Android Bug Cellphones Handhelds Software

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

New submitter Brett W (3715683) writes: The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.


  • Re:Not surprised (Score:5, Informative)

    by Anonymous Coward on Monday July 28, 2014 @12:19AM (#47547473)

    I'm really surprised that mine is the first comment to mention F-Droid. [f-droid.org]
    Why does anyone install an app on Android that didn't come from F-Droid?

  • by stephanruby ( 542433 ) on Monday July 28, 2014 @12:22AM (#47547479)

    Oh, and block apps from writing to most of the external SD card, but they can do whatever they want to the internal one. Guess Google doesn't like privacy or SD cards.

    That's just incorrect. For the internal memory, an app can't overwrite another app's private data, it can't even read it without special interfaces (assuming a non-rooted device). An external SD card on the other hand is deemed insecure by definition since it can easily be pulled out and placed into another device. So an external SD card was chosen as an easy way to store, share, and manage media files between different applications.

  • by tepples ( 727027 ) <tepples.gmail@com> on Monday July 28, 2014 @12:29AM (#47547509) Homepage Journal

    Why does anyone install an app on Android that didn't come from F-Droid?

    I can think of two reasons. One is that someone might be using a hand-me-down Android device from the first year that AT&T sold Android phones, and these devices support only Google Play Store, not Unknown sources. But though I have a cousin whom this affects, I imagine few others are still on a Galaxy S 1 Captivate. A more common reason to use non-free Android apps is that free software has shown itself to be poor at producing compelling original video games. Free software works when there's a clear spec, which is true of libraries and productivity apps. But apart from maybe roguelikes, games are less specified up front unless it's a clone of an existing game, such as Aisleriot, Frozen Bubble, or StepMania. A non-free game's developer can afford to put more time into creating both the spec and the implementation.

  • by Zaelath ( 2588189 ) on Monday July 28, 2014 @01:13AM (#47547643)

    Mmmm, Android moved "unacceptable" into "not unusual" at the same time and said a lot more apps "require no special permissions", despite needing Device ID, GPS, and storage access. You know. For a torch app.

  • Re:Laziness (Score:5, Informative)

    by dgatwood ( 11270 ) on Monday July 28, 2014 @01:43AM (#47547725) Homepage Journal

    Code recycling is one thing, but not understanding what that code does when you put it into a production app or not following best practices is another. As Android gains popularity as a platform to develop for, we're going to lose quality as the new folks jumping onto the bandwagon don't care how their apps work or look beyond the end goal. This mentality is already popping up with Android Wear developers who cram as much information as they can on the screen and claim that design guidelines are "just recommendations."

    The exact same thing happens on every other platform, though perhaps to varying degrees. I refer to it as the Stack Overflow effect. One developer who doesn't know the right way to do something posts a question. Then, a developer who also doesn't know the right way to do it posts how he or she did it. Then ten thousand developers who don't know the right way to do it copy the code without understanding what it does or why it's the wrong way to do it. By the time somebody notices it, signs up for the site, builds up enough reputation points to point out the serious flaw in the code, and actually gets a correction, those developers have moved on, and the bad code is in shipping apps. Those developers, of course, think that they've found the answer, so there's no reason for them to ever revisit the page in question, thus ensuring that the flaw never gets fixed.

    Case in point, there's a scary big number of posts from people telling developers how to turn off SSL chain validation so that they can use self-signed certs, and a scary small number of posts reminding developers that they'd better not even think about shipping it without removing that code, and bordering on zero posts explaining how to replace the SSL chain validation with a proper check so that their app will actually be moderately secure with that self-signed cert even if it does ship. The result is that those ten thousand developers end up (statistically) finding the wrong way far more often than the right way.

    Of course, it's not entirely fair to blame this problem solely on sites like Stack Overflow for limiting people's ability to comment on other people's answers unless they have a certain amount of reputation (a policy that is, IMO, dangerous as h***), and for treating everybody's upvotes and downvotes equally regardless of the reputation of the voter. A fair amount of blame has to be placed on the companies that create the technology itself. As I told one of my former coworkers, "The advantage of making it easier to write software is that more people write software. The disadvantage of making it easier to write software is that... more people write software." Ease of programming is a two-edged sword, and particularly when you're forced to run other people's software without any sort of actual code review, you'd like it to have been as hard as possible for the developer to write that software, to ensure that only people with a certain level of competence will even make the attempt—sort of a "You must be this tall to ride the ride" bar.

    To put it another way, complying with or not complying with design guidelines are the least of app developers' problems. I'd be happy if all the developers just learned not to point the gun at other people's feet and pull the trigger without at least making sure it's not loaded, but for some reason, everybody seems to be hell-bent on removing the safeties that would confuse them in their attempts to do so. Some degree of opaqueness and some lack of documentation have historically been safety checks against complete idiots writing software. Yes, I'm wearing my UNIX curmudgeon hat when I say that, but you have to admit that the easier programming has become, the lower the average quality of code has seemed to be. I know correlation is not causation, but the only plausible alternative is that everyone is trying to make programming easier because the average developer is getting dumber and can't handle the hard stuff, which while p
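The comment above contrasts the copy-pasted "disable chain validation" answer with the rarely posted alternative: keep validation, but replace the CA check with a pin to the self-signed certificate's key. The following Java example is added here to show both side by side; it is not code from the comment, from Slashdot, or from the researchers' study. The `TrustEverythingManager` is the pattern the comment warns about, `PinnedTrustManager` is the replacement, and `PIN_SHA256_HEX` is a placeholder the app would fill with the SHA-256 of its server's SubjectPublicKeyInfo at build time.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** The copy-pasted "fix": every certificate from every issuer for every host is
 *  accepted, so any network attacker can impersonate the server. Shown only as the
 *  anti-pattern; an app must never ship this. */
final class TrustEverythingManager implements X509TrustManager {
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

/** The replacement the comment asks for: a self-signed server certificate is accepted
 *  only if its public key hashes to a pin compiled into the app. Expired certificates
 *  are still rejected, and hostname verification is left at the platform default. */
final class PinnedTrustManager implements X509TrustManager {
    private final byte[] expectedSpkiSha256;

    PinnedTrustManager(byte[] expectedSpkiSha256) {
        this.expectedSpkiSha256 = expectedSpkiSha256.clone();
    }

    /** SHA-256 over the DER-encoded SubjectPublicKeyInfo, the same value an operator
     *  would compute from the server certificate when producing the pin. */
    static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity();  // reject expired or not-yet-valid certificates
        // Constant-time comparison so a mismatch does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expectedSpkiSha256, spkiSha256(leaf))) {
            throw new CertificateException("server public key does not match the pinned key");
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client certificate authentication not supported");
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

public final class PinnedClient {
    // Placeholder: replace with the hex SHA-256 of the real server's SubjectPublicKeyInfo.
    static final String PIN_SHA256_HEX =
        "0000000000000000000000000000000000000000000000000000000000000000";

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Opens an HTTPS connection whose server identity is checked against the pin.
     *  The default HostnameVerifier is deliberately left in place. */
    static HttpsURLConnection openPinned(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(hexToBytes(PIN_SHA256_HEX)) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical host; with the placeholder pin the handshake is expected to fail.
        HttpsURLConnection conn = openPinned("https://api.example.invalid/");
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two design points are worth calling out. The pin is over the public key rather than the whole certificate, so the server can renew a self-signed certificate with the same key without an app update, and a rotation requires shipping a new pin (in practice apps carry a backup pin for this). The example also keeps the platform's hostname verifier; the same copy-pasted answers often pair the empty trust manager with an allow-all `HostnameVerifier`, and removing either check alone still leaves the connection open to impersonation.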

  • Re:Not surprised (Score:4, Informative)

    by Dutch Gun ( 899105 ) on Monday July 28, 2014 @05:56AM (#47548325)

    How many reasons would you like? F-Droid has about a thousand apps to the Play store's 1.2 million. You have to install it through side channels. Relatively few in the mainstream have heard of it. None of the apps that people's friends or favorite websites are talking about are available on it. A quick peek at some of the new apps listed on the front page reveal these potential blockbusters:

    * A guessing game: try to guess a number between 1 and 100 in under eight tries
    * A ROT-13 encoder/decoder
    * An ASCII/Hex/Octal/Binary converter
    * Swimming distance calculator
    * TI graphing calculator emulator (no ROMs included)

    It surprises you that people aren't flocking to this in droves? Look, nothing against F-Droid. It's cool that people are doing this, but let's keep our expectations grounded in reality.

  • Re:Laziness (Score:4, Informative)

    by Lennie ( 16154 ) on Monday July 28, 2014 @07:23AM (#47548597)

    Crappy developers usually means: uneducated developers.

    They can get simple things done without understanding the whole system. They deliver something that sort of works. This makes them cheap labor.

    Why do we need cheap labor? Because of competition and a race to the bottom driven by consumer buying decisions.

    In a talk, Gabe Newell from Valve said that a free game got you 10x more users and 3x more profit (they for example get some money from people selling items inside the game). Not that they use cheap labor, they actually do the exact opposite. But it is just to illustrate how price is important.

    So free like the above is a profitable model, free and ad-supported might actually not be as profitable. I don't know how much money companies get for selling personal information. I assume it is more than the ads.

    So how do you solve that?

    I see a few possible ways:
    - education
    - create good open source libraries that prevent most of the bad things and cheap developers want to use.

    Now comes the kicker:

    Do you think HTML5-apps without any permissions by default on phones would be a better model ? :-)
    That would be a model similar to Javascript-code running in the browser on the desktop where the user is asked to allow access to the camera when needed.

    Actually, I do, but then again I actually do use a FirefoxOS phone to see what it is like.

    A lot of the time the hardware is bit underpowered so it can be sold in countries that currently still have a large number of feature phones or people not willing/able to pay for more expensive hardware.

    But still pretty impressive what they can get out of that cheaper hardware.

  • by johanw ( 1001493 ) on Monday July 28, 2014 @09:23AM (#47549171)

    "Android apps by default work off the internal SD card. It's actually a separate partition that's mounted at the same place as old phones used for external SD cards. You can't change the default to use an external card."

    Depends on the phone. I have a cheapass Android phone with only 4GB of internal memory, but it let me choose (out of the box, no root-only tricks here) whether I want the internal memory or the physical microsd card mounted as /sdcard0 or /sdcard1. The phone switches them if you like (and that is very recommended with this little internal memory).
