No skewing here folks
So they've run through the permissions being requested by the apps, but not actually checked out what the apps do.
A fifth of Android applications aren't playing fair, according to SMobile Systems which reckons that mobile application marketplaces are rife with malware. SMobile ran through more than 48,000 applications on the Android Marketplace (about three quarters of the whole marketplace) collecting details of the permissions the …
My problem is that it's just very difficult to know. I don't know if I've experienced spyware or not. I don't know why so many apps seem to require too many permissions.
But I know I am constantly appalled at the permissions so many apps claim they require.
This is one reason among many that I think Android needs basic logging of who/what is running now, who/what was running then, who/what is taking up the system, and who/what accessed the phone or my contact list or the dialer.
Android runs a logging server that's intended to be accessed from a PC/workstation using the Android SDK tools. There is a native Android client that can act as a client for this log and allows you to mail the last x lines (intended as a tool to report crashes to developers). It's on the Market and called Log Collector. Don't expect a nice consistent access and security log as you described though, it's a pretty haphazard collection of developer logging mostly for debug purposes.
... if you don't like the access they're requesting. In my case, I emailed the writers of Better Keyboard and asked them to explain themselves - an update to their keyboard app suddenly started requiring internet access. I obviously didn't like the potential for data (including password) leakage that offered, but was told it was due to the speech-to-text functionality they'd added. I asked if they'd consider a separate version without that, as I wouldn't be using that functionality anyway. That didn't materialise, so I don't use that app now - it wasn't good enough to justify the permissions, and how could I trust the company enough?
You need to be able to make informed decisions, which I think is the real problem - the same is true of many desktop applications, which is why I've seen so many PCs full of spyware.
I've always said that rather than just list what permissions an application is requesting, they should be tick boxes, so you can deny, in your case, the internet permission.
More work for the devs to make sure the lack of permission is handled gracefully, but still a worthwhile modification IMO.
However, mobile phones are consumer devices. Although Android phones are probably a bit more on the geeky side of the spectrum, they are aimed at an audience that simply isn't tech-savvy enough to make these informed decisions you mention. These users simply don't know the consequences of them clicking "Agree" when they are asked for certain permissions. If an app requests internet access, the average user will think that it'll be used for registration, not for the potential of some nefarious data-sniffing. It simply won't cross their mind that the latter is a possibility.
"...and less secure than Apple's draconian impositions". It seems to me that there's an unwarranted conflation of draconian policy and security; were the policy motivated by a desire for security there might be some justification for that, but the examples that we've seen recently have had far less to do with security than they've had with eliminating either competing applications or applications that allow users to change the look and feel of their Apple device.
I too have noticed that many apps look for way more permissions than required (e.g. notepad app looking for Location Data). However I'd put that down to developers still learning the platform activating additional permissions in the manifest then forgetting to turn them off for the live product.
The more mature ones have a more streamlined permission request.
Apps looking for 'net access, location data and other surprising items can just be because the dev has included one of the ad presenters.
Got alerted to this when the torch app I'd been using suddenly demanded net and location. Checked with dev, who explained about ad package. Didn't downgrade to the new version, though I understand the wish to make some change. I did ask for a payware adless version, but nothing came of it.
Bill Ray in understatement shock. Film at 11. Is your hyperbole generator in for servicing today?
It's more than "More than a little alarmist."
Suggesting that you can derive a figure for "malware" purely from the list of permissions a sample of apps require to run is closer to, say, complete and utter bum gravy.
You also fail to mention that when you install an app, it lists the permissions in big bold type and asks if it's ok to continue the install.
It simply requires you use your brain for a nanosecond to realize a solitaire app doesn't need dialer or location permissions and hit the hell-no button. Granted, most people don't have both brain cells to rub together, but that's no fault but their own.
Personal responsibility - it's a new idea!
What would be good, and I was a little surprised (given the dialog) that you can't, is to disable permissions per app.
If my fart noise app wants dialer access, why can't I uncheck that permission? The first time the app *actually uses* that part of the API, ba-ding, [Continue][Abort][Badgers]...
I agree with the comment that some app devs have clearly not cleaned their manifest before release, but a more fine-grained permissioning would be nice.
Plus, if devs were allowed to put a one-line reason on each permission request, I'd know that the fart app just wants to prank call my boss, and I could allow it.
The reason many apps ask permissions seems to be that they are "free", so they need to deliver ads. If you could disable permissions on individual apps, it would spoil the "free" app model. Many comments on Android Market complain that apps keep "updating" with no benefit to the user, presumably for commercial reasons.
So, you can read the comments and not use apps that look risky. Problem is, when you have eliminated the apps that are either risky or buggy or both, there are not all that many useful apps left. Hopefully this will improve as the market for Android apps increases. But we've some way to go.
"Of the 30 or so downloads I've done, all bar 1 insisted on creating a gmail account, and since I don't have or need one, the install stopped right there."
That's the clue right there.
It needs some way of spamming you.
If it has no means of doing that, it doesn't have a reason to run the app.
Regardless of the description leading you up the garden path.
Google have announced on the developer blog today that they have the facility to remotely remove malicious applications from Android handsets (remember that whole Kindle 1984 debacle?) which basically renders what SMobile Systems software does pretty much pointless. Their app can't have the access to run the kind of heuristic and signature checking you expect from a typical anti-malware software so they're probably just checking app/package names against a blacklist and prompting the user to remove hits, but reporting malicious apps to Google will do exactly the same for free (though probably more slowly but with fewer false positives).