8% of Android Apps Are Leaking Private Information 159
kai_hiwatari writes "Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th. The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages."
Compared to... (Score:5, Insightful)
...100% of your Facebook apps! Nothing to worry about here, folks.
Re:Compared to... (Score:4, Interesting)
Compared to 100% of your Facebook apps! Nothing to worry about here, folks.
Data leakage is one thing, unwanted text messages (premium SMS services are big money) is another story entirely.
Re: (Score:2)
Re: (Score:2)
Yeah - I've seen apps like that - I even had one that wanted to send a "legitimate" text for activation, but only would only text from my phone, which was problematic for me because I have normal texting turned off because it is too expensive (I can send/receive texts on my phone, just through a different number using the Internet - the main problem is I need to know if the number has been ported when sending, and people need to know to use my alternate number when texting me), so I just deleted it. Some o
...and... (Score:4, Insightful)
Re: (Score:3, Interesting)
maybe it is misleading. Maybe it technically is authorized by your definition.
However, note that ALL apps with ads need internet access, and yet the internet access gives them access to the whole internet, not just the ad server.
This always concerns me when its simple apps that really dont need internet access other than to display ads. How would I know what the app is doing?
I'm normally against the walled garden approach but Google's complete hands-off thing is really starting to get serious. Its almost
Re: (Score:3)
Without knowing exactly what is being sent to these "unauthorized servers," this is just a red herring.
Re: (Score:2)
You may have more sensitive data on your pc, but its unlikely to be stored in well-defined and well-known places. With a phone, a malware-creator knows exactly what data they can access and exactly where it is. Its not the amount of data, its the combination of the data's usefulness and ease-of-access. The rest is up to social engineering - which is the weakest link in any system.
The fact that they can send ANYTHING to these unauthorized servers is bad.
The problem with Android's security is that without
Re: (Score:2)
Your PC has a firewall; or Peerguardian2. Or both.
Where is this functionality on Android so that I can confirm that an App on my phone is behaving as per it's claims?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So Facebook apps destroy privacy. However, that does not change the point that some Android apps are doing the same thing.
I agree. The big question now is whether Google will ban the 800+ apps from their marketplace. If they turn a blind eye to these revelations, then they're no better than Facebook and we can expect more app developers to datamine in the future. Personally, I have faith in Google to do the right thing, but we shall see. The last thing they want is for these data to justify Apple's stringent approval process.
Re: (Score:2)
That's my point. I didn't mean 'justify' in an objective sense, I meant in the minds of consumers. I guess I could have worded it better.
Re: (Score:2)
Fair enough. For 'justification' in the minds of consumers (where I used the term 'validation' in my post), I think the way things have worked out are pretty clear so far. Apple's downloads are far more trustworthy than Google's. More apps, more downloads, fewer security issues.
The flip side is to see what Google will do, but aside from adopt a more stringent review process, it will be difficult for them to keep malware (of varying types) from making it to their store. Their model is reactive. I can see why
Re: (Score:2)
There was a story just a few months ago about iOS apps doing the exact same thing. There was even a lawsuit filed at the beginning of 2011. I think people put way too much stock in the iOS approval process.
I wouldn't doubt it, but Apple has demonstrated time and time again their willingness to cut people from the app store for the most minor violations of the ToS. A developer puts their company at a much higher risk by trying to pull such shenanigans on the iPhone. Just out of curiosity, was there any statistics to accompany the iPhone story? I mean, I seriously doubt 8%+ iPhone apps do this sort of thing.
Poor security/subterfuge/sloppy coding (Score:5, Funny)
Re: (Score:2)
+1 Casablanca reference.
Re: (Score:2)
Out of curiosity, what is the original quote?
[Hangs head in shame for not knowing]
Re: (Score:2)
I couldn't wait for a reply. I found it on IMDB (of course):
Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!
Permissions (Score:5, Insightful)
Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".
The hashed phone number (Score:3)
Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity".
The IMEI doesn't ensure the user's identity, just that of the handset. Pull out the SIM and put it in another handset (assuming AT&T, the only U.S. nationwide provider for which this actually works and which isn't an acquisition target), and the subscriber's identity follows the SIM (hence the name Subscriber Identity Module).
They still have access to the phone number, why not fine-grain it
Yeah, why not? To ensure the user's identity, perhaps the OS should make available the hashed phone number: the application can make sure the subscriber hasn't changed but not use
Re: (Score:3)
Don’t know how large phone numbers get in your country but rainbow tabling phone numbers seems rather trivial for anyone with a reasonable amount money. They can can probably guess the first part which leaves only about 10 digits (7 where I live) of combinations to try and if they are given away in sequence way less. Anyone know how long that would take with a modern GPU.
