Why Users Don't Trust Mobile Apps

snydeq writes "Fatal Exception's Neil McAllister writes of the growing unease among consumers around mobile data privacy, and how this distrust will impact mobile app development. 'When every week seems to bring another news story about a data breach resulting in the theft of customer data, customers are growing increasingly jealous of their privacy. Given the unique nature of the data to be found on smartphones, it's only natural that they have begun to view mobile apps with a skeptical eye. If you're developing apps that use customers' mobile data, you need to do more than recognize these realities. You need to develop a policy that places secure, ethical, and appropriate handling of user data at the core of your application development process.'"

Wow

[0123456]

It's almost as though downloading random apps from the Internet to run on a device you use for personal information might be a bad idea.

Re:

[chemicaldave]

Lets be honest, there's no accountability on the part of mobile app developers. Before you download an Android app it asks for permission to use certain features, but the developers aren't required to say how they'll use those features, or what they'll do with it. The markets that distribute these apps should be obligated to compel developers into disclosing what their apps do with your information.

Re:

[Zumbs]

But they actually have to say that they use those features. This allows a user to make a much more informed choice of installation than I get on my Windows 7 computer. If an app needs access to something, I do not think that it should, I just pass it up. So single player game + internet access = no-no.

Re:

[h4rr4r]

The average schmo has access to google so lets check. Lo and Behold:
http://www.womenwithdroids.com/2011/03/deciphering-permissions-read-phone-state-and-identity/ [womenwithdroids.com]

An article written to explain just this to the average Dick and Jane.

Re:

[Missing.Matter]

That website sounds like a support group for women with a disease called droids.

You have no choice if you want to use it

[traindirector]

Lets be honest, there's no accountability on the part of mobile app developers. Before you download an Android app it asks for permission to use certain features, but the developers aren't required to say how they'll use those features, or what they'll do with it.

And what's worse is that despite having a fairly granular permissions system, the end user is totally denied any ability to selectively remove permissions. Want to remove Internet access from an application that doesn't need it? Tough luck--Google knows what's best for you.

And then they try to say they don't add this because 90% of users wouldn't use it. So? Bury it deep down in a menu somewhere that only people that really care will find it. The fact is it would be simple, but Google just doesn't want the

Re:

[h4rr4r]

All that would change is free apps would check if you gave it the permissions it wanted and if not tell you to enable them. I suspect paid apps would as well, many of those still sell data if they can.

Google is still an advertiser first and foremost. Microsoft nor Apple will pass up this "free" money either.

Re:

[traindirector]

All that would change is free apps would check if you gave it the permissions it wanted and if not tell you to enable them. I suspect paid apps would as well, many of those still sell data if they can.

If an app told me it needed a permission when I tried to use that permission, that would be a great improvement. Then I would have some more information on which to make the decision of whether to grant it.

If an app on start-up complained about every permission it didn't have with no explanation as to why it needed it, that would be great as well, as I would instantly know it's an app I don't want.

Re:

[Zan Lynx]

Why would the app even know?

"I'd like a network socket please."
"Sorry, the user is not connected to the network."

"I'd like the Contact List please."
"Sure! Here it is, all 0 contacts."

"I'd like to send a text message."
"Ok! Message sent." (to /dev/null!)

These things could be done by custom ROMs and I'd be surprised if they're not already being done by somebody.

Re:

[h4rr4r]

Because then you refuse to run when you can't connect to the network, No contacts is also a dead give away. What you really need is to fake access to a very slow network connection, one that corrupts data too. Contact lists and stuff like that would need to also be fake not empty.

This would take lots of development on top of the standard, not sure any rom does this.

Re:

[Zebedeu]

Because then you refuse to run when you can't connect to the network

Yes, but then the user at least has the chance to get suspicious. "Why does this solitaire game require network so badly that it won't even let me play a game?"

