Apple (someone had to raise this)
This would far less likely get through on the iTunes Store - yes it's sometimes annoying how they do their what gets published and what doesn't approach, but security at least they are very tight on.
A popular mobile ad library used by multiple Android apps poses a severe malware threat, researchers at infosec firm FireEye have warned. The security researchers said that altogether 200 million affected apps had been downloaded. This ad library aggressively collects sensitive data and is able to perform dangerous operations …
Hmmm. I'm going to go with...
bollocks
I don't doubt for a second that there are any number of iOS apps out there with adware, and of those, that some of these adware providers are less than 100% on the ball with their security.
The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves.
"The only thing that Apple seem to be 'very tight on' is preventing people from producing apps that do things they don't want them to, such as provide a cheaper/better version of some functionality they want to sell to you themselves."
On a point of information, they're pretty good at silence about their bugs and hardware problems, too. In fact, veritable Man Booker nominees, I should think.
The only reason it's far less likely is because the ipolice say which advert libraries you can use. I.e. theirs. While that does limit the risk it also means all your eggs are in one basket should theirs turn out to have a flaw. It also is pretty crappy for the developer to not be able to use best of breed / best revenue return etc that he chooses. So it's not as simple as saying ios is more secure (let's just say 'phone chargers with malware'!) - it's just a vulnerability that exists on all platforms when a shared library is compromised by a flaw/bug/whatever...
So what I'm saying is with freedom comes responsibility - if android users accept stupid level of permissions for their chosen app then expect nonsense like this. If you don't want that level of responsibility and freedom, buy an iPhone and let apple decide what is good for you.
Personally, I'll stick with the little green android but each to their own. But neither side should be smug about this - "malware - it's not just for windows" ;-)
"So what I'm saying is with freedom comes responsibility"
Mega platitude. Sounds impressive. But think about it, really think about it, instead of just skimming the words and it's as clear as can be that what you have said is actually total nonsense and the best argument against the position you have adopted. It has the outward clothes of a Shakespearean quote with the inner profundity of Benny Hill.
With freedom comes freedom, that's all. Freedom for instance to install malware if you so choose.
What I think you meant to say is that with freedom comes the need to be careful, but then if you actually said that it would have sounded a bit crap.
Sir, you are a fool and an idiot.
Let's take a slightly easier to understand argument about choice, freedom and responsibility :
In America you have the freedom to own a firearm. You can have the freedom to shoot whatever you want. However- you have the responsibility of using it wisely and from hurting other people with it. - however responsibility means it's not a licence to kill people - when you look down the barrel you CHOOSE whether to pull the trigger - check the target before you fire - YOU ARE RESPONSIBLE FOR YOUR ACTIONS with said firearm.
freedom = gun = *responsible* for own actions and freedom to choose but probably higher risk of getting hurt.
locked down freedom = no gun = no "difficult" choices to make but can still get shot though not fault of own.
And that's my point, if you choose android (like I have) I choose to take more precautions before I install software (pull the trigger) and if I don't like what I see, I don't. With IOS I have to assume that's all been done for me. Doesn't mean I won't get hurt - it's just somebody else is responsible.
And if you don't get that I'm assuming the smart phone in your pocket is owned by a dumb ass.
HollyHopDrive, I apologise for taking the piss out of your post. Re-reading what I wrote I probably thought my reply was funnier than it came across.
You see there are two ways of taking the meaning of responsibility. As an attribute of how you act or as a something to be faced up to. You will notice I (rather dismissively - apologies again) said your argument was nonsense and the best argument against your position at the same time. Nonsense because when your use of the word "responsible" is taken, as most people take it to mean, as an attribute someone has, you find most people clearly don't want it in relation to keeping malware off their mobile devices.
With your reply you seem to have ruled out responsibility as an attribute, but instead refer to responsibility, the thing you acquire when you make choices. Responsibility and control being flip sides of the same coin.
