Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Android Privacy

8% of Android Apps Are Leaking Private Information 159

kai_hiwatari writes "Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th. The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages."
This discussion has been archived. No new comments can be posted.

8% of Android Apps Are Leaking Private Information

Comments Filter:
  • Compared to... (Score:5, Insightful)

    by mederbil ( 1756400 ) on Wednesday July 20, 2011 @08:19PM (#36830660)

    ...100% of your Facebook apps! Nothing to worry about here, folks.

    • Re:Compared to... (Score:4, Interesting)

      by TubeSteak ( 669689 ) on Wednesday July 20, 2011 @10:07PM (#36831282) Journal

      Compared to 100% of your Facebook apps! Nothing to worry about here, folks.

      Data leakage is one thing, unwanted text messages (premium SMS services are big money) is another story entirely.

      • by drb226 ( 1938360 )
        11 / 10,000 = 0.11% - If you have any common sense when you download an app, you can probably be way more than 99.89% confident that it won't send unwanted texts. 8% sending private info to a server is troublesome, but again, reputable apps probably don't have this issue; slashdotters of all people should be pretty confident about their ability to discern the scamminess of an app.
        • by Creepy ( 93888 )

          Yeah - I've seen apps like that - I even had one that wanted to send a "legitimate" text for activation, but only would only text from my phone, which was problematic for me because I have normal texting turned off because it is too expensive (I can send/receive texts on my phone, just through a different number using the Internet - the main problem is I need to know if the number has been ported when sending, and people need to know to use my alternate number when texting me), so I just deleted it. Some o

    • ...and... (Score:4, Insightful)

      by msauve ( 701917 ) on Wednesday July 20, 2011 @10:12PM (#36831302)
      what exactly is an "unauthorized server?" Given that Android enforces constraints (permissions [android.com]) when you install an app, are they claiming that there are apps which can get Internet access without explicitly being granted permissions by the user when installed?
      • Re: (Score:3, Interesting)

        by dudpixel ( 1429789 )

        maybe it is misleading. Maybe it technically is authorized by your definition.

        However, note that ALL apps with ads need internet access, and yet the internet access gives them access to the whole internet, not just the ad server.

        This always concerns me when its simple apps that really dont need internet access other than to display ads. How would I know what the app is doing?

        I'm normally against the walled garden approach but Google's complete hands-off thing is really starting to get serious. Its almost

        • by msauve ( 701917 )
          How does any of that differ from apps on a PC, which all have unlimited Internet access? Is there some reason a phone is more sensitive? I've got more personal/confidential info on my PC than I do on my phone.

          Without knowing exactly what is being sent to these "unauthorized servers," this is just a red herring.
          • You may have more sensitive data on your pc, but its unlikely to be stored in well-defined and well-known places. With a phone, a malware-creator knows exactly what data they can access and exactly where it is. Its not the amount of data, its the combination of the data's usefulness and ease-of-access. The rest is up to social engineering - which is the weakest link in any system.

            The fact that they can send ANYTHING to these unauthorized servers is bad.

            The problem with Android's security is that without

          • Your PC has a firewall; or Peerguardian2. Or both.

            Where is this functionality on Android so that I can confirm that an App on my phone is behaving as per it's claims?

    • So Facebook apps destroy privacy. However, that does not change the point that some Android apps are doing the same thing.
      • So Facebook apps destroy privacy. However, that does not change the point that some Android apps are doing the same thing.

        I agree. The big question now is whether Google will ban the 800+ apps from their marketplace. If they turn a blind eye to these revelations, then they're no better than Facebook and we can expect more app developers to datamine in the future. Personally, I have faith in Google to do the right thing, but we shall see. The last thing they want is for these data to justify Apple's stringent approval process.

  • by justsomecomputerguy ( 545196 ) on Wednesday July 20, 2011 @08:22PM (#36830696) Homepage
    Vendor: "I'm shocked, SHOCKED to find information being leaked here!" Waiter: "Here's your mined data sir..." Vendor: "Thank you"
    • +1 Casablanca reference.

      • by treeves ( 963993 )

        Out of curiosity, what is the original quote?

