
SlideIT now a security risk

fluorite

Newbie
SlideIT now requires internet access. They claim they use it for license validation, but Google provides other means to do this with granting the app internet access.

I am unwilling to grant any keyboard app internet access. That is the perfect recipe for a key logger, stealing passwords, credit card numbers, etc.

This was my favorite app. Now I am uninstalling.
 
I didn't even notice that during the update. Do you really think that would make it possible for people to steal information that way?:eek:
 
I didn't even notice that during the update. Do you really think that would make it possible for people to steal information that way?:eek:

In theory every and any app with "Internet access" could steal your identity. I assume google would find this out and kill the app. On the other hand this guy is probably making bank from this app.

As an IT guy (and a not paranoid one at that) I think we'll all be ok. My paranoid co-workers would probably freak though
 
In theory every and any app with "Internet access" could steal your identity.

It would take a combination of access to the internet and access to deeply confidential information. Most apps do not have both.

What I find especially problematic is that Android/Google offers a license validation service that could be used instead of internet access. That service has internet access, so an app does not need its own internet access to validate.

As an IT guy (and a not paranoid one at that) I think we'll all be ok. My paranoid co-workers would probably freak though

Even if I have confidence in the integrity of the developers (whom I have never met), must I also have confidence in the protection of their development machines? Must I also have confidence in future purchasers of their product line? The possible opportunities for compromise are extensive.

If I were part of a serious identity theft ring, SlideIT would be a very tempting acquisition.

I hope they fix this. SlideIT was my favorite app.
 
Couldn't agree more.. Found this thread because I was sick of a "feature" in Swype (the hated "hidden word" popup), found SlideIT as a proposed alternative, and when I went to install it from Android market did a double-take at the app permissions, thinking "why the HELL does a keyboard app need internet access?"

I'm not a "tinfoil hat" type, but common sense dictates that I share all the concerns listed above about the fact that I have no idea who the developers are, how secure their systems are, if they have anything in place to prevent a "rogue" developer who works for them and gets pissed doing nasty things, etc etc etc. Fluorite said it best: "The possible opportunities for compromise are extensive."
 
Wouldn't it be possible to set up the emulator, and install this app. Then you could intercept the communication and take a gander at what's being passed back and forth.

The issue I have seen with licensing is there are too many ways. I have the android licensing, but to sell on Amazon, you will have to use their licensing, and I got an email from a website the other day offering to distribute my app with yet another licensing scheme. It could very well be that he just came up with his own homegrown licensing scheme and avoids having to build multiple copies of the app just to satisfy all the different app stores.

Anyone thought of emailing the developer for an explanation?
 
While it is not likely because if anyone found out they are keylogging it would be over for them as a business, I would err on the side of caution. Things like this do happen and for me, the risk is too high.

See http://www.codinghorror.com/blog/2008/03/a-question-of-programming-ethics.html
 
I really loved this app. One of two I have thought worth paying for. However, I'm not sure it's so much better than the other keyboards to justify the risk.

I found a thread on XDA started by the creators of SlideIT. I don't know anything about coding or programming, so I did not sign up and respond in the thread, but I think it would be of great benefit to many of us if somebody who does know something about coding/programming would ask them what this is all about.
Here is the link: New SlideIT keyboard version - Page 5 - xda-developers
 
I've got DroidWall blocking SlideIt, but it still seems to work fine. Evidently the internet access isn't too crucial. :confused:
 
I just discovered this app. Has anyone determined how safe it is? My phone is not rooted so Droid Wall is not an option.
 
I use Swiftkey and it also requires this access to download language data. No way to verify whether it uses internet access after the setup is finished. I just use DroidWall to block it.



If you don't trust the app developer to not steal your data, why would you trust an anonymous forum poster to tell you an app is safe?

Make the decision yourself.
 
I just discovered this app. Has anyone determined how safe it is? My phone is not rooted so Droid Wall is not an option.

SlideIT still requires internet access, which I find very troubling for a keyboard app. SlideIT has all the permissions it needs to log your passwords.

If you really want to use SlideIT, I suggest you switch to another keyboard app before entering any passwords or sensitive info. You can switch back again after.

Swiftkey also requires internet access, which makes me quite nervous. But at least they do give a better justification for why they want it than does SlideIT.
 
SlideIT is just 10c on the Android Market today, which is a big discount over its usual price (IIRC). I was taken aback, though, by the permissions it seeks. What jumped out at me was the Internet access, but also the "Read contact data" permission. Those just don't seem to be a good combination.

I'm also baffled by the need for Internet, when the app *also* requests "Market license check" permission -- meaning it doesn't need Internet for licensing. I see several language packs in the Market, so it doesn't seem like it should need 'net for language support.