But this is the strong argument against the position you have adopted that I referred to. If I arrive at the edge of the Sahara I am free to trek across it. However I want a guide and I don't want to take responsibility for making all choices about the journey because:
a) I'm not Ray Mears and don't know the desert
b) If I make a wrong choice I die
c) There are other things I *choose* to get on with that aren't desert orienteering and survival, such as mountain biking and Skiing
d) There are guides who are experts and better at it than me.
Now the thing is regarding my smart-phone and technology, as it happens, I, like many on these forums, actually am a little like Ray Mears. I'm perfectly capable of trekking across the technology "desert" without incident - avoiding viruses, dropping to the command line as needed. But, even so, I'm still happy for a lift and a guide through the desert, because I've got my mountain biking and skiing and other stuff to concentrate on. I'm simply not interested in spending my time desert orienteering. And in the mobile world I want to focus on the things I really want to do with my life instead of managing virus scanners on my bloody mobile phone.
The iPhone is a device, and can only reasonably be compared to a police state by way of metaphor and on strict understanding it is a metaphor. Some people on here forget it is a device in civil-life and that Stalin isn't sitting on your shoulder telling you you can never take your eyes off that walled garden displayed on its screen. You won't be thrown in the Gulag if you decide at some time you want to buy a Nexus 7 instead.
It is a tool which frees people to do more of what they want to do (getting across the desert to go Skiing and Mountain biking) and less of what they don't want to do (configuring security settings, installing malware defences, auditing app permissions).
People have freedom over what to do with their lives and can perfectly responsibly choose to delegate desert orientation to experts. Installing AV software, auditing security settings, etc. is simply not an efficient use of most people's time. We are free to choose to do more with our time than that.
And you are a blinkered, sanctimonious idiot.
If you think the American way with guns - responsibility works, you must be in a tiny minority. I understand that there are individual American cities with higher death rates through these responsible gun owners than the murder figures for the whole of Britain, or Germany or other countries.
You also seem to think that, to own or use a mobile 'phone, you must have a good technical understanding and background that was unnecessary to use a land line.
Or are you suggesting that, for every item one uses, one should have a thorough understanding of it and the design behind it? Do you? When you go to buy, say, a new microwave, do you understand all the computing within it? All the electronics? The mechanics, in working detail, or all the moving parts? Do you insist small children pass a test in how to use a mobile phone, or open the fridge?
Most of us have enough to do just keeping up with our own professions and living busy lives. Few people even bother to read the instructions of most things that they buy and, most things are well enough built and designed that this is fine. Apple understands this and provides for this market as well as for those who want to go deeper. As Android matures, its resellers and packagers are learning this too, which is one reason why Samsung is doing well.
Now you need to learn and understand it.
> ... over time, has more gun deaths than the US in total, not excepting the Civil War. Largely state owned, interestingly.
Not excepting the world wars either, eh? Other than that your statement would appear to not hold up:
United States 10.3 (2011) - firearm-related deaths per 100,000 people
Germany 1.24 (2010) - firearm-related deaths per 100,000 people
--> http://en.wikipedia.org/wiki/List_of_countries_by_firearm-related_death_rate
> Dead is dead. And no, let's not except two world wars.
OK, so the US with its civil war, Hiroshima, Nagasaki, Vietnam, Iraq, etc. has caused fewer gun deaths than the Nazis, the most vicious killing machine of all time. Congratulations, what an achievement!
I still struggle to see your point though. Does that mean in your estimation that US gun laws which today contribute to many times more deaths than Germany's are a good thing? And by extension (a long shot anyway) that Android's permissioning system must thus be better than that of other mobile OSs?
You are an IGNORANT twat...learn to read statistics dumbass. The cities that have high murder rates are suffering from GANG Violence and Drug Wars.
These cities are NOT suffering at the hands of responsible gun owners. Responsible gun owners handle guns safely, criminals do not. Even YOUR criminals have guns though you do not.
These gang members will always have access to guns as they are criminals and no amount of laws or other regulations will ever matter to them. They don't get their guns from legal channels.
I really wish you people would stop pontificating on subjects that you have absolutely no experience with or using allegories that have no correlation to reality.
Dear dear! So not only do you have more guns and gun owners out of control, you also have gang and drug problems on the scale of a minor civil war in your major cities. Hmm.
