Millions of Android users hit by malicious data theft app


Comments

  • Reply 181 of 216
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by samban View Post


    The objective of a curated platform is to place a policy before the very first user gets infected. There will always be a program (or programs) that will try to circumvent this, but putting such a policy in place will make it a bit harder to do.



    But not having a policy and reciting the poem of openness just shows that the company wants to walk away from investing resources in testing the application and raising flags to the developers. And the only objective is to pull personal data out for its own profit. The basic question for any CE company is how pro-consumer it is (every single customer matters because it's not ad money).



    Excellent point.





    Quote:
    Originally Posted by samban View Post


    Android's Trip of Death to China



    I'll take the iPhone 4's "Death Grip" over Android's "KungFu Grip".
  • Reply 182 of 216
    davesw Posts: 406 member
    Quote:
    Originally Posted by Gwydion View Post


    Repeating it a million times won't make it more true



    actually it does.
  • Reply 183 of 216
    sheff Posts: 1,407 member
    Having a hard time understanding what the problem with the app was. Was it that a Chinese guy made some app that required registration, which was pre-filled with info on the phone? Or was this a wallpaper app that secretly grabbed data from the SIM card and sent it over to some guy in China?



    If it's the first scenario - well it's not such a big deal. As long as users know that their info is being sent and agree to it, it becomes about social engineering and not malicious software.



    If it's the second then I sure hope that Android adopts apple-like stance to pre screening their apps, though I'm not sure how they would save face if they did that.
  • Reply 184 of 216
    chopper Posts: 246 member
    Quote:
    Originally Posted by notanapplefanboy View Post


    Update: We received a note from Jussi Nieminen, who indicated the data fields being retrieved, as reported by VentureBeat, are incorrect. Texting and browser history are apparently not retrieved, but your phone number, phone ID, and voicemail fields are. And, since it's not unheard of for voicemail entries to include a password when setup on a phone, it's possible they could wind up with that too. Also, the popularity of the app was apparently misstated, with actual downloads somewhere south of 250,000



    Thanks for the update. No doubt the kind folks at AI will eventually revise their story again to reflect the new information. Perhaps.



    I doubt they'll change the headline for it in the news page though.
  • Reply 185 of 216
    gristan Posts: 25 member
    http://www.networkworld.com/news/201...ck.html?page=1





    >FBI details worst social networking cyber crime problems





    Not only has suspect software cloaked in a wallpaper application gathered personal information from infected phones and sent it to a Web site in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely – including top-of-the-line models hawked by major wireless carriers.





    In one presentation, Lookout's CEO John Hering said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather a device's phone number, subscriber identifier, and currently programmed voicemail number.





    In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android, researchers reported at Black Hat 2010. "It gives you root control, and you can do anything you want to do" with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.





    The company says Android's reputation for security may be exaggerated. "It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means," the company said in describing Lineberry's talk.





    The best way to distribute malware that could exploit the flaw – known as CVE-2009-1185 – is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."





    CVE-2009-1185 has been known for more than a year and can be patched, but so far the carriers have not issued patches, Lineberry says. The root-control exploit has been successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and Droid Incredible (Verizon) as well as older models G1 and Hero, he says.





    But root control is unnecessary in order to carry out the type of attack executed by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications require permissions in order to access features of the phone, and these permissions can be exploited. So, for instance, an application that tells the customer the nearest Chinese restaurant would need access to the phone's GPS capabilities.







    Black Hat told that applications can steal data and – worse – take over the Android phones completely







    When selling applications, developers must list all the permissions the application requires to work, and the customer must sign off on allowing those permissions. An application that sorts SMS messages but requires Internet access may seem suspicious, and customers might bail out of buying the application.





    But some permissions sound innocuous, Wyatt says. Customers might not know what the permission "Import Android log" means, but approve an application that requires it because the name of the permission doesn't sound threatening. But the logs can reveal browsing histories, passwords, phone numbers and a wealth of other data, he says.





    Malicious applications with Internet permissions can be crafted to send the data in the background or display innocuous Web sites to mask where the data is being sent, Wyatt says.





    Lookout has carried out a study it calls the App Genome project that examined Android and iPhone applications for what permissions they have and what malicious activity they might carry out with the set of permissions they have. An application might use the permissions legitimately, but in the hands of a hacker could cause mischief, the company says.





    Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.





    Read more about security in Network World's Security section.
  • Reply 186 of 216
    What's the best anti-virus and anti-spyware program for Android? Norton or McAfee?
  • Reply 187 of 216
    dasanman69 Posts: 13,002 member
    Quote:
    Originally Posted by ascii View Post


    I don't think it's fair to blame Google for this. People know it's an open marketplace, so it's their responsibility to check out the developer, make sure they're reputable, before installing something. They have to think of their phone as same as a PC in that respect.



    I agree, I can't believe there's anyone dumb and lazy enough to download a wallpaper app. It's so easy to make one of your own. I have a Droid and I'm very selective in which apps I download, especially knowing it's an open market. Just proves that a large portion of the population are idiots.
  • Reply 188 of 216
    gristan Posts: 25 member
    Quote:
    Originally Posted by dasanman69 View Post


    I agree, I can't believe there's anyone dumb and lazy enough to download a wallpaper app. It's so easy to make one of your own. I have a Droid and I'm very selective in which apps I download, especially knowing it's an open market. Just proves that a large portion of the population are idiots.
    >large portion of the population are idiots.



    THAT'S Ya " KIN "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • Reply 189 of 216
    gwydion Posts: 1,083 member
    Quote:
    Originally Posted by gristan View Post


    The best way to distribute malware that could exploit the flaw – known as CVE-2009-1185 – is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."



    This exploit has to be made from the debug bridge with the phone connected to a computer. An application can't exploit it.



    Quote:
    Originally Posted by gristan View Post


    Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.





    Nope, when an application broadcasts an intent to another application, the permissions have to be equal for the intent.
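    The permission points in the Network World article quoted in Reply 185 (innocuous-sounding permissions such as the log permission, INTERNET as the channel for sending data in the background, and apps tapping each other's resources) and the component-permission question in Reply 189 all come down to what a reviewer can read off an app's manifest before installing it. The script below is an added example written for this thread, not code from Network World, Lookout or any poster here; it reviews a constructed manifest for a hypothetical com.example.wallpaper package (the permission names and the android XML namespace URI are Android's real ones, the package, component and custom permission names are made up). Its third check flags exported components that declare no android:permission, which is the configuration under which any installed app can invoke a component and use whatever that app is allowed to do.

```python
"""Added example: static review of an Android manifest's permission surface.

Three checks a reviewer runs before trusting a "wallpaper" app:
  1. sensitive permissions whose names sound harmless (READ_LOGS, READ_PHONE_STATE)
  2. sensitive-data permissions combined with INTERNET, i.e. an upload path
  3. exported components that declare no android:permission, so any other
     installed app can invoke them and borrow this app's privileges
The manifest below is constructed for a hypothetical com.example.wallpaper
package; the permission names and namespace URI are Android's real ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_EXPORTED = f"{{{ANDROID_NS}}}exported"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

INTERNET = "android.permission.INTERNET"
# Permissions that reach the kinds of data the quoted article names.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number, device id, subscriber id",
    "android.permission.READ_LOGS": "system log (URLs, numbers, tokens logged by other apps)",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_CONTACTS": "address book",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: a wallpaper app that also reads logs and phone state,
# holds INTERNET, and exposes one unprotected and one protected component.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Wallpapers">
    <service android:name=".UploadService">
      <intent-filter><action android:name="com.example.wallpaper.UPLOAD"/></intent-filter>
    </service>
    <receiver android:name=".ProtectedReceiver" android:exported="true"
              android:permission="com.example.wallpaper.SIGNATURE_ONLY"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (set of requested permissions, list of declared components)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    components = []
    app = root.find("application")
    for tag in COMPONENT_TAGS:
        for el in app.iter(tag):
            exported = el.get(A_EXPORTED)
            if exported is None:
                # Before Android 12 a component with an <intent-filter> and no
                # explicit android:exported is exported by default.
                exported = "true" if el.find("intent-filter") is not None else "false"
            components.append({
                "tag": tag,
                "name": el.get(A_NAME),
                "exported": exported == "true",
                "permission": el.get(A_PERMISSION),
            })
    return perms, components


def review_manifest(xml_text):
    """Return a list of human-readable findings for the manifest."""
    perms, components = parse_manifest(xml_text)
    findings = []
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    for p in sensitive:
        findings.append(f"sensitive permission {p}: grants {SENSITIVE[p]}")
    if sensitive and INTERNET in perms:
        findings.append("exfiltration path: sensitive-data permissions combined with INTERNET")
    for c in components:
        if c["exported"] and c["permission"] is None:
            findings.append(f"exported {c['tag']} {c['name']} declares no android:permission; "
                            "any installed app can invoke it with this app's privileges")
    return findings


if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print(" -", finding)
```

    Run as a script it prints four findings for the sample: the two sensitive permissions, the permission-plus-INTERNET combination, and the unprotected UploadService. The ProtectedReceiver is exported but carries an android:permission, so it is not flagged; that is the shape a component should have when it is meant to be reachable from other apps.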
  • Reply 190 of 216
    shao Posts: 39 member
    is this better, or worse than the time (just a few short weeks ago) when itunes / app store accounts were being charged up to $1400 without permission from their owners, or knowledge?



    http://thenextweb.com/apple/2010/07/...e-hack-itunes/

    http://thenextweb.com/apple/2010/07/...unrelated-fix/



    personally, sim card details, voicemail passwords are nothing compared to accessing my banking details and making transactions without my permission.



    i do like apple insider. i like how they point their finger of hatred at apple's competition and try to label them as incompetent. You know, exactly the same thing apple does. It's not admirable behaviour. Don't do it.



    so.. to summarise. Android store, not perfect. iOS store, not perfect. One leaks phone details and some personal details, the other allows your hard earned cash to be unwittingly siphoned from your account.



    i know which i'd prefer.



    (i have an android phone, and an ipad)
  • Reply 191 of 216
    gwydion Posts: 1,083 member
    Response from the app developer:



    Quote:

    In my applications I collected some device data, not user data.

    I collected the screen size to return more suitable wallpapers for the phone. More and more users emailed me telling me that they love my wallpaper apps so much, because even "Background" can't suit the phone's screen well.

    I also collected the device id, phone number and subscriber id; it has no relationship with user data.

    There are few apps in the Android Market that have the favorites feature. Many users suggested that I should provide the feature, so I use these to identify the device, so they can favorite the wallpapers more conveniently and resume their favorites after resetting the system or changing the phone.

    I am just an Android developer, I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.

    I am wondering why the CEO of Lookout or the author of venturebeat.com attacks me and makes irresponsible points.



    http://www.scribd.com/mobile/documents/35072457
  • Reply 192 of 216
    Quote:
    Originally Posted by shao View Post


    is this better, or worse than the time (just a few short weeks ago) when itunes / app store accounts were being charged up to $1400 without permission from their owners, or knowledge?



    http://thenextweb.com/apple/2010/07/...e-hack-itunes/

    http://thenextweb.com/apple/2010/07/...unrelated-fix/



    personally, sim card details, voicemail passwords are nothing compared to accessing my banking details and making transactions without my permission.



    i do like apple insider. i like how they point their finger of hatred at apple's competition and try to label them as incompetent. You know, exactly the same thing apple does. It's not admirable behaviour. Don't do it.



    so.. to summarise. Android store, not perfect. iOS store, not perfect. One leaks phone details and some personal details, the other allows your hard earned cash to be unwittingly siphoned from your account.



    i know which i'd prefer.



    +1 Insightful



    Those who keep parroting Jobs' line about curated stores being inherently more secure just have their heads in the sand. The reason for the curated store is just to put Apple in the central role of collecting a tax on every app sold. Any other explanation for it is merely rationalization.
  • Reply 193 of 216
    This story is BS, the app doesn't even ask for the permissions required to attain the information that is allegedly being leaked.

    [ Follow up article ]



    Quote:
    Originally Posted by AppleInsider View Post


    An app distributed by Google's Android Market has collected private data from millions of users and forwarded it to servers in China, validating Apple's uniquely strong stance on mobile security in the iPhone App Store.



    The exploit, tied to an app that appeared to simply load free custom background wallpapers, was downloaded "anywhere from 1.1 million to 4.6 million times. The exact number isn't known because the Android Market doesn't offer precise data," according to a report by Dean Takahashi of VentureBeat.



    The app "collects a user's browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voice mail password. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China," the report noted (see the update by Lookout below).



    The data upload was only discovered afterward, through forensics performed by a mobile security firm named Lookout, which sells virus and malware protection software for Android, Windows Mobile and BlackBerry devices. The problem was announced at the Black Hat security conference being held in Las Vegas.



    (Update: Lookout has clarified in follow-up comments with AppleInsider that the intent of their "App Genome Project" research was to "identify security threats in the wild and provide insight into how applications are accessing personal data and other phone resources."



    The group noted that the Android wallpaper app was "not proven to be malicious," but that the app does "ask the user for specific information around the phone details and that information is transferred to a server [in China]."



    Correcting the original VentureBeat story, Lookout stated that "the apps from these developers send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."



    Lookout also reiterated there is "no proof of malicious intent and in the past apps have been a bit overzealous in getting access to sensitive data with no ill intent." Lookout compared the Android wallpaper app copying local data to a Chinese server with a recent App Store title that purported to be a flashlight app while actually including a hidden SOCKS proxy that could be used for tethering.



    Lookout added that it hasn't "yet" published a report detailing the Android wallpaper app, suggesting that it is continuing to look at the situation.)



    Mobile data theft on the increase



    The issue recalls a recent AT&T website leak that could hypothetically have enabled a malicious hacker to access 144 thousand iPad 3G users' email addresses.



    However, the Android app data theft was actually perpetrated by malicious hackers and not just demonstrated by researchers; it involves far more sensitive data; and it affected far more victims, by more than an order of magnitude.



    iOS vs Android in app security



    Apps on any platform can access personal data and forward that data to an external server, but the Lookout research found that 47 percent of the selection of Android apps it looked at incorporated third party code (which may include malicious functions), while only 23 percent of analyzed iPhone apps did.



    Apple also approves iOS apps through a strict vetting process before listing them in the App Store, while Google's Android Market app security involves simply warning the user that an app needs permissions to perform certain functions during the install.



    Unlike other mobile platforms secured by Lookout, Apple's iOS platform doesn't have a live virus problem because third party iPhone apps can only be distributed through Apple's curated App Store, and apps are forced to run in a segregated sandbox environment where they can't infect the system. That doesn't necessarily mean iOS apps can't forward user data inappropriately however; Apple has discovered and pulled apps that have violated its privacy policies.



    Apps must also be signed by a certificate created by Apple, which makes it much harder for malicious developers to anonymously distribute software designed to cause problems or steal data. Apple's security measures also make such efforts less attractive financially, despite the iOS platform's installed base being much larger than Android's.



    Exploitable vulnerabilities in the iOS platform have been reported elsewhere, including the Safari browser, but crafting a malicious attack via the browser requires luring users to a malicious site rather than simply distributing a bad app that appears to be useful and genuine.



    Lookout chief executive John Hering said in the report that "he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps," but the report noted it's "unclear what happens" when apps don't actually do what they represent.



  • Reply 195 of 216
    sensi Posts: 346 member
    Quote:
    Originally Posted by davesw View Post


    these things are more likely to happen on Android phones due to the fact that ANDROID and the ENTIRE ANDROID ecosystem is insecure.



    I just love ludicrous propagandists spamming ignorant and debunked FUD. I really fail to see the rationale behind it, but I am not an expert in psychological troubles.
  • Reply 196 of 216
    jragosta Posts: 10,473 member
    Quote:
    Originally Posted by shawnb View Post


    Actually, if you examine facts, both platforms have exactly the same number of true security threats -- zero. Well, technically one if you count the user behind the keyboard, which is the most insecure link of either platform..



    So sending all your personal information to China is not a security threat? It's really funny how the Android fans will accept anything as long as it's 'open'.



    Quote:
    Originally Posted by dasanman69 View Post


    I agree, I can't believe there's anyone dumb and lazy enough to download a wallpaper app. It's so easy to make one of your own. I have a Droid and I'm very selective in which apps I download, especially knowing it's an open market. Just proves that a large portion of the population are idiots.



    So it's the user's fault for not being a 'leet' whizkid? It's OK to have an insecure system with apps that steal your personal information and send it to China because the really leet users know to do an extensive search on any application before installing it - because it can cause so much damage.



    Doesn't that simply prove what iPhone users have been saying all along? Android devices are a pia.



    Quote:
    Originally Posted by shao View Post


    is this better, or worse than the time (just a few short weeks ago) when itunes / app store accounts were being charged up to $1400 without permission from their owners, or knowledge?



    http://thenextweb.com/apple/2010/07/...e-hack-itunes/

    http://thenextweb.com/apple/2010/07/...unrelated-fix/



    personally, sim card details, voicemail passwords are nothing compared to accessing my banking details and making transactions without my permission.



    i do like apple insider. i like how they point their finger of hatred at apple's competition and try to label them as incompetent. You know, exactly the same thing apple does. It's not admirable behaviour. Don't do it.



    so.. to summarise. Android store, not perfect. iOS store, not perfect. One leaks phone details and some personal details, the other allows your hard earned cash to be unwittingly siphoned from your account.



    i know which i'd prefer.



    (i have an android phone, and an ipad)



    You're ignoring, of course, the fact that the issues are entirely unrelated. The one you're citing is people who had their passwords stolen and misused. Now, Apple could require more secure passwords, but beyond that, there's nothing anyone can do. A user gives someone their password and that someone uses it maliciously. It's not a flaw in the system (and certainly not a flaw in iOS since it had absolutely nothing to do with iOS).



    OTOH, you have the Android flaws being discussed here where the users' personal information is being sent to China without permission.



    Surely even an Android fanboy can see the difference, no?



    Quote:
    Originally Posted by mastermind777 View Post


    I'll just leave this here...



    http://www.androidtapp.com/android-w...user-data-fud/



    ROTFLMAO. Whining self-defense. Basically, he says it's OK for the app to send your personal information to China because other apps do it, too.



    Oh, and I love the part about needing 8 permissions to run a wallpaper app.
  • Reply 197 of 216
    chopper Posts: 246 member
    Quote:

    So sending all your personal information to China is not a security threat?



    All your personal information? Even for you, that's extreme Android-hatred running amok. You apparently have left any sense of reality behind in your paranoia. Show even a single piece of evidence that "all" of anybody's personal information was sent to China. You can't? You're exaggerating in order to irrationally attack Android for some reason too weird to imagine? Why am I surprised?



    Quote:

    So it's the user's fault for not being a 'leet' whizkid?



    'Leet' is a pathetic strawman. How about every user takes some responsibility for providing their personal info to anybody?



    Quote:

    Now, Apple could require more secure passwords, but beyond that, there's nothing anyone can do.



    What a pity you don't hold Apple to the standards you apparently expect from Apple's competitors. That's known as hypocrisy. You practise it like an expert.



    Quote:

    OTOH, you have the Android flaws being discussed here where the users' personal information is being sent to China without permission.



    Flaw? Intentional mining of data, as apps on the AppStore are also able to do, and actually do, is hardly a flaw.



    Surely even an Apple fanboy can understand those simple concepts, no?



    Quote:

    Basically, he says it's OK for the app to send your personal information to China because other apps do it, too.



    Just like AppStore devs do. But you're right that neither platform's devs should collect and disseminate personal data without express permission. And I'll have some respect for your position when I see you castigating Apple here on this forum for permitting its devs to do that.



    I won't be holding my breath.
  • Reply 198 of 216
    firefly7475 Posts: 1,502 member
    As the smoke clears on this whole debacle one has to wonder if those left with egg on their face for jumping to conclusions and not checking facts are at all embarrassed?



    It seems at least AI was at least decent enough to acknowledge the facts in an update of the original article. One wonders if certain forum users will show the same decency? I assume not.
  • Reply 199 of 216
    jragosta Posts: 10,473 member
    Quote:
    Originally Posted by Chopper View Post


    Just like AppStore devs do. But you're right that neither platform's devs should collect and disseminate personal data without express permission. And I'll have some respect for your position when I see you castigating Apple here on this forum for permitting its devs to do that.



    Really? Please name the Apple AppStore apps which have sent the same information to China for millions of users as this wallpaper app. It's easy for you to lie and pretend things, now try to prove it.
  • Reply 200 of 216
    firefly7475 Posts: 1,502 member
    Quote:
    Originally Posted by jragosta View Post


    Really? Please name the Apple AppStore apps which have sent the same information to China for millions of users as this wallpaper app. It's easy for you to lie and pretend things, now try to prove it.





    http://www.macworld.com/article/1437...n_numbers.html



    http://i-phone-home.blogspot.com/sea...l%20of%20Shame