Terrifying lack of security on Android devices.

[dennisr]

I'm a hobbyist developer on both iPhone and Android platforms, and as such, I have both phones and have used them extensively.

The "open" Android platform is great for me as a developer. I can submit anything and it appears in the store within minutes. With Apple, I have to wait a week or more for my applications to be approved.

That said, the iOS security does not come from the human reviewers. There are many things they simply cannot see. The security is built-in. The iOS API, as powerful as it is, is fairly restrictive in what it allows a developer to do. The "sandbox" is enforced. It is physically impossible for an application to read your SMS messages, for example. Fully knowing the limits of the platform as a developer, I feel comfortable downloading any app from the App Store (yes, some are crappy), knowing that it won't screw me over. I can just delete it and be done with it.

Android, on the other hand, feels like the Wild Wild West. Why does this innocuous Tic Tac Toe game with 5 stars need access to my phone settings and contacts? As such, my application experience is similar to what I do on my Windows box: I download only applications that I AM REALLY REALLY sure will not do anything bad. I explicitly do not go and download random developers' applications because who knows what they will do.

The open platform, while more convenient as a developer, while more powerful, actually limits me from exploring and from finding new, potentially awesome apps.

I'm sure you've helped a friend or a family member with a virus and spyware-ridden Windows box, full of toolbars. Have you tried explaining to them "just read the fine print?" Will they read the fine print when they install the Android app that uploads their contact information to a server in Russia?

(A recent example: Updated: Android wallpaper app that takes your data was downloaded by millions | VentureBeat )

As a developer, I prefer Android. I love the idea of "open." As a user, I really do feel much safer on iOS, at least for now.

 

[bajabum]

I'm a hobbyist developer on both iPhone and Android platforms, and as such, I have both phones and have used them extensively.

As a developer, I prefer Android. I love the idea of "open." As a user, I really do feel much safer on iOS, at least for now.

This week at the Black Hat Security Conference, Lookout will unveil the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.


Early Findings

Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms. Stats include:

• 29% of free applications on Android have the capability to access a user

 

[Jethro10]

What tools do you need? I tried to install a live wallpaper app once that wanted access to my contacts and full Internet access. What tool do I need to figure out if that's sketchy or not beyond the one between my ears?

Several apps have already been seen to use the generic "internet access" to abuse this privilege and send data it shouldn't, where it shouldn't be sent.
So if this type of conduct bothered people, you would need tools to find where the data was being sent? I guess so?

Ta
J

 

[anteries]

I'm sorry if I sound like I'm bashing the OP, but working in Network Security field for the past 13 years there are more things to be fearful of than what you install on your phone and what it has access to.

1.) Don't install any banking apps unless they are put out by the bank itself! I would go to their website just to make sure they actually offer it and it's not some scam.
2.) DO NOT allow third party applications have access to your Netflix/Amazon/Roku (just examples) accounts. Especially by saving your passwords.
3.) Do you REALLY need "free" applications that store information in the "cloud" for you in case you lose your phone? Anything and everything is accessable if someone really wants that information.
4.) Use a different password (8-12 alpha/numeric with one special character) for every single site/e-mail you have. It's a pain, but think about it. One account gets hacked...they're all hacked.

I'm not trying to sound like the Harbinger of Doom here OR some nut saying the government has a satellite following you around....well, with GPS turned on, they could. LOL j/k BUT be realistic and use common sense about what you install and what it has access to. These applications are written by faceless people that you'll probably never meet in person, so if you're not willing to trust your best friend with your username/passwords, then why would you allow an application have access to it?

Again, I'm truly sorry to the OP if I came off sounding like an a$$...it's not aimed at you, but what I deal with on a daily basis would really make people think twice about what information they give out. Yes...I'm a security freak only because in college I had my identity stolen 2 times being naive.

Rastoma...I really want the Android OS to succeed too. I wouldn't buy an Iphone/Ipad/Itouch because the way they do business (closed platform), but the one thing they do have going for them is the review process for all apps submitted for download.

Take care guys and gals. This wife has told me to get off the computer already. Guess who "I" have to answer to? lol

-S

I think you are totally cool in your response. my original post was something of a blurting out of my first impression.