        [Hangs head in shame for not knowing]

        • by treeves ( 963993 )

          I couldn't wait for a reply. I found it on IMDB (of course):

          Rick: How can you close me up? On what grounds?
          Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
          [a croupier hands Renault a pile of money]
          Croupier: Your winnings, sir.
          Captain Renault: [sotto voce] Oh, thank you very much.
          [aloud]
          Captain Renault: Everybody out at once!

  • Permissions (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 20, 2011 @08:22PM (#36830698)
    I think a finer control over permissions for applications is required. Some applications ask for something like "ability to make calls", so that feature X works. If you don't care about feature X you should be allowed to deny such permission.

    Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".
    • Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity".

      The IMEI doesn't ensure the user's identity, just that of the handset. Pull out the SIM and put it in another handset (assuming AT&T, the only U.S. nationwide provider for which this actually works and which isn't an acquisition target), and the subscriber's identity follows the SIM (hence the name Subscriber Identity Module).

      They still have access to the phone number, why not fine-grain it

      Yeah, why not? To ensure the user's identity, perhaps the OS should make available the hashed phone number: the application can make sure the subscriber hasn't changed but not use

      • by nzac ( 1822298 )

        Don’t know how large phone numbers get in your country but rainbow tabling phone numbers seems rather trivial for anyone with a reasonable amount money. They can can probably guess the first part which leaves only about 10 digits (7 where I live) of combinations to try and if they are given away in sequence way less. Anyone know how long that would take with a modern GPU.

        You would probably have to make the method standard so you could not use unknown salt either.

        • by nzac ( 1822298 )

          Thinking about it I checked to see there was another only locally know number on SIM to hash it with but I could not see one on the wikipedia page.

          If someone had have anticipated this they could have a stuck a sudo random key of reasonable length with no relation to the phone number to be hashed with the phone number and then providing a hash becomes a very good idea. But right now its a 33-34 bit key (someone might correct me) that can be hacked offline. And with openCL this is a few min and if its a short

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Better yet, how about doing the intelligent thing and providing a UNIQUE identifier per APPLICATION. Not using the IMEI, but instead generate a UUID for each application to use as its unique id. Use a hash of some hardware value (like the IMEI) and the applications signature ( I assume apps have their own UUIDs in Android for identifying applications uniquely ).

      Then they can uniquely identify a specific device has a specific app installed, they also won't be able to tell (if implemented properly) by using

    • Another example, the permission "read phone state and identity". Developers often say, "oh, we are not reading your phone number, just your IMEI to ensure your identity". They still have access to the phone number, why not fine-grain it and say: "ok, the IMEI, that is ALL you can see".

      The upshot of this would just be that developers would make apps that refuse to run unless you give them all the permissions they want. I'm imagining something along the lines of (pseudo-code incoming):

      try{

      obtainfeature();

      } catch (FeatureNotGrantedException) {

      showErrorDialog();

      endProgream();

      }

      • I have a friend who wrote an app that detects if you installed one of the many adblock software packages, tells you to buy the pay version and refuses to run if that's installed. The capability to scan what apps are installed in your phone is part of the API.

    • Re:Permissions (Score:4, Interesting)

      by Nirvelli ( 851945 ) on Wednesday July 20, 2011 @09:27PM (#36831082)
      This functionality is available in CyanogenMod ROMs already.
      http://slashdot.org/story/11/05/25/1221225/Cyanogenmod-Puts-Users-in-Control-of-Permissions [slashdot.org]
    • Re:Permissions (Score:5, Informative)

      by elashish14 ( 1302231 ) <`profcalc4' `at' `gmail.com'> on Wednesday July 20, 2011 @09:32PM (#36831106)

      I remember someone had a /. sig with a link to a feature request for Android that users could simply choose which permissions they want to allow an app to have at installation. I think this was the link: http://code.google.com/p/android/issues/detail?id=3778 [google.com]. It seems to have a lot of support, but apparently we need more!