You would probably have to make the method standard so you could not use unknown salt either.
Re: (Score:2)
Thinking about it I checked to see there was another only locally know number on SIM to hash it with but I could not see one on the wikipedia page.
If someone had have anticipated this they could have a stuck a sudo random key of reasonable length with no relation to the phone number to be hashed with the phone number and then providing a hash becomes a very good idea. But right now its a 33-34 bit key (someone might correct me) that can be hacked offline. And with openCL this is a few min and if its a short
Re: (Score:1)
And your algorithm was slow -- you probably recalculated the entire hash from the start for each number, for starters.
Fix that, and now consider using a GPU. You'll have your table in minutes.
You simply don't use md5 as a key derivation function if you know what's good for you. Nor SHA-1 or SHA-256 for that matter. You use bcrypt or scrypt or something else designed to be much more expensive than your standard hash algorithms.
Re: (Score:2)
Re: (Score:2)
You need to look up what a GUID is. http://en.wikipedia.org/wiki/Globally_unique_identifier [wikipedia.org]
http://stackoverflow.com/questions/2982748/create-a-guid-in-java [stackoverflow.com]
Re: (Score:2, Interesting)
Better yet, how about doing the intelligent thing and providing a UNIQUE identifier per APPLICATION. Not using the IMEI, but instead generate a UUID for each application to use as its unique id. Use a hash of some hardware value (like the IMEI) and the applications signature ( I assume apps have their own UUIDs in Android for identifying applications uniquely ).
Then they can uniquely identify a specific device has a specific app installed, they also won't be able to tell (if implemented properly) by using
Re: (Score:2)
Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".
The upshot of this would just be that developers would make apps that refuse to run unless you give them all the permissions they want. I'm imagining something along the lines of (pseudo-code incoming):
try{
obtainfeature();
} catch (FeatureNotGrantedException) {
showErrorDialog();
endProgream();
}
Re: (Score:2)
I have a friend who wrote an app that detects if you installed one of the many adblock software packages, tells you to buy the pay version and refuses to run if that's installed. The capability to scan what apps are installed in your phone is part of the API.
Re:Permissions (Score:4, Interesting)
http://slashdot.org/story/11/05/25/1221225/Cyanogenmod-Puts-Users-in-Control-of-Permissions [slashdot.org]
Re:Permissions (Score:5, Informative)
I remember someone had a /. sig with a link to a feature request for Android that users could simply choose which permissions they want to allow an app to have at installation. I think this was the link: http://code.google.com/p/android/issues/detail?id=3778 [google.com]. It seems to have a lot of support, but apparently we need more!
I also found this one too: http://androinica.com/2011/05/cyanogenmod-nightlies-secures-android/ [androinica.com]. I didn't read the link in much depth, but apparently it can do just what you describe if you root and install Cyanogenmod
Re: (Score:2)
This sig? ;)
Re: (Score:2)
Re: (Score:2)
This is unlikely all about permissions though. While I definitely agree with your point, this may very well be the same LogCat leak "uncovered" by lookout at DefCon of last year. Basicly what happens is lazy devs are writing personal info into the debug log. Other apps could read this with an innocous sounding "read logs" permission. It was a reader here at Slashdot who actually pointed it out to me (I write a guide for new users about Android permissions).
Of course, there may be more to it. And cert
Re: (Score:2)
Sure I have, and I said I agree with having more fine grained controls. But it's not that simple. There are downsides to that as well. Let me ask you this: how many applications have you downloaded to your computer that can access the hard drive?
Re: (Score:2)
Re: (Score:2)
I don't know. That sounds like a support nightmare.
I remember helping a friend whose computer suddenly stopped being able to access the internet, even though all of his settings were perfect and the computer was getting an IP address from the router just fine.
After an hour of checking everything I could think of I finally discovered what happened: he had one of those "firewall for dummies" installed. A dialog popped up saying "windows networking is trying to connect to the internet, allow / deny / block", a
Re: (Score:2)
Block their 'net access (Score:1)
Re: (Score:1)
How do you know when to deny net access?
An app that needs net access for it's main function can also behave maliciously.
Re: (Score:3, Insightful)
as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ....I know, I know.. but doing infosec configs on phone is still a more arcane deal than computers, plus I really don't want to have to root my android phone, to be able to trust it in the first place.