Having thought about it more and read the posts here, I think that there are issues with security on all mobile platforms, but the thing is there are things I can do to protect myself.

As you suggest, if anyone particularly concerned that they can be careful about what I install.

Quirky games for my handset, do I need need them, I can read an e-book on my phone instead.

Also I realise that a lot of helpful applications are not really necessary as the phone browser experience is so good. and what's more if there are apps for Amazon and eBay I want to install, being the fact that they are so big and well known they are liable to be legitimate.

 

[A.Nonymous]

Several apps have already been seen to use the generic "internet access" to abuse this privilege and send data it shouldn't, where it shouldn't be sent.
So if this type of conduct bothered people, you would need tools to find where the data was being sent? I guess so?

Ta
J

No. You just need to know not to install the app in the first place. I mentioned the live wallpaper app that needed full Internet access. Do I need a "tool" to figure out where that data is being sent or can I simply use the tool between my ears to know that that permission is completely unnecessary and not install the app. It's really not that difficult. If I have questions about the permissions, I either don't install the app or I email the dev (which you can do right from the market page) and ask. If I don't like their response (like with the MixZing dev) I don't download the app and tell others not too. No one has pointed out the big flaw in iOS. You have no idea what the apps have access to. You trust that Apple is protecting you. You trust that Apple has screened the apps properly. You trust that Apple has your best interests at heart. Maybe they do and maybe they don't. At least with Android, it's all in my hands. I guarantee you that I have my best interests in mind when I'm looking at installing apps.

 

[Steelwool199]

The Getjar and Market versions are fine, they have internet access for the ads, but there was one floating around that had more permissions but I forget who was hosting it.

I think it just might not like my phone then. Tried installing/uninstalling twice.
Thanks for clearing this up for me. My version was from Getjar.

 

[dennisr]

No one has pointed out the big flaw in iOS. You have no idea what the apps have access to. You trust that Apple is protecting you. You trust that Apple has screened the apps properly. You trust that Apple has your best interests at heart. Maybe they do and maybe they don't. At least with Android, it's all in my hands. I guarantee you that I have my best interests in mind when I'm looking at installing apps.

With all due respect, the security in iOS does not come from human reviewers. They simply wouldn't be able to catch all the baddies.

The human reviewers are just there to enforce look-and-feel standards, reject features Apple does not like, and so on. That is a whole other beast. The security comes from the API design -- each application runs in a sandbox and has very limited access to system functionality. For example, an app cannot read your SMS messages -- it is actually impossible, no API exists for that. An application cannot swap your keyboard with another one and log your keystrokes, etc. It cannot read memory of other apps.

For apps that use GPS, a big fat warning pops up on the screen asking for your permission.

I hope I'm not out of line here, but I wish some sort of sandboxing guarantee like that existed in Android...

Of course, my statements are not true for a "jailbroken" iPhone: jailbroken apps, while most are safe, possess all the power (and risk that comes with it) of Android apps. No sandbox. For this reason, I do not advise my non-techie friends to jailbreak their phones.


(I'm a developer of both iPhone and Android apps, and love both platforms equally. )

 

[Szadzik]

With all due respect, the security in iOS does not come from human reviewers. They simply wouldn't be able to catch all the baddies.

The human reviewers are just there to enforce look-and-feel standards, reject features Apple does not like, and so on. That is a whole other beast. The security comes from the API design -- each application runs in a sandbox and has very limited access to system functionality. For example, an app cannot read your SMS messages -- it is actually impossible, no API exists for that. An application cannot swap your keyboard with another one and log your keystrokes, etc. It cannot read memory of other apps.

For apps that use GPS, a big fat warning pops up on the screen asking for your permission.

I hope I'm not out of line here, but I wish some sort of sandboxing guarantee like that existed in Android...

Of course, my statements are not true for a "jailbroken" iPhone: jailbroken apps, while most are safe, possess all the power (and risk that comes with it) of Android apps. No sandbox. For this reason, I do not advise my non-techie friends to jailbreak their phones.