      I also found this one too: http://androinica.com/2011/05/cyanogenmod-nightlies-secures-android/ [androinica.com]. I didn't read the link in much depth, but apparently it can do just what you describe if you root and install Cyanogenmod

      • This sig? ;)

      • by dargaud ( 518470 )
        Yes, there should be an advanced permissions tab where you can: allow / deny / randomize the data used by the apps. If I want to use a dead pixel tester (random example) than wants internet access, phone call access and GPS access, I'm sorry but NO, I'm not installing it. But in most cases the app would still be useful without the GPS position or other minor features. And 'randomizing' is for when the app refuses to work with the service denied.
    • This is unlikely all about permissions though. While I definitely agree with your point, this may very well be the same LogCat leak "uncovered" by lookout at DefCon of last year. Basicly what happens is lazy devs are writing personal info into the debug log. Other apps could read this with an innocous sounding "read logs" permission. It was a reader here at Slashdot who actually pointed it out to me (I write a guide for new users about Android permissions).

      Of course, there may be more to it. And cert

    • Really? The real phone number is pretty much the most unreliable piece of information you can get from the phone identity. I've seen wrong numbers, no numbers, garbage data and so on stored in the field.
    • by Zebedeu ( 739988 )

      I don't know. That sounds like a support nightmare.

      I remember helping a friend whose computer suddenly stopped being able to access the internet, even though all of his settings were perfect and the computer was getting an IP address from the router just fine.
      After an hour of checking everything I could think of I finally discovered what happened: he had one of those "firewall for dummies" installed. A dialog popped up saying "windows networking is trying to connect to the internet, allow / deny / block", a

  • LBE Privacy guard, Droid wall, or just a ADB terminal and iptables can stop leaks like this by denying net access to any app that you don't want to give it to.
    • by Anonymous Coward

      How do you know when to deny net access?

      An app that needs net access for it's main function can also behave maliciously.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      as much as I hate to say this, because, well, this attitude is what got us into the mess with consumer computers... this is my phone I'm talking about, I shouldn't have to go through all this mess to keep my phone secure. ....I know, I know.. but doing infosec configs on phone is still a more arcane deal than computers, plus I really don't want to have to root my android phone, to be able to trust it in the first place.

      Perhaps if app permissions weren't 'set it and forget it', if the OS allowed us to go bac

    • Requires rooting (Score:5, Insightful)

      by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Wednesday July 20, 2011 @08:45PM (#36830880) Homepage Journal

      LBE Privacy guard, Droid wall, or just a ADB terminal and iptables

      Which requires 1. phones to have a security vulnerability that allows rooting, 2. users to know how to root a phone, 3. users to somehow learn that they should install a firewall on their phones, and 4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).

      • by Zebedeu ( 739988 )

        1. phones to have a security vulnerability that allows rooting

        Or just getting a rootable phone from the get-go (such as the Nexus *)

        2. users to know how to root a phone

        If the user doesn't know how to root a phone (assuming an easily rootable device), should (s)he really be able to block specific functionality from the apps? Sounds like a support nightmare to me.

        3. users to somehow learn that they should install a firewall on their phones

        See answer above.

        4. users to somehow learn which firewall programs are safe and which are not (see also fake antivirus on Windows).

        That applies to all 3rd party software.

        • Or just getting a rootable phone from the get-go (such as the Nexus *)

          I can't really afford $70 per month for phone service, and I imagine that a lot of other people have an entry-level Android-powered phone on a $25 per month plan, such as LG Optimus V or Samsung Intercept, because they're in the same position. The LG Optimus V was rootable as of January 31, 2011 [addictivetips.com], but the article appears not to have any updates as to whether it is still rootable. Are there any Android-powered phones that are 1. designed from the ground up to be rootable and 2. available on a pay-as-you-go ca

          • by Zebedeu ( 739988 )

            1. designed from the ground up to be rootable

            I thought there were a few choices outside of the Nexus, but I don't really know. Motorola and HTC keep on promising easy unlock solutions, but AFAIK so far have delivered nothing. Didn't Sony-Ericsson have something in that area as well?
            And how about the Nexus One? It should be coming down in price nicely, and it's still a damn good phone.
            Even the Nexus S is around 2/3 of the original price these days, so that might be an option.

            available on a pay-as-you-go carrier?

