20% of Android apps use private data - coderdude
http://www.readwriteweb.com/archives/android_opens_blinds_on_20_of_app_data.php

======
houseabsolute
It's a whitepaper by a security firm. Using my HouseAbsolute behavior-based
detection methodology, I have used various heuristics to detect that this
study is possibly BS. Some key factors in this detection, with exclamation
points showing how concerning an individual flaw is (! is the least, !!! is
the most. Note that all these points are regarding the researchers' whitepaper
itself.):

!!! The article makes a big deal out of a specific spyware application. This
wouldn't be very much of a problem if the application weren't openly described
by its authors as one whose sole purpose is spying on the phone's user. So why
make a big deal out of it!?

!! The article makes a big deal of the fact that some applications have
requested the same set of permissions that some spyware apps have. I can think
of no conceivable specific combination of permissions that alone would give
much information at all about whether or not an app is spyware. It also makes
a big deal of how nine applications can brick the phone without going into any
detail about the nominal purpose of these apps (i.e. does it make sense that
such an app behaving as described in the market entry for this app should need
to brick the phone).

! This article seems to imply that one would need any of these permissions to
harm the user. From my understanding of Android development, I believe that
any application can raise an intent to open a webpage in the browser, and the
url of that page could easily be used to transmit sensitive information even
with no permission at all. (I could be wrong on this one.)

!!! Any app that requests two of the permissions they label as sensitive is
marked as suspicious. This means that any app wanting to both access the
internet and do any of the following is considered suspicious according to
this study:

- Access coarse location.
- Write to the external storage.
- Send an SMS.

! The company behind this paper is trying to sell something that you would be
more likely to buy if you believed its results.

------
Adaptive
I enjoy RWR, but it's a bit sensationalist to use "seize" in that headline
when what they really mean is "access" and by access they mean "access after
explicit permission has been granted."

I do think there are issues to be addressed, and the article mentions apps
which can send premium text messages, an exploit vector which is more
concerning.

~~~
CitizenKane
Not to mention that in a lot of situations this is exactly the point. Twitter
can access contact data so it can add a person's twitter account into their
contact information. You might use a solution to synchronize your contacts
with a CRM so that you can follow up on potential leads. That's "seizing"
your data, but that's exactly what you want it to do in that case. This is
pure sensationalism and is exactly why journalism shouldn't be the practice of
copying press releases for the sake of some hits.

~~~
olefoo
The constant chasing after traffic is not a good thing for the new media
ecosystem, it leads to sites that glory in lots of low quality attention, and
a boring sameness to the novelties on parade. We need to find a way to
compensate creators based on the quality of their audience, rather than mere
quantity.

The only functional forces pushing in that direction at present are patronage
and pride. Patronage from the audience and pride from the performers.

------
barrkel
This seems to be a PR piece written by SMobile Systems ("enabling Secure
mobility") promoting their "new behavior-based detection methodology",
leveraging "heuristic-style technology".

One of their conclusions appears to be that "one must look at the permissions
it has requested to determine what the application's true capabilities might
be". Very heuristic.

Quotes from http://threatcenter.smobilesystems.com/wp-content/uploads/2010/06/Android-Market-Threat-Analysis-6-22-10-v1.pdf (PDF)

------
cheald
Ugh, sensationalist fluff. Android's permissions system is very clear and very
easy for the end user to understand. "This app might cost you money" on
install is pretty darned clear!

~~~
lut4rp
PEBKAC, sir. That's the problem.

------
lut4rp
The way this article has been titled, it screams "SENSATIONAL!!11 READ ME!!!".
Comes across as applications lock all your photos and messages and charge a
dollar a peek.

------
starlight
I thought you have to explicitly allow applications to access any data outside
their own directory?

~~~
aschobel
You need permission to access any user data (SMS, calendar, etc).

It is almost impossible to get data from another app if the author doesn't
expose it somehow (place it on SD Card, expose Content Providers).

~~~
brisance
>>Finally, 3% of all of the Market submissions that have been analyzed could
allow an application to send unknown premium SMS messages without the user's
interaction or authorization.<<

Could an independent Android developer comment on whether this is in fact
true?

~~~
Niten
I'm not privy to any statistics on the matter, but simply as an Android user I
can tell you that Android applications can't dial numbers, send SMS, etc.,
unless you explicitly grant them permission to do so -- and Android will tell
you, plain as day, that the application wants privilege to access "Services
that can cost you money".