What you really need is to fake access to a very slow network connection, one that corrupts data too

That would result in the same problem. The rogue app would simply fail if it couldn't communicate properly with its server.
For all solutions you can think off, there will be a check which will be possible to make from within the app.

I think the best way to do ensure security is to do it like old J2ME did it: every time an app needs to do something wh

Re:

[h4rr4r]

Sure, but we want a check that fails based on probably real life scenarios not the user killed your permissions.

Cyanogenmod 7.1

[traindirector]

These things could be done by custom ROMs and I'd be surprised if they're not already being done by somebody.

It's not in any ROMs yet, but a patch is being considered for inclusion in Cyanogenmod 7.1 [cyanogenmod.com] [javascript required]. Here's the related issue thread [google.com].

It will be great if this is included in custom ROMs, but I strongly feel one shouldn't need to void the device warranty for this simple, important, easy-to-implement feature. Google has no (good) reason for failing to include this in AOSP, and this is becoming more apparent by the day.

Re:

[h4rr4r]

Yes they do have a good (for them) reason. Google is an advertiser, this will hurt them.

What we really need is a law stating that this does not void the warranty. A Moss Magnuson act for phones.

Re:

[nschubach]

Cyanogen is working on it or has a solution. I have not followed it as close as the main issue because Cyanogen is something very few have (relative to the core Android build) http://code.google.com/p/cyanogenmod/issues/detail?id=2814 [google.com]

Re:

[Draek]

And then they try to say they don't add this because 90% of users wouldn't use it. So? Bury it deep down in a menu somewhere that only people that really care will find it. The fact is it would be simple, but Google just doesn't want the user to have this power over her device.

No, Google merely knows that people bitch much less when they can't do something on their device than when they can, but in a manner that's not entirely straightforward at first. Weirdly enough.

Compare and contrast OSX with Linux for a clear example.

Re:

[traindirector]

I suspect that selective permission removal is the main reason why most developers avoid Blackberrys. It's an equally capable platform as any other smartphone

Is it really? I haven't tried to develop for it, but something tells me that's not the case.

I mean, you can't make your app rely on ads (Internet permission you can simply turn off), etc.

Sure you can. You can include pre-selected ads in your APK. With updates, you can move them in and out of rotation. What you can't do it collect, exploit, and sell users' personal information. This isn't about advertising in any traditional sense--it's about selling knowledge of you and your activities, which is quite different.

I think Google did this to strike a balance between users and developers.

Maybe that's how they see it, but there is no balance here. Giving all the power to the de

Re:

[slapout]

Several developers do. But what's to keep them from lying?

Re:

[traindirector]

But what's to keep them from lying?

The ability to remove permissions you aren't comfortable with.

Except, oh wait, they decided users shouldn't have that ability.

Re:

[gfxguy]

Yup... I think about what the application does and what it needs to know. I wanted a CNN app, for example, and the app created by the folks at CNN wants to read my phone's identity. Why? There's an app created by the android team, and all it asked for was net access... guess which one I installed.

I wanted a dictionary... Dictionary.com's app wanted to track my location... I found another dictionary app that just wanted net access. Guess which one I installed.

I've only had a "smart" phone for about a mon

Re:Wow

[tripleevenfall]

The thing is, they CAN'T be upfront about how free apps get converted into revenue. All these "markets" (facebook, etc.) revolve around harvesting consumer data.

People don't want their information harvested, and will say "No" to that if confronted honestly.

But that blows the trend we've seen in recent years where you can use software for free that we used to walk into a store and buy in a box for $50.

Will we go back to the $50 model, or will people surrender privacy in exchange for "free"?

Re:

[Cwix]

I have a hard time imagining alot of these places actually make 50 dollars per person. Some maybe, most.. I'd hazard a guess of no. So because I'm going to guess that ad based revenue might only be 5 or 10 dollars a person per program, I'd be glad to purchase most of the software I needed for 15. Developers get a little bit extra, and I don't have my private data scraped and sold off to the highest bidder. Win-win in my book.