            Sorry, I don't know the American market. My impression is that at least in Eur

            • My impression is that at least in Europe it's cheaper in the long run to buy the phone unlocked and search for a provider on the side

              And it's the exact opposite in the United States, where there are no truly unlocked phones. Each phone is either locked to Verizon (a CDMA2000 provider), locked to Sprint (a competing CDMA2000 provider), locked to AT&T (a GSM provider preparing to acquire the only other nationwide GSM provider), or "unlocked" GSM. The trouble is that "unlocked" GSM phones work only on GSM providers, and once AT&T buys T-Mobile's USA operations, GSM phones will work only with AT&T. And even if you buy your phone

          • by julesh ( 229690 )

            Are there any Android-powered phones that are 1. designed from the ground up to be rootable and 2. available on a pay-as-you-go carrier?

            Yes. Import one from China. They're all rootable, and they're all unlocked by default. I have a Ctone T01, which is a pretty decent phone in most respects. It has something pretty close to a stock Android 2.2 install, looks decent, and works as you'd expect.

            • Import one from China.

              They're all made in China. I assume you mean buy a phone not associated with a well-known worldwide brand. But do these have access to Android Market? And with which U.S. prepaid carrier would I activate a Ctone T01 should I decide to buy one? This announcement [shanzai.com] mentions GSM but not CDMA, leaving AT&T as the only choice once AT&T completes its acquisition of T-Mobile.

              • by julesh ( 229690 )

                They're all made in China.

                Most are made in Taiwan. For China in my original post read PRC.

                But do these have access to Android Market?

                Yes.

                GSM but not CDMA, leaving AT&T as the only choice once AT&T completes its acquisition of T-Mobile.

                Ah, I had momentarily forgotten that GSM networks aren't universal in the US like they are here in the UK. Still, there are plenty of CDMA-capable phones on this list [dhgate.com]. I'd recommend against buying a phone here that appears to be from a manufacturer you recognize -- it isn't, and there's a chance of it being intercepted at customs.

    • by artor3 ( 1344997 )

      Or just don't install apps that are asking for privileges they shouldn't need. If an app claiming to be an Angry Birds addon wants permission to access my contacts list or the ability make phone calls, I'm going to be suspicious.

    • interesting, thanks. I installed this and discovered PermissionsRequest: https://market.android.com/details?id=com.zillionly.PermissionsRequest&feature=also_installed [android.com]
  • by Anonymous Coward on Wednesday July 20, 2011 @08:32PM (#36830782)

    If you use the firewall program that you can download with Cydia, you will find that a majority of iPhone apps connect to ad sites, statistic sites, behavioral targeting sites, and many domains that have zero to do what what the app does. The end user has zero control of what an app can do, and any app can happily slurp your contacts and anything available to it and hand it over to whatever site it feels like, and only people who have JB-ed their phone would know.

    Android, it is more obvious because you don't have to jailbreak it to see the programs phoning home.

    For example, take some of the photo editing apps on the iPhone. If you look at them, they appear to just uplaod your photo to a website and do the core editing via that as opposed to the application doing much. So, that private photo you decide to use a 99 cent app to make humorous? It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

    For the tl;dr crowd, iPhone apps are just as nasty, but they hide it better, being impossible to trace unless one jailbreaks their device.

    • It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

      You'd have to look at the EULA (do they even present an EULA?) to see what rights they grab for themselves. Even then, you still own the copyright on the image. I doubt an EULA that stated "by using our service you transfer copyright of all images uploaded to us" would be considered conscionable.

    • by Lehk228 ( 705449 )
      It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

      I suggest you refrain from participating when you have no fucking clue what you are talking about
      • It is now on someone's Web server, and they can (in theory) claim full ownership and copyright of the image at any time.

        I suggest you refrain from participating when you have no fucking clue what you are talking about

        I'm not sure what he said that was incorrect. He never said that they could be awarded full ownership. He just said that they could claim full ownership.

        If I broke into the house of a famous photographer, copied their memory cards quickly and left, then I could claim full ownership of those images. If I began making prints and selling them before the original photographer, I'd probably be sued, but it may be hard for the original photographer to prove ownership. I think an app (as suggested here) is a l

    • by bonch ( 38532 ) * on Wednesday July 20, 2011 @10:56PM (#36831514)

      This study looked at 10,000 Android apps. Your claim is that iPhone apps are "just as bad," which implies that you also studied 10,000 iPhone apps and that 800 were found to be leaking private data. Could you provide the link to your study, or is all you have an anonymously posted anecdote about running Cydia on your single phone without any examples given of the apps you're describing?

