'Suspicious' Android wallpaper app nabs user data

An Android wallpaper application that collected data from users' phones and uploaded it to a site in China was downloaded "millions of times", according to mobile security firm Lookout. Kevin MaHaffey, chief technology officer at Lookout, used Jackeey Wallpaper as an example of the wider risk faced by smartphone users during a …

COMMENTS

  1. J 3
    Pirate

    Can anyone say...

    ...proof of concept?

    Anyway, that's another good reason for me to keep my phone dumb.

    1. Anonymous Coward
      WTF?

      Or you can read the warning and decide....

      If you ever need to install useless applications, why would you carry on installing after noticing the privileges required?

      I understand that ease of use is important but taking clueless beings as the lowest common denominator is certainly not the way to go forward. A little bit of common sense and responsibility should be required instead of policing the marketplace.

      1. Adam 10

        Privilege system needs improvement

        I have a Desire, and one of the things that struck me when I first installed an App was that the "this app needs access to the following" page was a good idea. This was followed a few seconds later by the thought "Why does this app need access to this? And that? And that thing?"

        There should be at least an option to have checkboxes next to each item so you can say something like "Yes, I don't mind this using my GPS, Yes it can use wi-fi but No, I don't want it using mobile data.". I wonder how much data is consumed by apps that really don't need to download or upload data, but do because that is what the developer decided it should do (for whatever reason).

        The other thing Android needs is an in-built task killer - multitasking is great but many human users feel uneasy with anything they can't "switch off" on request.

      2. Anonymous Coward
        Anonymous Coward

        Sorry...

        Stupidity is VERY resistant to education.

  2. Arctic fox
    Flame

    What about prior consent?

    “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

    How about they don't have any effing right to collect jacks**t without prior consent from the individual downloader?

  3. dotdavid

    Android's permissions model could be better

    While programs can say what permissions they require, there's currently to my knowledge no way that developers can say *why* they need those permissions.

    A lot of apps require a network connection for adverts. If there was an "advertisement API" that programs could use which had those permissions, implementable by third party ad networks, then a lot of programs would no longer require that permission and you could be more confident that your stuff isn't leaking onto the interwebs....

    1. Anonymous Coward
      Anonymous Coward

      Yes/No/Maybe

      The 'Advertisement' permission is a good idea, but it would require that Android ships with each advertiser's APIs, or that I install them manually, automatically making it fail because I'm not going to do that.

      I think tick-boxes are the way to go for each permission. The Internet permission could have a 3rd option: enable, disable, prompt, whereby it prompts, with the requested hostname, IP address and reverse lookup of that IP address. You then confirm that you want to allow that connection, just once, or permanently.

      That could get extremely ugly for a 'user experience' perspective though.

  4. Wang N Staines

    Stay Away From Android!

    If there is no control and vetting of apps then stay away from the platform.

    I'm sticking to the walled garden, at least I'm protected from 3rd party collection/hacking.

    1. Ian 70

      Or of course

      You could just pay attention to what you are installing.

      Would you seriously install a wallpaper application downloaded from the internet on a desktop machine?

    2. Chris Walton
      WTF?

      @wang N Staines

      "If there is no control and vetting of apps then stay away from the platform."

      You mean like Windows, Linux, Mac and pretty much every platform going?

      Google and Apple do vet the apps that appear on their market places but there will always be a chance something nasty slips through. Unlike Apple, Android gives a warning when installing every app about what it is allowed to access.

      Of course I'm forgetting that Steve Jobs is actually the second coming of Jesus and can fix an iphone 4's reception with just a touch of his hand...

      1. bluesxman
        Flame

        RE: Steve Jobs [...] can fix an iphone 4's reception with just a touch of his hand..

        I'm pretty sure touching it with your hand is what fucks it up in the first place...

      2. ThomH

        @Chris Walton

        iPhone apps have to ask the user for permission (either explicitly or implicitly) to access various things at runtime. It's not accurate to say that no warning is presented to iPhone users.

        Applications that try to access the location get a pop-up box saying "This application is trying to access location services" and then it's up to the user to allow or deny it. If you allow it, you grant permission for all future launches. But the more common approach is that taken to sending an email or getting contact details from the address book — the only mechanism to get at those details is to use a supplied Apple dialogue. To get a contact, for example, you have to ask the OS to request that the user pick a contact, the user picks one using the standard interface, the program gets the name of that single contact back. So the user still knows exactly what's going on and grants permission.

        I think there was one occasion where somebody figured out how to get the user's phone number on the iPhone using some sort of API quirk. That was a mistake on Apple's part and has been fixed. The usual prohibitions on illegal APIs act as the rest of the barrier.

        That all being said, these are the main points I take from the story:

        – a wallpaper app can get 3 million downloads on Android; and

        – Android is doing so well that people are starting to care about malware for it.

        I care less every day about Apple versus Google (other than where one side is misrepresented).

    3. Geoff Campbell Silver badge
      FAIL

      Yeah, well....

      ....if you're not clever enough to play out in the real world, the walled garden is probably the best place for you.

      GJC

      1. Anonymous Coward
        FAIL

        As most users aren't.

        Assuming, by 'clever', you mean have an awareness of software security.

        Don't forget, most users aren't technically gifted, something that people in technical roles (particularly developers in their ivory towers) often forget.

    4. morphoyle

      lol

      No you aren't. Remember about a month ago, when Apple had to pull 3 or 4 apps after several people had suspicious charges on their itunes accounts? Apple users tend to have short memories, so you have probably forgotten already. Why didn't the guards at the gates of your walled garden catch those initially? Or the flashlight app with hidden tethering?

  5. Anonymous Coward
    FAIL

    If you sleep with dogs...

    you are going to get fleas...

    simples

    1. Anonymous Coward
      Flame

      If you get into bed with Apple...

      you are going to get royally shafted...

      simples

      1. Anonymous Coward
        Anonymous Coward

        If you sleep with pigs

        you are going to get stuffed - with an apple! Then arrested.

        simples

        1. Anonymous Coward
          Flame

          So...

          I'm not allowed to sleep with my antique Babe the Pig plush anymore?

          What is the world coming to!

      2. Anonymous Coward
        WTF?

        Sorry?

        What's this got to do with Apple, it's about an Android app problem isn't it?

        Jeez, just cos it has a big A at the beginning you Apple-haters just suddenly stop reading once you hit an upper-case A?

  6. ukdeluded
    Unhappy

    Hmm ... App Police?!

    Does this validate the Apple approach of policing the apps? If only they used their power for good!

  7. EvilGav 1

    Social engineering . . .

    . . . again.

    The apps on Android tell you what they want access to, if an app that purports to simply be wallpapers wants access to all of your contacts and the ability to use data services (to upload), why the hell would you install it?

    It's not an OS vulnerability, it's a problem with a malicious developer (potentially) and gullible users.

    1. Anonymous Coward
      Anonymous Coward

      I agree

      but it still raises a more serious question...

      Google rushed to remove a benign proof of concept app they claimed was dangerous, so why haven't they moved to remove this app that is clearly malicious (stealing personal details and uploading them to a server in China without getting explicit permission is not the actions of someone trustworthy).

      1. Anonymous Coward
        Big Brother

        Malicious?

        I would agree to 'untrustworthy'. But the behaviour is the sort of thing I'd expect from the Chinese State, and given what looks - to me anyway - like the largely successful indoctrination of its subjects, and particularly, perhaps, of those allowed to conduct business legally, I wouldn't necessarily ascribe malicious intent to this. More the distorted ethics of a brainwashed region.

        1. Anonymous Coward
          Anonymous Coward

          China

          So China is that bad is it?

          Not at all like the USA, UK, <insert country of choice here> ?

          Yeah, thought so.

          Is China really that much worse than everywhere else - or just to your brainwashed brain?

  8. Juan Inamillion
    FAIL

    Nothing to see here..

    ...move along.

  9. Platelet

    If only

    If only someone produced a malware scanning app for Android, oh wait...

  10. Cameron Colley

    Doesn't the app have to ask for permission?

    I would have thought that phone platforms would ask the user, at least the first time, whether they wanted the app to access other things on the phone? I know on my Symbian phone, for example, an FTP app has to get permission to access local files and folders.

    Doesn't Android have anything similar?

    1. Geoff Campbell Silver badge
      Happy

      @Cameron

      Yes, it does - every app install tells the user in quite plain language which permissions the application requires, and needs a positive confirmation before proceeding.

      Never overestimate the reach and power of human stupidity, however.

      GJC

    2. Fuzzysteve

      When it's installed it has to ask

      There's a list of the permissions the application is asking for, shown at install time. You either approve all of them, or none.

  11. spacca

    hmmm

    Sure this will turn into a flamewar, but this does highlight the need for a closely observed and regulated marketplace when it comes to phones. Either that or someone will invariably produce a virus and malware protection programme to run on the phones to keep the vast majority of the normal, non geeky phone using public safe from their own technological shortcomings. Android will take over the market (I don't think that there is any question of that) but the hardware will have to run security just to make using it safe. Joy.

    And, it's not like this is a minor issue, when phones are doing everything a computer does (loosely) but combine payment systems (already running in some parts of the world) and also tonnes of personal info that is in general unprotected, it's only a matter of time before the first big F'up happens. Be interesting to see who accepts the blame.

    I for one am happy with Apple's take on how to control their market, it may not be perfect (far from it) but I do feel secure.

    1. adnim

      Feeling secure

      I guess that's enough "feeling secure", and as Apple, like every other international company can be trusted implicitly we have nothing to worry about.

      Personally I don't trust any operating system that I haven't installed and locked down myself. To be honest, I don't entirely trust those that I do either, there are a lot of very clever hackers out there.

      What the Android OS needs is the smart phone equivalent of a firewall. Everything blocked from making any connection to anything unless explicitly given permission to do so. The user should also be able to log any data sent to and from the phone. If data is encrypted before transmission then the user should be able to see that data prior to encryption. Any practice that tries to bypass such features should be considered rogue.

      Yes users/consumers are still going to blindly trust applications, but developers are less likely to publish data stealing applications if it was a legal requirement that all output from those apps be open to monitoring by the user.

      1. Arctic fox
        Thumb Up

        To Spacca and adnim......

        ...Interesting and common sense. I appreciate your postings.

        Arctic Fox

  12. cynic 2
    Black Helicopters

    Dev response

    A quick grope around the Internets found this: http://www.scribd.com/doc/35072457/Jackeey-Response. It's not totally convincing -- the device info and phone number should have been hashed.
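    A practitioner's caveat on the "should have been hashed" suggestion, as an added illustration that is not code from the app, from the developer's response or from Lookout: a phone number has a tiny input space, so an unsalted hash of it is a lookup table rather than anonymisation. The phone number below is constructed for the demo, and the HMAC key stands in for a secret held only on the server.

```python
"""Hashing a phone number is not anonymisation: a defender's check.

Added illustration, not code from the wallpaper app or from Lookout.
DEMO_PHONE is a constructed number in a reserved UK drama range.
"""
import hashlib
import hmac
import secrets
from typing import Optional

DEMO_PHONE = "+441632960123"  # constructed, not a real subscriber


def plain_hash(phone: str) -> str:
    """The naive 'hash it before uploading' approach: unsalted SHA-256."""
    return hashlib.sha256(phone.encode()).hexdigest()


def recover_from_plain_hash(digest: str, known_prefix: str,
                            unknown_digits: int) -> Optional[str]:
    """Show why plain_hash() gives little protection.

    Anyone who knows the country code and area prefix only has to try
    the remaining digits; 10**unknown_digits SHA-256 calls is nothing.
    Returns the matching number, or None if no candidate matches.
    """
    for n in range(10 ** unknown_digits):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if hmac.compare_digest(plain_hash(candidate), digest):
            return candidate
    return None


def keyed_identifier(phone: str, server_key: bytes) -> str:
    """Server-side pseudonym: HMAC-SHA256 under a key that never ships in
    the app or sits next to the data. A leaked table of these cannot be
    re-enumerated without the key. The raw number still reaches the
    server, so this limits breach impact; it does not avoid collection.
    """
    return hmac.new(server_key, phone.encode(), hashlib.sha256).hexdigest()


def random_favourites_token() -> str:
    """Alternative for a 'favourites' feature: an opaque random token that
    needs no subscriber identifier at all. Trade-off: it does not survive
    a device wipe unless the user backs it up or links an account, which
    is the very case the developer's response cites for collecting the
    number.
    """
    return secrets.token_hex(16)


if __name__ == "__main__":
    digest = plain_hash(DEMO_PHONE)
    print("unsalted hash:", digest)
    print("recovered from prefix:", recover_from_plain_hash(digest, "+44163296", 4))
    print("keyed pseudonym:", keyed_identifier(DEMO_PHONE, secrets.token_bytes(32)))
    print("random token:", random_favourites_token())
```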

  13. Anonymous Coward
    FAIL

    Swings and roundabouts.

    Some people are too stupid for their own good.

    Every time you download an Android application, it shows the security policy for this application. This wallpaper application will have stated that it reads your phonebook, it reads your user information, it reads other stuff, it needs network connectivity etc etc etc...

    If they want to live in nicey nicey land, get an iPhone. However really these people shouldn't be allowed to touch ANY technology as they are clearly too stupid.

    1. Anonymous Coward
      Flame

      Usual 'dig at apple' response....*yawn*

      So you read every little EULA, disclaimer and small print that passes in front of you. Gee, what an exciting life you must lead.

      Personally, I like to get on with my life, therefore, I like certain devices and platforms to just work. Generally, Apple achieves this (new OS issues and design flaw on the 4G accepted), at the cost of certain freedoms. For my needs from a phone, this is a fair trade. On a desktop, it is not, ergo, I use a PC, not a Mac.

      Calling people 'stupid' because they don't have a technical understanding (or even a need to be such), or choose a platform that you don't like for whatever reason is the sort of thing I'd expect from the narrow minded. Surely, you aren't that, you appear to be very well read (at least with regards to security disclaimers, EULA etc etc).....

      1. DryBones
        FAIL

        Erm... no.

        Points off for the farcical comparison, by the way. A EULA is a legal form with all the length and relevance to daily life implicit in such a thing. A permissions list should be easily readable and take one screen. If they have any resemblance to each other, the coders need to be spoken to sharply.

        As Snow Crash put it, guns have come to paradise, but people are not making the mental switch yet that anytime you have something that you can put things into, some of it may be shoddy, malicious, or just utter crap. ... Wait, when did I start talking about internet postings? >_> <_< >_>

        It's perfectly possible to make a much better phish, a social networking aggregator app, for example. Pick one: 1) Walled garden. Relatively little worrying about security with the occasional slipthrough. 2) Wide open. Think about security or get burned worse than if you are. 3) Take away the ability to add functionality to a phone.

  14. Lottie

    I fail to see...

    ... Why you'd go about downloading wallpapers anyway. It's less hassle to find a pic on Google image search, save to the phone and select it that way.

    Still, it sure is worrying just how little attention folk pay to what permissions are requested by their downloads.

    1. Geoff Campbell Silver badge
      Pirate

      Wallpapers

      Android supports active wallpapers, where the pictures move. Utterly pointless IMHO, but some people seem to like them.

      GJC

      1. Jimbo 6
        Megaphone

        Utterly pointless, but some people seem to like them

        Into that category, I will happily put Androids, iPhones, Twitter accounts, Fleabay customer services staff, personalised number plates, skinny lattes, lads mags, and most of the paraphernalia of modern 'life'.

  15. halms
    Thumb Up

    its not a theory

    there's no governing in android apps. developers are not required to publish their source codes. thereby, no one can know for sure what the app does. it won't pop up 'hey, i got your mobile no. now i'm gonna send it to my master'. no. it does so in the background, acts as if it wants to do something legit, but instead adds some more data to it. this is easily done, especially with rooted devices. can be done with jailbroken iphones too. this is not a theory. any experienced programmer knows how to do it.

  16. Anonymous Coward
    FAIL

    Geeks

    Yet more proof that Android is well and truly the domain of the geek. My boss just bought himself a Desire and the first time he installed an app it flashed up that it needed internet access, to which he showed me it and said "What's this?". Your average punter has no idea on these kinda things and will happily click yes willy nilly. As someone else said there's no explanation as to WHY they need the access requested and until you actually install and use an app that may well not be clear. Even the message it did give wasn't that clear to a non techy and there was some confusion as to whether you were granting access to download the app or for the app itself to then use the internet.

    The question I guess is should you really have to worry about such things on a phone or should it be safe to use without fear that an errant yes click will expose your contacts to the world? Perhaps with much clearer user guidance then fair enough.

    I'll stick with Jobs and his app police for the time being thanks all the same.

  17. nemo20000
    FAIL

    This isn't a story. This is a story...

    Android apps list the privileges they require when installing. As has been said, you can review those, decide you don't like the look of them and not install. You can also email the developer to ask what the privileges are for. So, no real story here.

    This is a story: http://www.wired.com/gadgetlab/2010/07/apple-approves-pulls-flashlight-app-with-hidden-tethering-mode/

    iPhone apps do not list their capabilities. Apple scrutineers do not inspect the app source so can't spot hidden functionality in advance. Apple users can't tell what an app will actually do when they install.

    Which is more alarming?

    1. Anonymous Coward
      Anonymous Coward

      Curious

      Are you sure once your application is authorised, you can access private data regardless of user permission?

      If so, it would be pretty easy to build an application that will behave nice for a few months and then go wild.

      Any confirmation?

  18. Robert Hill
    Grenade

    ROTFLMAO...

    Not at the poor 4 million users, who, being users, don't really understand permissions policies very well, and frankly - it's a DAMNED PHONE, they shouldn't need to worry about such things...

    No, I'm laughing at the comments that say "well, those 4 million people are just too dumb, and this proves they should have stayed with other phones."

    4 million is a lot of people...an awfully large segment of the Android population (especially as it was only one app - that we KNOW of yet). But that's not enough for the anti-iPhone crowd to admit that perhaps, maybe, there is some validity to having all apps approved...

    So the question is: how many Android users would have to be infected, how many times, before the Andbois admit that having an end-user electronic device without any checks on apps is a bad idea...

    1. Anonymous Coward
      Anonymous Coward

      Re: ROTFLMAO

      "But that's not enough for the anti-iPhone crowd to admit that perhaps, maybe, there is some validity to having all apps approved..."

      There is validity in it, nobody is saying that, but it comes at a cost. Just as being truly safe in the real world would require locking yourself in your house and never coming out, and even still you're at a small risk.

      In the case of Android, and Android supporters like myself, we prefer that risk over the idea of not being allowed outside to play.

      Apple users swing the other way, and would rather stay inside, that is fine too. The two brands give you and I the choice to use the products we prefer. I have no problem that you chose Apple, but you apparently have a problem that I chose Android.

      That would be your problem though, so I shall leave you with it.

  19. Mike Bell
    Big Brother

    Analytics

    Quite a few mobile apps make use of analytic systems like http://www.flurry.com/ to keep tabs of where and when users are running the application, and that is the only reason they need to connect to the internet.

    Even though Android informs the user that such an app is allowed to connect to the internet, he is left in the dark as to the actual purpose of that connection. And without a detailed review of the source code, he (nor Google) can have real confidence in what is going on.

    It's easy to say don't install any app like that, but the single most useful utility I've found for Android uses Flurry, according to an e-mail I received from the developer.

  20. Anonymous Coward
    Anonymous Coward

    Just goes to show,

    download pointless fluff and you will get burned.

    No programmer in his right mind makes a free "wallpaper application" for the sheer balls to the wall thrill of making a program that can change your wallpaper. It's exactly the sort of thing you make as a trojan horse. Dazzle users with some worthless crap to misdirect them while the program performs its actual purpose.

    No doubt these same people wonder why they have no money left having downloaded "free" ringtones from a service that probably didn't mention it charges £45 a month.

  21. Tim Jenkins

    This app requires permission to

    access your data connection

    seduce your wife

    transmit your GPS location

    empty your bank account

    write to your file system

    shoot your dog

    log into your user account

    piss on your chips

    change your passwords

    shave one of your eyebrows

    Do you wish to continue?

    Average Punter: uhhhhhh; yes, because I NEED a My Little Pony wallpaper...

  22. Lionel Baden
    Pirate

    @mods !!

    regarding removed post

    I feel the post should be put back on, not to offend people, but I believe every single reply shows a natural form of repellent to racism and that it won't be tolerated here (bar arctic fox but he might have been being droll)

    probably more to the point I for one am horribly curious as to what they posted !!!!

    in this case I think the commentards have reacted on the whole well, showing that any type of racism just isn't tolerated, therefore self moderating.

    *pirates for challenging the power !! ;)

  23. Anonymous Coward
    Gates Halo

    A sign of success

    Malware means platform success; I bet Google is secretly quite pleased.

  24. Obvious Robert
    FAIL

    F U D

    This story only made such a big splash due to the Lookout lot originally coming out with a scaremongering claim that the apps in question were stealing browsing and SMS history along with a load of other stuff and sending it to China. Turned out to be rather inaccurate - the app's developer responded saying that the app did indeed collect your subscriber identifier and phone number in order to allow a favourites system within the app that could resume after wiping your device (a feature that his users had in fact asked for) but it's never gone near browsing or SMS history.

    Lookout were then later forced to admit that no, the app didn't collect browsing or SMS history at all. And the fact that Lookout are a security firm that produce an Android app that claims to protect against malware and viruses (sorry, what viruses?) should not be lost on people.

    Lookout got what they wanted - a big steaming load of FUD, people have now heard of them and downloaded their app to protect against the evil Chinese hax0rs, and a load of tech blogs have been rightfully thoroughly embarrassed for not checking their facts before joining in the hysteria.
