Fifth of Android Apps Expose Private Data

WrongSizeGlass writes "CNET is reporting that a fifth of Android apps expose private data. The Android market threat report details the security issues uncovered. Dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mail and text messages, phone call information, and device location. 5% of the apps were found to have the ability to make calls, and 2% can send text messages, without the mobile user doing anything."

Notifications

[TyFoN]

And you are notified when installing in red letters exactly what the application has access to.
News flash: 100% of your pc applications have access to your file system!

Re:well well

[Petron]

It still looks bad.

As stated over and over here, you get warned in *BOLD RED LETTERS* "this app will want access to..." before you install. according to the article's posting, iPhone doesn't warn you.

there has been quite a few apps I declined to install because... why does a little game want access to my call history? [Cancel Install]

Re:bogus interpretation

[ZenDragon]

While I am not going to spread the FUD and agree with wholly with the statements of vulnerability, I would have to ask why ANY app would need "Full Call Permissions" in the first place? Furthermore, why would android allow that at all? Theres no reason why any of these apps need some of the access that they are requesting. For example; why does Dictionary.com request "Phone Calls" access? Im not one to cry foul without proof, but I do believe there does need to be some oversight in the Android market to prevent apps from requesting unnecessary access.

Re:Operative words

[DJRumpy]

Some of these seem alarming to me:

Directly call phone numbers?
Why does the maps app need access to the phone state and identity?
Why would it it need to modify SD Card contents (caching?)
Why would it need to record audio?

If these are typical of prompts seen by an everyday computer user, they wouldn't understand the implications, and they would click 'ok'. We see this every day in computing.

• Services that cost you money: directly call phone numbers
• Storage: modify/delete SD card contents
• Phone calls: read phone state and identity
• Hardware controls: record audio

Re:Operative words

[Pojut]

So now you're pissed that it doesn't work like Vista-era security by asking if you want allow or not? Make up your mind, people! Sheesh!

Re:Operative words

[droopycom]

The differences between Android and iPhone are: (AFAIK)

- There are much less of these APIs on the iPhone than Android (eg: I dont think there is any API to access your email from an iPhone App, or make phone call or SMS without user confirmation)

- Android's user confirmation is at install, while iPhone's user confirmation is when the app try to use a particular API for the first time (eg: when it tries to use location) And the app can keep running even if the user denies it the right to use a specific service.

All in all, the iPhone security scheme is much more conservative, with the side effect that you cant do as many things in an iPhone app as you could in an Android App. For example, you could probably write an android app to could automatically navigate phone menus (eg: "For billing press 1" kind of things) while this is probably not possible for iPhone.

Apple is betting that their conservative approach will be more appealing for users if they dont have articles like this one coming out. Google is betting that their open approach will be more appealing to developers, but if more article like this come out, Android will become like windows security wise. It does not matter if it is true, or if it is a matter of user giving permissions, its all a matter of perception.

Very limited risk

[bgspence]

So any app that want's to access sensitive or private information or incur expensive charges must be designed to include features that might require permissions to convince users to OK those security rights. That limits potentially malicious apps to the category of useful apps as opposed to lighter flames or fart apps.

Users look at granting permissions with as much detail a they do clicking through license terms. They just don't bother to download the sources, check each line of each file for potential bugs or maliciousness, and build the apps from the downloaded and vetted source. Most simply assume the permissions granted will be used for the stated or implied feature requirements. Most normal software use is based on trust. The user trusts that the developer uses the powers granted in a trustworthy manner.

Android developers are always trustworthy. Thats why we rarely have malware, viruses or security exploits based on the developer misleading users. Steve Jobs lives in that alternative universe where some software developers might be tempted to misuse the permissions users click through. I live in that somewhat paranoid universe, too. I don't want to grant permissions to big name corporations who limit their ethics to "Don't be Evil." Evil is a line in the sand way beyond "Nasty" or merely "Bad". It probably includes lots of "Illegal" or "Unethical".