Odd, many of the "random" incidents of murder of fellow students, workers and so on seem to be committed by people who neighbours, friends, family often thought were decent, quiet types with a normal interest in guns that they had acquired legally, presumably after checks for their responsibility.
Now you will tell me that all these responsible gun owners managed to stop most of the irresponsible ones. One dreads to think how many more murderous incidents there could be without the responsible owners. You fail to explain why American criminal gangs etc. seem so much better armed, numerous and murderous than their European counterparts. Must be all those responsible gun owners they've got as neighbours.
Hey, back to "responsible" gadget owners, you know, mobile telephones, microwaves, that sort of thing and the test you would have to make sure only "responsible" people get them, and how you would define "responsible".
Perhaps it would be better to have design and implementation reflect reality and cater to the end user. That does not prevent the supply of specialist kit for those who want to assemble their own device, just like buying a kit car or a crystal radio kit.
Apple doesn't stipulate which advert libraries you can use.
Example third-party libraries with explicit iOS SDKs include Google AdMob (https://developers.google.com/mobile-ads-sdk/download), Flurry AppCircle (http://www.flurry.com/appCircle-a.html), InMobi (http://www.inmobi.com/products/sdk/) and MoPub (http://www.mopub.com/resources/open-source-sdk/).
The main reason this is far less likely on iOS is that Apple doesn't allow any application to collect text messages, phone call history or contacts. There are no APIs at all for the first two, and contacts can be collected only by a call that shows some Apple-defined user interface and eventually returns a single contact if the user confirms that course of events.
So on the iOS side it'd have to be a security privilege raising exploit as well as a trojan, rather than merely a trojan.
I wonder if no-one writes apps for Blackberry is because Blackberry (the company) is a bugger to deal with. They seem the same sort of control freaks as Apple. What with PIN numbers and restriction of the so-called Blackberry Internet Service I'm beginning to wish the bloody thing would break (again) so I'd have to buy an Android. Mind you I'd then have to negotiate with T Mobile to unlock my SIM and credit for use with a non Blackberry phone.
I guess I'm just not the "prosumer" their delusional mindset imagines will buy the new overpriced OS10 hardware they are pushing, just as consumers, resellers and the banks desert them
This would far less likely get through on the iTunes Store
They already had a boo-boo years ago. Can't remember the name of the apps or the vendor, but it was something like iMob or something like that; the app would slurp your contact list and other stuff and send all that data to the company selling the games. And they had all those apps get through the iBone Store! Which shows that the whole iTunes Store approval process is more of a security theater thing.
"Android more secure than iphone (comparing OS vs a phone again)"
You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulnerabilities in their respective fields....
Not that IOS is much better, but it is better.
I think the downvotes are more because the Linux kernel and its team are actually pretty good at security, and because Android implements Java via its own Google-specific virtual machine, using none of Oracle's code and therefore shouldn't be tainted with the same brush.
"I think the downvotes are more because the Linux kernel and its team are actually pretty good at security"
They really are not. There have been well over 900 security vulnerabilities in the Linux kernel alone so far. To put that in perspective, the whole of Windows XP is only on about 500!
"You are kidding or deluded. Android is based on Java on top of Linux. Both are pretty much top of the pops for security vulnerabilities in their respective fields...."
The part of your argument that won me over was the well-sourced examples and references to comprehensive studies.
Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.
I often authorise apps that ask for excessive permissions, and then disable those permissions (using 'android tuner') once installed. If the app breaks, it is deleted.
Users should be able to accept/deny certain permissions on install, not just the current 'all or nothing' approach.
You raise a good point BUT how many of the millions of average Android users know (or care) about this stuff.
Sad as it may seem, sometimes the Walled Gardens of Apple and Microsoft do have their advantages.
Perhaps there is a need for a 'security enhanced Android?' that would become the default for the masses but with the ability for us 'geeks' to disable it (at our own risk naturally...)
"Perhaps there is a need for a 'security enhanced Android?"
May not be possible - the main reason for Android IS data collection (given who created it), so I cannot see Google making your road to non-data supplier a smooth one.
