So you're saying, obviously, that the people who reported the app as sending this sensitive data to somebody in China are making it up. Lying, in fact. Interesting, but surprising that nobody at the black hat conference called them on it.
Unless the report was bogus and the security guys never claimed the wallpaper app actually did what's been attributed to it.
What makes you certain that the app cannot access the data claimed? Not that I'm doubting your knowledge - but thus far you're the only voice stating that position. And excuse my ignorance, Android is foreign to my experience.
No, I'm saying that with the information we havem, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.
Perhaps the report is incomplete.
Looking on Android Market, all the apps from jackeey have the same permissions, and none of them alow to read sensitive data.
Whats the bet this will not be on CNN, Reuters and have over 4000 articles in a week devoted to "Evil Google" and their "flawed phone"?
When will the legions of haters start flooding the airwaves with vitriol about how Google owes them big time and lawsuits, senators and David Letterman start attacking Google?
........crickets.........
To me, the truly ironic part of this whole situation is that all of an Android users personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers - nothing is ever really free - and the only difference is that the information is now going to someone in Shenzen as well as Mountain View.
No, I'm saying that with the information we havem, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.
Perhaps the report is incomplete.
Looking on Android Market, all the apps from jackeey have the same permissions, and none of them alow to read sensitive data.
Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?
Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?
No, it can't.
Also, you can't update an app with new permissions withouth asking for them
Well, I hate to agree with you, but there is no upside for Android on this one. Google needs to take a more hands-on approach to vetting apps.
Not that I disagree with you, but how exactly could the vetting of apps have changed the outcome in this instance? There is nothing in Apple's process that would prevent what occurred here.
It seems the bigger problem is that the application was able to access data it shouldn't have been allowed to access, which points at a bug somewhere in the Android API, not at a flaw with their application approval process (or lack of)
Quote:
Originally Posted by shadash
Microsoft has apparently adopted an Apple-like approach to their app store for WM7. It will be interesting to see if WM7 displaces Android over time if problems like this continue. MS could carve out a niche in which they are less restrictive than Apple (Google Voice, more carriers than just asstastic AT&T, etc.) but curate their app store to a much greater extent than Google. It will be interesting to watch how this plays out.
Maybe... but only if they really continue (i.e. something like this every 6 months or so). Otherwise it will be quickly forgotten.
I think WP7 will be cutting RIMs grass more than Google's.
Also, you can't update an app with new permissions withouth asking for them
I think that might be the point. It seems this application has been able to access phone data without the appropriate permissions. A bug in the Android security API perhaps?
To me, the truly ironic part of this whole situation is that all of an Android users personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers
Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone? \
Well why does google let these third party troijan horses work on their phones!!! I believe the only troijan horse that needs to run on these phones is the Google one. Do we really need several troijan horses multitasking ???
Do we still need somebody else analysing speech and mail and sms on the phone to sell you personal advertisements from the big corporations???
Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market! <insert sarcastic wit here> This while story comes as no surprise.... <rolls eyes>
No surprise true! But still sooner than I expected:
Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone? \
Sure! Read the privacy agreements. Maybe they don't do voicecalls now but you don't need to ask about the rest. Also they record your location are and stuff like that.
Their ruling is they use everything they need to make their service better. (Should I say their Ad service?)
Apple has a more sensible approach. There are 2 scenarios when Apple could get your location. For Ads the phone calculates your ZIP number, which than is transmitted to Apple. Google uses GPS coordinates for that.
The other is WIFI Hotspots. When you use a location API via any app (that you have approved) your phone automatically sends your GPS location with the BSSID and the strength of nearby Wifi Basestations to Apple. This data is transmitted completely anonymous and they can't track back where it came from. Google well just transmits everything.
"Android Phone Fans" have received clarification from the company.
"[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data."
Yep, thousands of Google employees sit in vast offices listening to your voice calls.
They have voice recognition. Maybe if you say Apple very often they send you more Apple Ads.
You have to remember that a lot of parts of Android are closed source and I believe there must be a reason for that. So that way your phone could do the keyword counting and only send those keywords to Google.
The schadenfreude being expressed here may well haunt a few posters in the future since the report cited points out that the app concerned did exactly what it was meant to, much like the "flashlight" app from Apple's AppStore.
Both had hidden functionality that the stores' respective app police failed to spot. How did that happen? Who can say.
What it does show is that there's no guarantee on either platform that the app you downloaded, digitally signed or not, won't have a payload that does something that you didn't agree to. And that payload might conceivably compromise your personal info.
The "Flashlight" app wasn't discovered by Apple. In order to deliver its benefits to the end user, the user needed to know how to access it, and once the info was out there, it was only a matter of time before somebody blogged it. That's how Apple became aware of it, and subsequently pulled it.