Re:

[Cwix]

If there cant be a happy medium where I get to keep my privacy, and the developers get fair compensation, then I'm not interested. I'm not the only one either, more and more people are not interested.

Re:

[AliasMarlowe]

If there cant be a happy medium where I get to keep my privacy, and the developers get fair compensation, then I'm not interested. I'm not the only one either, more and more people are not interested.

Have you tried Privacy Blocker [android.com]? It claims to be able to strip code for certain accesses from apps. I have not tried it, so don't know whether they're just blowing foam or not.

Re:Wow

[h4rr4r]

I take the third option.

I don't pay for the linux kernel, so far Mr. Torvalds has not stolen nor leaked my Credit Card data. I buy Crossover from Codeweavers, the folks who make Wine just to support Wine. I use Wine instead though, and still Alexandre Julliard has not sold my private details to scammers and advertisers.

I could go on, but you see where I am going. You are putting forward a false dichotomy. None of the above come in a $50 box and still my information is not sold to every scumbag with a marketing degree.

Re:

[tripleevenfall]

Well, as soon as we get the Year of Linux on the Desktop out of the way I'm sure the whole world will adopt this model.

(insert obligatory snoot about "It's been on MY desktop since 199x!") :)

Re:

[h4rr4r]

Obligatory snoot about "It's been on MY desktop since 199x!

I suggested as an alternative, not as the only choice. If you want to go another route then go for it, but pay cash and/or privacy your choice.

That reminds me, GOG has witcher without DRM, better go see if it runs in wine.

Re:

[Tetsujin]

Well, as soon as we get the Year of Linux on the Desktop out of the way I'm sure the whole world will adopt this model.

(insert obligatory snoot about "It's been on MY desktop since 199x!") :)

You must be really happy - you posted a really standard troll, and anticipated the easily-predictable response. Wow, you've really got an amazing understanding of Slashdot.

Free has no Credit Card Number

[Kamiza Ikioi]

People paid for the Playstation Network. They walked into a store and paid a LOT more than $50 for a box. I don't hear any of them lauding the uber awesome privacy of pay-vs-free.

Free doesn't include your credit card number. How's that for privacy?

Re:

[tlhIngan]

Do you really think half the users even know what all the technobabble you're asking for even means? The reality based on what I've seen and heard from others is that if you're upfront about what you do with data and permissions people get spooked and don't want the app even if it's harmless, but if you don't say a word about it then people don't even give it a second thought and happily download the app.

It's partly why the Android model isn't that great, either. It's good to enumerate and require the servi

Re:

[nschubach]

What if you had the ability to select permissions? (or globally deny everything permission to your contacts, etc.)

Google has stated that it does not intent to allow user control of privacy. It expects the application developers to determine what they need and "only take one cookie"

There have been countless posts on the issue tracker, but the primary one they keep pointing to is marked: WorkingAsIntended [google.com]

Some folks in the thread have written letters to their representatives, others mostly complain in the th

Re:

[jedidiah]

> It's almost as though downloading random apps from the Internet to run on a device you use for personal information might be a bad idea. ...except mobile apps (at least on the iThing) are supposed to be "curated".

It's not just data on the phone, Watson

[trifish]

People might worry about their data stored in their mobile phones, but what worries me more is that they forget about the built-in microphones and cameras.

Android permissions

[traindirector]

Android already has a great permissions system by which an application is granted permission to access functions of the phone and the Internet connection on a fairly granular level.

However, even though they have already implemented this system that could allow the user to control what an application can do on her device, Google has chosen to restrict the end user from obtaining greater privacy and security by restricting an application's permissions. Through the user interface, one must either grant all permissions to an application or choose not to install the application--a single permissions cannot be removed.

