Study: Be Mindful of Your Android App Permissions
While iPhone users are busy worrying about Apple's latest admission that it can share your precise location with its partners, Android users are being warned to keep an eye on the permissions of the apps they download.
A new report claims that as many as a fifth of all Android applications allow a third-party application access to sensitive or private information. CNet reports that, according to a recent report from security firm SMobile Systems, five percent of 48,000 downloadable apps in the Android marketplace can place calls to any number without the user doing anything and 3 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges.
SMobile Systems' report says 5,783 applications in the Market request three or more notable permissions, with notable permissions being ones that grant access to personal identifying information, location or service that could be used maliciously. Twenty-nine applications were found to request the exact same permissions as known spyware (and have been categorized and detected as such by SM), and eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable.
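The screening criterion described above (three or more notable permissions) can be applied to a single app's manifest. The following is an added example, not code from the article or from SMobile Systems: the `NOTABLE` list is an assumed grouping, since the report's own list is not given here, and the manifest is a constructed sample assumed to be already decoded from the APK's binary XML to text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed grouping of "notable" permissions (personal data, location,
# chargeable services, device disabling); not the report's own list.
NOTABLE = {
    "android.permission.READ_CONTACTS": "personal data",
    "android.permission.READ_SMS": "personal data",
    "android.permission.READ_PHONE_STATE": "personal data",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CALL_PHONE": "places calls",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.BRICK": "disables device",
}
THRESHOLD = 3  # the article's "three or more notable permissions"

def requested_permissions(manifest_xml):
    # Collect every <uses-permission android:name="..."> in the manifest.
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def review(manifest_xml):
    # A flag means "worth a closer look", not "malicious".
    perms = requested_permissions(manifest_xml)
    notable = {p: NOTABLE[p] for p in perms if p in NOTABLE}
    return {"package": ET.fromstring(manifest_xml).get("package"),
            "notable": notable,
            "flag": len(notable) >= THRESHOLD}

# Constructed sample: decoded manifest of a hypothetical game.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simplegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Simple Game"/>
</manifest>"""

if __name__ == "__main__":
    result = review(SAMPLE)
    print(result["package"], "flag for review:", result["flag"])
    for name, why in result["notable"].items():
        print("  ", name, "->", why)
```

A flagged app is only a candidate for a closer look: a security tool that sends SMS on the owner's behalf requests the same permissions as an app that abuses them.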
"Just because it's coming from a known location like the Android market or the Apple App store doesn't mean you can assume that the app isn't malicious or that there is a proper vetting process," Dan Hoffman, Chief Technology Officer at SMobile Systems, is quoted as saying.
Spyware is becoming more of a problem as the smartphone market continues to grow at a rapid rate. With these kinds of devices becoming more affordable and all kinds of people developing applications, it's hardly surprising that some people are developing apps to harvest information on the sly.
Check out the report for yourself here (pdf warning).
[Updated at 09:15 PT to better reflect the SMobile report and to include comments from Google] Google's Jay Nancarrow has refuted the claims made by SMobile Systems, highlighting the fact that Android users must give an app permission to access any and all information. Nancarrow also states that all devs must go through billing background checks to confirm their identities and any apps deemed to be malicious are removed.
"This report does not signal any security issues in Android. It falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app get users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious."
SMobile Systems concedes the vast majority of apps developed for Android are safe, but goes on to warn that users have no way of knowing if an app is only doing what it's supposed to.
It seems the biggest problem SMobile Systems has is that a lot of people just click 'accept' when Android notifies them of the access certain applications require.
"The fact remains that there is no means available for a user to know for sure that the app the user just downloaded is doing only what the user sees it doing. One must look at the permissions requested to determine what the application's true capabilities might be."

The fault is of Google for not properly supervising the Android marketplace, and then of the customer for not reading the damn EULA before installing unknown software.
Rain maker makes rain...
Much better analysis of the situation.
http://www.informationweek.com/new [...] d_IWK_News
It amazes me how every 1/2 assed online tech writer just repeats the crap they read somewhere else.
^+1
In other news, Windows computers are boring and every one of them comes with millions of viruses pre-installed. I swear, I saw it in a commercial made by Apple, a completely independent third party company with no vested interest in portraying Windows PCs in a negative light.
Seriously, this is now like the 20th website I've seen this same "report" (read: advertisement). It's from a company that makes anti-malware software for android (among other OS's). Of course they are going to say that android apps are all malware. How long does it really take to realize this? It amazes me to see people discussing this like it's a legitimate report.
Jane,
I'm with the Google Communications team. This report does not signal any security issues in Android. It falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app get users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious.
I would appreciate it if you would update your article. You will also probably be curious to note the changes that have been made to the CNET article you cite.
Jay Nancarrow
Google Communications
Thanks Jane!!!
I guess.... there is no smartphone that is safe.. unless we stay with the one that nobody uses...lol
Though some common sense definitely helps.. but to be honest.. quite a few apps did do a good job to make us believe it is real... like the famous Bank of America app for Android...
Why give the stats to Android and then later mention Apple w/o giving their stats? Sounds biased here...
Rain maker makes rain... Much better analysis of the situation. http://www.informationweek.com/new [...] d_IWK_News It amazes me how every 1/2 assed online tech writer just repeats the crap they read somewhere else.
hmm... thanks for providing the story from another side (google).
However, just like I do not believe everything Apple said... I do not believe 100% what Google says too.
Just like the article you have pointed out... even the author said
"The doubling of malware and spyware in the last six months is significant," he said.
No matter if it is 1 out of five or not... the danger is definitely there.
People just need to stay on the common sense more and well.. download and pray...
Why give the stats to Android and then later mention Apple w/o giving their stats? Sounds biased here...
Remember ... Apple has a "big brother" there... "nobody is supposed to steal your information.... unless it is from me!!"...
lol
At first I thought this was going to be something about spyware and such but it's info that every android user knows since when you install an app it tells you what parts of the OS it has access to and what it will be able to do! Wave secure can send "hidden" text messages, does that make it malware? Umm no, it's one of the best android security apps out there!
I had a Droid, but when it's calling people that are on my friend's contact list on the same plan...and every simple game I install has access to things like my contact list...I start to take issue. I'm sorry but it's Verizon or Google's fault, but that phone I can tell you has some major issues with security.
Next up: Tinfoil underwear and carbon credits
Lol. Let's see the same study done on the AppStore... oh wait, no one has the balls to do that... they'd have a law suit faster than they could say Frozen Yogurt.
Boh,
I think this is still nice compared to Facebook or even Apple (with their new "auto-proclaimed" right to pick-up and share info on where you are using your Eye-Phone (big brother?))...
Pro apple bias again.
After realizing even on Anand's site they are afraid of showing iStuff in a bad light, removing it from comparison photos, not to demonstrate how badly they suck (contrast, for example) I am not surprised.
PS
http://www.dula.tv/blog/wp-content [...] s-ipad.png
@ kartu 06/24/2010 11:39 AM
))))) That's funny, vvvv funny. best post
hahahahaha
10+
and is true
hahahahaha
Amazing though how a "report" about a security risk is being brushed away by some apparent Droid fans. Apparently Apple fanboys are beaten into submission and don't use this opportunity to bash Android. At the same time all this defensive attitude is fun to watch too. (Now if it would read "Apple" instead of Android ... )
Repeat or not, it's something to be aware of on probably every system, but the magnitude should make people think about where they place their trust. I've been thinking this many times, what if a "developer" decides to snoop out your online banking data and what else sensitive you're doing on your phone ... .
I had a Droid, but when it's calling people that are on my friend's contact list on the same plan...and every simple game I install has access to things like my contact list...I start to take issue. I'm sorry but it's Verizon or Google's fault, but that phone I can tell you has some major issues with security.
just watch what apps you download... read what they're accessing before u install. this happens on all mobile apps. google is just the first to actually warn you what they're accessing
I hate to sound like some college frat douche, but ARTICLE FAIL!
Jane, I'm with the Google Communications team. This report does not signal any security issues in Android. It falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app get users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious. I would appreciate it if you would update your article. You will also probably be curious to note the changes that have been made to the CNET article you cite. Jay Nancarrow, Google Communications
+1000
pwned...
Jay great reply. While you are checking over your app security check the app "What the Doodle". In particular when someone successfully adds you as a "friend" within the application.
It's really simple. Before you install a program, the OS will list everything that the program wants to have access to. READ IT. If you don't like what it has access to, DON'T INSTALL IT. Or you can even email the developer and ask him why the program needs access to this info. I've done that and almost every developer has responded within a day or two
And the Facebook S! application has the permissions to dial telephone numbers, and so on.