      • by HiThere ( 15173 )

        Sorry, but you are way overstating the case.

        His claim is that they are just as bad, not that his evidence is as creditable. It could easily be based on a much smaller sample, (say three) and still have a "evil app" rate as bad or worse than the android. The error bars would just be a lot bigger.

  • That's obvious (Score:5, Insightful)

    by gr8_phk ( 621180 ) on Wednesday July 20, 2011 @08:32PM (#36830784)
    When simple one-player games and such say they require full internet access I think "that may be for ads". When they require access to contacts, SD card, etc... That usually means don't install it. Unfortunately most of the apps I've looked at require full internet access AND access to contacts and don't get installed as a result.
    • When simple one-player games and such say they require full internet access I think "that may be for ads".

      Not all games whose action is single-player are purely single-player; many include a multiplayer metagame. This includes the ability to upload scores or other achievements to a server, to download other players' achievements for comparison, and to verify that other players' achievements were earned through legit play.

      When they require access to contacts, SD card, etc... That usually means don't install it.

      As for contacts, I agree with you, but a lot of programs require access to the SD card because the device's internal storage is too small to hold all data (meshes, textures, sound, etc.) that p

      • by gr8_phk ( 621180 )

        As for contacts, I agree with you, but a lot of programs require access to the SD card because the device's internal storage is too small to hold all data (meshes, textures, sound, etc.) that pertains to the game.

        Agreed. And I have an audio recorder/spectrum analyzer that records to SD. There are obvious cases where it's needed. Installation to SD is one possibility too, but why would something like a Tetris clone need access? I didn't actually see one, but that's the type of thing I see a lot - simple thi

        • Installation to SD is one possibility too, but why would something like a Tetris clone need access?

          Let me guess: you haven't seen the FMV opening cut scene in Tetris Worlds for PlayStation 2. Tetris products are a lot bigger than they used to be: from the 26 KiB of Tetris 3.12 for MS-DOS (1985) to the 32768 KiB of Tetris DS (2006).

    • Do you tell that to the app devs? So that they might understand why they are losing sales?

    • by Zebedeu ( 739988 )

      I agree that devs should be more open about why they are asking for permissions, particularly the more dangerous ones, such as access to the contacts, phone, or SMS.

      Some apps now feature those explanations on the market description, presumably because users were asking for it. I encourage you to contact the developer every time you decide not to install an app due to the permissions. At least give him a chance to explain himself so that others can benefit from it.

      As for access to the SD card, this is usuall

  • says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server

    Perhaps Google should follow Apple's lead here and simply change the EULA to give permission for application writers [iphonehacks.com] to access personal information and location [consumerist.com].

    That would certainly get rid of the "unauthorised" part of that statement.

    • by jrumney ( 197329 )
      The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.
      • by mjwx ( 966435 )

        The other part of the solution is to run a closed market, and be picky about what apps you allow. If the developers of security software have nothing to sell on your platform, they won't go blabbing about the security holes to try to sell their product.

        Yeah, because a vulnerability in the inbuilt PDF reader will never be exploited...

        So lets all stick our heads in the wondrous sand of a walled garden and pretend that security holes dont exist because we aren't allowing security experts to say anything.

      • And you're better off with remote PDF security bugs that can result in total takeover of you device. And it will all be hushed up to maintain the mantra that "Macs don't get malware and viruses"...
    • Actually, Apple specifically points out in their review process that apps that ask for location data without an obvious legit reason are rejected.
      • by mjwx ( 966435 )

        Actually, Apple specifically points out in their review process that apps that ask for location data without an obvious legit reason are rejected.

        Given the fact that Apple has given permission via the EULA to allow applications to send information back to their own servers (after which they can do what they wish with it) and their lack of ability to keep out non-legit data miners I dont have a lot of faith in the walled garden approach.

        • Yeah, you made that pretty obvious. However, I am pointing out that Apple IS making an effort to blunt apps that do pure data-mining. Something Google is NOT.
      • This link [gigaom.com] was posted [slashdot.org] earlier by choko, but it bears repeating since I see this or similar statements all through this article's comments. It's about a report from the Wall Street Journal that showed over half of the popular iPhone apps they tested sent personal information without asking permission.