There is a small argument to be made that this makes things easier for developers, but how hard is it to gracefully handle not having certain permissions? For many features like GPS and Internet connectivity, Android could simply respond as if they are turned off if permission is denied. Some members of the Android development team have tried to spin the lack of user permission settings as a benefit to the user with the argument that "if users can disable permissions arbitrarily, then developers will have no incentive to minimize the amount of permissions they declare their applications need, and the average user will be less secure". This is the only somewhat rational explanation I have gleaned from there responses, and while there might be a small bit of merit to that and certain developers might really believe that, I think on the whole it is misguided.

I believe Google's real goal is to make sure the user has no control over permissions, only a binary install / not install, because they're an advertising company with an interest in your data being sold. They continually ignore this permissions issue even though they have acknowledged it is among the top Android security complaints [google.com].

Re:

[tripleevenfall]

For what it's worth, Blackberry has a much more granular permissions system.

But it doesn't seem to base its revenue model on the same things.

Re:

[h4rr4r]

That and it has a terrible OS, horrible user interface and in general sucks.

Heck the OS is so bad they bought QNX, just so they could have an OS that did not suck.

As to their revenue model, I believe they base that on selling your private information to dictators and despots instead of advertisers.

Re:

[traindirector]

As to their revenue model, I believe they base that on selling your private information to dictators and despots instead of advertisers.

In that case it's not selling. It's simply the price of doing business in India, China, Pakistan, the U.S., etc.

Permission Blocker

[traindirector]

Has anyone written an app for android that let's the user set permissions?

One exists: Permission Blocker [android-hilfe.de]. Though it likely still has bugs and there hasn't been an update from the developer for a while.

I've tried it personally, and it works as described, although it doesn't seem to read packages XML perfectly (it failed to list the permissions for Firefox, though all other applications on the test device listed their permissions, which could be disabled). It requires root access and a reboot after each change. Denying some permissions forces applications to Force Close because the

Big deal

[tripleevenfall]

I see this as having a huge impact for the market for apps and what kinds of apps can be developed.

The situation is developing where users don't want to give apps access to anything on the phone other than the data pipe, except for maybe a mapping application or something with an obvious need. This is really going to limit where apps can go.Because of the sins of Apple (and others), people don't trust the platform as much as they used to.

Instead of being a device we voluntarily turned over information to in order to expand its role in our life, we are starting to see it as something that needs to be reigned in, controlled, watched like a hawk.

Formerly people happily used Windows and IE to bring the internet into their lives. Now these are items you don't trust, you run several other programs on top to police them, etc.

It's really a shame that this greed for personal information to sell has set back the role that palmtop tech may otherwise have headed toward in our lives.

Re:

[tripleevenfall]

Personally, I was on the brink with smartphones anyway. I have owned blackberry, android, and iphone devices. Most recently, an iphone.

The privacy issues combined with the huge data plan expense, bandwidth caps - and the fact that most of the time I'm near PCs anyway - these things just made it feel like there are better things I can do with that $30-40 a month.

The fact that I was able to go back to a dumbphone while selling my iphone online for what I paid for it, 6 months later, was helpful too.

Re:Smartphone

[TaoPhoenix]

Burn the Contract Break Fee and then do a prepaid plan.

The point of a Smart Phone is the features and the "boring" apps like the calculator, and the nicer rendering in Safari. I despised my dumbphone with a passion - I don't call anyone much.

"Apps" themselves are brilliant - people often only have 7 must-use features and don't need $80 programs to cruise through their day.

Also Apple made the entire industry wake up and pay attention to UI for once.

Which U.S. prepaid smartphone carrier?

[tepples]

Burn the Contract Break Fee and then do a prepaid plan.

Which U.S. prepaid smartphone carrier do you recommend? I looked at Verizon's prepaid plans, and some of them were more expensive than contract plans. Is the Samsung Intercept on Virgin Mobile USA any good?

Re:

[nabsltd]

I looked at Verizon's prepaid plans, and some of them were more expensive than contract plans.

You cannot get an unlimited data plan with any of Verizon's "pay for what you use" prepaid plans. Since you must have a unlimited data plan for any smart phone (if you want data at all), you effectively can't have a smart phone on a true prepaid plan on Verizon.

