Baidu's Android Apps Caught Collecting Sensitive User Details (zdnet.com) 19
Two Android applications belonging to Chinese tech giant Baidu were removed from the official Google Play Store at the end of October after they were caught collecting sensitive user details. From a report: The two apps -- Baidu Maps and Baidu Search Box -- were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed. According to the US security firm, the two apps contained code that collected information about each user's phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number. The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps. Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is "rather harmless," some data like the IMSI code "can be used to uniquely identify and track a user, even if that user switches to a different phone." The research team said that while the collection of personal user details is not specifically forbidden by Google's policy for Android apps after they reported the issue to Google, the Play Store security team confirmed their findings and "identified [additional] unspecified violations" in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
Fix Android instead of the store? (Score:2)
Isn't is time to beef up the security/privacy model of Android OS?
Re: (Score:2)
Exactly this. MANY apps collect all sorts of info they have no need to, and Android happily provides it, with no choice for the user to opt out.
Android needs to enforce a permission model where apps get access to nothing without permission. As it is, only a few specific permissions can be controlled by the user, the rest are all automatically granted to everything.
Re: (Score:2)
I'd like to see finer grained schemes. Problem right now is, permissions are granted to multiple, unrelated code paths simultaneously.
If you get X permission in Y role within context Z, you shouldn't be granted it silently also in context FU, which might be malicious.
I'm reminded of how multi level master keyed systems inadvertently create potential master keys that are usually unused. There exists a balance between not enough different levels of masters and too many to the point where nearly any old key wi
Re: (Score:2)
My biggest complaint is that Android has various permissions that it lists for apps in the play store, and that are often abused, but that the user has no control over at all. It's nice that we get to day no to some of them, but the rest of the ones they list in the play store should be controllable too.
Re: (Score:1)
The problem is that it's based on Linux
-9 Flamebait
Baidu is well-known for Spyware (Score:4, Insightful)
for example [bangkokpost.com]
If Google really wants to pretend to care about malware, they will ban Baidu from the Google Store completely, as well as anyone who includes their libraries. Doing anything else sends the message that you can get caught spying on users over and over again without any real penalty. After all, it takes no time to whip up a new version of an app with a different name, that you can sneak the spyware into later.
Re: (Score:2)
That's something seeing the link you provided was less than 5 years ago. How many chances can a company get? Based on my experiences I've found the Play Store to be akin to the Wild West. Not a very thorough vetting process (esp. for security) to get an app published on there.
In EULA - (Score:2)
Why am I not surprised? (Score:2)
Why is the Company Still in the Play Store? (Score:2)
If a company knowingly puts scammy software in the Play Store, Google should pull their whole account not just the app in question.
Nuke them from space, it's the only way to be sure.
Instead of blindly accepting (Score:2)