I think there may be a chance with the Ubuntu phone, as long as none of their own UI guys gets to design the front end (as in "noooo - not Unity...").
"sometimes the Walled Gardens of Apple and Microsoft do have their advantages."
You mean like all those apps on iOS that were caught out deliberately downloading your entire contact list and messages to the app servers a little while back?
Good protection that...
Hmm. Nice argument, but doesn't really address the specific issue, which is a dodgy malware component loaded into loads of apps. A single app in the app store isn't quite the same thing.
It's not impossible to get malware into the Apple store, but we don't currently have any reports of a compromised library that has made its way into lots of apps in the Apple store.
So, better protection than the Play store. Unless you can provide info to the contrary....?
Maybe you should ensure that when your app is denied a permission it fails gracefully and informs the user clearly why it has failed? Or is catching exceptions just too difficult in native Android apps?
The idea that we shouldn't bother with security because it makes life difficult for developers is ludicrous.
Sorry... saying it yet again... Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions and the developers knew this was the case so they wrote their code to handle it. A programmer worth his salt knows how to code 'defensively' and how to pop up a message telling the user that if they disallow feature X then the app can't work...
Google should look at the model that Symbian had for permissions. A user could permanently, or on a case by case basis (interactively), allow or deny the app permission to perform specific actions
Ah. I knew Apple took that idea from somewhere (iOS gives you that control too).
'That would be an absolute nightmare for app developers.'
Tough. It's not the user's job to make life easier for the developer. It's the developer's job to make life easier for the user.
Android's APIs clearly need a serious rethink if this is such a chore for developers to deal with. iOS app developers have to deal with this kind of thing too and most do so without kicking up a big fuss. (It helps that the relevant iOS APIs are pretty easy to use. Perhaps Google should be aware that the "I" in "API" stands for "Interface" – i.e. developers need good UIs too!)
'How do you deal with an angry user who's blocked a fundamentally required permission for your app and then starts reviewing it poorly because "it doesn't work"?'
Oh, I don't know... how about being better at app design and development, catching the errors caused by disabled permissions, and failing gracefully with suitably clear messages and notices to the user explaining why a feature isn't working?
Whilst the ad app developer has been contacted about the vulnerabilities, no-one seems to have addressed why on Earth the software had this capability in the first place.
Exactly. Command-and-control functionality doesn't get "accidentally" coded and put into an app library.
I often authorise apps that ask for excessive permissions, and then disable those permissions (using 'android tuner') once installed. If the app breaks, it is deleted.
This is actually what I prefer in iOS, the fact that it is quite granular about permissions. The "Android way" is to have it all or the app won't install, where an iOS app will happily install but will then tell you that it needs xyz access to do its job. TomTom, for instance, is rather pointless without location services, but I don't let it access my contacts for addresses - it's a choice I get to make on iOS.
I see from the comment that you can download an Android app to retro-actively adjust permissions to something more sensible, but in my opinion that should be part of the OS. I don't trust Google at the best of times, and I want to know why Google itself has an app killswitch and app remote load ability - AFAIK, Apple hasn't tried to pull that one yet.
Also what hasn't been mentioned is the changes Google made to their Developers Policy and the Content policy section back in August 2013, which seems to outlaw some of the behaviours being seen.
Another point is that looking at related research on the web, it would seem that the functionality of the ad library may also be different depending upon whether the app was downloaded from Play or a third-party site...
"How unusual! Most companies run on fairy dust and pixie tears!"
Yeah, yeah, and all that, but this is security where, generally, public safety outweighs the bottomline, at least to some extent. What if all security companies started hoarding their vulnerabilities? So, in order to have a secure device, I have to subscribe to a dozen different security apps? Might as well get out now...
I hope, at some point, a list of affected apps does get published. I don't just let my apps auto-update (see the latest Google Maps fiasco for a good example of why), so I'd like to know if any of my apps need updating.
"FireEye Mobile Threat Prevention applies a unique approach and technology that made it possible to discover the security issues outlined in this post quickly and accurately despite these challenges." [Source: FireEye blog: http://www.fireeye.com/blog/technical/2013/10/ad-vulna-a-vulnaggressive-vulnerable-aggressive-adware-threatening-millions.html ].