The "prepay for a month of up to X minutes" plans are really just like the contract plans without the contract, so you can get unlimited data with those. Even if they are less money, you'd have to pay about $350 more for the smart phone without a c

Re:

[gfxguy]

My Virgin Mobile plan is $25/month for unlimited data and text messages, and 300 minutes call time (you can pay more to get more call time, but I don't talk on the phone for more than a couple of hours a month).

I have the LG Optimus V.

Re:

[TaoPhoenix]

AT&T GoPhone.

You even get a free Meatloaf Commercial to watch!
http://www.youtube.com/watch?v=o5YMVO7-8ns [youtube.com]

I'm not sure about the terms ("unlimited talk and text") in the ad mean, but I just paid for $100 in minutes. The point of the $100 pack is that they have the longest expiration (I want to say a year but I forget.)

The point was that since it was an iPhone and I was already on AT&T anyway, I just gambled that the fewest hassles would be staying in carrier. The "store" rep at the mall warned that we

Near PC != near Internet

[tepples]

and the fact that most of the time I'm near PCs anyway

When I'm on the bus to or from work, I'm near a PC (my laptop), but this PC doesn't have Internet access. Some people subscribe to mobile broadband for exactly this use case.

Re:

[tripleevenfall]

By "sold for what I paid for it" I mean I conducted a transaction whereupon someone paid me an amount of currency that was roughly the same as the amount of currency I paid the carrier to give me the phone in the first place.

ETF included or not?

[tepples]

the amount of currency I paid the carrier to give me the phone in the first place.

That would be $200 to start the contract and $350 to terminate it early. Are you including the ETF in the effective price of the phone or not?

Re:

[tripleevenfall]

I didn't terminate it early. I switched to a dumbphone. Removing the data plan does not void the contract.

Re:

[tepples]

I buy my phones outright and use prepaid plans. I have a smartphone but only pay for data when I want or need it. I pay $10 per year to keep my phone active.

Which U.S. carrier[1] offers such a prepaid plan? And do you buy your phones outright from the carrier or elsewhere? If from the carrier, are its phones locked down like AT&T Android phones, where a customer has to register with AT&T as a developer in order to get the ADB drivers that will let the customer sideload?

[1] I'm assuming U.S. because it's the biggest developed market that uses a currency whose symbol is $.

Re:

[h4rr4r]

T-mobile I think has a data only when you want it plan. I know they sell uncrippled phones outright as well.

AT&T-Mobile

[tepples]

T-mobile

I don't want to rely on a plan that AT&T will more likely than not cease to offer once it completes its acquisition of T-Mobile USA.

Re:

[h4rr4r]

I totally agree, I just wanted to answer your question.

I would rather stick with verizon at this point than risk that T-mobile will become AT&T. I would really consider moving to a regional carrier rather than AT&T if it came down to it.

Re:

[Kuukai]

I don't think so. Everyone I know regularly uses all sorts of Android apps that require permissions they don't need. Last I checked you can't even find a free Japanese input program or even an emulator on the marketplace that doesn't require internet access. And at least one of these isn't much more than a privacy-invasive wrapper of gpl code. There was that article a while back about how the vast majority of apps send back user information, and with this as the norm there's often nothing a user can do

Re:

[tripleevenfall]

Exactly - there's no benefit to a company in developing a nice, free, safe application. Either they need ad revenue, or people have to start paying for software again.

Re:

[Cajun Hell]

Exactly - there's no benefit to a company in developing a nice, free, safe application. Either they need ad revenue, or people have to start paying for software again.

Or people have to stop thinking of "companies" as where you get commodity software. How much do you pay for a kernel these days? (Or a media player or web browser or text editor or file manger?) These things are worth a lot but it wouldn't even occur to me to buy them; you don't get these things from "companies," you get them from the repos

Re:

[h4rr4r]

So port it yourself or pay someone to do it.

