
What is "goodware"?

IcyTotem

Lurker
Hi, I am a master's student in computer science. I am working on Android malware classification. As a starting point for my work, I want to define more or less precisely what "goodware" is for the users.
I want your opinions on this: when can you say that an application is totally benign for you?
 
Welcome to the forum :)

Firstly, I've never heard the term "goodware" before, and frankly hope I never do again - it's horrible ;)

Otherwise, an app is totally benign for me when it performs the task I want it to do, doesn't interfere with anything else, and doesn't collect any data whatsoever about me.

I've emphasised "totally" because that word set the bar high for me.
 
Hi, thanks for the response. That's what I thought of, more or less: it does at most what you want it to do. If it does less, maybe it's not very well-written, but not malicious.

It is interesting however that you pointed out also that it doesn't collect any data about you, but this may be the task you want to perform. For example, there are some apps that grant you some discounts or prizes for visiting pubs or restaurants frequently and/or recommending them. They disclose your position and preferences but you want them to do so, otherwise you won't get those rewards.
 
I'm with you on that one Hadron. The last thing we need is more cutesy jargon.

Goodware = Software that does what it's supposed to with relative ease and nothing else.
Crapware = Software that may or may not do what it's supposed to, but is poorly coded or full of bugs.
Malware = Software written for nefarious purposes.
Tupperware
 
I agree with Hadron with .. totally benign

If the app was designed to collect certain data to complete its advertised function, then the user understands this. It should NOT collect or look at anything else outside its scope, or send the data it was given permission to collect to any other entity (inside or outside its organization).
 
It is interesting however that you pointed out also that it doesn't collect any data about you, but this may be the task you want to perform.
Dan called that one correct: if that's part of the function then I expect that, but in that case I also expect it to be the minimum data necessary for the task, and only to be collecting what I know it's collecting, not slurping up other stuff while it's at it. To use your example, if it needs to register that I'm in a particular shop, it does not need to report anything about where I was before then, or where I went afterwards (even though I could imagine that being of interest to a retailer). And if, like your pub/restaurant example, it knows who I am then it needs to be particularly restrictive about what it collects and who it gives it to.

However, I personally can't think of a case where I do want this, and you did say to me personally. ;)

Last edited by Slug; Today at 04:48 PM. Reason: Corrected misspelling of user name
:rofl:
 
While I agree with Hadron's definition of benign, I am not so sure that the concept is not worthwhile. I wouldn't mind a "word" that describes a program that meets Hadron's criterion (which is exactly what I want.)
To me "goodware" sounds a little ... tacky.:rolleyes: How about an acronym because the world needs another one of them.
 
That was a minor misunderstanding caused by an "and" interpreted as a logical "and" :P

Anyway, here is another discussion point. We said that an app is benign to us if it does at most or only what we expect it to do, and no more. But then... how can we have expectations about an application? Do you think that its description should detail absolutely everything done by the app behind the scenes? It would be a bit overwhelming in that case. So how do we fill up the gap between a developer proposal and a user expectation?

That is more a philosophical issue, since I am trying to find an automatic method to detect if an application is benign, where there is room for error in the case the answer is "no", but it would be tremendously awful if the answer is incorrectly "yes".
 
I suppose there has to be a bit of due diligence and understanding of what access entails. For example, an app that is designed to interact with social media and allow me to share images with geotagging, I would expect it could access quite a bit including my location through GPS, address books, user files, etc. A single player game, OTOH I would not expect to be able to access personal information at all.
 
Example.. why would a game like "flappy bird" need to access my phone log? And contact data?

I know it is free.. and has advertisements.. so I expect it to need internet access.

I don't want to give it GPS info!

Note: Flappy bird ...was only an example.. not that I know it needs or wants these things.
 
Anyway, here is another discussion point. We said that an app is benign to us if it does at most or only what we expect it to do, and no more. But then... how can we have expectations about an application? Do you think that its description should detail absolutely everything done by the app behind the scenes? It would be a bit overwhelming in that case. So how do we fill up the gap between a developer proposal and a user expectation?
I think the important distinction is between features related to the app's function, and which you could reasonably expect to be related to that, and things which are not actually part of that functionality. So if an app has features I don't use, but which are clearly related to its function, that's benign. If it does other things which I might not have guessed that doesn't automatically make it not benign, but I'd expect the app description to at least include an outline of the main functions. If it can do things which have an effect outside that app (e.g. alter my phonebook data) then it had better be clear that it can do this, and not do it without my knowledge and consent.

The commonest "non-core" functionality concerns advertising. I understand that devs need to make money (though I prefer to pay for an app and not have ads), so using the internet to deliver ads I would still class as benign. Collecting data about me means I'd not class it as totally benign, but it depends on what data are collected, how they're used, and who has access how far from benign I'd rate it. Since I've no way of checking what is done with data that are collected, the first step here is does it ask for access to data that are not necessary for the app's function? But yes, I would want a full description of data collected and their use.

By the same token, aggressive advertising technologies, such as those recently banned from the Play Store, are not benign in my book. So it's not just the app itself, but the behaviour of any ad network the developer signs up with, which needs to be considered.

Then there's data collection by the app devs themselves. I can understand how it may be helpful for a developer to know how their app is used, so I class that type of statistical collection as benign if it is done openly, properly anonymised, there is an option to decline and the default is not to participate. But you'd not need to include this in the app description if it met those criteria, since you'd get to read that if you found the option and before you enabled it.
 
So in the end, it all comes down to what the application is permitted to do, and therefore the most straightforward approach would be, following your lead in the definition of the term, to correlate the application's description to its permission set. Alas, I have been highly discouraged from using permissions to check whether an app is benign, because "everyone else does" and it is not a reliable method.

Another possibility is of course to analyze what the application actually does, and this implies using some dynamic techniques that are imho too resource consuming for my purpose.
 
Some permissions are very broad, and some could have legitimate uses in an app but also be used for illegitimate purposes. Having permissions which aren't needed for the main function is a black mark in my book (but it does require understanding what they do to apply this test). Having no unnecessary permissions is a good sign, but not proof that an app is benign (e.g. a security app needs a huge range of permissions to do its job, so the permission list does not itself tell you whether such an app is benign or the worst type of malware). So I agree, it's useful but far from sufficient.
 
Well, there are studies that correlate the appearance of certain permissions together to the existence of a certain type of malware. For example, DroidRanger found that the ADRD malware is essentially related to the set of permissions {Internet, Access Network State, Receive Boot Completed}. However, also a wallpaper application could have the same permissions: the first two to load new wallpapers from the web and the third one to set a wallpaper when the phone boots. Of course there are further filters applied on top of the permissions alone.
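
The permission checks discussed in the last few posts, as an added example that is not code from any poster or from DroidRanger: it reads the `<uses-permission>` entries of a decoded text manifest, tests for the three-permission ADRD set quoted above, and lists permissions outside what the app's category would need. The category baselines, function names and both sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permission set the thread attributes to DroidRanger's ADRD finding.
ADRD_SIGNATURE = frozenset(P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "RECEIVE_BOOT_COMPLETED"))

# Assumption: what a user would expect each app category to request.
EXPECTED = {
    "wallpaper": ADRD_SIGNATURE,  # fetch images, re-apply after boot
    "game": frozenset({P + "INTERNET", P + "ACCESS_NETWORK_STATE"}),  # ads
}

def declared_permissions(manifest_xml):
    """Return the <uses-permission> names from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(NS + "name") for e in root.iter("uses-permission"))
    return frozenset(n for n in names if n)

def triage(manifest_xml, category):
    perms = declared_permissions(manifest_xml)
    return {
        # Necessary, not sufficient: a hit only selects the app for
        # deeper analysis, it does not label it as malware.
        "adrd_candidate": ADRD_SIGNATURE <= perms,
        # Permissions beyond what the category needs (a "black mark").
        "unexpected": sorted(perms - EXPECTED.get(category, frozenset())),
    }

def make_manifest(*names):
    """Build a constructed sample manifest (not taken from a real app)."""
    uses = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="example.constructed">{uses}</manifest>')

WALLPAPER = make_manifest("INTERNET", "ACCESS_NETWORK_STATE",
                          "RECEIVE_BOOT_COMPLETED")
GAME = make_manifest("INTERNET", "ACCESS_NETWORK_STATE", "READ_CONTACTS",
                     "READ_CALL_LOG", "ACCESS_FINE_LOCATION")

if __name__ == "__main__":
    print("wallpaper:", triage(WALLPAPER, "wallpaper"))
    print("game:     ", triage(GAME, "game"))
```

The wallpaper sample matches the ADRD set while requesting nothing unexpected, and the game sample requests three unexpected permissions without matching it, which is why neither check alone can return a trustworthy "yes, benign".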
 