Suspect that soon we will be seeing others offering similar service enhancements to their security apps.
Horrible stuff, but really, Google should have allowed permission denying on an app long ago.
May I also suggest a very simple idea?
If an application wants certain permissions considered dodgy, maybe Google should require the source for review, or even charge for the permission use (paying for a code review, effectively).
How can they avoid being charged every time they update?
Put all the code that requires review in a separate function that can be checksummed easily without delay to ensure it hasn't changed..
What permissions are considered "dodgy" then? By who? Are they listed under a separate "Dodgy" section of the Android manual?
How dodgy the permissions required and used by an app are is entirely dependent on context. What may be considered dodgy on your "Fart App", could be perfectly reasonable on your "Personal Diary App". Determining this, of course, requires an intelligent review of the actual app. It is not something that a blanket policy can draw the line on which apps should have it, and which should not.
So your simple idea could only ever work if it applied to all apps. Which is kind of what Apple does and Google doesn't.
Of course, I didn't go into those details exactly, because I'm not actually paid to develop Android's security policy.
So for me to say "running as a background process" "running on startup".. "accessing account information".. "sending emails without confirmation".. and so on and so on very specifically would be a fair waste of time.
Americanism this. Americanism that.
It's just a matter of thinking through what the phrase means ('could care less').
Those for whom it's an unmanageable task are still allowed to post gnarled meaning here, but people know to smile and say, 'Yes, dear. We know what you're trying to say'.
To me, Could Care Less is the very opposite of the English, Could not care less.
The former says, I could care less than I do, or, in English, I do care a bit.
The English says, I care as little as it is possible for me to care, or, I do not care at all. Rather different. Just another example of American being English spoken by foreigners. Think through it all you like, in literal terms, they have opposite meanings.
I have a few android apps on the market and multiple ad companies have scraped my contact email to spam me. The spam is always the same - do you want to earn some preposterously high eCPM? Great! Then install this ad software in your app and you'll be swimming in cash!
Then you go to see what permissions the ad software actually uses and how it will affect your app. It wants permissions for gps, internet, receive texts, see running processes etc., it wants to shit icons and notifications all over the user's home screens, bury your app under interstitials, videos and other nonsense.
Basically it's malware in all but name. Maybe it really does increase the eCPM - briefly - but then the hate from users would doom the app to oblivion. I think I would rather a lower eCPM, a better app rating and happier users from ad software which knows its place and doesn't step out of place.
"It wants permissions for gps, internet, receive texts, see running processes etc., it wants to shit icons and notifications all over the user's home screens, bury your app under interstitials, videos and other nonsense.
Basically it's malware in all but name"
So don't install it then!!!
The Android permissions model is not working sometimes, because of the fact that most of the apps need internet access to gather viable data. And once some app developers are putting advertising SDKs in their apps to gain some bucks from ads, they don't even realize the threats they are making for their users. A typical example was the Airpush SDK which was able to make GCM/Push notifications like ads (wtf?!) ...
Yesterday, I found a new app on Google Play called Network Connections which shows all connections made from my phone to remote servers, and I should tell you that apart from the standard ones made to Google, Sync contacts, Analytics, Flurry, etc. there are many strange ones to IPs in China....
This is a trust issue and sadly there is not a single entity in the entire ecosystem that is actually worthy of trust.
Stuff like this *can* be fixed, but by properly disabling one bad guy you disable them all and since the bad guys are running the show, well...
FWIW, I think it is possible for the good guys to run the show, but our window of opportunity is rapidly closing.
I got my first android phone about 6 months ago.
I was surprised when a few of the latest updates wanted access to parts of my phone that don't concern them.
I noticed for instance that a free LIGHTER app had permission to access my contacts and access to the internet !!! WTF!!! It's only a picture of a zippo lighter. Same thing with a picture of a candle. When I realised this I deleted both.
Why do these simple apps want my contacts and to get on to the internet with my phone???
I don't like it. My next phone will be... will be... will there be anything else other than iphone or Android?