
More Than 25% of Android Apps Know Too Much About You

Soulskill posted about 2 years ago | from the but-they-always-forget-my-birthday dept.

Privacy 277

CowboyRobot writes "A pair of reports by Juniper and Bit9 confirm the suspicion that many apps are spying on users. '26 percent of Android apps in Google Play can access personal data, such as contacts and email, and 42 percent, GPS location data... 31 percent of the apps access phone calls or phone numbers, and 9 percent employ permissions that could cost the user money, such as incurring premium SMS text message charges... nearly 7 percent of free apps can access address books, 2.6 percent, can send text messages without the user knowing, 6.4 percent can make calls, and 5.5 percent have access to the device's camera.' The main issue seems to be with poor development practices. Only in a minority of cases is there malicious intent. The Juniper report and the Bit9 report are both available online."


Know too much? (1)

Anonymous Coward | about 2 years ago | (#41852595)

Or know too little?

Oh wait, that's the users and designers.

Re:Know too much? (1)

Anonymous Coward | about 2 years ago | (#41852863)

It's alright, anyone paranoid enough about android security threats should really be more worried about finding the wireless hidden cameras installed all around them [amazon.com] . If you've stayed at a hotel, odds are good someone's seen you nude.

Re:Know too much? (4, Funny)

Applekid (993327) | about 2 years ago | (#41853199)

> If you've stayed at a hotel, odds are good someone's seen you nude.

In that case, I'm glad I'm ugly as sin, and hope I've blinded them. :)

If only! (5, Funny)

Joehonkie (665142) | about 2 years ago | (#41852603)

If only there were some way for me to tell which permissions an app will use when I install it!

Re:If only! (5, Insightful)

Anonymous Coward | about 2 years ago | (#41852629)

If only there were some way to know what permissions the app really needed to do its job!

If only you didn't have to slog through 15 different flashlight apps before you find one that doesn't want access to your address book!

Re:If only! (0, Flamebait)

PoopManners (2764379) | about 2 years ago | (#41852703)

It's a problem with Android, basically. Poop.

Re:If only! (5, Insightful)

Anonymous Coward | about 2 years ago | (#41852745)

Disagree. It's a problem with humanity. Android does a good job of warning you that your flashlight app will send your contact list to the universe.

Re:If only! (1)

endinyal (2700219) | about 2 years ago | (#41853213)

Way to go!! Blame the user and not the inadequacies of an insecure platform!!

Re:If only! (1)

tepples (727027) | about 2 years ago | (#41852757)

In what way do you find the permission issue better with any specific mobile operating system other than Android?

Re:If only! (5, Informative)

berj (754323) | about 2 years ago | (#41852859)

On iOS I can choose *after* installation to allow or disallow certain activities.

So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.

If a GPS application wants access to my contacts and location I can let it.. but if it asks for access to my photos and bluetooth sharing I can disallow it.

It's quite nice, actually.

Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.

Re:If only! (4, Informative)

h4rr4r (612664) | about 2 years ago | (#41852941)

There are aftermarket ROMs that do that. CM is one.

There are tools that actually do one better, they let you give apps fake data. Let that stupid game have a GPS, one that shows you out in the Atlantic.

Re:If only! (3, Informative)

Minderbinder106 (663468) | about 2 years ago | (#41853193)

CM was one. CM7 had this feature but it was taken out for CM9/CM10. It's too bad, it was a great feature.

Re:If only! (-1)

Anonymous Coward | about 2 years ago | (#41852981)

I guess. How long until you have apps in the iOS ecosystem checking for access to the address book or being able to send an sms and, if that fails, the application erroring out with some BS message that'll fool 30% of users saying "Sorry, this application needs access to your address book in order to confirm that you are not illegally using this software in an emulator."

Re:If only! (1)

SternisheFan (2529412) | about 2 years ago | (#41852985)

Android 4.2 has better security, still, I want full control over 'permissions' without having to root my device. Below I've pasted from Computerworld's story/blog by J.R. Raphael:

"Accompanying the system is a new and improved app permissions screen --the screen that shows up anytime you install an app from outside of the Play Store. The new Android 4.2-level screen is cleaned up and far easier to read than what we've seen in the past. And last but not least, Android 4.2 has an added behind-the-scenes feature that alerts you anytime an app attempts to send a text message that could cost you money. If an app tries to send an SMS to a known fee-collecting short code --a number that'd automatically bill your carrier when it receives a message --the system jumps in and alerts you to the action. You can then opt to allow or deny the process." http://m.blogs.computerworld.com/android/21259/android-42-security?mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26tbo%3Dd%26site%3D%26source%3Dhp%26q%3Dandroid%2B4.2%2Bpermissions%26oq%3Dandroid%2B4.2%2Bpermissions%26gs_l%3Dmobile-gws-hp.12...20503.38452.0.40420.25.21.0.4.4.0.395.3872.0j16j3j2.21.0.les%253B..0.0...1ac.1.9qZIAZUfHXE [computerworld.com]

Re:If only! (-1, Flamebait)

CanHasDIY (1672858) | about 2 years ago | (#41853001)

> On iOS I can choose *after* installation to allow or disallow certain activities.
>
> So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.

How do you know that, by the time you disable the permission, the app hasn't already uploaded your info to their servers?

> Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.

Except, with Android, I can root my phone and do whatever the heck I want with it.

Is Apple still bricking jailbroken iShinys?

Re:If only! (3, Informative)

berj (754323) | about 2 years ago | (#41853065)

> > On iOS I can choose *after* installation to allow or disallow certain activities.
> >
> > So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.
>
> How do you know that, by the time you disable the permission, the app hasn't already uploaded your info to their servers?

because (sensibly) by default apps have no such permission. I get asked if I want to allow the action the very first time.

> > Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.
>
> Except, with Android, I can root my phone and do whatever the heck I want with it.

And what about those of us that don't want to bother with such things? I don't build my own computers. I don't jailbreak my iDevices.. I don't tinker with my car.. I don't mod my fridge. If I have to immediately start hacking my device in order to get the security I want then it's not really much good to me.

Re:If only! (1)

h4rr4r (612664) | about 2 years ago | (#41853089)

Fine don't do those things, but then you are probably on the wrong website. You can stay, but don't be surprised when people tend to think those things are the norm. For many here they are.

Re:If only! (1)

Anonymous Coward | about 2 years ago | (#41853181)

> > On iOS I can choose *after* installation to allow or disallow certain activities.
> >
> > So.. for example.. I can allow an application access to my calendar but not to my contacts or photos.
>
> How do you know that, by the time you disable the permission, the app hasn't already uploaded your info to their servers?
>
> > Android is a "take it or leave it" system. Which I suppose is great for the app developers.. but not so much for users.
>
> Except, with Android, I can root my phone and do whatever the heck I want with it.
>
> Is Apple still bricking jailbroken iShinys?

1. By default no app has access to your info unless you approve it at runtime. If the app queries the data store (either before permission has been granted or after permission has been refused) iOS / OS X just returns nil/NULL
2. Apple has never deliberately bricked jailbroken devices although some jailbreaks have not worked with upgrades and have "bricked" the iDevice. Of course, it's nearly impossible to permanently brick an iDevice as you can always revert to official iOS.

Re:If only! (5, Interesting)

h4rr4r (612664) | about 2 years ago | (#41852731)

You don't. Torch, Done.

What Google should do is let me search for apps by permissions. I also wish they would let me never see a freemium app again. I have zero interest in them.

Re:If only! (4, Interesting)

TheGratefulNet (143330) | about 2 years ago | (#41852887)

permissions are vague. I can't know what the hell they plan to do!

what I'd want is a watcher that gives pop-ups or some notification and STOPS THE APP until I let it thru. very very fine grained permit/deny and also a lot of all info that is captured and sent.

until the apps are more transparent (they are anything but, now!) I refuse to run most android 'store' apps or anything else.

the whole market is fucked up; the protection model is bullshit and there's no audit ability for users to feel confident that this or that app is not doing funny shit behind the owner's back.

the permissions model is quite stupid by design. another google design failure, designed by engineers and not designed FOR users who are non-tech and simply want to know what the app is DOING.

there also isn't a standard default firewall on unrooted android. again, I have no trust in android when I have to go around it and root it just to have a firewall and user filters or ACL's.

the whole model needs a serious rewrite. not saying the apple model is any better, but android is quite immature in how it DOES NOT protect the user or give them any real info to go on. the only thing you have now is 'trust us' and, well, I just don't!

vista annoyed users with the popups but I do think that some level of that is needed, here. WHEN an app tries to do things that fit some trigger, show me! show me what and when and where. keep logs of it. let me query the logs and study how good or bad this app is. let me run it in 'hobble mode' so that it, by default, does not get access to anything. let me trust it over time and relax restrictions as it gets my trust.

the whole model is all wrong. sorry, but it seems no one was thinking of the users, here. and users are getting screwed by not having true visibility into the (often) evils that 'flashlight apps' do.

Re:If only! (1)

h4rr4r (612664) | about 2 years ago | (#41852925)

How are they vague? They have plain English descriptions.
Torch:
Hardware controls: Take pictures and videos
System Tools: prevent phone from sleeping.

If you can't read plain English you don't need a smartphone. A user who can't do that will just OK anything it ever asks for, watcher or not.

Why do you need a firewall if you don't leave ports open willy nilly?

Re:If only! (1)

Anonymous Coward | about 2 years ago | (#41852947)

> what I'd want is a watcher that gives pop-ups or some notification and STOPS THE APP until I let it thru. very very fine grained permit/deny and also a lot of all info that is captured and sent.

That only works for the tiniest subset of users. Most users would simply learn to click on absolutely any pop up and confirm. Dancing pigs problem, blah blah blah. Security cannot depend on an informed user when in fact most users are uninformed and technically ignorant. Not that there's anything wrong with being uninformed and technically ignorant, it's a fucking phone that people try to use to get tasks done.

Re:If only! (1)

CastrTroy (595695) | about 2 years ago | (#41853209)

I would like the ability to send fake data to apps. I should be able to configure apps so that when they ask for my contact data, they get a fake list. The apps think they are working, but they aren't. Same goes with access to the SD Card. They think they are getting direct access to the SD card, but really they would just get their own little dedicated subfolder. Everything that they have access to should be able to be swapped out with a fake version. This combined with a network firewall (possibly allowing and disallowing different protocols, hosts, and ports from specific apps) would make it quite a bit easier to control what applications have access to.

Re:If only! (1)

h4rr4r (612664) | about 2 years ago | (#41853313)

That ability already exists with apps and in some roms.

Adding it to AOSP would be neat though.

Re:If only! (2)

agentgonzo (1026204) | about 2 years ago | (#41852851)

Given Android will now (I think - I've got an iPhone so can't be sure.... ssshhhhhhhh! Don't tell anyone) tell you what permissions the app will access, why isn't there the ability to just configure android to refuse to pass those details on to the app at the OS level?

I know I'm going into dangerous territory here by praising Facebook for their security (ssshhhhh!!!!) but when you add 'apps' to facebook, it will tell you what it is wanting to access but facebook gives you the ability to deny access to this information from the app. I would have thought it shouldn't be too hard for android to do this at the API level (and just return null or 'denied' or something) so that you can still pick which flashlight app you want to use, but tell the OS not to pass your address book onto it even if the app wants your details

Re:If only! (1)

Simon Brooke (45012) | about 2 years ago | (#41852957)

If only you were able to selectively revoke permissions you thought an application didn't need!

I mean, when I install an app, I'd like to be shown a list of permissions it wants, just as I am now, and then I'd like to go through that list and toggle some off... and if the app can still run without those things, it should install anyway (and not do the things I've told it not to do). Surely that ain't rocket science!

Re:If only! (4, Interesting)

rvw (755107) | about 2 years ago | (#41852705)

> If only there were some way for me to tell which permissions an app will use when I install it!

I've created one Hello World app, just to see how it works. I've followed directions, didn't do anything to snoop around. The result is that it needs Phone ID somehow. I suspect that many app programmers do nothing to snoop around, but automatically request more permissions than actually needed, probably because the programming IDE does this automatically.

Re:If only! (1)

jareth-0205 (525594) | about 2 years ago | (#41852871)

> I've created one Hello World app, just to see how it works. I've followed directions, didn't do anything to snoop around. The result is that it needs Phone ID somehow. I suspect that many app programmers do nothing to snoop around, but automatically request more permissions than actually needed, probably because the programming IDE does this automatically.

Can you not just use the ANDROID_ID which doesn't require any permissions?

Re:If only! (1)

rvw (755107) | about 2 years ago | (#41853061)

> > I've created one Hello World app, just to see how it works. I've followed directions, didn't do anything to snoop around. The result is that it needs Phone ID somehow. I suspect that many app programmers do nothing to snoop around, but automatically request more permissions than actually needed, probably because the programming IDE does this automatically.
>
> Can you not just use the ANDROID_ID which doesn't require any permissions?

Yes! Well to be honest I wouldn't know - but I suppose you do. This app does nothing but display the text Hello World. So it doesn't need any permissions. Still the app requests them. I'm an inexperienced android app developer, don't know this alternative, and I suppose I'm not the only one.

Re:If only! (3, Interesting)

Syphonius (11602) | about 2 years ago | (#41853143)

Then you may have done it wrong (or whatever example you followed was wrong). The default IDE (Eclipse with the ADK plugin) does not generate permissions into the manifest. They all go in manually. If your Hello, World required extra permissions then they were most likely added by accident or you are using some uncommon IDE/plugin.

Re:If only! (1)

blogan (84463) | about 2 years ago | (#41853225)

What was the target SDK level? Older levels were always given access to phone ID, but in newer levels, it had to be specifically requested. For backwards compatibility, older apps targeted to the older levels would request that permission. Solution would be to have a newer target level, but not necessarily change the minSDK level.

Re:If only! (0)

Anonymous Coward | about 2 years ago | (#41853301)

You need the phone ID if you use an old SDK. This has been fixed though if you ask for a recent version.
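
The behaviour described in the two comments above, worked through as an added example (not code from the thread or from Android): a Python check that reads a plain-text `AndroidManifest.xml` and lists permissions the platform grants without a `<uses-permission>` line. The rule tables and the three sample manifests are constructed assumptions based on Android's documented handling of old `targetSdkVersion` values.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed rule table (Android platform behaviour, not taken from the thread):
# permissions granted without being declared when targetSdkVersion is below
# the API level at which the permission was introduced.
ADDED_FOR_OLD_TARGETS = [
    (P + "WRITE_EXTERNAL_STORAGE", 4),
    (P + "READ_PHONE_STATE", 4),
]
# Assumed rule table: (declared permission, permission that comes with it,
# target level below which that happens).
SPLIT = [
    (P + "READ_CONTACTS", P + "READ_CALL_LOG", 16),
    (P + "WRITE_CONTACTS", P + "WRITE_CALL_LOG", 16),
]

# Constructed manifests in plain-text form, as they appear in a source tree.
HELLO_OLD = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hello">
  <uses-sdk android:minSdkVersion="3" />
  <application android:label="Hello World" />
</manifest>
"""

# Same app, same minSdkVersion, but targeting a newer level.
HELLO_NEW = HELLO_OLD.replace(
    'android:minSdkVersion="3"',
    'android:minSdkVersion="3" android:targetSdkVersion="16"',
)

CONTACTS_15 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.contacts">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <application android:label="Contacts demo" />
</manifest>
"""


def target_sdk(root):
    """targetSdkVersion falls back to minSdkVersion, which falls back to 1."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    min_sdk = uses_sdk.get(ANDROID + "minSdkVersion", "1")
    return int(uses_sdk.get(ANDROID + "targetSdkVersion", min_sdk))


def effective_permissions(manifest_xml):
    """Map each permission the app ends up with to the reason it has it."""
    root = ET.fromstring(manifest_xml)
    target = target_sdk(root)
    perms = {}
    for el in root.findall("uses-permission"):
        name = el.get(ANDROID + "name")
        if name:
            perms[name] = "declared"
    for name, level in ADDED_FOR_OLD_TARGETS:
        if target < level and name not in perms:
            perms[name] = "implicit: targetSdkVersion %d < %d" % (target, level)
    for declared, extra, level in SPLIT:
        if declared in perms and target < level and extra not in perms:
            perms[extra] = "implicit: comes with %s below target %d" % (
                declared[len(P):], level)
    return perms


def implicit_only(manifest_xml):
    """Sorted names of permissions the developer never wrote in the manifest."""
    return sorted(
        name for name, why in effective_permissions(manifest_xml).items()
        if why.startswith("implicit")
    )


if __name__ == "__main__":
    for label, xml in [("hello, old target", HELLO_OLD),
                       ("hello, target 16", HELLO_NEW),
                       ("contacts, target 15", CONTACTS_15)]:
        print(label)
        for name, why in sorted(effective_permissions(xml).items()):
            print("   %-45s %s" % (name, why))
```

Running it against a project's own manifest before publishing shows whether raising `targetSdkVersion` alone removes a permission prompt, without touching `minSdkVersion`.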

Re:If only! (1)

TheRaven64 (641858) | about 2 years ago | (#41852721)

Okay, so if I'm looking for an app, how do I search Google Play saying I want to find one that doesn't require the permission to access my address book or the contents of my SD card? You get shown the permissions right before you download an app, but you don't ever get told why an application needs these permissions.

Re:If only! (4, Informative)

h4rr4r (612664) | about 2 years ago | (#41852747)

Actually a lot of decent apps have a why in the description of the app.

If it does not seem like it should need it and they fail to explain it don't install it.

Still better than on the PC, where any application can read any of your files.

Re:If only! (1)

e065c8515d206cb0e190 (1785896) | about 2 years ago | (#41852879)

> Still better than on the PC, where any application can read any of your files.

Maybe you should blame it on your OS.

Re:If only! (1)

h4rr4r (612664) | about 2 years ago | (#41852973)

What OS are you using?

Short of using SELINUX or apparmor, which I do use, this is the normal behavior. Windows will allow any application running as a user to access that user's data, OSX is the same.

Android permission rationales (1)

tepples (727027) | about 2 years ago | (#41852845)

> You get shown the permissions right before you download an app, but you don't ever get told why an application needs these permissions.

Ideally an application's description would contain something like a privacy policy that describes what it does with each permission. For example:

  • Internet: Used to synchronize data with other devices on which you have installed this application.
  • Internet: Used to submit high scores.
  • Internet: Used to complete installation over Wi-Fi (500 MB download).
  • Internet: Used to download messages from sponsors that keep this application free.
  • SD card: Used to export and import your data for use with offline PC applications.
  • SD card: Used to store large data on pre-4.0 phones.
  • Phone state: Used to delay large syncs until Wi-Fi becomes available, to save you money on your data plan.
  • Phone state: Used to pause the game/video/music when you receive an incoming call.

I've already seen several applications on Google Play whose descriptions have permission rationales like this near the end.

Re:If only! (1)

Scutter (18425) | about 2 years ago | (#41852833)

If only there were some way to selectively allow or deny permissions to an app instead of the all-or-nothing approach currently employed.

Re:If only! (1)

TimeOut42 (314783) | about 2 years ago | (#41853067)

That is just plain silly. How many support calls do you think the dev would get when a paranoid user denies access to the internet for a twitter client. Come on, this is nothing but FUD; all operating systems access stuff; most mobile OS will tell you what it is going to do. If you don't like the permissions it is requesting, then don't install the app.

Most of your 'free' software, even the apps that don't use the internet, are ad-supported, which does need the internet. If you don't like that, then purchase the full app or again, don't install it.

Finally, I have to agree with the statement in the article that many of the permissions that are used are just poor development practices. For example; maybe the dev was testing storing data on the SD card, decided not to do it, but failed to remove the permissions from the manifest. The app would show that it still needs access to the SD card, but the program never actually uses it.

Another way to help protect yourself; don't always run as root -- amazing how many of the people here complain about the permissions, then essentially give every app full permissions to their phone. These are the same people that use the same password on every site and run their PC OS as root too.

Re:If only! (1)

h4rr4r (612664) | about 2 years ago | (#41853113)

Who gives every app root?
Is there even a common android su that does not ask the user?

Re:If only! (1)

CanHasDIY (1672858) | about 2 years ago | (#41853131)

> If only there were some way to selectively allow or deny permissions to an app instead of the all-or-nothing approach currently employed on a non-rooted phone.

FTFY. If your phone is rooted, use Permissions.

Privacy apps - LBE (4, Informative)

rvw (755107) | about 2 years ago | (#41852613)

I've installed LBE Privacy control and it blocks unnecessary permissions for many apps. Why does a keyboard need internet access? The only thing I'm concerned about... What does LBE know, and what does it share?

Re:Privacy apps - LBE (1)

Anonymous Coward | about 2 years ago | (#41852711)

LBE Privacy Guard requires a rooted phone. That's nice for geeks but it's not a solution for everyone.

Re:Privacy apps - LBE (0)

Anonymous Coward | about 2 years ago | (#41852867)

I personally swear by LBE Privacy Guard, as I use it on all my Android devices.

Wearing my tinfoil hat, I do have a concern about a free product from China that requires root and handles all the vital security info on a device.

Re:Privacy apps - LBE (1)

h4rr4r (612664) | about 2 years ago | (#41853007)

So then install CyanogenMod. It has this sort of functionality by default.

Re:Privacy apps - LBE (1)

rvw (755107) | about 2 years ago | (#41853019)

> I personally swear by LBE Privacy Guard, as I use it on all my Android devices.
>
> Wearing my tinfoil hat, I do have a concern about a free product from China that requires root and handles all the vital security info on a device.

Same here! I really like this app. I've tried several of these privacy apps, and most are a hassle to work with. This one is easy and user friendly. I trust it in limiting other apps, and I see many notifications in the status bar about apps trying to get certain info. But do they have a hidden agenda somehow? Then again, what will it bring them, needing root access, and then a user who knows what to do. It's not that hundreds of millions of people will install this app, like the Facebook app. But if they want to snoop, they have a really nice target group: pro users!

Re:Privacy apps - LBE (1)

blogan (84463) | about 2 years ago | (#41852759)

The keyboard might be pulling down certain language dictionaries, hence the need for Internet access.

Re:Privacy apps - LBE (1)

h4rr4r (612664) | about 2 years ago | (#41852781)

The developer should say that in the description then.

You should still be suspicious since he could just lie. If it needs new dictionaries it should get them via an application update.

Re:Privacy apps - LBE (0)

Anonymous Coward | about 2 years ago | (#41852827)

> If it needs new dictionaries it should get them via an application update.

Conversely I'd prefer it if an alternative keyboard didn't come as a 45MB package including every dictionary it could feasibly include for a hundred languages I don't speak, but instead came as a light 800KB download and lets me pull down the languages I'd like from its settings page. For which it would need Internet access.

Language packs as applications (1)

tepples (727027) | about 2 years ago | (#41852959)

Then perhaps the developer should submit each dictionary as a separate application. The user would install the specific language's dictionary as an application, and if that application detects that the IME is not present, it would direct the user to install the IME from Google Play Store using a market intent [stackoverflow.com] .

Re:Privacy apps - LBE (1)

h4rr4r (612664) | about 2 years ago | (#41853049)

Oh noes 45MB! of my 32GB of storage. How ever will we manage. It would take seconds to download that information over LTE, seconds!

Or maybe market intents and separate play market apps for each dictionary would work just fine.

Partitioned storage (1)

tepples (727027) | about 2 years ago | (#41853207)

> Oh noes 45MB! of my 32GB of storage.

Phones running Android 2.x (FroYo or Gingerbread) are likely to be partitioned with 512 MB for apps and the rest for SD card. Only by 4.x (Ice Cream Sandwich) did Android phones switch to MTP for PC file transfers so that they don't need a separate partition that can be unmounted while the phone is connected to the PC.

> It would take seconds to download that information over LTE, seconds!

LTE is for burst transfers, not for sustained transfers. Assuming a cap of 5 GB per month, a 45 MB download takes up about 6 hours of your cap (45 / 5000 * 30 * 24 = 6.48).

Re:Privacy apps - LBE (0)

Anonymous Coward | about 2 years ago | (#41853041)

So you should burn the space [on a space limited device] for every possible language dictionary for a keyboard just so it only pulls them when doing a full update?
No, how it's done is selecting additional dictionaries in settings and the app would download just those ones.
Thus it would need internet access.

Re:Privacy apps - LBE (1)

h4rr4r (612664) | about 2 years ago | (#41853073)

What 100MB max? Oh noes!

Or here in good design land we keep those dictionaries in separate apps and use the google market to get them.

Rationale for Internet permission on IME (1)

tepples (727027) | about 2 years ago | (#41852875)

> Why does a keyboard need internet access?

An input method might need Internet access to download autocorrection dictionaries for multiple languages, or to download messages from sponsors to keep the application free for you to use.

Re:Privacy apps - LBE (1)

TimeOut42 (314783) | about 2 years ago | (#41853015)

Excellent, run your phone rooted so when you do sideload a malicious app it will have full access to your phone.

Re:Privacy apps - LBE (1)

h4rr4r (612664) | about 2 years ago | (#41853129)

After it asks for su. How about you just don't approve it?

Or maybe leave root off unless you need it at that moment.

Only If you Allow Them? (1)

mrpacmanjel (38218) | about 2 years ago | (#41852627)

I have an S3 and downloaded a few apps. Before installation you're told what permissions the app wants on your device.

E.g. the Facebook app seems to want every permission it can get its grubby hands on thus I've chosen not to install it.

Unless app developers are using workarounds.

Funnily enough it is no surprise that many of the "free" apps seem to want the most permissions.

Re:Only If you Allow Them? (1)

rvw (755107) | about 2 years ago | (#41852725)

> I have an S3 and downloaded a few apps. Before installation you're told what permissions the app wants on your device.
>
> E.g. the Facebook app seems to want every permission it can get its grubby hands on thus I've chosen not to install it.
>
> Unless app developers are using workarounds.
>
> Funnily enough it is no surprise that many of the "free" apps seem to want the most permissions.

For facebook I use Firefox. Works great although maybe a bit less fluent, and no worries that it will upload my contact list.

Re:Only If you Allow Them? (0)

Anonymous Coward | about 2 years ago | (#41852791)

Honestly, why do you care? Facebook just wants those permissions for its features. Mark Zuckerberg isn't rubbing his hands together mumbling "mrpacmanjel, I have you now!"

The whole concept of this article is flamebait. 25% of android apps don't know shit about me, I've got maybe 30 apps out of hundreds of thousands. Minuscule.

Re:Only If you Allow Them? (1)

bickerdyke (670000) | about 2 years ago | (#41852903)

> Funnily enough it is no surprise that many of the "free" apps seem to want the most permissions.

I never was surprised by that because ad-financed apps need the most dangerous permission: unlimited internet access.

Fine grained options (2)

photonic (584757) | about 2 years ago | (#41852633)

They should add more fine-grained permissions, so that for example an application would only require 'access to ad-server' instead of full network access. And please make some clear policy that gets enforced, i.e. applications that do ask for more permissions than they need get banned until the problem is fixed.

Re:Fine grained options (0, Informative)

Anonymous Coward | about 2 years ago | (#41852685)

So what you want is an iPhone right?

Re:Fine grained options (1)

h4rr4r (612664) | about 2 years ago | (#41852767)

Not if he wants to know what his apps are doing.

iPhone has no mechanism for that at all.

Re:Fine grained options (0)

Anonymous Coward | about 2 years ago | (#41853009)

The only way to catch things going on with an iPhone is to install Firewall IP and PMP, then watch the dialogs pop up. You will be surprised at how many tracking/behavioral monitoring/ad slinging/"experience enhancement" sites most apps connect to routinely.

I encountered an app that would do statistics on a picture. Said app actually uploaded the picture to a website, then pulled values back from that instead of calculating from the app itself.

iOS 6 guarding the contacts and photos is a step up. However, the only thing protecting iOS 6 is Apple's brutal and rigorous gatekeeping. If that slips, it will be a field day for exploiters.

It would be nice if Google would start a tier of their Play Store and actively vet some apps. Android has some semblance of security, and with an active gatekeeper, could be very secure.

Re:Fine grained options (1)

tuppe666 (904118) | about 2 years ago | (#41852789)

> So what you want is an iPhone right?

Apps that send details about you include Facebook, Twitter, Foursquare, Instagram and LinkedIn, heard of any of these!

Re:Fine grained options (1)

errandum (2014454) | about 2 years ago | (#41852893)

The difference is, if an iPhone does that, there is nothing you can do, since it might be happening behind your back.

If you see your flashlight app uses the internet or GPS, you can skip it.

Re:Fine grained options (2)

tepples (727027) | about 2 years ago | (#41852897)

No. An iPhone would cost $297 extra for a developer certificate that covers the three-year life of the device, and that's assuming that I switch to a Mac on my next computer purchase.

iPhone apps just sue you (0)

gelfling (6534) | about 2 years ago | (#41852665)

for using iPhone apps.

Re:iPhone apps just sue you (1)

rvw (755107) | about 2 years ago | (#41852923)

> for using iPhone apps.

Iphone apps just use you

FTFY! ;-)

You know nothing, Jon Snow (1)

MatrixCubed (583402) | about 2 years ago | (#41852717)

It's unfortunate that apps' knowledge of you is granted with a nebulous single-screen laundry list and OK button, similar to the click-through EULAs of what seems to be a bygone era.

Yesterday's legal violation is today's privacy violation.

Re:You know nothing, Jon Snow (1)

h4rr4r (612664) | about 2 years ago | (#41852805)

Each one has a nice explanation next to it, like so:

Hardware Controls: Take pictures and Videos

System Tools: prevent phone from sleeping.

If you cannot be bothered to read the simple English explanations you are beyond all help.

Re:You know nothing, Jon Snow (2)

GIL_Dude (850471) | about 2 years ago | (#41853191)

You make it sound simple. It does, indeed, look simple. But when an app wants to "Read Phone State" - is that so that it can quickly get out of the way when the phone rings or is it so that it can send your phone number (and the numbers of the people who call you) to a remote server? Some actions that it could take by acting on "Phone State" data would be things users would want, other things it could do would be things users definitely don't want. For example, a game I saw on TWiT.tv's show "All About Android" called "Flow Free" requires this:

READ PHONE STATE AND IDENTITY
Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

So is it going to store my phone number in a database somewhere? Is it simply going to avoid trying to send data if a phone call is active? We, as users, have no way of knowing. And, if they made the permissions even more granular, we would never be able to successfully wade through all of them. I need someone smarter than me to fix the design. But the design as it exists today is largely useless.
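An added example, not part of the comment above or of any tool named in this thread: one way a reviewer can narrow the question the comment raises is to read an app's declared permissions together, since READ_PHONE_STATE only becomes a way to send the phone number to a server when INTERNET is requested alongside it. The manifest below is constructed for a hypothetical app, and the permission grouping is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Grouping is this example's assumption, following the thread; not an Android API.
SENSITIVE = {
    "READ_PHONE_STATE": "phone number, serial number, call state",
    "READ_CONTACTS": "address book",
    "ACCESS_FINE_LOCATION": "GPS location",
    "CAMERA": "pictures and video",
}
COSTS_MONEY = {"SEND_SMS", "CALL_PHONE"}

# Constructed manifest for a hypothetical puzzle game.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the short names of all platform permissions requested."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX):
            names.add(name[len(PREFIX):])
    return names

def review(manifest_xml):
    """List (permission, note) pairs worth a closer look before install."""
    perms = declared_permissions(manifest_xml)
    if "INTERNET" in perms:
        reach = "INTERNET also requested, so the app itself can upload it"
    else:
        reach = "no INTERNET requested, so the app cannot open sockets itself"
    findings = [(p, f"{SENSITIVE[p]}: {reach}")
                for p in sorted(perms & set(SENSITIVE))]
    findings += [(p, "can incur charges") for p in sorted(perms & COSTS_MONEY)]
    return findings

if __name__ == "__main__":
    for perm, note in review(SAMPLE_MANIFEST):
        print(f"{perm}: {note}")
```

The output still cannot say what the app does with the data, only whether the declared permissions give it a direct path off the device.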

Re:You know nothing, Jon Snow (1)

h4rr4r (612664) | about 2 years ago | (#41853283)

You bitch that this is not granular enough and that more granularity would be too hard. So you are pretty much fucked. No amount of design can fix your disinterest.

Welcome to life.

But why does the application need this permission? (1)

tepples (727027) | about 2 years ago | (#41853223)

But why does a particular application need to 'take pictures and videos' if it's not primarily a camera application or to 'prevent phone from sleeping'? Better yet, why does the application need 'full Internet access'?

Re:But why does the application need this permissi (1)

h4rr4r (612664) | about 2 years ago | (#41853267)

How do you think you get access to the flash?
How much clearer can "prevent phone from sleeping" be?

Torch does not need full internet access.

Connection between video and flash (1)

tepples (727027) | about 2 years ago | (#41853305)

How do you think you get access to the flash?

I didn't immediately see the connection between "take pictures and videos" and use of the flash. Perhaps Android should introduce a finer-grained permission "operate camera flash", and have "take pictures and videos" imply this.

Re:You know nothing, Jon Snow (1)

tuppe666 (904118) | about 2 years ago | (#41852895)

It's unfortunate that apps' knowledge of you is granted with a nebulous single-screen laundry list and OK button, similar to the click-through EULAs of what seems to be a bygone era.

Yesterday's legal violation is today's privacy violation.

It's nothing like an EULA, which is many pages of legal mumbo-jumbo and is designed to restrict your rights; they even stop class-action lawsuits. That is very different from a small list that identifies the access rights of the program. I agree this method is less than perfect, but it is nothing like the draconian EULA.

What we need is name and shame (3, Interesting)

e065c8515d206cb0e190 (1785896) | about 2 years ago | (#41852753)

We need a website listing apps and what permissions they require vs use.

Developers will start paying attention when their apps are publicly shamed.

Re:What we need is name and shame (0)

Anonymous Coward | about 2 years ago | (#41853145)

Already done. In fact Google even put it together for us! Check it out. [google.com]

Lets Mention Apple (4, Informative)

tuppe666 (904118) | about 2 years ago | (#41852755)

Let's have a little balance

http://www.huffingtonpost.com/2012/02/15/iphone-privacy-app-path-facebook-twitter-apple_n_1279497.html?ref=mostpopular [huffingtonpost.com]

Facebook, Twitter, Foursquare, Instagram all send email addresses and phone numbers to their local servers.

The whole thing blew up and ended up with US congressmen sending letters to Tim Cook. This was February this year.

"This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts."

Butterfield and Waxman then quote parts of Apple’s iOS developer website which states that Apple provides a comprehensive collection of tools and frameworks for storing, accessing and sharing data. It is then questioned whether Apple requires apps to request user permission before transmitting data about a user."

Re:Lets Mention Apple (0)

Anonymous Coward | about 2 years ago | (#41853077)

Yes, because the four apps in your link are equivalent in scope to the 100,000 apps mentioned for Android....

I wish for optional capabilities (1)

blogan (84463) | about 2 years ago | (#41852773)

I wish I could use "optional" permissions. If the user doesn't want to give me access to something, that's fine. But if you want to integrate a whiz-bang feature that requires SMS, you either scare off people or have to make a separate app.

Re:I wish for optional capabilities (1)

h4rr4r (612664) | about 2 years ago | (#41852821)

Some ROMs allow users to disable certain permissions.

I would love to see that in AOSP. If an app needs advertising to survive and the user blocks networking it can check for that and just refuse to run until the user enables it. That is the best of both worlds, you can get the permissions you need and I can decide if you really need them.

You have no idea on iPhone Apps (1)

Anonymous Coward | about 2 years ago | (#41852829)

You really don't. I trust Android better this way.

Yeah (3, Interesting)

errandum (2014454) | about 2 years ago | (#41852835)

That study is irrelevant. Most of those apps don't know that because they need to, but because they are free and the adverts do.

Do the same study on paid apps. For example, GPS location access is not present on any of the games I bought so far.

I just got an android and it's plain scary. (4, Insightful)

Jartan (219704) | about 2 years ago | (#41852927)

The way things are set up on stock Android is a nightmare. The supposed "Walled Garden" doesn't even exist. Android doesn't have malware/viruses because "legit" apps can walk right in and do whatever they want. Want to steal all your users' contacts and use them for spam? There's a built-in API for that.

I was trying to download a widget for screen brightness and 99% of the free ones wanted internet access permissions. It was just absolutely atrocious.

The only redeeming feature is how easy it is to root and fix.

Re:I just got an android and it's plain scary. (1)

godrik (1287354) | about 2 years ago | (#41853023)

I know I will be criticized for that, but if you want one, you can write one! It is not hard to make a widget for android. Of course, there might already be an OSS app to do that. Look in the list of fdroid.

Re:I just got an android and it's plain scary. (1)

Hatta (162192) | about 2 years ago | (#41853155)

Like usual, everything is better when it's open source [f-droid.org].

Re:I just got an android and it's plain scary. (1)

h4rr4r (612664) | about 2 years ago | (#41853177)

Or you could just not install any applications that ask for those permissions. Is that so hard?

99% of the brightness widgets want internet access? Sounds like you just found a new winning idea. Make one that does not.

Re:I just got an android and it's plain scary. (0)

Anonymous Coward | about 2 years ago | (#41853281)

Free apps tend to want to show you ads. And for that they need internet.

Android tells you this so you can choose not to install them.

But I guess you want the free, but not pay with the viewing of ads.

A name for this (1)

Inf0phreak (627499) | about 2 years ago | (#41852929)

I really like the name that phk (of FreeBSD and Varnish fame) came up with for permissions required for apps like that: chernobyl bits.

It has a really nice ominous and "this is wrong and you shouldn't do it" ring to it.

Versus desktops? (2)

Eric Coleman (833730) | about 2 years ago | (#41852933)

That operating systems like iOS and Android even give someone the ability to see that certain permissions are required, and by the complement, that there are permissions that are not required, is a step in a good direction. That granularity feature is absent in desktop applications--essentially all permissions are granted by default. For all I know pkunzip could have been keeping track of all those file_id.diz it encountered in order to build a profile of me, then dialing some BBS to upload the statistics to. That might seem implausible, but since there was no central authoritative repository to download pkunzip, it came from a BBS. That BBS could have replaced it with its own custom version for tracking.

The larger point is that desktop programs could have been doing for years what people are worried about with tablet and phone applications.

That said, it still creeps me out to see a solitaire game needing access to my address book. Maybe this is a case of "out of sight, out of mind."

Re:Versus desktops? (1)

godrik (1287354) | about 2 years ago | (#41853071)

I typically run untrusted applications on my machine under a different user account (firefox is one of them) which cannot access anything from my "real" user account. It is easy to set up!

Possible vs. easy (1)

tepples (727027) | about 2 years ago | (#41853255)

But how easy is it, under operating systems that come on home PCs sold in retail stores, to set up applications under multiple user accounts to display windows on the same screen? Secure won't get used unless secure is easy.

I'm going to start carrying 2 phones (3, Interesting)

TheGratefulNet (143330) | about 2 years ago | (#41852987)

one that is the smartphone (portable computer) and that will not have sms, cell service, address book, etc. rooted and firewalled and monitored.

2nd phone would be a dumb phone that has no networking at all in it, simply just to send and receive voice calls.

until there is a hard boundary (enforced, like a true barrier) between the soft apps and things that can cost you money (dialing out, stealing your contact list or local data), it just does not seem worth it to bundle all your stuff into one box.

sure, it's convenient but the trust model is not good enough.

more and more, I just leave the smartphone home and use it as a wifi only device. at least I know that no sms BS is coming thru and no outgoing calls or wan connects could ever happen that would be costly or info-leaking.

seriously, I'm demotivated to invest more of my personal info on a box that I have less and less control over.

Re:I'm going to start carrying 2 phones (1)

tepples (727027) | about 2 years ago | (#41853273)

That sounds like what I've chosen to do: carry an Android PDA and a prepaid dumbphone. I pay per year what a lot of smartphone customers pay per month.

Bizarre headline (0)

Anonymous Coward | about 2 years ago | (#41853047)

100% of smartphone apps know nothing about me, except the ones that I've made myself.

DroidWall (5, Informative)

brouiller (1934318) | about 2 years ago | (#41853057)

I root all of my Android devices and install the DroidWall app. It allows me to block network access to any app regardless of whether you give them permissions when installing. It's allowed me to download and use many apps that I would otherwise not have used because they wanted network access. It even lets you decide if you want to block the app on WiFi, cell data, or both.

erp.h. (-1, Offtopic)

Anonymous Coward | about 2 years ago | (#41853149)

quuareled on BSD machines 40,000 coming bought the farm...