(I'm a developer of both iPhone and Android apps, and love both platforms equally. )

If any type of sandboxing was to be introduced in Android it would mean Android would not be an open operating system, which I think is the biggest of its advantages. The openness is gone and 30% of users move to other platforms as there is nothing that keeps them with Android anymore.

 

[anteries]

Just when you think it's safe to go back in the water again. Let me give you an example, I was interested in an application called Vlingo, to enable voice recognition on my phone.

This seems like a big company, good website and from what I gather is connected with Google.

It's a free install, but it wants permission to send premium SMS messages.

The thing that I find so maddening about android applications, is the total lack of available information.

On Vlingos website there is no mention of why this permission is needed, there is a hint it's a product that needs to be purchased.

I'm getting angry that because I feel I'm being kept in the dark. Applications that are advertising supported, don't tell me how frequently they are connecting to the Internet, how much data they're using. or anything.

It all seems so dam shady. I've only got one application on my phone that hasn't asked for full Internet access, access to my contacts and Internet. And most of them want to be up to modify my Sd card.

I want independent permissions, like a firewall. I want a pop-up to say this application want to access the Internet, do you want to allow it.

Is it really in the whole of the android development, it didn't cross anyone's mind this would be a useful feature. ridiculous.

I get the feeling from the android platform that it is like travelling in a car at 90 mph and then someone unscrews the steering wheel and throws out the window.

It's going to be bot net central before long.

 

[Legato]

It's a free install, but it wants permission to send premium SMS messages.

This is another example of an app needing permission to do it's basic function, but when it asks you for it it looks very bad. VLingo is a hands free texting/emailing app. I can click a button and say, "Text John" and it will open a text message to John, i then can speak all the message i want in the text and VLingo will put it in there for me and send it when i am done. It isn't going to send 100's of txts to china for you. It just needs it to make SMS for you.

Kinda like how Launcher Pro asks for like 20 permission, at face value this looks horrific. How can i let them make phone calls for me?!?!?! But in reality since it is replacing the basic home launcher, it needs all those permissions to function properly

Personally i don't think we need a "sandbox" type app. We need Blackberry type permissions. Where when you install an app and it asks for permisson to do certain things, you can go to a page listing every available permission to give an app and you can decide line by line what you think it needs and what you dont. Now if you deny permission to something it needs to function the app won't work. But if you feel giving permission to make text or phone calls bad, then you can just disable that part of the app. I miss that greatly

 

[Szadzik]

I want independent permissions, like a firewall. I want a pop-up to say this application want to access the Internet, do you want to allow it.

Is it really in the whole of the android development, it didn't cross anyone's mind this would be a useful feature. ridiculous.

I get the feeling from the android platform that it is like travelling in a car at 90 mph and then someone unscrews the steering wheel and throws out the window.

It's going to be bot net central before long.

Just install DroidWall that has already been suggested.

 

[A.Nonymous]

This is another example of an app needing permission to do it's basic function, but when it asks you for it it looks very bad. VLingo is a hands free texting/emailing app. I can click a button and say, "Text John" and it will open a text message to John, i then can speak all the message i want in the text and VLingo will put it in there for me and send it when i am done. It isn't going to send 100's of txts to china for you. It just needs it to make SMS for you.

Kinda like how Launcher Pro asks for like 20 permission, at face value this looks horrific. How can i let them make phone calls for me?!?!?! But in reality since it is replacing the basic home launcher, it needs all those permissions to function properly

Personally i don't think we need a "sandbox" type app. We need Blackberry type permissions. Where when you install an app and it asks for permisson to do certain things, you can go to a page listing every available permission to give an app and you can decide line by line what you think it needs and what you dont. Now if you deny permission to something it needs to function the app won't work. But if you feel giving permission to make text or phone calls bad, then you can just disable that part of the app. I miss that greatly

The problem with that is that people are idiots. But that's the problem with any system. I have the Kindle app for example. It has full Internet access because it uses Whispersync obviously. Now, let's say I'm an idiot. I say, "Amazon doesn't need full Internet access so I can read books!!! I'm blocking that!!!" Now the app doesn't work. I'm baffled and puzzled. Why won't it sync up with my Kindle device? How come I can read books on my Kindle with no problem, but the books on my phone don't sync? WTF? This app is full of bugs. How could they put out this POS app?? Then I post a long rant about how buggy the Kindle app is on a forum and start trashing them in the market. In fact the app works perfectly fine. I've broken it.

