8% of Android Apps Are Leaking Private Information

samzenpus posted more than 3 years ago | from the sieve-phone dept.

Android 159

kai_hiwatari writes "Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th. The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages."

Misleading Title (-1)

Anonymous Coward | more than 3 years ago | (#36830642)

11,000 apps was the study sample, not the total of android apps. This is MUCH less than 8% of the android market. Dislike.

Margin of error (3, Informative)

tepples (727027) | more than 3 years ago | (#36830724)

Assume that the 11,000 app sample is representative of a category of apps on Android Market, and 8 percent of apps in the sample have detectable spyware. In that case, it's far more likely than not that the prevalence of spyware across all apps in that category is at least 5 percent. So do you dislike statistical methods in general, or do you dislike the claim that the sample is representative?

Re:Misleading Title (0)

Anonymous Coward | more than 3 years ago | (#36830738)

Someone doesn't know how statistical samples work. (Hint: it's not the authors of the study.)

Re:Misleading Title (1)

ThisIsSaei (2397758) | more than 3 years ago | (#36830744)

>Implying that the sample was random.

Compared to... (4, Insightful)

mederbil (1756400) | more than 3 years ago | (#36830660)

...100% of your Facebook apps! Nothing to worry about here, folks.

Re:Compared to... (3, Interesting)

TubeSteak (669689) | more than 3 years ago | (#36831282)

Compared to 100% of your Facebook apps! Nothing to worry about here, folks.

Data leakage is one thing, unwanted text messages (premium SMS services are big money) is another story entirely.

Re:Compared to... (-1)

Anonymous Coward | more than 3 years ago | (#36831860)

And dripping douchebaggry on the street with white earphone?

Re:Compared to... (1)

drb226 (1938360) | more than 3 years ago | (#36832176)

11 / 10,000 = 0.11% - If you have any common sense when you download an app, you can probably be way more than 99.89% confident that it won't send unwanted texts. 8% sending private info to a server is troublesome, but again, reputable apps probably don't have this issue; slashdotters of all people should be pretty confident about their ability to discern the scamminess of an app.

...and... (3, Insightful)

msauve (701917) | more than 3 years ago | (#36831302)

what exactly is an "unauthorized server?" Given that Android enforces constraints (permissions [android.com] ) when you install an app, are they claiming that there are apps which can get Internet access without explicitly being granted permissions by the user when installed?

Re:...and... (2, Interesting)

dudpixel (1429789) | more than 3 years ago | (#36831498)

maybe it is misleading. Maybe it technically is authorized by your definition.

However, note that ALL apps with ads need internet access, and yet the internet access gives them access to the whole internet, not just the ad server.

This always concerns me when it's simple apps that really don't need internet access other than to display ads. How would I know what the app is doing?

I'm normally against the walled garden approach but Google's complete hands-off thing is really starting to get serious. It's almost like they don't care about their own platform? Like they've disowned the market and they're only interested in the Google search box.

I don't think this approach will work for Google in the long term. Why do people spend more on the App Store? Maybe it's because they trust it more...

Re:...and... (2)

msauve (701917) | more than 3 years ago | (#36831682)

How does any of that differ from apps on a PC, which all have unlimited Internet access? Is there some reason a phone is more sensitive? I've got more personal/confidential info on my PC than I do on my phone.

Without knowing exactly what is being sent to these "unauthorized servers," this is just a red herring.

Re:...and... (1)

AvitarX (172628) | more than 3 years ago | (#36831906)

It's a lot easier to charge me money on the phone (sms), fortunately that is a different permission.

As is data access (though a lot need sd card access for cache I assume)

Re:...and... (0)

Anonymous Coward | more than 3 years ago | (#36832146)

Without knowing exactly what is being sent to these "unauthorized servers," this is just a red herring.

Bullshit! A red herring is something that is misleading and has relevance. You admit that you don't know what information is being sent. Without knowing that, you can't make that judgment. Don't be a cock on the internet, it never goes away.

Re:...and... (1)

Anonymous Coward | more than 3 years ago | (#36832342)

How does any of that differ from apps on a PC, which all have unlimited Internet access? Is there some reason a phone is more sensitive? I've got more personal/confidential info on my PC than I do on my phone.

The main difference is that on your PC, you don't have a phone Carrier who prevents you from installing or altering your firewall, hosts file, iptables, etc. The only way to do it on most smartphones is to root it or install a custom ROM, which is not a great idea from a security standpoint. The Carriers need to give people enough access to superuser functions so they can install such apps, without having to give root to everything on the device.

Re:...and... (0)

Anonymous Coward | more than 3 years ago | (#36831734)

It's almost like they don't care about their own platform?

Microsoft used the same strategy on Windows and it worked for them. Why don't you create a Trusted Apps Store if you think it'd be better?

If you don't trust the app, don't install it. It's that simple. I have my freedom, you have your safety, everybody is happy.

Re:...and... (0)

node 3 (115640) | more than 3 years ago | (#36832046)

It's almost like they don't care about their own platform?

Microsoft used the same strategy on Windows and it worked for them.

Microsoft very much cares about their platform, and have taken many actions to protect it. Where did you get the idea that they feel and have done otherwise?

Why don't you create a Trusted Apps Store if you think it'd be better?

What kind of silliness is this? It's very clear from the countless stories like this that Apple's App Store model is more secure than Google's model. There's no need to make such a store, it already exists.

If you don't trust the app, don't install it. It's that simple. I have my freedom, you have your safety, everybody is happy.

And how, exactly, are people supposed to know whether to trust an app? With something like Apple's App Store, consumers have a much higher level of trust and confidence in the quality, reliability, and trustworthiness of the apps than they do with the Google Marketplace.

Re:Compared to... (1)

AmberBlackCat (829689) | more than 3 years ago | (#36831312)

So Facebook apps destroy privacy. However, that does not change the point that some Android apps are doing the same thing.

Re:Compared to... (1)

RazorSharp (1418697) | more than 3 years ago | (#36831510)

So Facebook apps destroy privacy. However, that does not change the point that some Android apps are doing the same thing.

I agree. The big question now is whether Google will ban the 800+ apps from their marketplace. If they turn a blind eye to these revelations, then they're no better than Facebook and we can expect more app developers to datamine in the future. Personally, I have faith in Google to do the right thing, but we shall see. The last thing they want is for these data to justify Apple's stringent approval process.

Re:Compared to... (0)

node 3 (115640) | more than 3 years ago | (#36832012)

The last thing they want is for these data to justify Apple's stringent approval process.

How was Apple's method ever not justified? It's not like they were ever forcing people to do anything. People have been voluntarily buying iOS devices for quite some time now, and outside of a few nerd circles, you never hear people complain about the App Store model.

What this story does, however, is further validate Apple's model. While it never had to be justified because it's a reasonable system and entirely voluntary, it did remain to be seen whether it was based on sound reasoning. This story (and the many before it) provide evidence to back up Apple's claims. Even if Google pulls these apps (and, even further, utilized their "kill switch", as they have done before (which draws no ire, although even the mere *existence* of Apple's "kill switch", which they never used, was a huge issue here on Slashdot a few years ago)), the mere fact that these apps got through in the first place and in such great numbers shows Apple's system provides some of the benefits they claim it does.

Is it just me? (-1)

Anonymous Coward | more than 3 years ago | (#36830676)

Isn't that a fairly good rate? and only 11 of them send unwanted SMSs? That's what.. like 100x better than the Windows ecosystem... which isn't saying anything, of course.

Poor security/subterfuge/sloppy coding (5, Funny)

justsomecomputerguy (545196) | more than 3 years ago | (#36830696)

Vendor: "I'm shocked, SHOCKED to find information being leaked here!" Waiter: "Here's your mined data sir..." Vendor: "Thank you"

Re:Poor security/subterfuge/sloppy coding (2)

narkosys (110639) | more than 3 years ago | (#36831290)

+1 Casablanca reference.

Permissions (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36830698)

I think a finer control over permissions for applications is required. Some applications ask for something like "ability to make calls", so that feature X works. If you don't care about feature X you should be allowed to deny such permission.

Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".

Re:Permissions (0)

Anonymous Coward | more than 3 years ago | (#36830756)

Some of the custom ROMs have that function built in. CyanogenMod or Liberty being one of them. Which I think Google should include.

Re:Permissions (1)

queBurro (1499731) | more than 3 years ago | (#36832276)

"LBE Privacy Guard"? (I guess there are others too) it's an app you can install, but you have to be rooted to install it. Phones ought to have a "Root and accept the responsibility" button.

The hashed phone number (2)

tepples (727027) | more than 3 years ago | (#36830848)

Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity".

The IMEI doesn't ensure the user's identity, just that of the handset. Pull out the SIM and put it in another handset (assuming AT&T, the only U.S. nationwide provider for which this actually works and which isn't an acquisition target), and the subscriber's identity follows the SIM (hence the name Subscriber Identity Module).

They still have access to the phone number, why not fine-grain it

Yeah, why not? To ensure the user's identity, perhaps the OS should make available the hashed phone number: the application can make sure the subscriber hasn't changed but not use it to make voice calls or send text messages.

Re:The hashed phone number (2)

nzac (1822298) | more than 3 years ago | (#36830998)

Don't know how large phone numbers get in your country but rainbow tabling phone numbers seems rather trivial for anyone with a reasonable amount of money. They can probably guess the first part which leaves only about 10 digits (7 where I live) of combinations to try and if they are given away in sequence way less. Anyone know how long that would take with a modern GPU?

You would probably have to make the method standard so you could not use unknown salt either.

Re:The hashed phone number (0)

Anonymous Coward | more than 3 years ago | (#36831102)

less time than it took you to post this.

Re:The hashed phone number (0)

Anonymous Coward | more than 3 years ago | (#36831216)

Money? As a test I just generated 100,000 md5's of 10 digit phone numbers in 8min using one core of a 1.83GHz core2 processor. Doing some rough calculations, with an i7 using all 4 cores + 4HT's, you should be able to generate a rainbow table for all 10B phone numbers just under 2mo.

Re:The hashed phone number (0)

Anonymous Coward | more than 3 years ago | (#36831258)

Put it on your GPU. It won't even take days.

Re:The hashed phone number (1)

Anonymous Coward | more than 3 years ago | (#36831300)

And your algorithm was slow -- you probably recalculated the entire hash from the start for each number, for starters.
Fix that, and now consider using a GPU. You'll have your table in minutes.

You simply don't use md5 as a key derivation function if you know what's good for you. Nor SHA-1 or SHA-256 for that matter. You use bcrypt or scrypt or something else designed to be much more expensive than your standard hash algorithms.

Re:The hashed phone number (1)

nzac (1822298) | more than 3 years ago | (#36831334)

Thinking about it I checked to see if there was another only locally known number on the SIM to hash it with but I could not see one on the Wikipedia page.

If someone had anticipated this they could have stuck a pseudo-random key of reasonable length with no relation to the phone number to be hashed with the phone number and then providing a hash becomes a very good idea. But right now it's a 33-34 bit key (someone might correct me) that can be hacked offline. And with OpenCL this is a few min and if it's a short hash it might almost fit into 16GB memory (it's more but not magnitudes more, again could be wrong).

Re:The hashed phone number (0)

Anonymous Coward | more than 3 years ago | (#36831204)

As an android developer, believe me, I wish this was in there.

It's stupid to have to request those permissions just to get some kind of a unique device id.

Re:The hashed phone number (1)

tepples (727027) | more than 3 years ago | (#36831606)

If web applications and applications for PCs don't need a unique device ID, why do applications for Android-powered devices?

Re:Permissions (2, Interesting)

Anonymous Coward | more than 3 years ago | (#36830866)

Better yet, how about doing the intelligent thing and providing a UNIQUE identifier per APPLICATION. Not using the IMEI, but instead generate a UUID for each application to use as its unique id. Use a hash of some hardware value (like the IMEI) and the applications signature ( I assume apps have their own UUIDs in Android for identifying applications uniquely ).

Then they can uniquely identify a specific device has a specific app installed, they also won't be able to tell (if implemented properly) by using that information which applications you also have installed. Vendor A sells me 3 apps, and it gets 3 unique IDs back for my device from all of them, meaning I no longer have to worry about sharing of that information resulting in a profile of me.

Pretty much every reason you come up with for wanting to uniquely ID a phone revolves around targeted marketing, so let's just end that ...

Oh wait ... Android ... Google ... hrm, yea, they aren't going to go for that one are they?
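
Added example (not part of any comment in this thread, and not Android code): a sketch of the two ideas discussed above, the random per-device key hashed with the phone number and the per-application identifier derived from a hardware value and the app's signature. The function names, the 32-byte device secret and the choice of HMAC-SHA-256 are assumptions made for illustration; the phone number is constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a fictional 7-digit subscriber number whose
# 3-digit prefix is assumed to be guessable, leaving 4 unknown digits.
SAMPLE_PREFIX = "555"
SAMPLE_NUMBER = "5550142"


def unsalted_hash(number: str) -> str:
    """What a naive 'hashed phone number' API would hand to every app."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def keyed_token(device_secret: bytes, number: str) -> str:
    """Phone number mixed with a random per-device key that apps never see.

    The token still changes when the subscriber number changes, but it
    cannot be checked offline without the key.
    """
    msg = b"subscriber:" + number.encode("ascii")
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def per_app_id(device_secret: bytes, app_signature: bytes) -> str:
    """Stable identifier for one (device, app) pair.

    Two apps on the same device get unrelated values, so sharing them
    does not link the installs into one profile.
    """
    msg = b"app-id:" + app_signature
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def enumerate_numbers(target: str, prefix: str, unknown_digits: int):
    """Hash every number under the prefix and compare with the token.

    This is the offline check open to anyone holding an unsalted hash.
    Returns the matching number, or None if nothing matches.
    """
    for n in range(10 ** unknown_digits):
        candidate = f"{prefix}{n:0{unknown_digits}d}"
        if hmac.compare_digest(unsalted_hash(candidate), target):
            return candidate
    return None


def demo() -> dict:
    # Hypothetical OS-held secret, generated once per device.
    device_secret = secrets.token_bytes(32)

    weak = unsalted_hash(SAMPLE_NUMBER)
    strong = keyed_token(device_secret, SAMPLE_NUMBER)

    id_a = per_app_id(device_secret, b"constructed-signature-app-a")
    id_b = per_app_id(device_secret, b"constructed-signature-app-b")

    return {
        # The unsalted hash gives the number back after at most 10**4 tries.
        "unsalted_recovered": enumerate_numbers(weak, SAMPLE_PREFIX, 4),
        # The keyed token matches no candidate without the device secret.
        "keyed_recovered": enumerate_numbers(strong, SAMPLE_PREFIX, 4),
        # Same device, different apps: identifiers do not match.
        "ids_differ": id_a != id_b,
        # Same device, same app: identifier is stable across calls.
        "id_stable": id_a == per_app_id(device_secret,
                                        b"constructed-signature-app-a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The keyed variants are only as good as the secrecy of the device key: it has to stay inside the OS and never be readable by an app.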

Re:Permissions (1)

MakinBacon (1476701) | more than 3 years ago | (#36831012)

Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".

The upshot of this would just be that developers would make apps that refuse to run unless you give them all the permissions they want. I'm imagining something along the lines of (pseudo-code incoming):

try {
    obtainfeature();
} catch (FeatureNotGrantedException e) {
    showErrorDialog();
    endProgram();
}

Re:Permissions (1)

nschubach (922175) | more than 3 years ago | (#36831428)

I have a friend who wrote an app that detects if you installed one of the many adblock software packages, tells you to buy the pay version and refuses to run if that's installed. The capability to scan what apps are installed in your phone is part of the API.

Re:Permissions (0)

Anonymous Coward | more than 3 years ago | (#36832388)

I have a friend who wrote an app that detects if you installed one of the many adblock software packages, tells you to buy the pay version and refuses to run if that's installed. The capability to scan what apps are installed in your phone is part of the API.

Which is why if I want to use an app without the ads, I just turn off my data connection.

Re:Permissions (5, Informative)

elashish14 (1302231) | more than 3 years ago | (#36831106)

I remember someone had a /. sig with a link to a feature request for Android that users could simply choose which permissions they want to allow an app to have at installation. I think this was the link: http://code.google.com/p/android/issues/detail?id=3778 [google.com] . It seems to have a lot of support, but apparently we need more!

I also found this one too: http://androinica.com/2011/05/cyanogenmod-nightlies-secures-android/ [androinica.com] . I didn't read the link in much depth, but apparently it can do just what you describe if you root and install CyanogenMod.

Re:Permissions (1)

nschubach (922175) | more than 3 years ago | (#36831432)

This sig? ;)

Re:Permissions (1)

dargaud (518470) | more than 3 years ago | (#36831870)

Yes, there should be an advanced permissions tab where you can: allow / deny / randomize the data used by the apps. If I want to use a dead pixel tester (random example) that wants internet access, phone call access and GPS access, I'm sorry but NO, I'm not installing it. But in most cases the app would still be useful without the GPS position or other minor features. And 'randomizing' is for when the app refuses to work with the service denied.

Re:Permissions (1)

alostpacket (1972110) | more than 3 years ago | (#36831124)

This is unlikely all about permissions though. While I definitely agree with your point, this may very well be the same LogCat leak "uncovered" by Lookout at DefCon of last year. Basically what happens is lazy devs are writing personal info into the debug log. Other apps could read this with an innocuous sounding "read logs" permission. It was a reader here at Slashdot who actually pointed it out to me (I write a guide for new users about Android permissions).

Of course, there may be more to it. And certainly part of it will be about companies "leaking" info to ad agencies -- but that isn't much of a "leak" when users agree to it. It's still a shady business, (especially the methodology used), but Android has a limit to what it can protect when a user agrees to give out personal details.

Anyways, here's the video of the Lookout presentation:

Video from DefCon (need to login/download):

http://vimeo.com/14980971 [vimeo.com]

And a simple work-around for devs not wanting to leak data. [alostpacket.com]

Re:Permissions (1)

uofitorn (804157) | more than 3 years ago | (#36831676)

but that isn't much of a "leak" when users agree to it.

But that's the point! With such coarse-grained controls users will accept most anything. Don't tell me you never downloaded a simple app that required "Read all SD card contents" or whatever it's called.

Re:Permissions (1)

alostpacket (1972110) | more than 3 years ago | (#36831744)

Sure I have, and I said I agree with having more fine grained controls. But it's not that simple. There are downsides to that as well. Let me ask you this: how many applications have you downloaded to your computer that can access the hard drive?

Re:Permissions (1)

JAlexoi (1085785) | more than 3 years ago | (#36831424)

Really? The real phone number is pretty much the most unreliable piece of information you can get from the phone identity. I've seen wrong numbers, no numbers, garbage data and so on stored in the field.

Blackberry (0)

Anonymous Coward | more than 3 years ago | (#36831970)

Some applications ask for something like "ability to make calls", so that feature X works. If you don't care about feature X you should be allowed to deny such permission.

Blackberry works this way.
Apps request the permissions they want, but the user can choose to deny access to different areas of the phone (these selections are app-specific).

As soon as Android gets this capability, I'll happily switch.
But as it stands, I don't trust app developers enough to not abuse the lax security available on Android.

Re:Blackberry (1)

HJED (1304957) | more than 3 years ago | (#36832426)

Most apps are ad-based and require Internet access. Google would lose a lot of devs if it did this.

Block their 'net access (1)

DMUTPeregrine (612791) | more than 3 years ago | (#36830748)

LBE Privacy guard, Droid wall, or just an ADB terminal and iptables can stop leaks like this by denying net access to any app that you don't want to give it to.

Re:Block their 'net access (1)

Anonymous Coward | more than 3 years ago | (#36830840)

How do you know when to deny net access?

An app that needs net access for its main function can also behave maliciously.

Re:Block their 'net access (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36830872)

as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ....I know, I know.. but doing infosec configs on phone is still a more arcane deal than computers, plus I really don't want to have to root my android phone, to be able to trust it in the first place.

Perhaps if app permissions weren't 'set it and forget it', if the OS allowed us to go back and revoke perms directly from the GUI.

Re:Block their 'net access (2)

0123456 (636235) | more than 3 years ago | (#36831252)

as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ...

That's why I have a dumb phone that just makes phone calls and sends text messages and laugh whenever people talk about their phone being infected with malware.

Requires rooting (4, Insightful)

tepples (727027) | more than 3 years ago | (#36830880)

LBE Privacy guard, Droid wall, or just an ADB terminal and iptables

Which requires 1. phones to have a security vulnerability that allows rooting, 2. users to know how to root a phone, 3. users to somehow learn that they should install a firewall on their phones, and 4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).

Re:Block their 'net access (1)

artor3 (1344997) | more than 3 years ago | (#36830938)

Or just don't install apps that are asking for privileges they shouldn't need. If an app claiming to be an Angry Birds addon wants permission to access my contacts list or the ability to make phone calls, I'm going to be suspicious.

300,000 children will starve to death this week (-1)

Anonymous Coward | more than 3 years ago | (#36830762)

100% of them. several million in the next couple of months. nobody's fault? nothing can be done? not in with 'stuff that matters' like bombs away, fear every day? for each of the creators' innocents harmed in any way....

turns out that each of us is responsible for one another in every sense. failure by lack of conscience is not what we were designed for. do the math. read the teepeeleaks etchings, before they disappear, again. thanks so much.

Re:300,000 children will starve to death this week (0)

Anonymous Coward | more than 3 years ago | (#36830790)

Cool story bro.

iPhone apps are just as bad... (4, Interesting)

Anonymous Coward | more than 3 years ago | (#36830782)

If you use the firewall program that you can download with Cydia, you will find that a majority of iPhone apps connect to ad sites, statistic sites, behavioral targeting sites, and many domains that have zero to do with what the app does. The end user has zero control of what an app can do, and any app can happily slurp your contacts and anything available to it and hand it over to whatever site it feels like, and only people who have JB-ed their phone would know.

Android, it is more obvious because you don't have to jailbreak it to see the programs phoning home.

For example, take some of the photo editing apps on the iPhone. If you look at them, they appear to just upload your photo to a website and do the core editing via that as opposed to the application doing much. So, that private photo you decide to use a 99 cent app to make humorous? It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

For the tl;dr crowd, iPhone apps are just as nasty, but they hide it better, being impossible to trace unless one jailbreaks their device.

Re:iPhone apps are just as bad... (2)

Microlith (54737) | more than 3 years ago | (#36831246)

It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

You'd have to look at the EULA (do they even present an EULA?) to see what rights they grab for themselves. Even then, you still own the copyright on the image. I doubt an EULA that stated "by using our service you transfer copyright of all images uploaded to us" would be considered conscionable.

Re:iPhone apps are just as bad... (2)

Lehk228 (705449) | more than 3 years ago | (#36831292)

It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

I suggest you refrain from participating when you have no fucking clue what you are talking about

Re:iPhone apps are just as bad... (1)

vipvop (34876) | more than 3 years ago | (#36831784)

Yep this comment pretty much sums it up nicely, along with the one above about the EULA.

Re:iPhone apps are just as bad... (5, Insightful)

bonch (38532) | more than 3 years ago | (#36831514)

This study looked at 10,000 Android apps. Your claim is that iPhone apps are "just as bad," which implies that you also studied 10,000 iPhone apps and that 800 were found to be leaking private data. Could you provide the link to your study, or is all you have an anonymously posted anecdote about running Cydia on your single phone without any examples given of the apps you're describing?

That's obvious (4, Insightful)

gr8_phk (621180) | more than 3 years ago | (#36830784)

When simple one-player games and such say they require full internet access I think "that may be for ads". When they require access to contacts, SD card, etc... That usually means don't install it. Unfortunately most of the apps I've looked at require full internet access AND access to contacts and don't get installed as a result.

Re:That's obvious (0)

Anonymous Coward | more than 3 years ago | (#36831098)

The latest Cyanogen includes the ability to revoke privileges. You need access to my contacts? Sandboxed fake contacts okay? Cool.

Multiplayer metagames and assets on SD (1)

tepples (727027) | more than 3 years ago | (#36831658)

When simple one-player games and such say they require full internet access I think "that may be for ads".

Not all games whose action is single-player are purely single-player; many include a multiplayer metagame. This includes the ability to upload scores or other achievements to a server, to download other players' achievements for comparison, and to verify that other players' achievements were earned through legit play.

When they require access to contacts, SD card, etc... That usually means don't install it.

As for contacts, I agree with you, but a lot of programs require access to the SD card because the device's internal storage is too small to hold all data (meshes, textures, sound, etc.) that pertains to the game.

Re:That's obvious (1)

dotancohen (1015143) | more than 3 years ago | (#36832170)

Do you tell that to the app devs? So that they might understand why they are losing sales?

And the iPad absorbs the leakage... (0)

Kraftwerk (629978) | more than 3 years ago | (#36830806)

The iPad3, now with wings!

Re:And the iPad absorbs the leakage... (1)

Bodhammer (559311) | more than 3 years ago | (#36831376)

What about the deodorant with those wings? I want it also to smell like unicorns, fairies, and butterflies all farting together in a cornucopia of joy!

Define 'unauthorized' (0)

Anonymous Coward | more than 3 years ago | (#36830818)

What is an 'unauthorized' server? Is the server unauthorized by the app writer or by the end user or both? This is important information which is missing from the article. More worrisome in a link in TFA [darkreading.com] is the other attack vectors which are going to be discussed: drive-by downloading, etc. There's a video on the author's site at http://www.dasient.com/resources/video/?v=15 [dasient.com] but I haven't watched it.

BUT IT'S LINUX !! DAMN YOU !! IT'S LINUX !! (0, Funny)

Anonymous Coward | more than 3 years ago | (#36830884)

It must be okay because we are open source, free as in beer and free as in 60s' sex !! WE ARE THE WORLD !! So what if some chinese have my info ?? It's not like they can even say my name without me cracking up !!

In this day and age, it's worth it, I say !! Live and let them have their cake !!

Yours,
Ben Vereen

Re:BUT IT'S LINUX !! DAMN YOU !! IT'S LINUX !! (0)

Anonymous Coward | more than 3 years ago | (#36831368)

Actually, the open source apps tend NOT to pull this kind of cheap stunt.

The Apple solution (0, Troll)

mjwx (966435) | more than 3 years ago | (#36830978)

says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server

Perhaps Google should follow Apple's lead here and simply change the EULA to give permission for application writers [iphonehacks.com] to access personal information and location [consumerist.com] .

That would certainly get rid of the "unauthorised" part of that statement.

Re:The Apple solution (1)

jrumney (197329) | more than 3 years ago | (#36831264)

The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.

Re:The Apple solution (2)

mjwx (966435) | more than 3 years ago | (#36831408)

The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.

Yeah, because a vulnerability in the inbuilt PDF reader will never be exploited...

So let's all stick our heads in the wondrous sand of a walled garden and pretend that security holes don't exist because we aren't allowing security experts to say anything.

Re:The Apple solution (2)

JAlexoi (1085785) | more than 3 years ago | (#36831442)

And you're better off with remote PDF security bugs that can result in total takeover of your device. And it will all be hushed up to maintain the mantra that "Macs don't get malware and viruses"...

Big turn off... (0)

Anonymous Coward | more than 3 years ago | (#36830980)

I was really excited about Android, and tried to buy my kids an Android tablet last Christmas (nothing worth buying). But the data leaking, malware, etc. has flat turned me off the platform. My next phone will likely be WP7 (was a Windows dev) or iOS if they bring out cheaper off contract models.

Re:Big turn off... (1)

green1 (322787) | more than 3 years ago | (#36831314)

And what makes you think either of those platforms are any better?

At least on Android you always see what permissions an app is requesting before you install it. The same is not true on iOS.

Re:Big turn off... (0)

Anonymous Coward | more than 3 years ago | (#36831588)

Do you really think that such problems won't affect a Windows or an iOS phone? This article on the iPhone [research-live.com] from 2010 claims that, of the 57 most popular free apps, 67% were transmitting the Unique Device ID to a remote server. So much for the "walled garden" approach...

If your kids are young enough to be sharing a tablet, why wouldn't you just install age appropriate games and apps for them and then turn off network access? Problem solved. Unless you're a Microsoft shill.

Have we learned nothing... (5, Insightful)

Trufagus (1803250) | more than 3 years ago | (#36831072)

Wow! CTO of company that makes money selling security software for Android says that Android has security problems!

If you think you can get honest and objective info about this problem from the CTO of a company that is in the business of selling solutions to the problem, then you should not be allowed to use the Internet.

I'm not saying that there isn't a problem - I'm just saying that this is so obviously the wrong source that it is no better than an advertisement.

Re:Have we learned nothing... (3, Interesting)

godrik (1287354) | more than 3 years ago | (#36831190)

Well, I do believe them without any problem. Half the applications I tried to install on my phone ask for ridiculously high permissions. I checked a Tetris-like game that wants to access your GPS location, your contact list and the internet. Why?

I would love the operating system to allow you to report fake information to some application. The application wants access to your contact list? Sure, give it an empty list. It wants to know your GPS location? Sure, give a fixed user-defined location (in the middle of the ocean if possible).

Re:Have we learned nothing... (2)

Elbereth (58257) | more than 3 years ago | (#36831270)

Maybe the Tetris game has a social aspect, where high scores are collected and posted on the internet, along with a geographical tag, like "New York, USA". It could be that the high scores are even customized for your location, so that you can compete against all the other New Yorkers playing that game. Some people would think that was the greatest thing in the entire world, I'm sure. For the more cynical among us, it's difficult to believe that social gaming is anything more than a big scam, but not everyone cares so much about their privacy. One man's privacy invasion is another man's social game, I guess.

Re:Have we learned nothing... (1)

adamofgreyskull (640712) | more than 3 years ago | (#36831356)

This is the greatest thing in the entire world. It means I can move to a sparsely populated backwater country and not feel like I suck quite so much! Couple that with a game like Audiosurf [wikipedia.org] that procedurally generates levels based on music and I can be the BEST! (At Todd Rundgren's Utopia Theme (In New Zealand)) ;)

Re:Have we learned nothing... (1)

nschubach (922175) | more than 3 years ago | (#36831494)

Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.

HTTP tunnel (2)

tepples (727027) | more than 3 years ago | (#36831674)

Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.

And run an open HTTP tunnel on someapplicationpage.com. You see, a device can't always enforce a privacy policy.

Territorial licensing (1)

tepples (727027) | more than 3 years ago | (#36831688)

I checked a Tetris-like game that wants to access your GPS location, your contact list and the internet. Why?

Internet? Upload high scores, as Elbereth mentioned. GPS? To keep you from playing in another country where a different company has the exclusive license for the Tetris brand. But contact list? Don't know; that would raise my suspicion.

Re:Have we learned nothing... (2)

Solandri (704621) | more than 3 years ago | (#36831910)

I just installed DroidWall [android.com], which is a basic firewall for Android. You need to be rooted, and the UI isn't the greatest. But it lets you control which apps have permission to access the Internet (and you can choose WiFi and 3G/4G permissions separately if you so desire). What good is having my GPS location and contact list if you're unable to report it back home (Mr. Anderson)!

Re:Have we learned nothing... (2)

kregg (1619907) | more than 3 years ago | (#36832010)

All applications with ads ask for those permissions. They don't want to advertise something you can't buy in your own country.

If you don't want that then buy an application with no ads - simple.

Re:Have we learned nothing... (0)

Anonymous Coward | more than 3 years ago | (#36831346)

So someone who doesn't do security for a living would be a better source for this information?

Round numbers... (0)

Anonymous Coward | more than 3 years ago | (#36831248)

All round numbers are false.

Exactly 10,000 and exactly 800? Come on.

Only 8% ?!?!? (1)

NicknamesAreStupid (1040118) | more than 3 years ago | (#36831336)

No wonder most apps don't make money.

Re:Only 8% ?!?!? (1)

drb226 (1938360) | more than 3 years ago | (#36832198)

So that's why iPhone apps are so lucrative...

Worthless article (0)

Anonymous Coward | more than 3 years ago | (#36831532)

What a worthless article. They give some pretty fucking specific numbers but they don't even bother to let us know which apps are the offenders.

At some point... (1)

cavePrisoner (1184997) | more than 3 years ago | (#36831846)

At some point, don't they have all the information about us? Given all the security breaches in everything we do, you would think that the market of this information would eventually be saturated. What more do these people want to know? The size of my johnson?

Seriously, I'm looking for somebody that understands what's going on to explain this to me. What use is all of this information?

Low! (0)

Anonymous Coward | more than 3 years ago | (#36831996)

8% is low. Positive article gets negative spin.

You can protect yourself better (2)

aaaurgh (455697) | more than 3 years ago | (#36832132)

I use the LBE Security app which allows me to more closely control what I want an app to have access to, it's a bit like a permissions-based firewall - you can block specific permissions on each app. It does result in the odd FC if you tighten it down too far on everything but it's usually possible to find a workable combination. e.g. permit an app to access the phone id. (which it expects to always have access to and which causes it to FC if not) but then block its access to the network (which cannot always be expected to be available)... so what if it knows the id. if it cannot report it.

I easily believe that (1)

drolli (522659) | more than 3 years ago | (#36832200)

There are many apps which require excessive permissions without any reasonable explanation. Many of these appear as close-to-identical apps to shotgun better. I am surprised it's only 8%.
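
Several comments above reason about permission combinations: an app that can read contacts or GPS and also reach the Internet, and blocking the network permission so the data cannot be reported. The following is an added example, not code from any commenter or from the tools they mention; it assumes the text format printed by `aapt dump permissions`, and the sample dump, package name and function names are constructed for illustration.

```python
import re

# Permissions that expose private data (sources) and permissions that can
# move data off the device (channels). Names are standard Android permissions.
SOURCES = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.READ_PHONE_STATE": "phone/device ID",
}
CHANNELS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "SMS",
}

# Accepts both `uses-permission: NAME` and `uses-permission: name='NAME'`.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)

# Constructed sample: a hypothetical Tetris-like game, not a real app.
SAMPLE_DUMP = """\
package: com.example.blockgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: android.permission.VIBRATE
"""

def parse_permissions(dump_text):
    """Return the set of permission names requested in the dump."""
    return set(PERM_RE.findall(dump_text))

def leak_paths(perms, blocked=frozenset()):
    """List (private data, channel) pairs the app could use after
    removing any permissions the user has blocked."""
    effective = set(perms) - set(blocked)
    return sorted(
        (SOURCES[s], CHANNELS[c])
        for s in effective & SOURCES.keys()
        for c in effective & CHANNELS.keys()
    )

if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_DUMP)
    print("as requested:    ", leak_paths(perms))
    print("network blocked: ",
          leak_paths(perms, blocked={"android.permission.INTERNET"}))
```

A permission pair only shows that a path exists, not that the app uses it; and as the HTTP tunnel comment points out, a permitted channel to one host can still relay data elsewhere.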
