App makers, you're STILL doing security wrong

Robert Helpmann
Childcatcher

Re: Security!=privacy

FF22, your point about the difference between security and privacy is well taken (and well said, by the way), but I think both you and the analyst make a fundamental error in attribution: why is PayPal gathering the info they do? Yes, they might be pulling it to compare against past transactions as a fraud prevention method. Conversely, they might have some legacy code from the beta testing phase of app development. The why of it is important for a number of reasons, as it has implications for where weaknesses might be in the app itself (flaws might be left in simply because no-one is paying attention to the code) or what kind of data might be leaked in the event of a successful attack (PayPal is a prime target). While I would not expect my fellow commentards to dig through the EULAs of these apps or to contact the app publishers, it would seem the researcher had a missed opportunity there. The flaws mentioned in the other apps were certainly that: flaws.

At the very least, one take-away should be that apps should only gather and transmit the data needed to do what they are intended to do. The more bloat that is added in, the greater the chances of flaws creeping into the mix. Also, the more power the app will use, which in a mobile device can add up. The people who run the app (customers, for want of a better term) should know what info is collected, sent and retained by the app maker and have a reason why this is done. Finally, the owner of the device on which an app is run should be able to control access rights for the app. This last should be pinned on the OS makers. Google's offering is particularly bad in this area, but I notice that the only hint as to which manufacturer's device was looked at by the analysis seemed to be Apple.