That app, for those unfamiliar with it, enabled tethering on the iPhone. A rather innocuous payload to be sure, but still forbidden by Apple. It could quite easily have been far less benign though, and there's no guarantee that there's not a smarthone app already doing the self same thing with your privacy right now. On either platform.
Let's be careful out there.
But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot
Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.
But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot
You are missing his point completely and veering off on an unrelated tangent. Sure, the tethering flashlight did what it was supposed to do. But it could have just as easily have been malware and Apple again would not have known about it, nor would unsuspecting downloaders.
This is a prime example why we should not embrace open source, this widely. People use all sorts of comparisons with prisons etc. It's just hyper bowl created by Stallman and his team. While things like DRM are examples of bad closed source software, there is a lot more example's of bad 'free' (yeah right) software. Take one look at the Linux desktop, no unified desktop, no unified dev environment and worse of all different apps use different custom and 'standard' API's making some applications have no sound while others have sound. Many problems, but just a fix there, put a terminal command on your desktop for when you use Firefox... bla, bla, bla.
A lot of people think that it really is open, that you can take any software and modify it. No. You have to make sure the credits include the developers who worked on the original app and you have to make sure you contact them so they know they are having a new version of there app created, and then sometimes they might demand you work ON THERE APP. You see what I mean? A mess.
If you like your GUI to have the file browser and the music player made by completely different people then it's up to you.
Reading this is like listening to Rush Limbaugh. There's way too much spin. Look around and you will see the truth... or you can stay in your walled garden and believe whatever they feed you.
I love my Mac Pro, my Macbook Pro, my iPad and my Nano but didn't care for the iPhone.
Granted the Android Market has some huge problems but for me the flexibility I have with
my phone is well worth the problems.
The competition between these 2 formats will make both phones better.
Comments
So you're saying, obviously, that the people who reported the app as sending this sensitive data to somebody in China are making it up. Lying, in fact. Interesting, but surprising that nobody at the black hat conference called them on it.
Unless the report was bogus and the security guys never claimed the wallpaper app actually did what's been attributed to it.
What makes you certain that the app cannot access the data claimed? Not that I'm doubting your knowledge - but thus far you're the only voice stating that position. And excuse my ignorance, Android is foreign to my experience.
No, I'm saying that with the information we havem, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.
Perhaps the report is incomplete.
Looking on Android Market, all the apps from jackeey have the same permissions, and none of them alow to read sensitive data.
When will the legions of haters start flooding the airwaves with vitriol about how Google owes them big time and lawsuits, senators and David Letterman start attacking Google?
........crickets.........
To me, the truly ironic part of this whole situation is that all of an Android users personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers - nothing is ever really free - and the only difference is that the information is now going to someone in Shenzen as well as Mountain View.
No, I'm saying that with the information we havem, that the app requests PHONE_INFO permission, it's impossible to collect SMS'S, history, etc.
Perhaps the report is incomplete.
Looking on Android Market, all the apps from jackeey have the same permissions, and none of them alow to read sensitive data.
Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?
Again, excuse my ignorance once more, would it not be possible for an app to run code with a different set of permissions once it was executed - an app within an app if you like?
No, it can't.
Also, you can't update an app with new permissions withouth asking for them
Well, I hate to agree with you, but there is no upside for Android on this one. Google needs to take a more hands-on approach to vetting apps.
Not that I disagree with you, but how exactly could the vetting of apps have changed the outcome in this instance? There is nothing in Apple's process that would prevent what occurred here.
It seems the bigger problem is that the application was able to access data it shouldn't have been allowed to access, which points at a bug somewhere in the Android API, not at a flaw with their application approval process (or lack of)
Microsoft has apparently adopted an Apple-like approach to their app store for WM7. It will be interesting to see if WM7 displaces Android over time if problems like this continue. MS could carve out a niche in which they are less restrictive than Apple (Google Voice, more carriers than just asstastic AT&T, etc.) but curate their app store to a much greater extent than Google. It will be interesting to watch how this plays out.
Maybe... but only if they really continue (i.e. something like this every 6 months or so). Otherwise it will be quickly forgotten.
I think WP7 will be cutting RIMs grass more than Google's.
No, it can't.
Also, you can't update an app with new permissions withouth asking for them
OK.
Then it's somewhat baffling that nobody picked this up at the black hat conference, or alternatively, nobody has updated the original report.
I guess there's a lot more to come on this story.
No, it can't.
Also, you can't update an app with new permissions withouth asking for them
I think that might be the point. It seems this application has been able to access phone data without the appropriate permissions. A bug in the Android security API perhaps?
To me, the truly ironic part of this whole situation is that all of an Android users personal information like text messages, emails; IM's; web history, heck even their voice calls are all already being recorded by Google and probably sold off to marketeers
Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?
Enjoy your spyware
Well why does google let these third party troijan horses work on their phones!!!
