Many More Android Apps Leaking User Data
eldavojohn writes "After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
List of apps and permissions they need (Score:5, Informative)
Re:List of apps and permissions they need (Score:4, Informative)
Too bad after listing all the apps and what permissions they requested, they never named which of them misbehaved, only total numbers.
Re: (Score:2)
Posted in the comments at ars:
===================
SpinyNorman | Thu Sep 30, 2010 8:08 am | permalink
I wish you chaps would link through to your sources.
[edit] ah, here we go: http://appanalysis.org/pubs.html
No details on which apps did what, only summary information. These were the apps:
The Weather Channel (News & Weather);
Cestos, Solitaire (Game);
Movies (Entertainment);
Babble (Social);
Manga Browser (Comics)
Bump, Wertago (Social);
Antivirus (Communication);
ABC — Animals, Traffic Jam, Hearts, Blackjack
Re: (Score:2)
That's a list of the apps they studied, not a list of the apps which they found to be leaking private information. What I, and I suspect others are looking for is a table with the following headers: App Name, Publisher, Permissions, Leaked Information, version number.
Re: (Score:3, Insightful)
The problem with the article is that they label apps as "suspicious" when they work as intended. Bump, for instance, is an information sharing app. It's designed to share your contact info (if you choose so) with other phones. I can't imagine it isn't one of the two apps that transmit the phone number, IMSI, etc., to the app's server, as that's how it's supposed to work.
Of course, Bump is also available for the iPhone through Apple's app store.
And In Other News... (Score:3, Interesting)
And in other news, smartphone security sucks. News at 11.
Re: (Score:2, Insightful)
All this article shows is that Android security sucks. The whole popping up a dialog to ask the user for technical permissions system is fatally flawed, because most users don't understand and will just hit yes to proceed.
iPhones don't have the same degree of problem, because this kind of stuff will mean an app won't get into the App Store. Or if it manages to get through, it will be pulled rapidly once the security problem is discovered. That's one of the benefits of a single app store.
Re:And In Other News... (Score:4, Interesting)
"One of the benefits of a single app store" -- like the single Android Market, you mean? You don't know how good Apple's security screening is, so you just choose to trust them for no reason whatsoever.
Re:And In Other News... (Score:4, Insightful)
Indeed. It just offloads the problem on to someone else. I have no more reason to trust the guys at the App Store are going to be able to find sophisticated security holes. It's just another form of a false sense of security, with the added bonus that those bizarre Apple worshipers get to fit more snugly into Jobs' uterus, believing themselves safe because their God and Protector wouldn't dare let anything nasty get through.
Re: (Score:3, Interesting)
I own an iPhone, iPod Touch and iPad, and am also a developer.
And I know that apps for them have remarkably free rein over what they can do, what data they have access to, and where they can send the data. And Apple really can't do much to police it, other than to pull the app [and I suppose possibly remotely delete/disable apps] if it is reported that an app is doing something wrong. Because they can really only do black-box testing, as they don't have access to your application's source code, what any a
Re: (Score:3, Interesting)
There was a story on /. a couple of years ago about an iPhone app that sent the user's phone number back to the developer, and then he called them trying to sell the paid version. It is hardly a problem just limited to Android.
Re: (Score:3, Insightful)
You're trusting them because if they fuck up, it's on their hands, and they potentially lose you as a customer.
Re:And In Other News... (Score:4, Interesting)
dialog to ask the user for technical permissions system is fatally flawed
Understanding doesn't help me, not sure why it would help others. I think the flaw is it asks too late, and you can't block any of them to still use the app. I.e., I wanted an app to track car maintenance and MPG, I find the one that looks best, best reviewed... Now it comes up and says it wants phone, and internet access... Not needed for what I wanted, but what do I do now? Look for another, buy, install, and wait to see if it is worse?
Would be nice if Google also disclosed that in the app market before choosing, then maybe developers would explain what they used the connections for...
But how? (Score:5, Insightful)
"We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
How exactly is one supposed to do this? What is the process for building trust vis-a-vis apps when the only protection you receive from your service provider is "don't walk into dark alleys you don't trust"?
Re: (Score:3, Funny)
For a start, don't install a flashlight app that requests access to network features.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2, Interesting)
Good question. I wanted to install a recipe application by a popular brand name company (although the idea of trust with said company might be a little shaky - their guacamole only contains 2% avocado or somesuch) but I didn't feel right because of the permissions required. This app is available for the iPhone, so I don't know if it comes with the same restrictions. I emailed them asking them why the app needs to know my phone's identity and contact data as well as location. They responded thinking that I h
Re:But how? (Score:4, Interesting)
Re: (Score:2)
> What does your android phone have?
A user who refuses to install crap. Sometimes, it sucks not to install X, but hey. My device, my rules.
What Android needs... (Score:5, Insightful)
Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.
For instance, an app may request internet access (cellular radio or wifi); the user should be able to choose to limit that to just wifi or even turn off connectivity for that app altogether.
Re:What Android needs... (Score:5, Interesting)
which, incidentally, is what BlackBerry has. You can allow/deny each app permission to access your address book, calendar, internet connection, send SMS, open your mailbox, etc. I don't think even iOS has that yet (or well, I think it does, but for GPS location only). An app must be prepared to get an "access denied" exception, and survive through it.
And for corporate users, an admin can even set your phone to not allow installation of custom programs, deny all requests to read the user's calendar/address book (except for a white-list of apps), etc, etc.
As an Android user I wish Android would copy this feature, and as a fan of superior technology, I wish BlackBerry could promote these security features more.
Re: (Score:2)
What's interesting is that if an Android app doesn't have permission an exception is raised, but you're taught to make sure to add the permission flag instead of catching the exception. (Which makes sense, because as it stands right now, if you don't set the flag you'll -never- get the permission). But if they had told you to catch the exceptions, applications would be ready for user-flippable permissions.
Re: (Score:2, Interesting)
What's interesting is that if an Android app doesn't have permission an exception is raised, but you're taught to make sure to add the permission flag instead of catching the exception. (Which makes sense, because as it stands right now, if you don't set the flag you'll -never- get the permission). But if they had told you to catch the exceptions, applications would be ready for user-flippable permissions.
Exactly. Take Camera.open for instance. According to the javadocs...
Throws
RuntimeException if connection to the camera service fails (for example, if the camera is in use by another process).
What about a permission exception?!?!
No - instead they say - "If you want to use the camera, include this catch all crap!"
<uses-permission android:name="android.permission.CAMERA" />
<uses-feature android:name="android.hardware.camera" />
<uses-feature android:name="android.hardwa
Re: (Score:2)
As a user, I think it'd be great to have the ability to nuke privileges to certain functions that I don't think that the app should have. Inversely, I think as a developer this would be incredibly frustrating. Taking away the ability to perform functions that very well could be a core function of the app would cause no end of frustration to debug and fix. Plus, bad reviews and crashes relating to stupid permissions filtering just increase the support headache of releasing apps.
I think a happy solution wou
Re: (Score:2)
My five year old Motorola phone had this feature. When a permission was needed it would say allow once, always, or deny. ...posted from Android.
Re: (Score:2)
Re: (Score:2)
Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.
So the phone needs a decent firewall now?
Re: (Score:2)
Re: (Score:2)
I don't own an Android phone yet, but it's Linux based.. correct? Linux has a built in firewall via iptables. Why can't they just use that?
Re: (Score:2)
Or, rather than not installing, shows a dialog or something that says, "We need ad revenue to continue supporting this application! Please enable location permission so we can provide ads and let you use this application for free. Or buy our paid version!" That way the user knows what they're getting into.
Re: (Score:2)
More than that though, how much of the location stuff is really at the request of the developers? What say do they get when it comes to the overly invasive advertising other than not using it at all?
Re: (Score:2)
The issue with advertising (as I see it) is that there are actually a lot of small advertisers who are willing to pay for ad space, but only if it's relevant. For instance, I see ads for a local shop--that provides services as opposed to retail--in one app on my phone. You can bet that that shop owner would be unwilling to pay for ads that were going to be distributed nationally, because 99% of the people who see that ad aren't going to live close enough to use the service.
For someone like a car company, or
Re: (Score:2)
Gee, what are these "exception" things I keep hearing about? Someone was telling me you can catch them, and then handle them... whatever that means!?
Prevasive? (Score:2, Troll)
Re: (Score:3, Informative)
Pre, from the Latin prae meaning before, in front
evasive, meaning tending or seeking to evade
This submission was accepted prevasively to editing it.
Re:Prevasive? (Score:5, Funny)
Re: (Score:2)
Don't try to understand the editors. That is impossible. Instead, only try to realize the truth: there are no editors.
Applications I trust? (Score:5, Insightful)
It is hard enough to know if I should trust my child, and I raised him. He doesn't tell me much. App developers tell me less, and some of them are devious. This is not a good security model. And Google knows better.
So buy an iPhone. (Score:2)
Apple has that platform locked down nicely.
Re: (Score:3, Interesting)
Google's response == fluff (Score:5, Insightful)
What a bunch of fluff. The relevant developers don't care about "best practices" or any other voluntary standard. And how the f*** are users supposed to establish trust in certain apps? The platform does not significantly monitor an application's ongoing behavior, nor is anyone performing serious code-reviews or blackbox testing. Google COULD HAVE set up profiling tests similar to those run in TFA, but didn't.
For ONCE would a company please admit that they reduced privacy in order to provide the dumbed-down usability needed to capture market share and attract developers?
Re: (Score:3, Interesting)
I don't see the big deal with this. Android gives you infinitely more information about what an app is going to do than anything on the PC.
On my phone, I'll at least know if the app is going to look at my location, contacts, etc. and can make the choice to install it or not.
On my PC, all I know is that I'm downloading some binary data that could do anything it wanted.
It's not that hard. If you download a game that wants access to your contact data and full internet access, don't install it. Yes, even if
A checklist (Score:5, Interesting)
Rather than a blanket "you can send anything you want anywhere you want/you can send nothing to anywhere" switch, a finer-grained constrained set of permissions may be the way to go. Specifically:
And if an app provider doesn't like the light shone on their activities... that's a pretty good indicator right there.
Re: (Score:2)
"Information collection by ads should be governed by a different set of permissions than the app presenting the ads. Ad-supported apps are fine, but the user should know what ads are doing on the network independent of the app."
I think that is the strategy of 'Google ads' being served through apps, but I'm not sure if they've actually done that yet. AdMob (which is now Google as well) definitely needs internet and possibly coarse location if the dev wants to allow for geo sensitive ads. It would be nice to
Re: (Score:2)
I have a sneaking suspicion of collusion between wireless carriers and phone providers, that goes something like:
1. Have developers offer "free" ad-supported apps which helps sell phone
2. Cap bandwidth by which ads are served
3.????
4. Profit !
It's only fair... (Score:3, Funny)
...after all, many more users are leaking Android app data. [slashdot.org]
Re: (Score:2)
...after all, many more users are leaking Android app data.
They should see their primary care physician.
Comes with the territory (Score:2)
Developers: your customers pay for those services. (Score:2)
On the surface you don't pay anything for these tools. They integrate nicely into your app, and you only have to add a few lines of code -- the essence of what a good developer's tool should provide.
My thoughts (Score:2)
"...half were sharing GPS data and phone numbers with advertisers and remote servers."
Two words: DOUCHE.BAGS.
This isn't an Android problem (Score:3, Insightful)
Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted. Even console games -- which have a months-long and intensely painful approval process the likes of which you've never seen -- don't do code review. The very concept is ridiculous, there's way too much code and way too many people involved. You're going to have to trust your developers folks, and make use of the user-ratings tools if you don't.
Android's model of showing you what special access the software uses is about as good as I think you can get in the real world without learning to use a packet sniffer. RIM's ability to disable individual types of access is cool as well, but if the software needs it to function (or says it does) I'm not sure how the user is supposed to be in a position to use it intelligently. To avoid these sort of data harvesting problems, they'd have to somehow psychically know that the contact manager they're trying out uses that internet access for more than the occasional ad serve, and how would they know that?
Re: (Score:2)
When an iDevice app tries to read your location, it requires your permission to access that data. That's enforced by iOS, it's not an honor thing. The first time it tries to do so, iOS pops an alert saying "this app wants to access your location. Allow/Deny".
Re: (Score:2)
Location isn't a big deal to me.
My name, phone number, contact list, call history, and text messages ARE.
Re: (Score:3, Insightful)
...is there an iPhone equivalent to the "uses internet access", "uses coarse location services" page that the Android Market displays to you?
Yes. Both systems use similar schemes for jailing apps, with user permissions for access to various services.
There's a ton of iPhone, Blackberry, Palm, etc apps using advertising support, which is what the vast majority of this article is finger-pointing.
True, but most are transitioning to iAd, which divorces the advertiser and location services from one another such that it is not so much of a privacy concern.. at least if you trust Apple to do what they say (as opposed to every app developer).
Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted.
Well, they could if they put the resources into it. It might even be important enough to end users if malware becomes a real issue on mobile platforms. That s
Re: (Score:3, Interesting)
Simple solution.... (Score:2)
Core features of apps == "leaks"? (Score:5, Insightful)
The headline doesn't really match the contents of the paper as far as I can tell.
For example, "Evernote" is listed in the paper for:
1) Taking pictures with the camera
2) Recording audio with the microphone
3) Determining your location
And for transmitting this data to its servers.
These functions are, however, exactly what the application is designed for. You take notes (including snapshot notes and voice notes) and upload them to your account. When you launch the app, there are big buttons for "take a snapshot note" , "take an audio note", etc. Geo-tagging via the location APIs can be disabled from the Settings page, but this is another core advertised feature of the product.
So this is a bit like making it into Slashdot by discovering that a mail client transmits text that you type (and your email address!) to a mysterious "SMTP" server.
Headline: "Researchers discover nefarious 'e-mail' application leaking your data ... on the INTERNET!"
Growing trend... (Score:2)
Personally, I think this is going to be a larger issue as time goes on. Right now, it's more of an annoyance with advertisers and marketing companies, but who's to say that in the near future some other companies don't start providing apps that track users for other reasons.
Could you imagine a company that provides location data for your ex-spouse, or perhaps girlfriend or boyfriend, or even your children? I know this is kind of tin-foil hat paranoia, but I think the recent problems with things like the Go
It's not 'leaking', it's 'sending' (Score:2)
The apps aren't leaking information. Leaking implies the information is being sent accidentally.
The apps are taking the information and sending it to whomever intentionally.
iPhone/iPad does this too (Score:2, Insightful)
sorry to piss on the fanbois' flames spouting "iPhone's walled garden is much safer" and other such uninformed crap
the iPhone App Store's dirty secret is it's worse, much worse
http://www.slashgear.com/iphone-spyware-debated-as-app-library-phones-home-1752491/ [slashgear.com]
http://gadgets.boingboing.net/2009/04/13/pinch-media-statisti.html [boingboing.net]
It IS the Granularity (Score:2)
The last time this issue came up, I started sending emails to the developers of my apps challenging their need for permissions that don't seem to make sense. I got several replies that stated that the legitimate permission the developer needs is buried under overly broad packages.
For example, a battery monitor app needs to request access to "Phone Calls" to read the battery state.
With such granularity developers can't be responsibly specific and end users have no rational way to accept/reject apps based on
Little snitch (Score:2)
Re: (Score:2, Informative)
All apps have access to r/w your sdcard, and to get your identity (esn/imei/meid/phone number). Once you give an app permission to access the internet, your identity and sdcard contents are public.
Google needs to fix this. Don't believe me? Install a file manager app. Most won't ask for permission to access the sdcard, but they will be able to. Some permissions are granted without the app asking for it.
Are you sure? In the app I wrote I had to explicitly request access to these in the application's manifest file, or get an error.
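The manifest declarations this sub-thread argues about can be checked mechanically. The following is an added example, not part of the original comments or of TaintDroid: it parses a decoded, plain-text AndroidManifest.xml and lists sensitive permissions that coexist with a way to send data off the device, including the two permissions Android grants implicitly to apps whose minSdkVersion and targetSdkVersion are both 3 or lower. The sample manifests, package names and the SOURCES/SINKS tables are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that expose the kinds of data discussed in the thread.
# This table is an illustrative selection, not a complete list.
SOURCES = {
    P + "ACCESS_FINE_LOCATION": "GPS location",
    P + "ACCESS_COARSE_LOCATION": "coarse location",
    P + "READ_PHONE_STATE": "phone number and device identifiers",
    P + "READ_CONTACTS": "contact list",
    P + "READ_SMS": "text messages",
    P + "CAMERA": "camera",
    P + "RECORD_AUDIO": "microphone",
    P + "WRITE_EXTERNAL_STORAGE": "SD card contents",
}
# Permissions that let data leave the device.
SINKS = {P + "INTERNET": "network", P + "SEND_SMS": "outgoing SMS"}
# Granted without a <uses-permission> entry when both minSdkVersion and
# targetSdkVersion are 3 or lower (apps built for Android 1.5 or earlier).
LEGACY_IMPLICIT = {P + "WRITE_EXTERNAL_STORAGE", P + "READ_PHONE_STATE"}


def effective_permissions(manifest_xml):
    """Return (declared, implicit) permission sets for a plain-text manifest."""
    root = ET.fromstring(manifest_xml.strip())
    declared = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    declared.discard(None)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # minSdkVersion defaults to 1; targetSdkVersion defaults to minSdkVersion.
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", 1))
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))
    implicit = set()
    if min_sdk <= 3 and target_sdk <= 3:
        implicit = LEGACY_IMPLICIT - declared
    return declared, implicit


def audit(manifest_xml):
    """List sensitive permissions held together with at least one sink."""
    declared, implicit = effective_permissions(manifest_xml)
    held = declared | implicit
    sinks = sorted(SINKS[p] for p in held if p in SINKS)
    if not sinks:
        return []  # nothing here can send data off the device by itself
    return [
        {"permission": p, "data": SOURCES[p],
         "implicit": p in implicit, "can_leave_via": sinks}
        for p in sorted(held) if p in SOURCES
    ]


# Constructed sample manifests (hypothetical packages, not real apps).
CARD_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
</manifest>
"""

LEGACY_FILE_MANAGER = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oldfilemanager">
  <uses-permission android:name="android.permission.INTERNET" />
</manifest>
"""

OFFLINE_CAMERA = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.offlinecamera">
  <uses-sdk android:minSdkVersion="4" />
  <uses-permission android:name="android.permission.CAMERA" />
</manifest>
"""

if __name__ == "__main__":
    samples = [("card game", CARD_GAME),
               ("legacy file manager", LEGACY_FILE_MANAGER),
               ("offline camera", OFFLINE_CAMERA)]
    for name, xml_text in samples:
        print(name)
        for f in audit(xml_text):
            tag = "implicit" if f["implicit"] else "declared"
            print(f"  {f['permission']} ({tag}): {f['data']}"
                  f" -> {', '.join(f['can_leave_via'])}")
```

This is a static check of what an app is able to read and send, not of what it actually transmits; observing real flows requires runtime tracking of the kind TaintDroid performs.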
Re:15 of the 30... (Score:5, Insightful)
Re: (Score:2)
Being able to know where you are and when isn't personal information?
As long as no "who" information is transmitted to the advertiser, it's not personal. It's just some unknown device at coordinates X,Y at time T. Add on a unique identifier, then it starts getting personal as they can start building a profile of person P.
Re: (Score:2)
As long as no "who" information is transmitted to the advertiser, it's not personal. It's just some unknown device at coordinates X,Y at time T.
Are you braindead? "Hey, this guy goes to the same spot every day at 5:30 PM and remains there until 7:30 the next morning. That must be his home. Hey, here's the address. Hey, I got his name now."
Re: (Score:2)
AdMob uses the -coarse- sensitive location for ads when you want to serve up something that's location sensitive like 'Eat at McDonalds in "My City" at abc blvd.' but that's pretty much it. All they really need is the coarse location setting which gives a general approximation of where the individual is at in order to target ads for the best experience. That is a location sensitive ad, and it was the choice of the app developer to allow it. The app developer wants more money from their ads, but it's not lki
Re: (Score:2)
Not if you take into account anyone who's got line-of-sight to you, or is within earshot of you...
Re: (Score:2)
Not if they don't know who you are. You're not scared enough of being seen driving down the highway to hide your face and plates. Nor are most technical people so fearful of this that they'll bother to use a proxy to avoid IP and browser information to be revealed.
Raw GPS data in itself is pretty useless except to correlate similar coordinates. What can they do- send you an ad for a local pizzeria if it's dinnertime, or local entertainment otherwise? Big deal.
There is only capacity to profile if they co
Re:15 of the 30... (Score:5, Funny)
"This is OnStar. You appear to be traveling at a high rate of speed after stopping at a bank. Do you require police assistance?"
Whatever.. (Score:2)
> 15 of the 30 got on their list due to providing location data for advertising. I hardly consider that a sending your personal data as the article implies.
That's fine. I do.
Re:This is why OSS is so important (Score:4, Interesting)
No, the problem is gold-rush developers. With a platform like the iPhone, or Android, you have a sudden perception among developers that they can get rich from relatively simple apps. This leads to the '200 fart apps' problem, and it also leads to a massive incentive to get things to market before the competition, which causes a complete lack of QA in the release process.
There is no simple solution to this, the only thing to do is wait for the platforms to mature.
Re:This is why OSS is so important (Score:5, Informative)
it also leads to a massive incentive to get things to market before the competition, which causes a complete lack of QA in the release process.
In the iOS world any app can try to read the GPS but the user is presented with a dialog asking for permission to do so. If it's an annoyance you can turn apps' permissions on or off individually in the Location options.
From what I've read, Apple's review process runs apps through some pretty funky things looking for naughtiness.
The odd piece slips through, of course, but I doubt it's half the popular programs as it sounds like it is for Android.
Re:This is why OSS is so important (Score:5, Insightful)
^ this.
This is the value of the App Store that geeks/developers consistently underrate. Apple's walled garden provides a barrier to entry that helps to reduce the risk of ending up with a fart app that's also downloading your private banking information to China.
Google's free-for-all Marketplace is a real risk to Android's long term success because it sets up Android phones to become the must-see destination for viruses, mal-ware, and other shady operations. How long do you think it's going to be before having an Android anti-virus application is a practical requirement? What the uber-geek sees as the positive benefits of the Android eco-system (freedom and unlimited choices) are in fact NEGATIVE attributes to most of the rest of the mobile phone consuming populace. It's sorta like Android is the Linux of mobile phones...oh wait.
I enjoyed the EVO vs. iPhone YouTube video as much as anyone but more than a funny rip on Apple, it's also a perfect demonstration of how a lot of the technical community doesn't get it. Android's popular because the iPhone is hard to get and it's a pretty respectable facsimile of an iPhone, not because it has more WIFIs and GBs than Apple. When rogue apps start to make Android painful to use and own expect consumers to start looking for The Next Big Thing (tm).
Re:This is why OSS is so important (Score:4, Interesting)
This is the value of the App Store that geeks/developers consistently underrate.
That's because a lot of geeks and developers don't need Apple to tell them what not to install, they're typically capable of figuring that out on their own. If a simple card game asks for fine-grain location information or full internet access, that should be a red flag to anyone paying attention.
Maybe it's just the case that Android is for "power users" and Apple is for everyone else, but the value that you see in Apple's store is simply not needed by a lot of the people who buy Android devices, and in fact becomes a negative.
Re: (Score:2)
Philosophically, the market is only fractionally made up of geeks and developers. Consumers are where the big bucks are. You then make a leap to conclude that "Android is for 'power users'" and Apple for everyone else.
Instead, TFA implies that Google is saying caveat emptor, where Apple is at least trying to prevent surreptitious application behavior. Some people believe that this action imbues a sense of trust. I'm not sure that I do, but others seem to feel so.
Becoming a 'negative'? I would expect Google
Re: (Score:2)
You then make a leap to conclude that "Android is for 'power users'" and Apple for everyone else.
No, I didn't conclude that. You can tell by the phrase "maybe it's just the case". That's one hypothesis for why Android users seem to favor an open market. I don't know what the actual reason or reasons are, so that's why I guessed.
I would expect Google to tell developers to show source, parse that source for obvious bad behavior, and act to prevent problems, be they memory leaks, Java cache loops, or mad-dialing behavior or attempts to use information they're not supposed to.
They can do that, but they can only do that on their own marketplace. It's fine if Google wants to vet apps, as long as they don't require that all apps that get installed need to have been vetted by Google. That's the negative part of the Apple model.
Re: (Score:2)
Then the added value of a Google store is simply as a money taker, and any subsequent Android app vendor unless they vet the code.
In my mind, the negative part of Apple's model is threefold: 1) Apple's hideous commission, 2) censorship without providing an adult marketplace, and 3) components of the vetting process that very highly restrict an application's behavior in a way that doesn't suit Apple, not the user's intention or desire.
Just throwing open a store and saying here are some great Android apps has
Re:This is why OSS is so important (Score:5, Interesting)
Eh - malicious devs aren't retarded. If you are going to write code that does something bad, you'll hide it in an app that would also need that level of access.
For example - if I want to write an app that will secretly send text messages from your own to a premium text service that will cost you $9.99 per text - I wouldn't stick it into a card game app. I'd stick it into an app that claims to do something novel or useful with text messages. Like an app that takes your boring text message and translates it into ebonics, or leet speak or whatever.
If you code it in such a way that, it won't send out the premium texts until after a particular date - say 3 months after you write it; if it's a half-way decent app, you'd have plenty of time to build a user base with decent ratings.
Re:This is why OSS is so important (Score:4, Insightful)
I don't doubt that you're right or that Android will continue to be popular with the technically savvy. The risk for Android is that it puts Linux's chaos and complexity front and center in the mobile phone market and ends up burning out customers because people are overwhelmed with choices and malware. (Is it the year of the Linux desktop yet?)
Let's face it: Apple doesn't police the App Store out of some Machiavellian power trip or pure altruism, they do it to protect their brand identity (and therefore their ability to demand a premium for their products). That it also happens to be a nice benefit for their customers is just a happy side-effect.
Google's abdicated this role in the Marketplace and I think that's dangerous for the long term viability of Android as a mobile platform. Google isn't acting like it believes it has to care, but it should.
If Nokia weren't so culturally opposed to anything they didn't invent themselves this would be a grand opportunity for them: adopt Android and build a walled garden for Android in the Apple style. A variety of cutting edge phones, with high end features, global support from multiple carrier partners AND a protected/policed app store? It would be a game changer for both Android and Nokia, but they'll never do it. (Look up in NIH syndrome and you'll get a redirect to Nokia's home page.)
Re: (Score:2)
Google's free-for-all Marketplace is a real risk to Android's long term success because it sets up Android phones to become the must-see destination for viruses, mal-ware, and other shady operations.
Yes, because Microsoft's free-for-all software development policies have really threatened its long term success. All the viruses, mal-ware, and other shady operations are causing people to abandon the OS and move to other competing OSes. Oh wait, that's a complete crock. My bad. I guess free-for-all access to software isn't a threat to long term success, rather, it's a key to long term success. Hmm, go figure. It flies in the face of Apple-apologist common sense. Well distort my reality!
Re: (Score:2, Interesting)
> When rogue apps start to make Android painful to use and own expect consumers to start looking for The Next Big Thing (tm).
Yeah, it'll be like when everyone stopped using Windows and Microsoft was forced out of the OS busi....oh wait...
Re: (Score:2)
You can compare it to PC software. There is no regulating of what programs you are allowed to install or not.. this goes for Linux and Windows (I don't know Mac). There are trusted vendors that emerge from the masses based on performance. The Android market is probably too new to produce "leaders" that people use as their goto software people. I enjoy the freedom of installing anything I want on my PC.. it should be the same for the phone. Why not?
If you're going to install something on your computer,
Re:This is why OSS is so important (Score:4, Interesting)
This is the value of the App Store that geeks/developers consistently underrate. Apple's walled garden provides a barrier to entry that helps to reduce the risk of ending up with a fart app that's also downloading your private banking information to China.
This could also lead to a false sense of security, which is also massively underrated. Apple can't possibly catch all software flaws. Indeed iOS4 was jailbroken by a vulnerability in PDF code, leading to a simple website visit to gain root access to your phone. Which was a little scary to think what might have happened if that vulnerability was in the hands of a malicious party.
Android won't need anti-virus because it has a very robust security model. It is Linux after all, which is largely virus and malware free. The design of the OS is even more robust than desktop Linux. With the exception of rooted phones, viruses would find it very difficult to propagate let alone do any real damage.
The occasional malicious app that steals some userdata is about all that can go wrong. For now.
The value of the Apple App store is Apple has done some of the thinking for you. Unfortunately this means iOS users will install everything without ever stopping to consider security. This is dangerous to have a user base completely ignorant of security matters and Apple is demonstrably guilty of keeping its users in the dark as much as possible. Android's prompt for permissions is a rather good way of making people stop and think about the app you are about to install, and I believe this kind of thing is the correct initial approach. User education is 90% of the problem with security on digital platforms.
In practice, both iOS and Android have problems with malware already, and it's hard to say one has more of a problem than the other. Frankly, neither approach to app security is ideal therefore both platforms will be constantly fighting malware. Android could do with a lot more quality control - at the very least stop neglecting the market, the moderation system for comments and ratings needs updating. Nothing beats weeding out bad apps by a good feedback system.
Re:This is why OSS is so important (Score:4, Insightful)
The majority of the general cell phone using population is always going to be ignorant of security, and is always going to want someone else to deal with it.
iOS is also quite secure by design. It is based on a real UNIX that also has very few wild viruses. iOS has had a couple of bad remote exploits in its existence, both of which were fixed pretty fast. Android (just like Linux and any other OS) has some too. Fixing them in Android might actually be problematic as many carriers seem to take the view that OS upgrades are optional. Both systems are inherently as vulnerable to trojans as anything else. The difference is, Apple does a pretty thorough job of prescreening, and doesn't let you install pretty.scr that your friend emailed you. Google doesn't. And tossing your users out to look after their own security doesn't work. Otherwise Windows would be the safest OS.
Google is going to have to step up before something bad and widespread happens. If they don't, someone else, probably the carriers, will do it for them. And if you think Apple is repressive, you've clearly forgotten what (popular) cell phones were like before the iPhone.
Re: (Score:3, Informative)
http://en.wikipedia.org/wiki/Mac_OS_X [wikipedia.org]: "Mac OS X (pronounced /mæk o s tn/ mak oh es ten)[6] is a series of Unix-based operating systems and graphical user interfaces...."
http://arstechnica.com/apple/news/2007/08/mac-os-x-leopard-receives-unix-03-certification.ars [arstechnica.com]: Mac OS X Leopard receives UNIX 03 certification
Oh, and mustn't forget:
http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]: "As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system and kernel)."
Well, yo
Blackberry too (Score:3, Interesting)
One of the reasons that BB's are so popular with the corporate crowd - despite lacking some of the "nifty" features of other phones - is that they're really good on security. BES allows the corp to do a lot of things to a lost/stolen/etc phone. The data on the handset is supposed to be encrypted, and can easily be reset or wiped. Most apps have varying levels of security that *ASK* the first time (to access the internet, or whatever) whether they should be allowed a one-time or consistent access to various
Re: (Score:2)
It may just be sending some statistical data so the server can form better assumptions about the user and thus provide better service in the future. Or it may be sending such data for nefarious purposes. Without accessing the code, you can't know...
I don't see how access to the code is necessarily going to help you with that either, unless the developer commented their code with
How the data is used will be on the server side, and completely transparent to the end user.
Re: (Score:2)
This is the same reason why I'm still running a version of Pandora from nearly a year ago, along with a couple other apps. I still get the annoying notification about having 3 updates ready to install, but I feel it's a small price to pay.
Re: (Score:2)
Given that the vast majority of their users will spend hours and hours using the fruits of their labor; they'll refuse to support it with funds. No matter how great they think it is.
That sense of entitlement pushes software devs to come up with creative ways to make money. Advertising is the go-to and if they can get more money using the GPS to make it targeted ads, of course they are going to try.
I'm sure nobody at Pandora is going to lose sleep because someone won't install their free app and use it, f
Re: (Score:2)
Can I buy your phone? Serious question. Must accept SIM cards and be 3G.
Re: (Score:2, Insightful)
Can I buy your phone? Serious question. Must accept SIM cards and be 3G.
He doesn't have a phone for you to buy. He's a "magical! revolutionary!" fanboi troll.
Re: (Score:2)
Your own statement of saying "apple's walled garden" just proves his "but it's open..." statement even more. But please continue.
Your statement implying meaning to his implying meaning to the parent's comment implies... wait a second. Where are we going with this?
Re: (Score:2)
It's a pissing match, where each party is trying to piss in opposite corners of a round room.
Re: (Score:2)
Even though we have seen applications that say they are flashlights actually enable Phone Tethering get to the App Store? If you really think Apple is going over these things that finely, you are crazy.
Re: (Score:2)
> Oh wait, I do pay for that.
True. Overpriced phone, overpriced data, voice & messaging plans.
The main cost is your freedom to install some nice stuff because Apple does not merely filter based on purely user-loving reasons. All too often, they just don't like something for monetary, strategic or political reasons.
Oh and the fact that you need to jump through hoops for tethering? What the fuck? I press one button and my Desire is a hot-spot.
In any case, I wish Android market was more restrictive in s
Re: (Score:2)
Wikileaks!