Perhaps if app permissions weren't 'set it and forget it', if the OS allowed us to go bac
Re: (Score:3)
as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ...
That's why I have a dumb phone that just makes phone calls and sends text messages and laugh whenever people talk about their phone being infected with malware.
Re: (Score:2)
Requires rooting (Score:5, Insightful)
LBE Privacy guard, Droid wall, or just a ADB terminal and iptables
Which requires 1. phones to have a security vulnerability that allows rooting, 2. users to know how to root a phone, 3. users to somehow learn that they should install a firewall on their phones, and 4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).
Re: (Score:2)
1. phones to have a security vulnerability that allows rooting
Or just getting a rootable phone from the get-go (such as the Nexus *)
2. users to know how to root a phone
If the user doesn't know how to root a phone (assuming an easily rootable device), should (s)he really be able to block specific functionality from the apps? Sounds like a support nightmare to me.
3. users to somehow learn that they should install a firewall on their phones
See answer above.
4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).
That applies to all 3rd party software.
Are rootable phones on prepaid carriers? (Score:2)
Or just getting a rootable phone from the get-go (such as the Nexus *)
I can't really afford $70 per month for phone service, and I imagine that a lot of other people have an entry-level Android-powered phone on a $25 per month plan, such as LG Optimus V or Samsung Intercept, because they're in the same position. The LG Optimus V was rootable as of January 31, 2011 [addictivetips.com], but the article appears not to have any updates as to whether it is still rootable. Are there any Android-powered phones that are 1. designed from the ground up to be rootable and 2. available on a pay-as-you-go ca
Re: (Score:2)
1. designed from the ground up to be rootable
I thought there were a few choices outside of the Nexus, but I don't really know. Motorola and HTC keep on promising easy unlock solutions, but AFAIK so far have delivered nothing. Didn't Sony-Ericsson have something in that area as well?
And how about the Nexus One? It should be coming down in price nicely, and it's still a damn good phone.
Even the Nexus S is around 2/3 of the original price these days, so that might be an option.
available on a pay-as-you-go carrier?
Sorry, I don't know the American market. My impression is that at least in Eur
The US market sucks (Score:2)
My impression is that at least in Europe it's cheaper in the long run to buy the phone unlocked and search for a provider on the side
And it's the exact opposite in the United States, where there are no truly unlocked phones. Each phone is either locked to Verizon (a CDMA2000 provider), locked to Sprint (a competing CDMA2000 provider), locked to AT&T (a GSM provider preparing to acquire the only other nationwide GSM provider), or "unlocked" GSM. The trouble is that "unlocked" GSM phones work only on GSM providers, and once AT&T buys T-Mobile's USA operations, GSM phones will work only with AT&T. And even if you buy your phone
Re: (Score:2)
Are there any Android-powered phones that are 1. designed from the ground up to be rootable and 2. available on a pay-as-you-go carrier?
Yes. Import one from China. They're all rootable, and they're all unlocked by default. I have a Ctone T01, which is a pretty decent phone in most respects. It has something pretty close to a stock Android 2.2 install, looks decent, and works as you'd expect.
They're all made in China (Score:2)
Import one from China.
They're all made in China. I assume you mean buy a phone not associated with a well-known worldwide brand. But do these have access to Android Market? And with which U.S. prepaid carrier would I activate a Ctone T01 should I decide to buy one? This announcement [shanzai.com] mentions GSM but not CDMA, leaving AT&T as the only choice once AT&T completes its acquisition of T-Mobile.
Re: (Score:2)
They're all made in China.
Most are made in Taiwan. For China in my original post read PRC.
But do these have access to Android Market?
Yes.
GSM but not CDMA, leaving AT&T as the only choice once AT&T completes its acquisition of T-Mobile.
Ah, I had momentarily forgotten that GSM networks aren't universal in the US like they are here in the UK. Still, there are plenty of CDMA-capable phones on this list [dhgate.com]. I'd recommend against buying a phone here that appears to be from a manufacturer you recognize -- it isn't, and there's a chance of it being intercepted at customs.
Re: (Score:2)
Or just don't install apps that are asking for privileges they shouldn't need. If an app claiming to be an Angry Birds addon wants permission to access my contacts list or the ability make phone calls, I'm going to be suspicious.
Re: (Score:2)
iPhone apps are just as bad... (Score:4, Interesting)
If you use the firewall program that you can download with Cydia, you will find that a majority of iPhone apps connect to ad sites, statistic sites, behavioral targeting sites, and many domains that have zero to do what what the app does. The end user has zero control of what an app can do, and any app can happily slurp your contacts and anything available to it and hand it over to whatever site it feels like, and only people who have JB-ed their phone would know.
