Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Security biz Pentest is sounding alarms after it found an Android app it says has been downloaded 50 million times despite being "little more than malware." UK-based Pentest said a whitepaper study [PDF] of the popular Flash Keyboard found that the Android app is "abusing" OS permissions, inserting potentially malicious ads, …

  1. This post has been deleted by its author

    1. asdf Silver badge

      Re: F-Droid only if you can

      Ok I got the hint nobody wants to hear about how much better an "insecure" software source like F-Droid (which has never had malware) is.

      1. Anonymous Coward

        Re: F-Droid only if you can

        "why does it phone home to China?"

        I think I prefer that to phoning home to Google...

        1. oneeye

          Re: F-Droid only if you can

          Phoning home to China leaves your phone open to being completely taken over. Any connections that cross the "Great Firewall" can be intercepted. Google is not going to install malware or sling ads on your lockscreen. This keyboard app is still in playstore, and one of the multitude of permissions is, "download files without notice". Helloooow? Does that alone not bother you? Perhaps it would be best if you did a little homework before embarrassing yourself.

    2. bazza Silver badge

      Re: F-Droid only if you can

      Just for sake of debate, is this actually any worse than what Google themselves snaffle? Probably not.

      1. asdf Silver badge

        Re: F-Droid only if you can

        Well requiring an open source code repository for all apps discourages the Asian scammers up front plus the apps are free. The drawback is of course a much more limited selection of fart apps (and admittedly other apps as well). To be honest a teen girl social butterfly couldn't probably get by with just F-Droid but it's perfect for a back up out of warranty after market rom phone on which you don't want to have any sign on accounts.

        1. Sorry that handle is already taken. Silver badge

          Re: F-Droid only if you can

          Well requiring an open source code repository for all apps discourages the Asian scammers

          But does it discourage the Russian scammers?

          1. asdf Silver badge

            Re: F-Droid only if you can

            So far at least the answer is yes. How much of that is it's not worth hacking a much smaller IT nerd centric repository where it's tougher to hide shenanigans versus the much juicier Play store target it's hard to say.

      2. King Jack Silver badge
        FAIL

        Re: F-Droid only if you can

        @ bazza

        Please can we stop using that stupid argument to justify things. Something is NOT fine because somebody else is doing it.

        1. bazza Silver badge

          Re: F-Droid only if you can

          @King Jack,

          @ bazza Please can we stop using that stupid argument

          Ooo, touchy! Been stung by some Android malware recently?

          As you blatantly ignored my innocent call for debate on my question, I'll kick it off.

          So what's worse? An app whose permissions are blatantly and clearly more acquisitive than necessary?

          Or Google's lengthy EULA which grants them far more rights, yet goes unread by and largely unexplained to end users?

          Google are fundamentally no more or less trustworthy than any other US company. Arguably they're less trustworthy than a European company who operate in a much stronger data protection legal environment. Google operate in a data protection legal vacuum by comparison.

          But they're just another company, and one who are on a mission to get more of your private data so as to screw more advertising revenue from that market. So far they have managed to be far more successful at it than most others so far.

          Granting them special access to one's private data is fine if that's what one wants. But having done that it's inconsistent to then whinge about an app that quite openly and clearly (by means of its permissions) tries to do the same thing but on a more limited basis. Especially as it can be avoided entirely, simply by not installing it.

          Sure, an app such as this keyboard seems particularly slimy (but then so is Google's EULA), and it is kinda crazy to install it. But millions of installers seem not too worried about the permissions that were put before their very eyes.

          Difficult Challenge For Google

          It might be that this kind of thing gets installed because people don't care, which in turn may be because they don't put anything they really care about on their phones.

          Yet Google wants them to trust their entire lives to their mobile (so they can extract advertising cues from it). However if people are deliberately withholding data from them that's going to limit how much Google can grow their business.

          And then there'll always be those people who find the whole Google-sees-everything nature of Android utterly repulsive. And given Apple's success, you have to conclude that there's a monied majority (majority as in Apple have made more money than Google) who'd rather not join Google's club. And then you get the BB10 users such as myself...

      3. Uffish

        Re: Google already snaffles stuff

        I've got a new app for you, you'll love it; it doesn't take much more than Google takes but it sends it all to me.

        1. Anonymous Coward

          Re: Google already snaffles stuff

          "I've got a new app for you, you'll love it; it doesn't take much more than Google takes but it sends it all to me."

          If in return it blocks stuff going to Google so that they can't target adverts at everything I do, great - you have deal...

  2. hellwig Silver badge

    No.... ok, Betteridge's law of headlines does not apply here apparently.

    I'm sure the publisher will claim ignorance. "oops, we had those things on for testing and forgot to disable them".

    The bigger question is, why would anyone use a keyboard app that requested those permissions? User education is the only way to keep users safe. Otherwise, we'll all be playing in an empty sandbox wearing safety helmets and drinking out of sippie cups, because, you know, we don't want poor Johnny to feel left out of group activities.

    Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc... Don't be Johnny!

    1. asdf Silver badge

      >The bigger question is, why would anyone use a keyboard app that requested those permissions?

      Um because Grandma isn't an expert on app permissions which is another reason why Apple can charge the premium they do. They do a better job sippy cup or not of protecting users from their own ignorance.

      1. jzl

        Not only is Grandma not an expert on app permissions, Grandma most likely hasn't even heard of app permissions.

        1. kwhitefoot

          And even if she has she doesn't have any way of not giving the permission other than not installing the app. I have a lot of apps that require more privileges than I like to give but I can't revoke them. For instance Kitchen Timer needs rwd access to my SD card and a Latin English dictionary demands the right to read phone status (it's on a tablet without phone capability and still works so it plainly isn't a necessity).

    2. zaax

      That's Facebook then. Why Facebook needs so many permissions...

    3. Anonymous Coward

      Totally agree.

      That's why I always use a USB keyboard with my smartphone. Along with taping over both front and rear cameras, filling the mic with bluetack, turning off location settings and disabling the network.

      1. Dadmin

        Where was your USB or bluetooth keyboard made? Is it China? Now, what would you do if there was malware built into your keyboard that could secretly activate itself at random times and also gathered and forwarded your info? Do you know how to decode a USB connection stream and monitor it for this kind of weird activity? Me neither, but that's my next security project for home; what are my Chinese keyboards doing when I'm not looking? Please continue typing, people. Nothing to fear, so far.

    4. This post has been deleted by its author

    5. DropBear Silver badge
      Unhappy

      Because there is no existing app that doesn't require ALL the existing permissions; if you want to actually install anything at all, you learn quickly to sign away your first-born (and as many more offspring as requested) without even thinking twice about it. I should know - I refuse to do that but the price I continually pay for it is basically having nothing to install. "It's the integration, stupid" - every app has bloated into getting integration with all aspects of your phone, so it asks for everything...

      1. fidodogbreath Silver badge

        "It's the integration, stupid"

        More likely: "It's the monetization, stupid."

    6. Fatman Silver badge
      Joke

      RE: Johnny here is the moron

      <quote>Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc...</quote>

      STOP talking about executive manglement in such a derogatory manner.

      </snark>

  3. Sebastian A
    Stop

    Almost every app I consider for installation

    demands access rights far exceeding what I consider reasonable for the job it's doing.

    I sometimes think that only a small fraction of users even review the permissions, and fewer even decide against installing based on that.

    I have no idea why Google yanked the Permission Manager functionality. Is it to suck up to developers who'd otherwise have to structure reasonable requests for access? Not like they're endangering their entire ecosystem by alienating a few devs who just request full access to phone/text/location for a simple flashlight app. They are however endangering their user base by allowing that bullshit to continue.

    1. Adam 1 Silver badge

      Re: Almost every app I consider for installation

      Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)

      * admittedly that's Google's version of any, meaning it can still do network etc.

      1. Adam Azarchs

        Re: Almost every app I consider for installation

        With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.

        As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.

        Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.

        1. Barry Rueger Silver badge

          Re: Almost every app I consider for installation

          "most users don't care about permissions and privacy settings"

          I'm not sure that's true, or fair to most users.

          I think that most of us, to one degree or another, have just surrendered.

          A few decades ago people remarked on the page of dense fine print on the back of a car rental contract.

          Everyone knew it was absurd, and everyone accepted that no-one ever read it, but it was part of the deal, so you just signed.

          What's changed is that literally everything you do on-line forces you to "sign" a long, dense, and unread contract, and with apps, accept a more or less random demand for permissions.

          People just don't have hours each day to read these things.

          Even if they did, the fact remains that if you need a service like FedEx, Netflix, or any of hundreds of government sites, you have NO choice in the matter: accept the contract conditions.

          Heck, even my entirely open source computer makes me click to accept the various licences.

          1. DougS Silver badge

            Re: Almost every app I consider for installation

            I don't buy the "users have just surrendered". That may be true of Reg readers, but the average Android or iOS user doesn't really have a clue what it means when they are asked for permission to use location information. They'll just agree if asked, just like they will agree every time Windows 7 asks for permission to do something that needs admin rights, etc.

            The thing in Apple's favor is that since this sort of permission has been required forever, app writers know they can't get away with requesting ridiculous permissions, like wanting access to contacts or photos for an app which has no earthly reason for wanting it. The average user might not know why that's a bad idea, but the ones who do give one star ratings that kill it in the app store.

            Eventually the same might be true for Android, the problem is it will take many years until app writers are forced to change their ways because there will be hundreds of millions of people on Android 4.x and 5.x for years and years now. Another problem is that many Android apps simply break if a permission is denied, because they haven't been updated to expect the possibility of a permission being refused since that's so new. But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!

            1. Anonymous Coward

              Re: Almost every app I consider for installation

              @ Doug S

              Quote: "But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!".

              Not really Google's fault (apart from them caving to pressure), they wanted to have proper permissions management in Android from day one, but developers (of the services they were trying to attract, like FB etc) didn't want to play ball, and refused to write apps for the then new Android platform if the users could just switch on/off permissions as they (the user) wanted.

              So initial Android came with the horrible 'all in advance' model.

              Android is big enough now (by far) to force through what Google originally wanted, and I think with all the various issues the existing process has, I don't think anybody else (FB etc) can really object in any way without making themselves look like the issue (which of course is exactly what they were/are anyway!).

            2. fidodogbreath Silver badge
              Holmes

              Re: Almost every app I consider for installation

              But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!

              Because Android is, and always has been, a user-tracking and ad-delivery system. Which should surprise exactly no one, since Google is, and always has been, a user-tracking and ad-delivery company.

              Oh, and don't discount that 'innocuous' network permission as a tracking tool. Since GPS creeps people out, many, many apps now request "View WiFi connections" instead. That returns a list (with signal strength) of all APs within range of the phone. They can cross-correlate that info to a database of AP locations, which in turn will geo-locate the device almost as precisely as GPS (at least in urban areas).

        2. fuzzie

          Re: Almost every app I consider for installation

          Now if only the permissions model was narrow enough. As I understand, and admittedly I'm not an Android developer, required permissions are auto-determined at build time by looking at the dependencies of a project. Given the interconnectedness of services and APIs, you easily end up requiring silly permissions, because some little corner of a library somewhere might need it in specific circumstances...which, of course, may well be totally irrelevant to your app.

          My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated.

          1. Anonymous Coward

            Re: Almost every app I consider for installation

            " a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."

            That would be good wouldn't it, as would various other possible improvements.

            I seem to remember something like that in later versions of Symbian, but it was a long time ago so I could be wrong.

            Oh well, stuff's progressed since then. Not sure which way though.

          2. Daniel 18

            Re: Almost every app I consider for installation

            "My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."

            --------------

            Unfortunately, this becomes less and less useful as malware migrates, and all you see is some anonymous commodity cloud server in the url.

            1. oneeye

              Re: Almost every app I consider for installation

              Hi,

              You might go have a look at no-root firewall apps in playstore. There are many to choose from now, and Lostnet has a geo blocking function. You can fire up these when using apps that are suspect. Or run it all the time.

              Now, for those who don't think it's a big deal about this keyboard app, then I suggest looking at how few permissions other well known keyboard apps ask for. Almost all are about half the amount.
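The comparison suggested in the comment above (a keyboard's permission list against what other keyboards ask for) can be scripted. This is an added example, not part of the thread: it parses `aapt dump permissions`-style text, and the package names, sample dumps and the baseline of permissions a keyboard can justify are constructed assumptions.

```python
import re

# Assumption (not from the thread): permissions a plain on-screen keyboard
# can justify. Adjust to your own policy.
KEYBOARD_BASELINE = {
    "android.permission.VIBRATE",
    "android.permission.READ_USER_DICTIONARY",
    "android.permission.WRITE_USER_DICTIONARY",
}

INTERNET = "android.permission.INTERNET"

# Permissions raised in the article and comments, with the reason they matter.
CONCERNS = {
    "android.permission.CAMERA": "camera access",
    "android.permission.READ_LOGS": "reads system log files",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "downloads files without notice",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.READ_PHONE_STATE": "reads phone status",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_WIFI_STATE": "lists Wi-Fi APs (usable for geolocation)",
    INTERNET: "network access (lets collected data leave the device)",
}

# Accept both "uses-permission: name='x'" and the older "uses-permission: x".
_PKG_RE = re.compile(r"^\s*package:\s*(?:name=)?'?([\w.]+)'?", re.M)
_PERM_RE = re.compile(r"^\s*uses-permission:\s*(?:name=)?'?([\w.]+)'?", re.M)


def parse_dump(dump):
    """Return (package, set_of_permissions) from aapt-style text."""
    match = _PKG_RE.search(dump)
    package = match.group(1) if match else "<unknown>"
    return package, set(_PERM_RE.findall(dump))


def audit(dump, baseline=KEYBOARD_BASELINE):
    """Report permissions beyond the baseline and whether data can leave."""
    package, perms = parse_dump(dump)
    excess = sorted(perms - baseline)
    flagged = {p: CONCERNS[p] for p in excess if p in CONCERNS}
    # A sensitive permission is only half the story: combined with INTERNET,
    # whatever it reads can be sent off the device.
    sensitive = [p for p in flagged if p != INTERNET]
    return {
        "package": package,
        "excess": excess,
        "flagged": flagged,
        "can_exfiltrate": INTERNET in perms and bool(sensitive),
    }


def rank(dumps, baseline=KEYBOARD_BASELINE):
    """Audit several apps and list the most over-permissioned first."""
    reports = [audit(d, baseline) for d in dumps]
    return sorted(reports, key=lambda r: (-len(r["excess"]), r["package"]))


# Constructed sample input (hypothetical apps, not real aapt output).
SAMPLE_GREEDY = """\
package: name='com.example.flashykeys'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_LOGS'
uses-permission: name='android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
"""

SAMPLE_PLAIN = """\
package: com.example.plainkeys
uses-permission: android.permission.VIBRATE
uses-permission: android.permission.READ_USER_DICTIONARY
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    for report in rank([SAMPLE_PLAIN, SAMPLE_GREEDY]):
        print(report["package"], "excess:", len(report["excess"]),
              "can exfiltrate:", report["can_exfiltrate"])
        for perm, why in report["flagged"].items():
            print("   ", perm, "-", why)
```
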

    2. asdf Silver badge

      Re: Almost every app I consider for installation

      Cyanogenmod Privacy Guard is great for this purpose but alas after market rom.

    3. oiseau

      Re: Almost every app I consider for installation

      I once had one of these smartphone things and was appalled to see what practically anything I downloaded to install pretended to access on it. Phone records, camera, log files, etc.

      So I got rid of it.

      As I see it, the truth of the matter is that a *very* small fraction of users even *know* about permissions and fewer *have the knowledge* to act upon them.

      Even fewer decide against installing based on the permissions these freeware malware impose.

  4. This post has been deleted by its author

    1. Anonymous Coward

      Re: Suggestion for stories like this...

      Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment. It will probably end up being the last model either makes and much like the Kin you can probably ebay it in several years as a nerd joke gift for a good amount of cash. A lack of scarcity in the wild certainly won't be an issue considering both's unit numbers are now down pretty much to what they give away to employees.

      1. Unicornpiss Silver badge
        Meh

        The real solution..

        Is to pay attention to the permissions being requested by what you're installing, and the reputation and reviews of the publisher, but the same type of people that would get suspicious that someone asked for their house key and social security number on a first date can't be bothered to pay attention to what they're doing on their phone, tablet, etc. Maybe it's because our brains are wired by evolution to not think that something as innocuous as a feather touch on a phone display can set in motion an immense chain of events and repercussions. Of course anyone that has drunk texted their friends or lovers has likely come to understand this in the light of day.

        There is a great deal of freedom and flexibility with the Android platform, but you do have to consider the decisions you make, and a decent freeware AV isn't a terrible idea either. Some people may be better off in the walled garden, at least until more security is built in by default.

        1. Fatman Silver badge

          Re: The real solution..

          <quote>Of course anyone that has drunk texted their friends or lovers has likely come to understand this regret it in the light of day.</quote>

          FTFY

      2. Timbo

        Re: Suggestion for stories like this...

        "Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment."

        I did something like that once - I bought an Apple Newton.

        Trouble is: I don't know how much of a return I'll get on it now. Probably about -100% ;-(

    2. DougS Silver badge

      Re: Suggestion for stories like this...

      And silly AC is ignoring that many Android users paid a fat wad for devices they can't expand with SD memory and have no removable battery. Or was the Galaxy S6 just a figment of my imagination? And it wasn't the only one.

      What people like you ignore is that not everyone cares about those features as much as you do. I remember in the early days of Android when one of the touted features that Apple was missing was an FM radio. Many Android phones still include that feature, and Apple still doesn't, but I have yet to ever personally meet ANYONE who uses their phone to listen to FM radio. Sure, if you want an FM radio or SD card or removable battery Android is your only choice. But don't act like these are features that everyone wants. I'd prefer not to have my performance go in the toilet since the SD interface sucks so bad compared to properly designed internal storage, thanks.

      1. Unicornpiss Silver badge

        Re: Suggestion for stories like this...

        I have used the FM radio before, though sparingly. I wouldn't call it a deal breaker by any means if it isn't there, though it seems silly to not have an app to use it if the feature is already on a chip in the phone. I would miss my IR remote though. If you buy a decent quality SD card, performance is fine. If you buy the cheapest one you can find, it won't be. A removable battery is nice, but the deal breaker for me is if the device doesn't have an SD card slot. I like storing my media on an SD card. You can preach all you want about cloud backups, but if something happens to my phone, I can just pull the card and there's my stuff, or swap the card into my next phone like a SIM, and again, there's all my stuff.

        Though even if there was no card slot, I would still prefer an Android device personally. I just like the flexibility and the UI better. I've never cared for Apple's UI design on their phones. And I don't have to use the frustrationware that is iTunes.

      2. Anonymous Coward

        Re: Suggestion for stories like this...

        "or SD card or removable battery Android is your only choice"

        Or you can buy a Windows Phone. My Lumia 640 has both.

        But back to Apps (and obviously being a WP user I'm hardly qualified to talk about those as there are so few on WP ;)). It seems to me that no one cares about the origin of apps, who the authors are or anything. On a Linux PC, if I was installing something, I'd be checking out the website or open source repositories or professional reviews. It seems nobody cares that the authors are unknown and can't be contacted. It seems that average joe (or janet) user just thinks apps are created in the ether somewhere by pixies and can be installed without a care. No wonder things often end badly.

  5. Anonymous Coward

    No worries, its not like Android has a huge share of the phone market....

    * Oh wait 80%? Ouch! I wonder how many shoppers even realize that Google is behind Android, or that M$ makes serious $ from it too. But what's the alternative? That, or post a pile of money to Apple...

    * How many consumers are aware that the Play Store is full of this sh1t? If I didn't follow these articles, I could have easily assumed, that Google would never be dumb enough to let this happen.

    * Do we see any warnings in the mass media? No, it's just glorified plugging of the Play store all day long, and how neat this app is, or this other one.

    * It's all very well to talk about educating users. But who's going to do it, the government? F@ck that! There needs to be accountability and responsibility here. Google should be fined megabucks for letting these apps slip through. Blaming users is just so unjust....

    * It's also increasingly tricky to find a real-world store that offers a non-Android dumb phone from a few years ago. There just isn't choice anymore. It's the same with Smart TV's. No basic models around anymore.

    * Many flavors of Android phone sold across the world (outside EU/US), come with tracking enabled out of the store with invasive apps already installed. WTF??? Vendors should be lined up and shot for this...

    1. DougS Silver badge

      Re: No worries, its not like Android has a huge share of the phone market....

      What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time. Until there is some Android malware that causes real consequences for a lot of users the problem will be ignored. Look how many years Windows malware (and DOS malware before it) was around before it really got the kind of attention required for Microsoft to do something about it. It wasn't until stuff like Code Red, I.Love.You and so on all hit over a short period of time and caused a lot of problems that people took notice, and bad publicity forced Microsoft to act.

      The same will be true of Google (and Android OEMs who are part of the problem as far as not updating Android). Until it becomes a big problem, they will mostly ignore it because it isn't hurting them financially. I'm not sure why you think Google should be "fined megabucks" because of apps in the Play Store. Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?

      1. Anonymous Coward

        "I see stories about Android malware in places like Cnet all the time"

        Good for you! But it's warnings to the masses I'm talking about. Not sites you and I read. We don't need to read every warning anyway as our defences are already up. It's the average person in the street who needs this info, and urgently... In fact the most ignorant of all, are the staff working in stores selling this stuff. Talk about clueless...

      2. Voyna i Mor Silver badge

        Re: No worries, its not like Android has a huge share of the phone market....

        "I see stories about Android malware in places like Cnet all the time. "

        For mass media, think Facebook and the Daily Mail website. And to my mind, both of those are malware.

      3. Someone Else Silver badge
        Thumb Down

        @ DougS -- Re: No worries, its not like Android has a huge share of the phone market....

        Boy talk about red herrings!

        What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time.

        Uhh, Dougie...for the record Cnet != Mass Media. Call me back when NBC does an in-depth story in the Nightly News, or this becomes a story on 60 Minutes.

        Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?

        The mind just boggles at the density of that remark.

    2. Chris 125

      Re: No worries, its not like Android has a huge share of the phone market....

      Wow, so you're upset that people are backing Google and Microsoft by buying Android, but then note that the alternative to giving them money is to give Apple money. You know that's how business works right? You give people money for a product or service, and the ones with the most successful product or service get more money.

      I don't think there's any confusion that Google are behind Android, I also don't believe most phone buyers give a crap. They probably don't even buy a phone - they get it free on contract, and the network handles the payment for the phone. So as far as they can see, they've paid Google/Microsoft/Apple absolutely nothing.

      The Google Play Store is also not "full of this shit". It's got some malicious apps, the majority are not.

  6. Paratrooping Parrot
    Boffin

    Permissions

    I had deleted many Android software because they had permission creep. They had a few permissions, and then added more. Another set of software that I refused to update was a calculator that seemed to need access to the phone. It used to be excellent until they decided to team up with a phone answering company that basically hijacks your phone when it rings.

    I have increasingly had to delete software. Probably one of the most useful software I have installed on my Android mobile is No Root Firewall. It has stopped me from getting adverts for many installed software. :)

  7. Mike Flugennock
    Facepalm

    Why have 50 million people downloaded it?

    Uhhmm... because you can't fix stupid?

    1. wolfetone Silver badge

      Re: Why have 50 million people downloaded it?

      "Uhhmm... because you can't fix stupid?"

      Is that not what the Darwin awards are for?

      1. Steve the Cynic Silver badge

        Re: Why have 50 million people downloaded it?

        "Is that not what the Darwin awards are for?"

        They are only for *fatal* stupid. And even they don't *fix* stupid.

        Side note: Many of the incidents that lead to people being shortlisted for the Darwin Awards are linked to an apparently innocuous molecule sometimes called methylcarbinol.

        You or I know it by its full "scientific" (i.e. IUPAC systematic) name, ethanol. A distressingly large fraction of DA winners (and even runners-up and mere Honourable Mentions) were drunk to a lesser or, more frequently, greater extent.

  8. Christian Berger Silver badge

    That's yet another point caused by needless complexity

    Android has a "security system" limiting access rights for applications, but in reality that's useless as people just install stuff anyhow.

    Instead of useless security measures we should have mandatory code reviews. In the case of a "keyboard app" that shouldn't even be difficult, as such an app surely has less than a screen full of code.

    Since the distinction between good and bad is often a question of opinion, we need multiple sources providing code reviews. Ideally we'd even have a whole dialogue about code and code patches. For this to happen code needs to be much simpler and therefore better written than what we currently have.

    1. DougS Silver badge

      Re: That's yet another point caused by needless complexity

      So you want Google to wall up their garden with higher walls than Apple? Even Apple doesn't require submission of source code, which is what it sounds like you're suggesting. I'm sure app writers will be totally comfortable giving up their source code to Google, one of the world's largest software companies...

      1. P. Lee Silver badge

        Re: That's yet another point caused by needless complexity

        >So you want Google to wall up their garden with higher walls than Apple?

        I think what might be desirable to el reg's audience are FLOSS repos for android.

        You can keep your trivia apps, I just want vlc or mplayer, amarok firefox, kmail etc on a phone.

        I trust those guys more than I trust google.

        Alternatively a system of shims between apps and resources: a GPS fuzzer/usage verifier, a camera/mic use verifier, a contact data filter.

        1. Ken Hagan Gold badge

          Re: That's yet another point caused by needless complexity

          "You can keep your trivia apps, I just want vlc or mplayer, amarok firefox, kmail etc on a phone. I trust those guys more than I trust google."

          That would be Ubuntu Phone then. I haven't used any version of x-buntu for a few years now, because I think there are better distros for just about any given purpose, but I'd trust their phone offering well ahead of anything else I've seen on the market.

          Then again, perhaps running UP and sticking to the official repos is about as limiting and no safer than running Android and sticking to the Google-branded apps. In both cases you are intentionally cutting yourself off from all the third parties simply because you can't tell which ones are trustworthy.

        2. Gene Cash Silver badge

          Re: That's yet another point caused by needless complexity

          > I think what might be desirable to el reg's audience are FLOSS repos for android.

          You mean like F-Droid?

          1. DropBear Silver badge

            Re: That's yet another point caused by needless complexity

            "You mean like F-Droid?"

            Yup. And if you're missing the pretty pictures to see what the app looks like at a glance (which F-droid apparently considers too plebeian a thing to do) there's always a chance its more handsome mirror Flossdroid can help...

        3. kwhitefoot

          Re: That's yet another point caused by needless complexity

          VLC is in the play store.

      2. Christian Berger Silver badge

        Re: That's yet another point caused by needless complexity

        What I want is a place where I can get some information on if someone looked at the code, or at least some information on the license of it. F-droid for example only accepts software where the source code is public... and they even warn you about software you might consider malware.

        The big point is that _I_ need to be in control of _my_ hardware, not some company, not some app-store, but me. And this is currently impossible as Android is far too complex.

  9. smartypants

    Complicated permissions system + humans != security

    In just the same way that ordinary people (my mum, billionaire leaders of tech services, IT professionals included) don't or can't have a personal password policy which ensures security, the same people when faced with a multitude of questions when installing something will just press 'ok'.

    It's precisely the same thing that goes on when we click the "I have read the terms and conditions".

    Each time some failure of security results, there's lots of helpful advice on these threads about what people should do.

    But they're as likely to do it as the pope is likely to convert to islam. So it does beg the question why we keep on building a tech world which doesn't work well with the way humans actually are, rather than some mythical alternative where we study password policy 8 hours a night and read all the legal small-print before ticking a box.

    1. harmjschoonhoven

      Re: Complicated permissions system + humans != security

      "But they're as likely to do it as the pope is likely to convert to islam."

      Pope Sylvester II came close to that after his visit to Córdoba.

      1. Marshalltown

        Re: Complicated permissions system + humans != security

        "Close," as the saying goes, "only counts in Horseshoes and hand grenades."

  10. Mystic Megabyte Silver badge
    Stop

    Anybody here installed Firefox?

    I backed out of installing Firefox when it asked me for my grandma's maiden name (slight exaggeration). Seriously, I thought that I had been hacked and shut down the phone.

    1. AlexV
      Go

      Re: Anybody here installed Firefox?

      Yes, it's a good browser. Plus, add-ons, which is even better. I would think it would require all those permissions to provide the web APIs to allow access to them. Firefox itself probably doesn't care about your GPS location (for example), but provides it as an API so that web pages like mapping services can access it. People like having web pages that run like apps. Almost as much as they like apps that run like web pages. Firefox would always ask you before granting permission for any site to use those APIs.

    2. oneeye

      Re: Anybody here installed Firefox?

      Firefox is a fabulous browser! Once you learn how to add some add-ons to harden it, that makes it a whole lot safer than many others. I use (ublock origin) ad blocker, (Self Destructing Cookies), (Https everywhere), a (restart button) and from settings, a (Quit button). So much customization can be done with Firefox Android. Take the time to learn how to use it, you won't be sorry. And finally, one of my favorite features, it loads tabs in the background, like when I'm in my gmail app, I click links and they don't open the browser automatically. They are directed to the browser so when I finally open it, they are all there waiting on me. This is enabled in the settings. And it works for any link, clicked in any other apps.

  11. paulc

    still there in Google Play...

    doesn't appear to have been taken down at all

  12. jzl

    Obvious really

    Never trust software with "Flash" in the title.

  13. ukgnome Silver badge

    And meanwhile......

    Does this apple taste sweeter to you?

  14. Alumoi
    WTF?

    Keyboard app

    I can understand wanting to get rid of the sammy or google keyboard, but why look further than Hacker's keyboard?

    1. Anonymous Coward
      Anonymous Coward

      Re: Keyboard app

      And how well known is Hacker's keyboard compared to Flash Keyboard?

      A quick look on the play store, and there seems to be various Hacker's keyboards, none of them very popular (by number of downloads).

      Search generically on the store for 'keyboards', and the first Hacker's keyboard entry is at least 5 pages down the screen, (with the Flash one being about 2 screens down). So not something your average user is going to stumble on.

      Not saying it's not a good keyboard, just how are people not going to 'look further than Hacker's keyboard?' if hardly anyone seems to have heard of it or be using it in the first place?

      1. Alumoi

        Re: Keyboard app

        Here you go:

        https://f-droid.org/repository/browse/?fdfilter=keyboard&fdid=org.pocketworkstation.pckeyboard&fdpage=2

  15. Anonymous Coward
    FAIL

    Wow I'm stunned....

    ..that this has just been noticed.

    1st hit in Google Play for search term "Torch"

    Camera

    take pictures and videos

    Other

    receive data from Internet

    change system display settings

    modify system settings

    full network access

    prevent device from sleeping

    view network connections

    control flashlight

    People just blindly accept anything.

  16. En_croute

    Most users don't know what all the warning lights on their car dash mean, let alone a permissions statement/request from an Android OS/App.

    1. Brenda McViking
      Joke

      My car lit up a little light and told me to "check engine"

      So I did.

      It's still there, under the bonnet. Silly car.

  17. ATeal

    Two things

    1) When I first got my first ever Android phone, the HTC Desire HD, looking at angry-bird's permission list saddened me, and made me look for firewalling, behold droid wall!

    2) Recently Google changed their keyboard AND THE F*CKING LAYOUT, surely keyboard layout is sacred! But no they changed it, the new one also had some fun new permissions. I installed it and now prevent it from updating. I thought this was about that!

  18. Rimpel

    Gmail requires microphone permission

    slightly OT... On my phone I recently denied all apps access to the Microphone (running Cyanogen OS). Viewing mail in the gmail app works as normal but while composing a msg I get the following message every 30s or so:

    "This app won't work propertly unless you allow Google Play services' request to access the following: - Microphone. To continue, open settings, then Permissions and allow all listed items. [Cancel] [Open Settings]"

    wtf??

    1. David Nash Silver badge

      Re: Gmail requires microphone permission

      "wtf??"

      My guess is that it's so you can compose an email by dictating it to the phone.

      I never would but some might want to.

      1. oneeye

        Re: Gmail requires microphone permission

        Almost all keyboards have the mic icon to do just that, dictation. It works great too! So this permission is required, but in MM 6.0 you could disable this permission.

  19. viscount

    "Pentest estimates that the app has been installed on more devices than WhatsApp"

    Surely not?

    1. Boothy
      Coat

      I keep getting messages that are apparently from WhatsApp telling me I have deferred messages waiting for me to read.

      One of these days I must get round to signing up for an account to see what they are about!

  20. FuzzyWuzzys Silver badge
    Facepalm

    Oh come on!!

    Get the rights you might like up front, then you don't have to ask to be "upgraded" to better privs later on!

    If you work in backroom server tech circles this is the oldest developer trick in the book and usually the first trick you learn to say no to when you first start in backroom tech!

  21. Sorry, you cannot reuse an old handle.

    Why is calling China dodgy

    The developer is based in Hong Kong (see website) so I'd say that it's not too far a stretch to "call" China for some server-based analytics.

    What I would actually find strange is for such an app to "call" the USA or the Netherlands instead!

  22. This post has been deleted by its author

  23. john devoy

    what a crock

    What do they mean they don't think it's intentional? Do they think pixies changed the code while the devs were sleeping, of course it's all intentional. What they mean is it's blatant malware stealing data but they don't want to offend the Chinese.

  24. A Ghost
    Unhappy

    I was given an Android phone

    It's supposed to be a good one. I had it demoed for me and it certainly has some nice features.

    It's still in the drawer. I won't be using it.

    Reason?

    Crap like this.

    No mobiles, no tablets, no internet enabled on any computers except for an old beater with dual boot XP/Linux. And the XP is only for testing some stuff - it won't have internet enabled by default.

    I realise I am in the minority, but I really don't need a phone/tablet etc. as I don't have any friends. Everything I need to do I can do on an air-gapped computer, and Linux is actually a real treat to use for surfing as it is a much richer experience compared to the bloat of a hi-jacked windows machine.

    People keep asking me if I have Whatsapp or wtf the latest fad is, and I say 'no, I don't have a mobile phone/tablet'. They then shuffle slowly sideways muttering excuses to get away from the weirdo. Fine. If people can't conduct business by going through channels other than these security nightmares, then they won't do business with me. Their loss.

    And I'm not a Luddite. I embrace technology. But it has all turned into 'hippy-hell' when it should have been 'hippy-heaven'. I pray that this is some kind of bubble and that it will burst. But my greatest fear is that this is the future, forever, now.

    Whatever happened to ethical hackers? The internet is going through another wild-west phase, this time far nastier and more nefarious than that which went before.

    Stop the spinning globe in the upper top corner. I want to get off.

  25. DasWezel
    Facepalm

    App Permissions

    ... Are why I spent some appreciable time on my replacement phone last night looking for a simple flashlight widget.

    No stupid fully-blown app, no ads, no stupid strobe effects, just a simple widget to toggle the camera flash LED. Preferably without claiming to be the "brightest" app too.

    Considering the LED toggle seems to be the Android equivalent of Hello World, trying to find one that wasn't full of crap was decidedly trying.

  26. Jake Maverick

    how could the 'hands' be anymore sinister....? really? guessing most likely 'security services' if there's been no immediate exploitation for financial gain....

  27. Mahhn

    That's easy. Firewall logs on your home wireless connection (free firewall set up on an old PC, that everything runs through). Skip looking at the device and just sniff the traffic :)

  28. razorfishsl

    Massive YAWN here.........

    There is a multitude of helpful applications in China for mobile AND computers

    Windows Translation apps that translate to multiple languages as you mouse over, or as you type.......

    Yep type in your user name & password and off it goes to the central server tools for a translation....

    Then we have 'QQ' as always , ever so helpful ... in providing remote access to your computer or business systems to ANYONE, just fire QQ up and give anyone a remote session.

    oh... and watch those babies SPAM adverts all over your system, maybe 30GB of bandwidth per 150 users a DAY!!!!!
