home - too many users think there's no reason whatsoever to have ads on a free app.