You mentioned Vlingo earlier. Let's say I deny them access to my contact list and the ability to send text messages when I install the app. The app sits on my phone for a couple of days because I'm busy and don't have time to do anything with it. Now I try to use it to make a phone call in my car. I say "call Mom". It says that it can't find a number for Mom. Now I'm pissed. Mom is clearly in my contacts. I can pull up my contacts app and see Mom right there, but the app says it can't find her. How can a company like this put out such a POS app? Do you see where I'm going here?

The Android system trusts that people will say, yes, this permission makes sense for this app, but no, it doesn't make sense for this app. The BB system trusts that users won't break the crap out of their apps. The iOS system assumes that you completely trust Apple to protect you. You have no clue what permissions the app you're using has, you just assume that Apple has vetted them. The Windows system makes you trust the developer completely. None of these systems are perfect.

 

[Ozymandias88]

With all due respect, the security in iOS does not come from human reviewers. They simply wouldn't be able to catch all the baddies.

The human reviewers are just there to enforce look-and-feel standards, reject features Apple does not like, and so on. That is a whole other beast. The security comes from the API design -- each application runs in a sandbox and has very limited access to system functionality. For example, an app cannot read your SMS messages -- it is actually impossible, no API exists for that. An application cannot swap your keyboard with another one and log your keystrokes, etc. It cannot read memory of other apps.

For apps that use GPS, a big fat warning pops up on the screen asking for your permission.

I hope I'm not out of line here, but I wish some sort of sandboxing guarantee like that existed in Android...

Of course, my statements are not true for a "jailbroken" iPhone: jailbroken apps, while most are safe, possess all the power (and risk that comes with it) of Android apps. No sandbox. For this reason, I do not advise my non-techie friends to jailbreak their phones.


(I'm a developer of both iPhone and Android apps, and love both platforms equally. )

Actually there is. All android apps run in their own sandbox, if the app doesn't request any permissions then it can't access anything (just like iPhone). Now if the app needs to access say the internet, gps, etc... so it can download advertisements then it requests it in it's androidmanifest.xml. That request is always displayed (in rather dangerous orange writing I might add) when you install the app.

This happens regardless of where you install an apk from. To access anything outside of it's sandbox it must request access in the androidmanifest.xml and it's displayed when the apps installed.

Without the request in the androidmanifest.xml the app can't access anything outside it's little sandbox.

The only exception to this is applications that require root, they can do practically anything they like if you give them su permision just like jail broken iphone apps.

 

[A.Nonymous]

So far I've not run across any apps that requested root access and didn't have a good reason for it. Has anyone else? Someone recommended Droid Wall, but that only blocks the Internet Access permission. It doesn't block access to contacts, sms, etc.....

 

[sookster54]

So far I've not run across any apps that requested root access and didn't have a good reason for it. Has anyone else? Someone recommended Droid Wall, but that only blocks the Internet Access permission. It doesn't block access to contacts, sms, etc.....

What difference would that make? If droidwall is blocking the specified app from the internet via wifi and 3G, then it can't do much harm even if it reads the contacts list, the only way is if that application asked you for permissions on "services that costs you money" aka send SMS and make phone calls.

Droidwall blacklists everything by default, I enable access everything via wifi then select apps for 3G (TuneIn radio, Last.fm, browsers, Yahoo/MSN/Talk, etc).

 

[A.Nonymous]

What difference would that make? If droidwall is blocking the specified app from the internet via wifi and 3G, then it can't do much harm even if it reads the contacts list, the only way is if that application asked you for permissions on "services that costs you money" aka send SMS and make phone calls.

Droidwall blacklists everything by default, I enable access everything via wifi then select apps for 3G (TuneIn radio, Last.fm, browsers, Yahoo/MSN/Talk, etc).

Right, but it does keep some apps from working. I've had several issues with several apps on my phone when I installed Droidwall until I sussed out that those apps needed Internet access to work.