
Wednesday, June 23, 2010

Android ruins permissions? Cnet spreads BS and a marketing ploy by SMobile…

Update:
Cnet and ZDNet were spreading BS and a marketing ploy from a company which is trying to sell its own "security" application. In its original article, Cnet repeated misleading marketing information from an anti-spyware firm called SMobile, which claimed that 20% of Android apps are potentially spying on users, sharing private data, and even placing calls and sending SMS messages that are invisible to the phone owner...

What is interesting, the Cnet author realized the mistake and edited the article (see comments below)! I really applaud it!

"Android requires application developers to declare the permissions their application will need in order to interact with the system and its data", and SMobile is sucking up information which is freely available and required for each app, and trying to sell it to us! There is an obvious conflict of interest. Every technically savvy Internet user knows that 90% of so-called “free antivirus and anti-spam” software is bogus, trying to sell us unnecessary things and displaying false alarms.

As was mentioned in one comment, iPhone apps do the same thing as Android apps, because it's simply required by their functionality, but they don't advertise what they can do as clearly and loudly as Android apps.

As we know, Android OS automatically prohibits any app from accessing a resource if this access wasn’t declared. Does iPhone OS do this? It sounds like a better control than a human looking at each app's source code. With 200,000 apps in the iPhone Store I highly doubt that every app was really inspected. I think I’ve heard about some apps being pulled from the App Store *afterwards*…
Also, users voting for an app by downloading it IS a pretty strict control. There were reports about Wikipedia being almost as accurate as Britannica...
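As an added example (not from the original post or from SMobile's report), this Python sketch reads the `<uses-permission>` declarations from decoded manifests and computes the share of apps that declare a sensitive permission, which is a count of declared capability rather than of misuse. The manifests, app names and the choice of which permissions count as "sensitive" are constructed for illustration, and the manifests are assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in a decoded AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: which permissions count as "sensitive" is this example's choice.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def manifest(package, *permissions):
    """Build a constructed, decoded manifest for a hypothetical app."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed sample set; none of these are real apps.
MANIFESTS = {
    "contact_organizer": manifest("com.example.organizer", "READ_CONTACTS", "INTERNET"),
    "flashlight": manifest("com.example.flashlight"),
    "sms_backup": manifest("com.example.smsbackup", "READ_SMS", "INTERNET"),
    "trail_map": manifest("com.example.trailmap", "ACCESS_FINE_LOCATION", "INTERNET"),
    "puzzle_game": manifest("com.example.puzzle", "INTERNET"),
}

def declared_permissions(manifest_xml):
    """Return the sorted set of permissions an app declares."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def sensitive_capabilities(manifest_xml):
    """Map declared permissions to the sensitive data areas they unlock."""
    return sorted({SENSITIVE[p] for p in declared_permissions(manifest_xml) if p in SENSITIVE})

def share_requesting_sensitive(manifests):
    """Apps declaring any sensitive permission, and their share of the set."""
    flagged = sorted(n for n, xml in manifests.items() if sensitive_capabilities(xml))
    return flagged, len(flagged) / len(manifests)

if __name__ == "__main__":
    for name, xml in MANIFESTS.items():
        print(f"{name:18} {sensitive_capabilities(xml) or 'none'}")
    flagged, share = share_requesting_sensitive(MANIFESTS)
    print(f"{share:.0%} request sensitive access: {flagged}")
```

In this constructed set the contact organizer is counted among the flagged apps only because it declares the contacts permission it needs to function.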

Now, let’s think about what could and should be done.

As ztts said in a Cnet comment,
"This is one of the most remarkably misinformed articles I've read in a long time. Of course some apps have access to sensitive information. If an app is meant to help organize contacts, for example, of course it has access to your contacts. This is true on any platform, and is obvious and unavoidable. The nice thing about the Android market is that, whenever you download a new app, it informs you of exactly what sensitive information it has access to, so one can make an informed decision. The fact that an app has access to information does not mean that it misuses it, as this article implies that 20% of all apps do. Truly sensationalist reporting."

inetperu says in a Cnet comment,
"Palm is taking the lead on this one I think. Personal data is locked down pretty tight - too tight actually since some apps are not even possible with the current restrictions. The ideal system would be for a permission based system like Palm WebOS uses for apps that require GPS data. When you install the app it notifies you that the app needs access to the GPS data and you can accept or deny. Something similar could be used to allow an app limited access to your address book, phone functions, SMS, etc. The user GRANTS permission to the app after being warned of possible abuse AND if access to those sensitive areas were logged automatically so that the user could review it every so often it would keep bad developers in check. Imagine an app that could scrape your entire address book, phone records, GPS history, etc. - a spammer/stalker/identity thief's dream app."

Limited access sounds like a useful idea, but if an app is denied a permission it was asking for *during its installation*, it then cannot perform normally, right? And asking for a permission *every time it is needed* is not a solution either, because it would create a nightmare user experience (I remember Zone Alarm doing that; as a result I just uninstalled Zone Alarm. Most users would do the same.)
Obviously, Android's way of declaring necessary permissions during installation is far from being an ultimate solution either, because most users will install apps anyway - if they need them.

WebOS performs required, automatic logging of access to sensitive areas, right? That sounds like a really good idea. Such system logs can then be analyzed by [system] security software.
I'm pretty sure Windows has this mechanism as well. Isn't there a similar API in Android OS? I don't believe Google didn't pay attention to this area.

8 comments:

  1. I have updated the story to change the misleading title and provide more information that users are expressly granting the permissions when they download the apps. I sincerely apologize for the mistake and will be doing a more in-depth follow up on Android security shortly. Here's the updated story: http://news.cnet.com/8301-27080_3-20008518-245.html?tag=newsEditorsPicksArea.0

  2. Thanks a lot. Such a quick fix is really extraordinary! Sorry for my overly critical posts...

    Sure, Android security is far from being perfect, but what system has perfect security? Certainly not Windows, and probably not iOS either.

  3. An interesting note from Ed Burnette on ZDNet:
    "SMobile Systems neglected to mention industry ties that rendered its report less credible. For example, their President and Vice President of Operations are former AT&T employees"

  4. Story continues... it's like endless waves spreading around the net after one intentional falsification....

  5. In all those inflammatory discussions, BlackBerry users keep absolute silence. That's unfortunate, because the very fact that BlackBerry devices are recognized by businesses tells us that they are [more] secure. It would be interesting to study / compare BlackBerry security model with ones from Android, WebOS, and iOS.

  6. In my reply to a critical comment under PCWorld article http://goo.gl/bUsl :

    "I don't understand the hysteria or the need to read more into this report than it actually states."

    OK, suppose you are right. But real hysteria is not in our comments. No, real hysteria is that bunch of sensational articles on Cnet, ZDnet, PCWorld, Information Week, ... you name it, which link to each other, have titles that absolutely do not correspond to the article bodies (like http://goo.gl/SWgw ), etc., etc. This article says, "Google is reportedly taking issue with SMobile's conclusions" but instead links to an Information Week article called "Google Finds Flaws In Android Security Report", which, contrary to its title, states that "Google says the report has problems. 'This report falsely suggests that Android users don't have control over which apps access their data,' a company spokesperson said in an e-mailed statement. 'Not only must each Android app get users' permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious.'"

    Very bad journalism, at least.

    As CharlesEyepz2p brilliantly stated above,
    "It's called an open source community. It's the closest thing to democracy in the digital world because everyone gets a say in the goings on. That's why Android OS gets more updates than any other mobile OS. We speak, they listen. We have the gifts of freedom and choice. With those gifts comes the responsibility to watch each other's backs."

    There are no absolutely secure systems out there, but that "community watch" is a surprisingly powerful tool. I don't have a link, but I saw some articles telling that Wikipedia is about as correct as Britannica...

    Next, take a look at the SMobile app in Android Market. It has a steep price, less than 500 downloads and mostly negative comments. So, they desperately need positive publicity.

    There is a controversy between these two statements from SMobile Security report: 1) "the fact remains that there is no means available for a user to know for sure that the app they just downloaded is doing only what the user sees it doing." 2) "One must look at the permissions it has requested to determine what the application’s true capabilities might be."

    Now, I would agree that users cannot actually see what an app is doing within the set of permissions it required before installation. It is a problem, but on other operating systems there is not even such a mechanism as required permission declarations.

    Now, let's look at concrete examples provided by SMobile Security. In an older report http://goo.gl/MM7m they mentioned 3 "evil" applications. Two of them were never available on Android Market and have to be bought by the Android user. Interesting... would you buy software for spying on yourself? Even if you decided to do so, you'd need to visit the app developer's site at http://www.mobistealth.com/ , where the company explicitly described the purpose and functioning of the application. (I wonder if SMobile Security actually grabbed that openly available information, rather than performing a sophisticated security analysis.)
    A third app was in Android Market and was removed by Google a long time ago.
    In this report http://goo.gl/js1e SMobile Security mentioned the Girlfriend Text Message Viewer app located in Android Market. While the purpose of this app is kind of crazy, categorizing such an explicitly named app as malware is laughable.
    Next one - THEFT AWARE. This is an app found in Android Market whose purpose is to prevent cell phone theft. Is it a suspicious / malware application?

    And so on, and so on... These reports actually make a very sad impression of a company which tries to promote itself at the expense of others - Android users, Google, competitors...

  7. A PC World user securitydude6868 correctly insisted http://goo.gl/bUsl that I have to present facts before accusing SMobile Security of wrongdoing. He was right and I performed a little research.