Nonetheless, I think I'll try it out for a dime. But I won't use it for anything secure. (I assume when an input method isn't the current input method, that it can't intercept anything?)

I really should be more concerned about my current primary data entry method -- Graffiti, which displays a stupid ad in the text entry area in the free version. I'm holding out paying $3 for the no-net version, because they haven't added any functionality besides porting from the Palm version. Even the help screens still include the Palm-specific "Shortcut" glyph!
 
I usually just switch back to the stock keyboard when I have to enter any passwords. It's a bit tedious but I feel it's much safer than using a keyboard with internet permission.
 
What are the other means of using Google licensing without internet access?

SlideIT now requires internet access. They claim they use it for license validation, but Google provides other means to do this with granting the app internet access.

I am unwilling to grant any keyboard app internet access. That is the perfect recipe for a key logger, stealing passwords, credit card numbers, etc.

This was my favorite app. Now I am uninstalling.
 
Checking a license via the Google LVL library will use the Market app to ask the Android Market to send a cryptographically signed response. When doing this first step, only the Market app itself is communicating with the internet.

The (Google) recommended way for handling the signed response from the Android Market is to pass it along to the dev's private web server to verify.

This second step requires the INTERNET permission, while just asking the Android market app if the license checks out only requires the CHECK_LICENSE permission.

This is how the Android Engineers recommend it be implemented. Doing it this way makes it extremely hard to hack.

However, some apps do not do the second step and do a simple license check using the Android Market, and then just read the response in the app itself. This is trivial to hack.

Hope that helps explain it.

 
I've only used the SlideIT keyboard for a day, but I already like it better than Swipe.

I hadn't used Swipe for months, because it would spew gibberish if I swiped over letters it didn't know how to handle. SlideIT handles that situation by (literally) saying "??". At first I wasn't happy with that, but now I see that it's a lot better than churning out nonsense if I miss a letter in a long word.

It seems to be more responsive on my low-end phone. Though I need to see if the slowdown I'm seeing now is due to the skin I d/l'd, or if it's due to other factors.

It's still got glitches, but I'm going to get rid of Swipe (it's a system app, but I can back it up and delete it with Titanium).

While I'm at it, I may get rid of Better Keyboard 8, too. I only used it when I had to avoid the CR-send issue of Graffiti, but SlideIT works just as well (or better) in non-sliding mode. The skinning on SlideIT is better, too -- BK8's skin has ugly gaps in its graphics, and I never heard back from the devs when I wrote about it (unless I just dreamed that I sent a note).

Plus, even though I paid for Better Keyboard, I can't get updates now that it's been yanked from the Market. That would make Better Keyboard the first paid app I've yanked (though again, Titanium Backup makes the jump a bit less daring).
 
SlideIT is just 10c on the Android Market today, which is a big discount over its usual price (IIRC). I was taken aback, though, by the permissions it seeks. What jumped out at me was the Internet access, but also the "Read contact data" permission. Those just don't seem to be a good combination.
I imagine it wants the read contact data permission to add the names to the dictionary. Swype also has that permission and that is what it uses it for.

I also got it yesterday in the sale and was quickly impressed, it seems faster and more accurate than Swype. A few things I do prefer on Swype but so far I think I will be keeping this one.
 
I too prefer SlideIt over the other keyboards. Easy to use, easy to add to, easy to delete words, great shortcuts and backing up/restoring the dictionary.
 
The (Google) recommended way for handling the signed response from the Android Market is to pass it along to the dev's private web server to verify.

This second step requires the INTERNET permission, while just asking the Android market app if the license checks out only requires the CHECK_LICENSE permission.

Thinking about this more, I think a dev that follows the Google recommendation is shooting themselves in the foot. It's a six-dollar app, so it's not the cheapest, but it's not terribly expensive either. So maybe you'll lose a few purchases to hackers with rooted phones and custom ROMs -- so what?

Compare that to the number of purchases you'll lose among savvy phone users who know what a keylogger is. My gut feeling is that you'd break even, in the end... losing x% of sales to tech-savvy cheaters but gaining x% of sales to security-conscious honest folks. And don't forget, us phone geeks have non-geek friends who ask, "What's that cool keyboard you're using?" Push us away, and you lose those referrals too.

Meanwhile, I'm happy with SlideIT, and I'm even ready to give the devs the benefit of the doubt and just use it whenever. Besides, the FBI already knows everything I'm typing anyway. ;)
 
Yeah, I agree there is trade-off there for the internet method of checking licenses, especially with keyboard replacements. Whether it's the right call or not, I dunno. Not for me to decide :) I just try and explain the tech.
 