The FOSS community adapt to the app store model?
Are you fucking insane? They invented it. An app store is just a shiny frontend to a rather poorly done repository.

Re:

[jedidiah]

...the real problem here being the fact that those that run "app stores" are jack*ss control freaks and they set up their terms of service specifically to keep Free Software out.

So you immediately lose the software do-gooder crowd that might provide software for free without it being some scam.

What you are left with are varying degrees of amoral scum.

Re:

[Kuukai]

I honestly wasn't aware of that because I haven't tried yet. What restrictions are at play in Google's marketplace?

Re:

[h4rr4r]

The only one I can find is the entry fee. There is lots of GPL software available in the market.

There are three stores on my Archos 43

[tepples]

in many cases this software exists and is free, it's just not ported

How easy would it be to port a substantial application from Windows to Android? As I understand it, a lot of the toolkits on which an application relies might themselves not be ported.

or in the store

There are three stores on my Archos 43 Internet Tablet: AppsLib, which came with it; Android Market, which I installed with ArcTools; and Amazon Appstore, which I installed by downloading its .apk. The stores have different criteria for inclusion and different overheads on each developer's part. Which store are you referring t

Re:

[h4rr4r]

He surely means from linux to android. From windows to android would be such a huge changes as to practically be a total rewrite of all but the most basic applications. Even from linux to android it will at the very least have to be ported to java or invoked with java and use the NDK.

Re:

[Kuukai]

Additionally there are Android apps (for instance OpenWNN, which handles the Japanese input I mentioned), that already exist, that are free, and are included with some distributions but not available on the Market as anything but "enhanced" bloatware. Yes when I have some time I'll be happy to distribute it myself (I already said "do it yourself" is an option), my point is that this hasn't been done, instead there are multiple repackagings.

Re:

[h4rr4r]

I suggest you then sell the GPL code and a non-privacy invasive wrapper. Then you can make a $1 each and provide a needed service.

Re:

[slapout]

I don't think you can blame Android for the fact that most sdcards come preformatted for fat32.

Re:

[slapout]

I can understand being given the choice. But I can also understand them not wanting a situation where a customer gets upset because they can't take the card from their phone and plug it into their Windows machine and access their files.

Which real Linux file system for Windows?

[tepples]

This is all caused by the fact that android uses fat32 for the sdcard instead of a real linux filesystem.

Which in turn is caused by the fact that Windows out of the box is incapable of mounting "a real linux filesystem" on the USB flash drive that an Android device emulates.

Re:

[gfxguy]

Really? I didn't know that... many applications ask for permission to write to the SD card, so I assumed that ones that don't can't.

Re:

[mangu]

It's really a shame that this greed for personal information to sell has set back the role that palmtop tech may otherwise have headed toward in our lives.

It's not only palmtop tech that has been affected. Back in 1994 I read an article in a magazine about comet Shoemaker-Levy 9 [wikipedia.org]. I found the author's email and wrote him with some questions, he promptly answered me. These days I doubt my email would have got past his anti-spam.

Shazam! This makes me one Angry Bird!

[Maxo-Texas]

I'm just a Cube Runner and I don't have a degree in Physics but I don't want some stranger to Take Me to My Car by reading my location file.

Yelp! I'm going to have Words with Friends and dance the Fandango if they have been sharing my information. I may use Device Locater but I don't want others to. Siri ously. They can build their own Empire and Tunein to their own location data but not mine!

How about this?

[killmenow]

"If you're developing apps that use customers' mobile data..."

How about not writing mobile apps that store user's data?

Very few apps need to store user data. Companies aren't using the data because the apps need it. Their ad stream needs it. Which reminds me: if you're not paying for a product/service (google, facebook, slashdot, reddit, etc.) you're not the customer...you're the product.

Re:

[h4rr4r]

Which reminds me: if you're not paying for a product/service (google, facebook, slashdot, reddit, etc.) you're not the customer...you're the product.