Android, it is more obvious because you don't have to jailbreak it to see the programs phoning home.
For example, take some of the photo editing apps on the iPhone. If you look at them, they appear to just uplaod your photo to a website and do the core editing via that as opposed to the application doing much. So, that private photo you decide to use a 99 cent app to make humorous? It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.
For the tl;dr crowd, iPhone apps are just as nasty, but they hide it better, being impossible to trace unless one jailbreaks their device.
Re: (Score:3)
You'd have to look at the EULA (do they even present an EULA?) to see what rights they grab for themselves. Even then, you still own the copyright on the image. I doubt an EULA that stated "by using our service you transfer copyright of all images uploaded to us" would be considered conscionable.
Re: (Score:3)
I suggest you refrain from participating when you have no fucking clue what you are talking about
Re: (Score:2)
It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.
I suggest you refrain from participating when you have no fucking clue what you are talking about
I'm not sure what he said that was incorrect. He never said that they could be awarded full ownership. He just said that they could claim full ownership.
If I broke into the house of a famous photographer, copied their memory cards quickly and left, then I could claim full ownership of those images. If I began making prints and selling them before the original photographer, I'd probably be sued, but it may be hard for the original photographer to prove ownership. I think an app (as suggested here) is a l
Re:iPhone apps are just as bad... (Score:5, Insightful)
This study looked at 10,000 Android apps. Your claim is that iPhone apps are "just as bad," which implies that you also studied 10,000 iPhone apps and that 800 were found to be leaking private data. Could you provide the link to your study, or is all you have an anonymously posted anecdote about running Cydia on your single phone without any examples given of the apps you're describing?
Re: (Score:2)
Sorry, but you are way overstating the case.
His claim is that they are just as bad, not that his evidence is as creditable. It could easily be based on a much smaller sample, (say three) and still have a "evil app" rate as bad or worse than the android. The error bars would just be a lot bigger.
Re: (Score:2)
The fact that there's no evidence that 800 out of 10,000 iPhone apps are leaking private data suggests an inherently superior security process, whatever the cause. I don't think it's a leap in logic to suggest it might have to do with the approval process apps must go through before they can reach customers.
Keep on postin' anonymously.
That's obvious (Score:5, Insightful)
Multiplayer metagames and assets on SD (Score:2)
When simple one-player games and such say they require full internet access I think "that may be for ads".
Not all games whose action is single-player are purely single-player; many include a multiplayer metagame. This includes the ability to upload scores or other achievements to a server, to download other players' achievements for comparison, and to verify that other players' achievements were earned through legit play.
When they require access to contacts, SD card, etc... That usually means don't install it.
As for contacts, I agree with you, but a lot of programs require access to the SD card because the device's internal storage is too small to hold all data (meshes, textures, sound, etc.) that p
Re: (Score:2)
Agreed. And I have an audio recorder/spectrum analyzer that records to SD. There are obvious cases where it's needed. Installation to SD is one possibility too, but why would something like a Tetris clone need access? I didn't actually see one, but that's the type of thing I see a lot - simple thi
How big is Tetris? (Score:2)
Installation to SD is one possibility too, but why would something like a Tetris clone need access?
Let me guess: you haven't seen the FMV opening cut scene in Tetris Worlds for PlayStation 2. Tetris products are a lot bigger than they used to be: from the 26 KiB of Tetris 3.12 for MS-DOS (1985) to the 32768 KiB of Tetris DS (2006).
Re: (Score:2)
Do you tell that to the app devs? So that they might understand why they are losing sales?
Re: (Score:3)
I agree that devs should be more open about why they are asking for permissions, particularly the more dangerous ones, such as access to the contacts, phone, or SMS.
Some apps now feature those explanations on the market description, presumably because users were asking for it. I encourage you to contact the developer every time you decide not to install an app due to the permissions. At least give him a chance to explain himself so that others can benefit from it.
As for access to the SD card, this is usuall
Re: (Score:2)
The latest Cyanogen includes the ability to revoke privileges. You need access to my contacts? Sandboxed fake contacts okay? Cool.
I've been running Cyanogenmod and have been using the revoked privileges feature. Where can I enable the fake data feature? Some programs refuse to work when you revoke privileges to something like your contact list, it'd be great to just feed it false info instead.