  • by Trufagus ( 1803250 ) on Wednesday July 20, 2011 @09:24PM (#36831072)

    Wow! CTO of company that makes money selling security software for Android says that Android has security problems!

    If you think you can get honest and objective info about this problem from the CTO of a company that is in the business of selling solutions to the problem, then you should not be allowed to use the Internet.

    I'm not saying that there isn't a problem - I'm just saying that this is so obviously the wrong source that it is no better then an advertisement.

    • by godrik ( 1287354 ) on Wednesday July 20, 2011 @09:49PM (#36831190)

      Well, I do believe them without any problem. Half the application I tried to install on my phone ask for ridiculously high permissions. I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?

      I would love the operating system to allow you to report fake information to some application. The application want access to your contact list? sure give it an empty list. It wants to know your GPS location. Sure, give a fixed user-defined location (in the middle of the ocean if possible).

      • by Elbereth ( 58257 )

        Maybe the Tetris game has a social aspect, where high scores are collected and posted on the internet, along with a geographical tag, like "New York, USA". It could be that the high scores are even customized for your location, so that you can compete against all the other New Yorkers playing that game. Some people would think that was the greatest thing in the entire world, I'm sure. For the more cynical among us, it's difficult to believe that social gaming is anything more than a big scam, but not eve

        • This is the greatest thing in the entire world. It means I can move to a sparsely populated backwater country and not feel like I suck quite so much! Couple that with a game like Audiosurf [wikipedia.org] that procedurally generates levels based on music and I can be the BEST! (At Todd Rundgren's Utopia Theme (In New Zealand)) ;)
        • Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.

          • Fine then... ask for permission to contact someapplicationpage.com instead of the whole freaking Internet.

            And run an open HTTP tunnel on someapplicationpage.com. You see, a device can't always enforce a privacy policy.

            • Sure, but it would give you an idea what webpage you could block if you wanted/could. Right now, "Free range internet" means you have no idea where your data is going. With a specified domain you could at least block that one address.

      • I checked a tetris like game that want to access your GPS location, your contact list and the internet. Why ?

        Internet? Upload high scores, as Elbereth mentioned. GPS? To keep you from playing in another country where a different company has the exclusive license for the Tetris brand. But contact list? Don't know; that would raise my suspicion.

      • I just installed DroidWall [android.com], which is a basic firewall for Android. You need to be rooted, and the UI isn't the greatest. But it lets you control which apps have permission to access the Internet (and you can choose WiFi and 3G/4G permissions separately if you so desire). What good is having my GPS location and contact list if you're unable to report it back home (Mr. Anderson)!
      • by kregg ( 1619907 )

        All applications with ads ask for those permissions. They don't want to advertise something you can't buy in your own country.

        If you don't want that then buy an application with no ads - simple.

  • No wonder most apps don't make money.
  • by aaaurgh ( 455697 ) on Thursday July 21, 2011 @01:58AM (#36832132)
    I use the LBE Security app which allows me to more closely control what I want an app to have access to, it's a bit like a permissions based firewall - you can block specific permissions on each app. It does result in the odd FC if you tighten it down too far on everything but it's usually possible to find a workable combination. e.g. permit an app to access the phone id. (which it expects to always have access to and which causes it to FC if not) but then block it's access to the network (which cannot always be expected to be available)... so what if it knows the id. if it cannot report it.
  • There are many apps which require excessive permissions without any reasonable explanation. Many of these appear as close-to-identical apps to shotgun better. I am surprised its only 8%.

  • Why is it that whenever these types of articles come up it's next to impossible to find the actual list of offending apps, if at all. So which are the 11 apps that send SMS out without permission?

    • by julesh ( 229690 )

      The "article" is based on somebody's comments about their upcoming presentation at a conference. I'm sure the apps will be named and shamed at or immediately after the conference (in just under 2 weeks). I'll be intrigued to find out what exactly the researcher is defining as "personal information" though: my suspicion is he interprets it *very* broadly. As an example, I'm working on an Android app right now that sends the device's OS version, model name and screen resolution back to my server for the pu

No spitting on the Bus! Thank you, The Mgt.

Working...