So who exactly is the customer of Debian? Wine? XFCE? LibreOffice?

That wide brush might be useful for painting a house, but what you are trying to do now requires a little more detail work.

Re:

[Draek]

But even if you are paying for a product/service (cable TV, movies, portable devices with 'exclusive' stores, etc) you may still be the product rather than the customer, it just may be harder to realize at first.

Subsidized by privacy invasions

[TaoPhoenix]

Old & Busted: Shareware
New Hotness: Low Orbit Privacy Cannons

Why are we simultaneously whining about threats to national security and purposely tricking users into leaking sensitive info?

Re:

[geekoid]

I don't know who the 'we' is you talk about. I do know that the Feds are taking this seriously and have a committee to study it. The first meeting is next week.

Re:

[Attila Dimedici]

OOh, they have a committee to study it, now that's what I call taking it seriously. Will it be like Obama's blue ribbon panel to study the deficit? You know, the one whose suggestions he ignored? BTW, this is in no way unique to Obama, when some problem that politicians don't want to tackle becomes of concern to voters, they generally appoint a committee to "study it". Then when the committee releases their findings, the politicians will try to ignore them.

Re:

[TaoPhoenix]

... In May 2011. Really.

It's WWII's Loose Lips Sink Ships problem, except this time we think the enemy is Terrorists.

These data sharing patterns were emerging some seven years ago, just after the trauma of the Dot Com Bust wore off.

For priorities, compare their response to privacy leaks by sneaky corps to their response to wikileaks when their own backyard was leaked. Will that meeting address the Sony disaster?

I know /. is tracking me

[ackthpt]

Why shouldn't everyone else?

Who is in control?

[kent_eh]

Is it possible that people are discovering that life isn't all roses and sunshine inside the walled garden?

Perhaps people actually like to be able to have some amount of control over the things that bought and paid for?

I wasn't sure this day would ever come. I think I'll go and celebrate with a nice walk to a neighborhood restaurant.
Seriously, I'm pleased if this is really what is happening.

No they aren't (more concerned about privacy)

[SuperKendall]

When every week seems to bring another news story about a data breach resulting in the theft of customer data, customers are growing increasingly jealous of their privacy

Project much? As long as you aren't losing CC data, people are as unconcerned as they ever were. The rapid growth of Facebook is exhibit A, and enough to close that argument down.

Not that app makers should not strive to protect a users privacy anyway, but it's a very small (yet vocal) minority of people that are attempting to paint this a

Sunshine solves all.

[kurt555gs]

Makes a good point for GPL licensed software, now doesn't it?

Re:

[The Moof]

Nah. An open source app can collect just as much data as a closed source one. Average users won't do a code review (and, honestly, most tech savvy users won't either). Even with a code review, I'm sure that some programmers can get creative with the methods so they aren't so easily detected.

Give the users control.

[egburr]

How about the smartphone OS developers providing more granular control to the users to allow/restrict apps' access to specific functions?

Re:

[tepples]

What would motivate an end user to learn how to operate such granular controls?

People trush FF Plugins

[rsilvergun]

and they trust the app store. You just need a trusted central authority reviewing everything. My Firefox Plugin [mozilla.org] has a binary component in it to make the MP3s, so every time I submit a new version it takes a week or two to show up on Mozilla's site, but the awesome thing is they review it for me so that my users don't worry I'm trying to pull a fast one.

Re:

[thePowerOfGrayskull]

I agree, but there's a difference of scale here; and add that there's no source code available to the reviewers for most apps. There is only so much that they can do when they have thousands of apps and updates to get through every day.

Not only privacy

[wcrowe]

Not only is privacy an issue, there is the fact that the app may be nonexistent when you go to use it.

Well, let's see a device that can....

[gestalt_n_pepper]

1) Report your location
2) Perform any financial transaction
3) Scan UPC and other computer codes
4) Has a camera, sometimes front and back
5) Can pick up sound and conversation

and... (Drumroll please) report all this back to a central authority anonymously. The ghost of Stalin must be green with envy. And the best thing is, the people actually pay for this themselves!

