
Android Bug Cellphones Handhelds Software

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

New submitter Brett W (3715683) writes The security researchers that first published the 'Heartbleed' vulnerabilities in OpenSSL have spent the last few months auditing the Top 50 downloaded Android apps for vulnerabilities and have found issues with at least half of them. Many send user data to ad networks without consent, potentially without the publisher or even the app developer being aware of it. Quite a few also send private data across the network in plain text. The full study is due out later this week.
  • Laziness (Score:4, Insightful)

    by Anonymous Coward on Monday July 28, 2014 @12:03AM (#47547425)
    Code recycling is one thing, but not understanding what that code does when you put it into a production app or not following best practices is another. As Android gains popularity as a platform to develop for, we're going to lose quality as the new folks jumping onto the bandwagon don't care how their apps work or look beyond the end goal. This mentality is already popping up with Android Wear developers who cram as much information as they can on the screen and claim that design guidelines are "just recommendations."
  • by Tony Isaac ( 1301187 ) on Monday July 28, 2014 @12:12AM (#47547447)

    It doesn't matter if it is Windows, Mac, iOS, Android, or Linux, all software is full of bugs.

    For that matter, all of everything constructed by human beings...is full of defects, or potential defects, or security vulnerabilities. Your house, for example. You have a lock on your front door, but it takes a thief just a few seconds to kick the door in. Or your car...a thief can break into it in seconds, even if you have electronic theft protection. I'd call those "security vulnerabilities."

    It's the nature of all human creations, software or hardware, electronic or mechanical.

    So what do we do? We improve security until it becomes "just secure enough" that we can live with the risks, and move on.

  • by Anonymous Coward on Monday July 28, 2014 @12:13AM (#47547449)

    Fine grained permissions. Try denying an app access to your contacts in Android. Good luck.

  • Code Academies (Score:5, Insightful)

    by Fnord666 ( 889225 ) on Monday July 28, 2014 @12:17AM (#47547467)
    This is the sort of thing that you can expect when you put developers through a whirlwind coding course. They learn to use library after library without understanding the ramifications of their use. Need an ad network? Slap in a library. Need geolocation? Slap in a library. What you end up with are flashlight applications that want permission to read the low level system log. Then again, that's coding in the instant gratification world that we live and develop in today.
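The "flashlight app that wants to read the system log" case above is easy to catch before an app ships or is installed: compare the permissions a manifest declares against what the app's stated purpose plausibly needs, and flag anything sensitive that falls outside that baseline. The script below is an added example for this thread, not code from the article or the researchers; the manifest it parses is constructed, the flashlight permission baseline is a hypothetical policy, and the `android:usesCleartextTraffic` check (a real manifest attribute, but one added to Android after this 2014 discussion) covers the submission's other finding, data sent in plain text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
CLEARTEXT_ATTR = "{%s}usesCleartextTraffic" % ANDROID_NS

# Constructed sample manifest for a hypothetical flashlight app (not taken from the page).
# It asks for far more than a flashlight needs and opts into cleartext HTTP.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight" android:usesCleartextTraffic="true"/>
</manifest>
"""

# Hypothetical per-category baseline: permissions an app of that kind plausibly needs.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Permissions that expose user data or system internals. Any of these outside the
# baseline is the "flashlight wants to read the log" pattern and deserves a finding.
SENSITIVE = {
    "android.permission.READ_LOGS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def cleartext_setting(manifest_xml):
    """Return the android:usesCleartextTraffic value ('true'/'false') or None if absent."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return None
    value = app.get(CLEARTEXT_ATTR)
    return value.lower() if value is not None else None


def audit(manifest_xml, category):
    """Compare declared permissions with the category baseline and report findings."""
    declared = declared_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    unexpected = declared - expected
    cleartext = cleartext_setting(manifest_xml)
    return {
        "unexpected": sorted(unexpected),
        # The permissions that actually give access to private data or system state.
        "sensitive": sorted(unexpected & SENSITIVE),
        # Absent means the platform default applied; older target SDKs allowed cleartext,
        # so only an explicit "false" is treated as safe here.
        "cleartext_allowed": cleartext != "false",
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for key, value in report.items():
        print("%s: %s" % (key, value))
```

Run against the constructed manifest, the report lists `READ_LOGS`, `READ_CONTACTS` and `INTERNET` as outside the flashlight baseline, singles out the first two as sensitive, and notes that cleartext traffic is permitted. The baseline table is the part a reviewer would tune per app category; the parser and the sensitive-permission list stay the same.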
  • Re:Laziness (Score:5, Insightful)

    by AuMatar ( 183847 ) on Monday July 28, 2014 @12:24AM (#47547493)

    Design guidelines are just recommendations. Frequently bad ones. A developer should design the best UI he can, not follow what Google says regardless of whether it fits. And most developer guidelines, Google and Apple both, are crap.

    The problem is that the whole app movement has brought in a whole slew of crappy developers whose idea of coding is to search Stack Overflow or git for stuff to copy paste. They don't read it, don't understand how to use it right, and expect it to magically work. Worse, half of the people writing that code fall into the same category, so it's the blind reading the blind. If you pick a library off of GitHub and assume it will work, you deserve what you get. Unfortunately your users don't.

    These people have been around for a while (they used to be "web developers" and program by copy-pasting big chunks of JavaScript). The problem is that on a phone they can do more damage. In a world where the number of quality programmers is fixed and far less than the demand for programmers, how do you fix it? Making it easier to program actually hurts; you end up with those crappy coders trying to do even more. Maybe it's time to raise the barriers to entry for a while.

  • Ignorance is bliss (Score:3, Insightful)

    by WaffleMonster ( 969671 ) on Monday July 28, 2014 @01:21AM (#47547665)

    TFA is being much nicer than Google and many app vendors deserve.

    The whole ecosystem is engineered to reward bad behavior, w/ the complete lack of usable access controls speaking for itself.

    They need only do the minimum required to keep all hell from breaking loose and too many people bailing on the platform as a result.

  • by jmv ( 93421 ) on Monday July 28, 2014 @02:28AM (#47547835)

    Software on Internet-connected devices is a bit different from your examples though. No matter how insecure cars are, it would be really hard for me to steal a million cars in one night, let alone without being caught. Yet, it's common to see millions of computers/phones being hacked in a very short period of time. And the risk to the person responsible is much lower.

  • Re:Not surprised (Score:3, Insightful)

    by stephanruby ( 542433 ) on Monday July 28, 2014 @03:08AM (#47547943)

    Why does anyone install an app on Android that didn't come from F-Droid?

    Aside from the fact that I don't like any of the games [f-droid.org] F-Droid has to offer.

    It's because...

    Wait for it, wait for it...

    ...I don't really care. Believe it or not, but not everyone is as privacy conscious as you are.

  • by janoc ( 699997 ) on Monday July 28, 2014 @04:26AM (#47548135)

    The entire article is harping on 3rd-party ad network libraries stealing personal data and phoning tracking info home. As these are libraries and developers are re-using open source libraries, then it follows that "Open source is no free lunch" and is stealing your data. What a majestic leap in logic!

    They conflate open source libraries with various ad-network code stealing personal data, basically trying to portray open source code as being responsible for it. Never mind that the ad-network code is almost never open source.

    Granted, OSS is certainly not bug-free, but the spyware has little to do with it.

    What a load of ...