The Apple solution (Score:1, Troll)
Perhaps Google should follow Apple's lead here and simply change the EULA to give permission for application writers [iphonehacks.com] to access personal information and location [consumerist.com].
That would certainly get rid of the "unauthorised" part of that statement.
Re: (Score:2)
Re: (Score:3)
The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.
Yeah, because a vulnerability in the inbuilt PDF reader will never be exploited...
So lets all stick our heads in the wondrous sand of a walled garden and pretend that security holes dont exist because we aren't allowing security experts to say anything.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Actually, Apple specifically points out in their review process that apps that ask for location data without an obvious legit reason are rejected.
Given the fact that Apple has given permission via the EULA to allow applications to send information back to their own servers (after which they can do what they wish with it) and their lack of ability to keep out non-legit data miners I dont have a lot of faith in the walled garden approach.
Re: (Score:2)
Re: (Score:2)
This link [gigaom.com] was posted [slashdot.org] earlier by choko, but it bears repeating since I see this or similar statements all through this article's comments. It's about a report from the Wall Street Journal that showed over half of the popular iPhone apps they tested sent personal information without asking permission.
Re: (Score:2)
Re: (Score:2)
Fair enough.
Have we learned nothing... (Score:5, Insightful)
Wow! CTO of company that makes money selling security software for Android says that Android has security problems!
If you think you can get honest and objective info about this problem from the CTO of a company that is in the business of selling solutions to the problem, then you should not be allowed to use the Internet.
I'm not saying that there isn't a problem - I'm just saying that this is so obviously the wrong source that it is no better then an advertisement.
Re:Have we learned nothing... (Score:4, Interesting)
Well, I do believe them without any problem. Half the application I tried to install on my phone ask for ridiculously high permissions. I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?
I would love the operating system to allow you to report fake information to some application. The application want access to your contact list? sure give it an empty list. It wants to know your GPS location. Sure, give a fixed user-defined location (in the middle of the ocean if possible).
Re: (Score:3)
Maybe the Tetris game has a social aspect, where high scores are collected and posted on the internet, along with a geographical tag, like "New York, USA". It could be that the high scores are even customized for your location, so that you can compete against all the other New Yorkers playing that game. Some people would think that was the greatest thing in the entire world, I'm sure. For the more cynical among us, it's difficult to believe that social gaming is anything more than a big scam, but not eve
Re: (Score:2)
Re: (Score:2)
Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.
HTTP tunnel (Score:3)
Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.
And run an open HTTP tunnel on someapplicationpage.com. You see, a device can't always enforce a privacy policy.
Re: (Score:2)
Sure, but it would give you an idea what webpage you could block if you wanted/could. Right now, "Free range internet" means you have no idea where your data is going. With a specified domain you could at least block that one address.
Territorial licensing (Score:2)
I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?
Internet? Upload high scores, as Elbereth mentioned. GPS? To keep you from playing in another country where a different company has the exclusive license for the Tetris brand. But contact list? Don't know; that would raise my suspicion.
Re: (Score:3)
Re: (Score:2)
All applications with ads ask for those permissions. They don't want to advertise something you can't buy in your own country.
If you don't want that then buy an application with no ads - simple.
Only 8% ?!?!? (Score:2)
Re: (Score:2)
You can protect yourself better (Score:3)
I easily belive that (Score:2)
There are many apps which require excessive permissions without any reasonable explanation. Many of these appear as close-to-identical apps to shotgun better. I am surprised its only 8%.
List of apps (Score:2)
Why is it that whenever these types of articles come up it's next to impossible to find the actual list of offending apps, if at all. So which are the 11 apps that send SMS out without permission?
Re: (Score:2)
The "article" is based on somebody's comments about their upcoming presentation at a conference. I'm sure the apps will be named and shamed at or immediately after the conference (in just under 2 weeks). I'll be intrigued to find out what exactly the researcher is defining as "personal information" though: my suspicion is he interprets it *very* broadly. As an example, I'm working on an Android app right now that sends the device's OS version, model name and screen resolution back to my server for the pu
Margin of error (Score:4, Informative)
Re: (Score:2)
Not sure if you're aware of how percentages work... http://en.wikipedia.org/wiki/Percentage [wikipedia.org]
Re: (Score:1)
Re: (Score:2)
And what makes you think either of those platforms are any better?
At least on Android you always see what permissions an app is requesting before you install it. The same is not true on iOS
Re: (Score:2)
Good luck flogging that dead horse. No one is interested in your windows phones.
Re: (Score:2)
Re: (Score:2)
10000 and 800 are not round numbers.