What next, a site that compiles all personal information of all suspected subversives, er, "friends" and the people those "friends" are connected

Re:

[nschubach]

5) Can pick up sound and conversation

Except for your first one, which happens even with a dumbphone as cell towers will log your location, all of the other things are optional features that you don't have to use if you don't want to.

http://www.zdnet.com/news/fbi-taps-cell-phone-mic-as-eavesdropping-tool/150467 [zdnet.com]
How do I not use that feature?

On what basis?

[thePowerOfGrayskull]

On what basis does he think that consumers are starting to care more about privacy? A few comments on some apps?

In reality... the awareness simply isn't there. The all-or-nothing approach taken by Android doesn't help much: because you have to grant every requested permission or deny the app entirely, android installer is simply another form of windows UAC: it encourages people to click 'yes' without considering the consequences. You might have some vocal minority speaking out against excessive permissi

Like... Google itself?

[joh]

Since I learned that AdMob sends my location data tagged with the Unique Device ID of my phone to Google, I'm very much wondering if even Google has actually realized that there may be problems with that approach. WP7 sends the very same data that the iPhone saves into its local database right home to Microsoft, also with the Unique Device ID.

It's not just the apps, really.

Sigh. Citation please.

[gilgongo]

TFA has no evidence what-so-evar to back up its claim that people don't trust mobile apps any more or less than they do any other type of app (hell, even freakin' MS Office asks if you want to supply "anonymous data" to Redmond). Well, unless they're saying that "prominent lawmakers" == consumers.

This is just some random journo opinion. You'd have thought it would have maybe fired up Surveymonkey or something for some attempt at a citation.

Re:

[Cajun Hell]

You don't just need a network firewall; with the modern mobile platforms you really need an API / IPC firewall. And it should come with optional honeypots too.

Re:

[traindirector]

Google does. Applications need to specifically be granted permissions to access data services.

Except you can't remove internet permission from something that requests it, even though that would be so simple it hurts . You know what I call that? Google fail.

Sure, it's better than Apple, but what kind of a bar is that? It is still far from good, and would be so simple to fix

Re:

[h4rr4r]

You can, it just is not idiot easy. There are firewalls for android, and iptables is available as well.

Re:

[traindirector]

It requires a root-able, rooted device running a compatible kernel. Why should you have to turn to a bunch of guys you don't know on a forum somewhere to provide such a basic and important feature?

What does it say about the state of mobile security when it is rational to trust people on an android fan forum to build your software more than you trust a company that has a lot to lose and should have a strong sense of responsibility?

Re:

[h4rr4r]

You don't have to go trusing them. It is a linux kernel, compile your own.
You don't even need root to do that, just the ability to flash a kernel onto the device.

What does it say about the state of mobile security when it is rational to trust people on an android fan forum to build your software more than you trust a company that has a lot to lose and should have a strong sense of responsibility?

That it is exactly the same as the desktop?
 

Re:

[traindirector]

You don't have to go trusing them. It is a linux kernel, compile your own.
You don't even need root to do that, just the ability to flash a kernel onto the device.

You shouldn't need to void your warranty for this protection.

That it is exactly the same as the desktop?

I will give you that. Although it is much easier for an application to extract your personal information on a phone.

I can tell you would argue that we shouldn't expect more from companies, and I agree.

But shouldn't we demand it anyway, especially when it is possible and would be so easy for them to do?

Re:

[h4rr4r]

I completely agree with all your points. There are a couple options here to get what you want; Use "FREE" software, sunshine being the best disinfectant, or use regulations.

Otherwise it is foolish to expect any other outcome.

Re:

[h4rr4r]

Rooting does not present another issue if you do it correctly. Root the phone then flash the OS back on without the apps you do not want.

I would just recommend going right to CM7 if your phone is supported though.