Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Security biz Pentest is sounding alarms after it found an Android app it says has been downloaded 50 million times despite being "little more than malware." UK-based Pentest said a whitepaper study [PDF] of the popular Flash Keyboard found that the Android app is "abusing" OS permissions, inserting potentially malicious ads, …


  1. Paratrooping Parrot
    Boffin

    Permissions

    I have deleted a lot of Android software because of permission creep. They had a few permissions, and then added more. Another piece of software that I refused to update was a calculator that seemed to need access to the phone. It used to be excellent until they decided to team up with a phone answering company that basically hijacks your phone when it rings.

    I have increasingly had to delete software. Probably one of the most useful pieces of software I have installed on my Android mobile is No Root Firewall. It has stopped me from getting adverts from many installed apps. :)

  2. Mike Flugennock
    Facepalm

    Why have 50 million people downloaded it?

    Uhhmm... because you can't fix stupid?

    1. wolfetone Silver badge

      Re: Why have 50 million people downloaded it?

      "Uhhmm... because you can't fix stupid?"

      Is that not what the Darwin awards are for?

      1. Steve the Cynic Silver badge

        Re: Why have 50 million people downloaded it?

        "Is that not what the Darwin awards are for?"

        They are only for *fatal* stupid. And even they don't *fix* stupid.

        Side note: Many of the incidents that lead to people being shortlisted for the Darwin Awards are linked to an apparently innocuous molecule sometimes called methylcarbinol.

        You or I know it by its full "scientific" (i.e. IUPAC systematic) name, ethanol. A distressingly large fraction of DA winners (and even runners-up and mere Honourable Mentions) were drunk to a lesser or, more frequently, greater extent.

  3. Christian Berger Silver badge

    That's yet another point caused by needless complexity

    Android has a "security system" limiting access rights for applications, but in reality that's useless as people just install stuff anyhow.

    Instead of useless security measures we should have mandatory code reviews. In the case of a "keyboard app" that shouldn't even be difficult, as such an app surely has less than a screen full of code.

    Since the distinction between good and bad is often a question of opinion, we need multiple sources providing code reviews. Ideally we'd even have a whole dialogue about code and code patches. For this to happen code needs to be much simpler and therefore better written than what we currently have.

    1. DougS Silver badge

      Re: That's yet another point caused by needless complexity

      So you want Google to wall up their garden with higher walls than Apple? Even Apple doesn't require submission of source code, which is what it sounds like you're suggesting. I'm sure app writers will be totally comfortable giving up their source code to Google, one of the world's largest software companies...

      1. P. Lee Silver badge

        Re: That's yet another point caused by needless complexity

        >So you want Google to wall up their garden with higher walls than Apple?

        I think what might be desirable to el reg's audience are FLOSS repos for android.

        You can keep your trivia apps, I just want vlc or mplayer, amarok, firefox, kmail etc on a phone.

        I trust those guys more than I trust google.

        Alternatively a system of shims between apps and resources: a GPS fuzzer/usage verifier, a camera/mic use verifier, a contact data filter.

        1. Ken Hagan Gold badge

          Re: That's yet another point caused by needless complexity

          "You can keep your trivia apps, I just want vlc or mplayer, amarok firefox, kmail etc on a phone. I trust those guys more than I trust google."

          That would be Ubuntu Phone then. I haven't used any version of x-buntu for a few years now, because I think there are better distros for just about any given purpose, but I'd trust their phone offering well ahead of anything else I've seen on the market.

          Then again, perhaps running UP and sticking to the official repos is about as limiting and no safer than running Android and sticking to the Google-branded apps. In both cases you are intentionally cutting yourself off from all the third parties simply because you can't tell which ones are trustworthy.

        2. Gene Cash Silver badge

          Re: That's yet another point caused by needless complexity

          > I think what might be desirable to el reg's audience are FLOSS repos for android.

          You mean like F-Droid?

          1. DropBear Silver badge

            Re: That's yet another point caused by needless complexity

            "You mean like F-Droid?"

            Yup. And if you're missing the pretty pictures to see what the app looks like at a glance (which F-Droid apparently considers too plebeian a thing to do) there's always a chance its more handsome mirror Flossdroid can help...

        3. kwhitefoot

          Re: That's yet another point caused by needless complexity

          VLC is in the play store.

      2. Christian Berger Silver badge

        Re: That's yet another point caused by needless complexity

        What I want is a place where I can get some information on whether someone has looked at the code, or at least some information on the license of it. F-Droid for example only accepts software where the source code is public... and they even warn you about software you might consider malware.

        The big point is that _I_ need to be in control of _my_ hardware, not some company, not some app-store, but me. And this is currently impossible as Android is far too complex.

  4. smartypants

    Complicated permissions system + humans != security

    In just the same way that ordinary people (my mum, billionaire leaders of tech services, IT professionals included) don't or can't have a personal password policy which ensures security, the same people when faced with a multitude of questions when installing something will just press 'ok'.

    It's precisely the same thing that goes on when we click the "I have read the terms and conditions".

    Each time some failure of security results, there's lots of helpful advice on these threads about what people should do.

    But they're as likely to do it as the pope is likely to convert to islam. So it does beg the question why we keep on building a tech world which doesn't work well with the way humans actually are, rather than some mythical alternative where we study password policy 8 hours a night and read all the legal small-print before ticking a box.

    1. harmjschoonhoven

      Re: Complicated permissions system + humans != security

      But they're as likely to do it as the pope is likely to convert to islam. Pope Sylvester II came close to that after his visit to Córdoba.

      1. Marshalltown

        Re: Complicated permissions system + humans != security

        "Close," as the saying goes, "only counts in Horseshoes and hand grenades."

  5. Mystic Megabyte Silver badge
    Stop

    Anybody here installed Firefox?

    I backed out of installing Firefox when it asked me for my grandma's maiden name (slight exaggeration). Seriously, I thought that I had been hacked and shut down the phone.

    1. AlexV
      Go

      Re: Anybody here installed Firefox?

      Yes, it's a good browser. Plus, add-ons, which is even better. I would think it would require all those permissions to provide the web APIs to allow access to them. Firefox itself probably doesn't care about your GPS location (for example), but provides it as an API so that web pages like mapping services can access it. People like having web pages that run like apps. Almost as much as they like apps that run like web pages. Firefox would always ask you before granting permission for any site to use those APIs.

    2. oneeye

      Re: Anybody here installed Firefox?

      Firefox is a fabulous browser! Once you learn how to add some add-ons to harden it, that makes it a whole lot safer than many others. I use the uBlock Origin ad blocker, Self-Destructing Cookies, HTTPS Everywhere, a restart button and, from settings, a Quit button. So much customization can be done with Firefox for Android. Take the time to learn how to use it, you won't be sorry. And finally, one of my favorite features: it loads tabs in the background, like when I'm in my Gmail app, I click links and they don't open the browser automatically. They are directed to the browser so when I finally open it, they are all there waiting on me. This is enabled in the settings. And it works for any link, clicked in any other app.

  6. paulc

    still there in Google Play...

    doesn't appear to have been taken down at all

  7. jzl

    Obvious really

    Never trust software with "Flash" in the title.

  8. ukgnome Silver badge

    And meanwhile......

    Does this apple taste sweeter to you?

  9. Alumoi
    WTF?

    Keyboard app

    I can understand wanting to get rid of the sammy or google keyboard, but why look further than Hacker's keyboard?

    1. Anonymous Coward

      Re: Keyboard app

      And how well known is Hacker's keyboard compared to Flash Keyboard?

      A quick look on the play store, and there seems to be various Hacker's keyboards, none of them very popular (by number of downloads).

      Search generically on the store for 'keyboards', and the first Hacker's Keyboard entry is at least 5 pages down the screen (with the Flash one being about 2 screens down). So not something your average user is going to stumble on.

      Not saying it's not a good keyboard, just how are people not going to 'look further than Hacker's Keyboard?' if hardly anyone seems to have heard of it or be using it in the first place?

      1. Alumoi

        Re: Keyboard app

        Here you go:

        https://f-droid.org/repository/browse/?fdfilter=keyboard&fdid=org.pocketworkstation.pckeyboard&fdpage=2

  10. Anonymous Coward
    FAIL

    Wow I'm stunned....

    ..that this has just been noticed.

    1st hit in Google Play for search term "Torch"

    Camera

    take pictures and videos

    Other

    receive data from Internet

    change system display settings

    modify system settings

    full network access

    prevent device from sleeping

    view network connections

    control flashlight

    People just blindly accept anything.
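The permission list above is what the Play Store shows a user; the same information is in the APK's manifest (`aapt dump permissions app.apk` prints it from the binary). The following is an added example by the editor, not code from Pentest's study or from any app discussed on the page: it parses a decoded AndroidManifest.xml and flags requested permissions that do not fit what the app claims to be. The "expected" profiles for a keyboard and a torch app are the editor's own assumptions, and the two manifests are constructed samples, not real apps. One caveat worth keeping in mind when reading a torch app's list: before Android 6.0 toggling the flash LED went through the Camera API, so CAMERA on an old torch app is explainable, whereas READ_LOGS or READ_CONTACTS on a keyboard is not.

```python
"""Flag Android manifest permissions that do not fit the app's stated purpose.

Added example (editor's code). Works on a decoded text AndroidManifest.xml,
e.g. the output of apktool; a raw APK carries the manifest as binary XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions: the ones Android 6.0+ prompts the user for.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
}

# Permissions that are signature/privileged or "special" (appop-gated) on
# modern Android; a third-party app requesting them deserves a hard look.
PRIVILEGED = {
    "android.permission.READ_LOGS",
    "android.permission.WRITE_SETTINGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Assumed per-purpose allowlists (editor's judgement, not an Android rule).
# Keyboard: haptics plus optional network for dictionary sync. Flashlight:
# CAMERA is needed on pre-6.0 devices to drive the LED, FLASHLIGHT on older ones.
EXPECTED = {
    "keyboard": {"android.permission.VIBRATE", "android.permission.INTERNET"},
    "flashlight": {
        "android.permission.FLASHLIGHT",
        "android.permission.CAMERA",
        "android.permission.WAKE_LOCK",
    },
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return <uses-permission android:name=...> values in manifest order, deduplicated."""
    root = ET.fromstring(manifest_xml)
    names: list[str] = []
    # The element tag is un-namespaced; only the 'name' attribute carries the android: prefix.
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name and name not in names:
            names.append(name)
    return names


def audit_manifest(manifest_xml: str, app_kind: str) -> dict:
    """Compare requested permissions with the allowlist for app_kind."""
    requested = requested_permissions(manifest_xml)
    expected = EXPECTED[app_kind]
    unexpected = [p for p in requested if p not in expected]
    return {
        "requested": requested,
        "unexpected": unexpected,
        # Unexpected AND user-prompted: data access the purpose does not explain.
        "dangerous_unexpected": [p for p in unexpected if p in DANGEROUS],
        # Privileged/special permissions, expected or not, are always listed.
        "privileged": [p for p in requested if p in PRIVILEGED],
        "verdict": "review" if unexpected else "consistent",
    }


# Constructed sample manifests (not real apps).
SAMPLE_KEYBOARD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Example Keyboard"/>
</manifest>"""

SAMPLE_TORCH_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="Example Torch"/>
</manifest>"""


if __name__ == "__main__":
    for kind, xml_text in (("keyboard", SAMPLE_KEYBOARD_MANIFEST), ("flashlight", SAMPLE_TORCH_MANIFEST)):
        result = audit_manifest(xml_text, kind)
        print(kind, result["verdict"])
        for key in ("unexpected", "dangerous_unexpected", "privileged"):
            print(f"  {key}: {result[key]}")
```

On the keyboard sample the audit reports CAMERA and READ_CONTACTS as unexplained runtime permissions and READ_LOGS as privileged; on the torch sample nothing dangerous is unexplained, but INTERNET, ACCESS_NETWORK_STATE and WRITE_SETTINGS (the "modify system settings" line in the Play Store list) still warrant a look. The allowlists are deliberately small; tune them to the app category you are reviewing rather than treating them as fixed.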

  11. En_croute

    Most users don't know what all the warning lights on their car dash mean, let alone a permissions statement/request from an Android OS/app.

    1. Brenda McViking
      Joke

      My car lit up a little light and told me to "check engine"

      So I did.

      It's still there, under the bonnet. Silly car.

  12. ATeal

    Two things

    1) When I first got my first ever Android phone, the HTC Desire HD, looking at Angry Birds' permission list saddened me, and made me look for firewalling; behold, DroidWall!

    2) Recently Google changed their keyboard AND THE F*CKING LAYOUT, surely keyboard layout is sacred! But no they changed it, the new one also had some fun new permissions. I installed it and now prevent it from updating. I thought this was about that!

  13. Rimpel

    Gmail requires microphone permission

    slightly OT... On my phone I recently denied all apps access to the Microphone (running Cyanogen OS). Viewing mail in the gmail app works as normal but while composing a msg I get the following message every 30s or so:

    "This app won't work properly unless you allow Google Play services' request to access the following: - Microphone. To continue, open settings, then Permissions and allow all listed items. [Cancel] [Open Settings]"

    wtf??

    1. David Nash Silver badge

      Re: Gmail requires microphone permission

      "wtf??"

      My guess is that it's so you can compose an email by dictating it to the phone.

      I never would but some might want to.

      1. oneeye

        Re: Gmail requires microphone permission

        Almost all keyboards have the mic icon to do just that, dictation. It works great too! So this permission is required, but in MM 6.0 you could disable this permission.

  14. viscount

    "Pentest estimates that the app has been installed on more devices than WhatsApp"

    Surely not?

    1. Boothy
      Coat

      I keep getting messages that are apparently from WhatsApp telling me I have deferred messages waiting for me to read.

      One of these days I must get round to signing up for an account to see what they are about!

  15. FuzzyWuzzys Silver badge
    Facepalm

    Oh come on!!

    Get the rights you might like up front, then you don't have to ask to be "upgraded" to better privs later on!

    If you work in backroom server tech circles this is the oldest developer trick in the book and usually the first trick you learn to say no to when you first start in backroom tech!

  16. Sorry, you cannot reuse an old handle.

    Why is calling China dodgy?

    The developer is based in Hong Kong (see website) so I'd say that it's not too far a stretch to "call" China for some server-based analytics.

    What I would actually find strange is for such an app to "call" the USA or the Netherlands instead!


  18. john devoy

    what a crock

    What do they mean they don't think it's intentional? Do they think pixies changed the code while the devs were sleeping? Of course it's all intentional. What they mean is it's blatant malware stealing data but they don't want to offend the Chinese.

  19. A Ghost
    Unhappy

    I was given an Android phone

    It's supposed to be a good one. I had it demoed for me and it certainly has some nice features.

    It's still in the drawer. I won't be using it.

    Reason?

    Crap like this.

    No mobiles, no tablets, no internet enabled on any computers except for an old beater with dual boot XP/Linux. And the XP is only for testing some stuff - it won't have internet enabled by default.

    I realise I am in the minority, but I really don't need a phone/tablet etc. as I don't have any friends. Everything I need to do I can do on an air-gapped computer, and Linux is actually a real treat to use for surfing as it is a much richer experience compared to the bloat of a hi-jacked windows machine.

    People keep asking me if I have Whatsapp or wtf the latest fad is, and I say 'no, I don't have a mobile phone/tablet'. They then shuffle slowly sideways muttering excuses to get away from the weirdo. Fine. If people can't conduct business by going through channels other than these security nightmares, then they won't do business with me. Their loss.

    And I'm not a Luddite. I embrace technology. But it has all turned into 'hippy-hell' when it should have been 'hippy-heaven'. I pray that this is some kind of bubble and that it will burst. But my greatest fear is that this is the future, forever, now.

    Whatever happened to ethical hackers? The internet is going through another wild-west phase, this time far nastier and more nefarious than that which went before.

    Stop the spinning globe in the upper top corner. I want to get off.

  20. DasWezel
    Facepalm

    App Permissions

    ... Are why I spent some appreciable time on my replacement phone last night looking for a simple flashlight widget.

    No stupid fully-blown app, no ads, no stupid strobe effects, just a simple widget to toggle the camera flash LED. Preferably without claiming to be the "brightest" app too.

    Considering the LED toggle seems to be the Android equivalent of Hello World, trying to find one that wasn't full of crap was decidedly trying.

  21. Jake Maverick

    how could the 'hands' be any more sinister....? really? guessing most likely 'security services' if there's been no immediate exploitation for financial gain....

  22. Mahhn

    That's easy. Firewall logs on your home wireless connection (free firewall set up on an old PC, that everything runs through). Skip looking at the device and just sniff the traffic :)

  23. razorfishsl

    Massive YAWN here.........

    There is a multitude of helpful applications in China for mobile AND computers

    Windows Translation apps that translate to multiple languages as you mouse over, or as you type.......

    Yep, type in your user name & password and off it goes to the central server tools for a translation....

    Then we have 'QQ' as always , ever so helpful ... in providing remote access to your computer or business systems to ANYONE, just fire QQ up and give anyone a remote session.

    oh... and watch those babies SPAM adverts all over your system, maybe 30GB of bandwidth per 150 users a DAY!!!!!

Biting the hand that feeds IT © 1998–2019