Do we still need somebody else analysing speech and mail and sms on the phone to sell you personal advertisements from the big corporations???
Soon Android users would need to install data protection app as a standard procedure much like Anti-Virus software in Windows system.
Yep! I can see it now ... "Your call cannot be connected until Kaspersky has updated its database ..."
Wait wait wait one damn second. You're trying to tell me that an 'open', unregulated, app store might have malicious apps on it from China? And these apps would collect personal and private data then transmit it to China? NO FREAKING WAY. Google has always been known for protecting user data and sees protecting it's customers as a priority. Android is simply the safest phone OS on the market!
No surprise true! But still sooner than I expected:
Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?
Sure! Read the privacy agreements. Maybe they don't do voicecalls now but you don't need to ask about the rest. Also they record your location are and stuff like that.
Their ruling is they use everything they need to make their service better. (Should I say their Ad service?)
Apple has a more sensible approach. There are 2 scenarios when Apple could get your location. For Ads the phone calculates your ZIP number, which than is transmitted to Apple. Google uses GPS coordinates for that.
The other is WIFI Hotspots. When you use a location API via any app (that you have approved) your phone automatically sends your GPS location with the BSSID and the strength of nearby Wifi Basestations to Apple. This data is transmitted completely anonymous and they can't track back where it came from. Google well just transmits everything.
edit: Link to google privacy center: here
link to apple privacy: here
PS you should read those before you buy your device...
Do you really think Google is getting a copy of every single message, IM, email and voice call made from an Android phone?
Yep, thousands of Google employees sit in vast offices listening to your voice calls.
"[Update]: MyLookout chimed in with us to clarify some details that other outlets have been reporting. Specifically, the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.
We’re not yet certain on what the developer’s intentions are for using the pieces of data it does send to China – so we can’t outright call it malicious – but it is collecting and sending data nevertheless. Hopefully that clears up some of the confusion everyone’s been faced with regarding the read-only property READ_PHONE_STATE that the application uses to access certain pieces of data."
So not as bad as reported, but bad nonetheless.
Yep, thousands of Google employees sit in vast offices listening to your voice calls.
They have voice recognition. Maybe if you say Apple very often they send you more Apple Ads.
You have to remember that a lot of parts of Android are closed source and I believe there must be a reason for that. So that way your phone could do the keyword counting and only send those keywords to Google.
The schadenfreude being expressed here may well haunt a few posters in the future since the report cited points out that the app concerned did exactly what it was meant to, much like the "flashlight" app from Apple's AppStore.
Both had hidden functionality that the stores' respective app police failed to spot. How did that happen? Who can say.
What it does show is that there's no guarantee on either platform that the app you downloaded, digitally signed or not, won't have a payload that does something that you didn't agree to. And that payload might conceivably compromise your personal info.
The "Flashlight" app wasn't discovered by Apple. In order to deliver its benefits to the end user, the user needed to know how to access it, and once the info was out there, it was only a matter of time before somebody blogged it. That's how Apple became aware of it, and subsequently pulled it.
Click for info.
That app, for those unfamiliar with it, enabled tethering on the iPhone. A rather innocuous payload to be sure, but still forbidden by Apple. It could quite easily have been far less benign though, and there's no guarantee that there's not a smarthone app already doing the self same thing with your privacy right now. On either platform.
Let's be careful out there.
But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot
Millions affected. Not a single one complains. And no lawsuits! And yet some of these Android users (who don't even own an iPhone 4) are constantly finding a new thing about the iPhone to carp about.
Yeah exactly! Android users are a jealous bunch.
But the Flashlight App did exactly what it was supposed to do, although thru the back door. I already had two great Flashlight Apps but I did need a tethering App to help me consume my 2GB data plan minutes. I normally use 200-350MB /month so the months I would go over the 250MB would greatly exceed the price difference of the 2GB plan. And there are times when I want (Need) to use my laptop in the wild and this little tool in my toolbox will keep me from running to find a free WiFi hotspot
You are missing his point completely and veering off on an unrelated tangent. Sure, the tethering flashlight did what it was supposed to do. But it could have just as easily have been malware and Apple again would not have known about it, nor would unsuspecting downloaders.
A lot of people think that it really is open, that you can take any software and modify it. No. You have to make sure the credits include the developers who worked on the original app and you have to make sure you contact them so they know they are having a new version of there app created, and then sometimes they might demand you work ON THERE APP. You see what I mean? A mess.
If you like your GUI to have the file browser and the music player made by completely different people then it's up to you.
I love my Mac Pro, my Macbook Pro, my iPad and my Nano but didn't care for the iPhone.
Granted the Android Market has some huge problems but for me the flexibility I have with
my phone is well worth the problems.
The competition between these 2 formats will make both phones better.