Does this happen in the Apple App store as well / as much or is it genuinely more secure?
Free Android apps often secretly make calls, use the camera
Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks. The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per …
-
Thursday 1st November 2012 16:10 GMT Anonymous Coward
Not possible to tell. Android apps have to say what permissions they use, iOS apps don't.
Always makes me wonder why Android doesn't have a simple "ad-only internet" permission so you know that a free app is only using it for adverts and not to send any other data. Probably just too awkward to implement given the number of ad networks out there.
-
Thursday 1st November 2012 21:55 GMT jubtastic1
re: iOS app permissions
Are requested when first running the app, if you say no and it needs it to work it will request again when you try and use the feature.
Current App allowed permissions can also be viewed in Settings > Privacy and can be rescinded from here.
It's not possible to silently make a call or message from an iOS app, I think you could possibly initiate a camera instance then hide it under the app's chrome to sneakily take a photo but I haven't heard of this happening.
Permission is not required for the microphone either so I suppose you could grab audio.
There's an element of *nix vs windows here, in that one platform is (on the whole), easier to penetrate, has more seats to exploit with more of them on older less secure versions to boot. Which isn't to say that the latest versions of Windows or Android are less secure, just that there are a lot of older versions running out there.
-
Thursday 1st November 2012 21:57 GMT The_Regulator
Permissions Yes, What They Access No
This is the whole problem with android, google and the open source community especially due to how popular android is becoming. The bad guys out there get to provide you with cool apps to sideload onto your phone because who the heck knows which apps run on which version of android and then which version of the OS you have on your phone. Then they get to siphon off your contacts and location information and whatever else they can find to assist with spamming and hacking you and your friends later.
Enjoy it while you can I guess, personally I would rather have vetted apps from apple or ms at least I know they are not mal/adware......
-
Thursday 1st November 2012 23:23 GMT Craigness
Re: Permissions Yes, What They Access No
@the_regulator why don't you get yourself an android device and see for yourself what a load of nonsense you're putting out. People sideload because they don't know what version of android they have? Really? If you allow an app to access your contacts, which is a perfectly valid thing to ask users to grant to an app, then the app can access your contacts. The fact that android allows users to allow apps to access their contact data is NOT an android security issue.
-
Friday 2nd November 2012 09:10 GMT Anonymous Coward
yes happens there too.
Only last year hundreds of ios apps were found to be accessing the address book and uploading the contents..
What this "news" for doesn't talk about are the huge strides Google is taking....
blogs.computerworld.com/android/21259/android-42-security
Nor does it talk about android's superior app sandboxing approach.
-
Thursday 1st November 2012 16:32 GMT Dave 15
That both Android and iOS have security issues, the one that would worry is it using phone calls/data when I don't think (or know) it should. The rest is of little real life consequence to many people. The core OS in both situations wasn't really designed to be secure. Symbian tried very hard by blocking some of the traditional buffer overrun routes used by viruses and getting users to allow particular applications permissions, but permissions are usually given by the user anxious to use the app.
-
Thursday 1st November 2012 16:33 GMT HollyHopDrive
I think the android security model on the whole is pretty good. (not perfect though, i feel like sometimes I'd like a 'prompt me for this' option to be available).
Anyway, this problem is as old as the hills. Free apps that are more than you first expect. I bet loads of people install windows and mac applications without a second thought. Mobiles are at least better in this respect and android does at least give you the chance to see what you are about to let loose on your phone/tablet. It's up to the user to decide.
Would you let a stranger in your house without knowing a bit about them first? If you do, you are stupid. How many cold callers come to your door selling you x,y,z but really all they want to do is a take a peek to see if you are worth robbing. Free loft insulation anybody? I had one the other day that insisted they needed to see inside my loft to see if I would qualify but refused to explain why. They seemed a bit fishy (my gut feel) and I sent them away. But how many people would let them in. 2 days later and your 42" plasma will be missing!
I have often wondered about the stuff my son installs on his ipod. I have to trust the fact that apple have vetted the app. And if you believe that the problem doesn't exist there you are just as much of a fool. Anybody remember the tethering app that got past the ipolice. And I'm pretty sure you could get something equally nasty when you get no idea what permissions are required.
Don't get me wrong, I'm not having a go at apple, microsoft or google/android. I'm just saying there is no perfect solution. If people want the freedom to run whatever apps they want they have a responsibility to make sure the software does only what it says. And with free apps there is no such thing as a free lunch.
-
Friday 2nd November 2012 09:24 GMT Field Marshal Von Krakenfart
You only get what you (don't) pay for.
Just shows many app developers can't be trusted.
I don't think it's just the app developers that can't be trusted. For the record I have an 'older' android phone and a newer android fondle slab.
To refer to android as open source I feel is slightly misleading in that it is not an open source project developed by open source fanbois, the driver behind android is 'you are the product' google. If android was a true open source product there would be more options to control security/access to the device. Google have a vested interest in having a certain amount of laxness in android security, they want apps to have enough access to your personal information so that the so-called free apps can deliver targeted goggle ads to your 'phone.
-
Tuesday 6th November 2012 00:41 GMT Bah!
Orly
When you develop an app and use certain generic classes you may need to have permission to do so because those classes might have a number of broad functions. Just because the class is used request permission to have access to contacts doesn't mean the developer has used it to do so, but might be adding an entry to a database or checking that the phone status is appropriate to enable the app to run - you don't want to be calling an emergency number only to find the mp3 player is stuck on and won't switch off do you?
The freedom for app developers allows great apps to be developed but they are still vetted and suspect apps are blocked.
-
Tuesday 6th November 2012 00:49 GMT Bah!
Re: Name them!
They don't name the apps because this is an Apple sponsored article based on propaganda FUD. The code used by a number of advertisers used by developers for free versions of apps usually requires certain general permissions because the classes that the ads run often need to check the phone's state and read/write to the memory to log what ads it's run and check if you are of the correct demographic for the ad and get updates to the ads. The paid for versions of apps don't use the code to pull and delegate ads out so they don't request permission for those functions.
This story has cropped up a dozen times often just after Google has a major product launch and has been disproven every time. It's pure FUD.
-
Thursday 1st November 2012 15:21 GMT Anonymous Coward
No such thing as a free lunch. Next someone will launch some Android botnet and hack millions of handsets. I'm actually surprised banking apps will allow themselves to be installed on Android handsets - but guess it's a bit like a Windows PC as it could have spyware / trojans as well.
Think I'll be looking to WinPho or iOS now as they appear to be more secure.
-
Thursday 1st November 2012 15:34 GMT Sir Runcible Spoon
Sir
"discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely"
Can anyone adequately explain why the wording of this sentence lends itself to making the second figure seem more than the first? i.e. the use of a 'whopping 3 times' versus the plain old 'five times more likely' ?
Unless it was supposed to be 314 times more likely. Just seems weird and out of place here where people don't just accept the written word and there are pedants everywhere.
-
Thursday 1st November 2012 19:44 GMT Frumious Bandersnatch
Re: Sir
I second that. In fact, it's not even clear whether it's in the range of 3x more likely or 4x. My reasoning? If it were 100% more likely then we're talking twice as likely, or 100% for the baseline + 100% extra. So is "314% more likely" supposed to mean it's about 3.14 times as likely, or 4.14 times (100% + 314%)?
Whatever it is, the whole sentence (including the "whopping" part) is too confusing.
-
Thursday 1st November 2012 15:34 GMT Matt_payne666
lots of scaremongering again, but with some justifications... like the listed examples... an app that requests the ability to use camera, gps, address book and text messages... it could be setup to take photos when you're on the loo and send messages to your ex's... or it might just be an app that allows you to take a photo, geotag and send to a contact without leaving the framework of the application...
It should be as simple as adding in the small print as to what extent and reasons an application wants access to various bits of phone...
-
Tuesday 6th November 2012 01:03 GMT Bah!
Every time a developer writes an app and produces a free version it's supported by a 3rd party advertiser and they add the code that often needs to check the state of the app, the hardware such as the GPS and the location and the phone state - you don't want the ad to pop up on screen when you're trying to call an emergency number blocking the keypad, and an advertiser might want demographically appropriate ads shown, IE your location would be important so perhaps knowing that you are in a town with a Warner cinema but not a Cineworld Cinema would mean showing you the ad that relates to Warner is more likely to benefit both you and the advertiser. All of these functions might require various permissions, but these permissions often are so broad that they are misunderstood as meaning that you are being spied on and every time your phone is by your bed it's watching you give yourself some hand to gland action. Don't worry it's not.
This article is re-written and published again and again, uncited and unprovable yet every time it's published it's disproven too. It's often seen around the time there are major product launches and always gets bias against Google.
-
Friday 2nd November 2012 13:34 GMT M Gale
Re: LBE Privacy Guard.
Unfortunately that requires a rooted device. Useless for anybody outside of Reg readers and other techies, and to be honest I'm not too fond of the idea myself. I like having a warranty.
Selective permission denial needs to be baked into the official build. Preferably with a popup for when a newly installed app first tries to use whatever part of the system that requires permission.
-
Monday 5th November 2012 10:51 GMT M Gale
Re: LBE Privacy Guard.
This of course, would be completely unlike the spying that was baked into iOS and only removed after they got caught with their pants down?
All the phone companies are at it. Funny how Google are the only ones to get called on it though. You'd almost think there was an agenda.
http://www.pcworld.com/article/227011/smartphone_spying_reality_check.html
-
Thursday 1st November 2012 15:41 GMT drunk.smile
I'm confused by this story...
At first glance, it sounds as though it's just scaremongering by a PR firm more than anything.
"Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions."
- Okay, right... so the apps that required the permission did actually use the function legitimately. What's wrong with that?
"Meanwhile, 5.53 per cent of free apps have permission to access the device camera"
-Okay, right.... going by the detail provided on finance apps, what % of free apps use a camera legitimately as part of their software?
Not going to take a second glance as it's nearly 4pm which is pub o'clock.
-
Thursday 1st November 2012 16:11 GMT Miffo
Re: I'm confused by this story...
"At first glance, it sounds as though it's just scaremongering by a PR firm more than anything"
Same way I read it - so free apps use the camera more than paid for apps. They imply some sinister reason for it but when they check into it - there's nothing wrong. Perhaps there's another reason for a difference between paid apps and free apps? There's no evidence here - just some figures.
-
Thursday 1st November 2012 15:46 GMT MrXavia
Why not just check permissions before installing
Apps ask for permission, they don't get them without asking..... check the permissions when you install an app!!!
Some apps need access to send sms & make calls but most don't 'NEED' more than internet access..
I get suspicious when they want access to my contacts...
-
Thursday 1st November 2012 22:09 GMT Anonymous Coward
Uninformed users
The problem isn't people like you and other Reg readers who are smart enough to know whether the permissions being asked for are reasonable for what the app does. It is the much larger portion of fairly clueless users who just say "yes" to everything because they don't really understand what is being asked anyway.
Reg readers don't need to care about this because they are going to wonder why an app that plays checkers needs access to the camera or the ability to send texts.
-
Thursday 1st November 2012 15:47 GMT Phil W
Disconcerting perhaps....dangerous? only if you're silly
Android apps tell you when you install what permissions they need, if you aren't 100% sure about the app and it's asking for a lot of permissions or permissions you're not happy about (like the ability to make calls) you can and should choose not to install it.
It's the operating system's job, or the manufacturer's job, to stop users making stupid decisions.
This is no different than PC security, PCs become infected with viruses extremely frequently because stupid users click "yes" on website banners etc offering antivirus software or similar without reading about it or checking it out in any way first.
-
Thursday 1st November 2012 16:22 GMT Dave 126
Re: Fix the real issue
>Fix the real issue
>educate the users
Some users can't be arsed to invest the time. They would rather pay a premium and not have to worry about it. I guess it depends on how much they value their time versus their money- this varies wildly depending upon how much they earn.
There is room for both outlooks- instigate a walled garden, but allow users to leave it if they know what they are doing and take responsibility for their actions.
-
Friday 2nd November 2012 21:53 GMT M Gale
Re: Fix the real issue
Like the checkbox in Android under "Security" that states "allow installation of apps from unknown sources". Same one that puts up a big scary warning about damage to your tablet if you check it. Or perhaps the one under "Developer Options" that states "Debug mode when USB is connected". Same one that puts up an equally scary warning about installing apps without notification and reading log data.. after you've gone through the "are you sure you want to fuck around with developer options" warning.
...which apparently isn't enough for some people who would rather pay $99 for the "privilege".
-
Thursday 1st November 2012 15:53 GMT PaulR79
Permissions use explained in description
I've thought for a while now that all apps should explain why they need the permissions they request. Some do already and some explain why they need additional permissions for an update. Make it mandatory for all published apps and this sort of crap will be easier to spot.
"Oh ... we need permission to use the camera to... erm... discreetly spy on you."
Yes I know you can't make scammers tell the truth but a game requiring access to SMS or the ability to make calls would stick out like a sore thumb.
-
Thursday 1st November 2012 19:42 GMT Charles 9
Re: Permissions use explained in description
Agreed. How about this for an idea? For every permission an app requires, it must also submit to Google the reason for that permission, in specific detail. If it needs "Full Internet Access", for example, the submission must include specific reasons such as "This program receives advertising from the Internet to fund its development." Or if a financial app can send SMS messages, it must provide something like "This program can send SMS messages to financial institutions and read the replies to obtain account information." Google should require this of each specific permission and post them alongside the permissions themselves on the installation prompt. This would be a Google Play extension and could apply to all apps submitted in future, so it shouldn't break existing apps.
-
Saturday 3rd November 2012 21:57 GMT Wraiththe
Re: Permissions use explained in description
Privacy statements should be short and concise. List the resources available on a phone: Camera, contacts, GPS location, dialer, etc... then what it needs to access and WHY. I have no problem with an app using my contacts to function on the phone... that is normal. Esp. if it needs the info to use on clicking "share:" stupid, no brainer, so what. However, if it wants to upload my contacts or send them stuff I did not initiate... even worse in my name... holy crap! Of course a camera app needs to access the camera! DUH. But not when I am sleeping! Most people just want the cool things and say yes without reading...or if they do try to read it, they become discouraged and just say yes - to get the cool thing. You bought the phone...now you need the apps. The stage is set, everything is as they intend: it is obfuscated on purpose. Seriously, the permissions section when you agree in the app store is ridiculously vague and useless. Basically what you need to know is: what is the app going to do with anything of yours. They do not say this.
One last note: Why is it that if you do not accept google's location services, you cannot use any GPS apps? You pay for a phone with GPS capabilities, but if you do not agree to let Google track your location, you cannot use ANY... ANYTHING that uses your GPS function on the phone.
I really do not think this will ever change because most people don't have the time to worry about it, and they are too addicted to their phones.
The apps and pretty much everything these days (even my DVD player) say if you do not like it, just don't use it.
A Rolodex used to be one of the most valuable assets of a company, and these guys are getting them for free.
Another last note: Why do they allow the privacy notices with all the rhetoric, then links to the real privacy notices? (and sometimes those have links to the real privacy notices.)
-
Saturday 3rd November 2012 18:46 GMT Phil W
Re: Permissions use explained in description
A number of the better apps do this.
Or rather they explain the ones that aren't obvious. I installed a game recently that wanted access to coarse location data. It was an Ad supported app and there was a line in the app description explaining that this was simply so they could provide targeted Ads so you didn't get annoying Ads for things from other countries.
-
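The idea running through the comments above, that every requested permission should come with a stated reason, can be checked mechanically. The following is an added example, not code from the article or from any commenter: the manifest, the package name and the rationale table are constructed, and the rationale table is a hypothetical format, not an existing Google Play feature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the capabilities argued over in the thread.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.CAMERA": "camera",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place calls without the dialer",
}

# Constructed sample: source-form manifest of a hypothetical free checkers game.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checkers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Checkers"/>
</manifest>"""

# Constructed sample: the per-permission reasons the developer supplied
# (hypothetical format: permission name -> one-sentence reason).
SAMPLE_RATIONALES = {
    "android.permission.INTERNET":
        "Receives advertising from the Internet to fund development.",
    "android.permission.ACCESS_COARSE_LOCATION":
        "Selects adverts for the user's country.",
    "android.permission.CAMERA": "   ",  # blank text counts as no reason
    "android.permission.READ_CONTACTS":
        "Left over from an older release.",  # explained but not requested
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a text manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name.strip())
    return names


def audit(manifest_xml, rationales):
    """Compare requested permissions with the reasons supplied for them."""
    requested = requested_permissions(manifest_xml)
    given = {perm for perm, why in rationales.items() if why and why.strip()}
    unexplained = sorted(requested - given)
    return {
        "explained": sorted(requested & given),
        "unexplained": unexplained,
        # Unexplained permissions that reach calls, SMS, camera,
        # contacts or location go to the top of the review queue.
        "review_first": [p for p in unexplained if p in SENSITIVE],
        # Reasons for permissions the app no longer requests.
        "stale": sorted(given - requested),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_RATIONALES)
    for perm in report["review_first"]:
        print(f"NO REASON GIVEN: {perm} ({SENSITIVE[perm]})")
    for perm in report["stale"]:
        print(f"stale reason: {perm}")
```

A check like this only shows that a reason was written down; whether the reason is truthful still needs review of what the app actually does with the permission.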
-
Thursday 1st November 2012 16:27 GMT Dave 15
oh well...
It might be legit for an application to use any of the features suggested. Applications which are 'funded' by providing shops the ability to know you are near and pump adverts at you might be totally legit and accepted by the user (for example). Many 'free' social networks will also want access to address books, maybe location and certainly camera...
Just because they access these features doesn't mean they have no right or need to.
However some might do it without you knowing and for no obvious good reason. This is a problem, it was addressed as much as possible in Symbian 9 onwards (several long years back) . The downside was most users still give the applications permission even when they don't understand for what or why.
-
Thursday 1st November 2012 19:56 GMT Charles 9
Re: oh well...
Then simply require an explanation for each permission. If it requires fine (GPS) location, it can explain, "This program uses location-specific advertising to fund its development." Honest enough, wouldn't you think, and easy enough to explain for legitimate uses.
Of course, disguising a malware use INSIDE a legitimate use (say a spy camera in a photo editing app) is another matter, but it should help some.
-
Thursday 1st November 2012 17:04 GMT thesykes
So free apps are more likely to access your contacts? You mean apps like Gmail, Facebook, Hotmail? Apps to send SMS... like Handcent? Take photos? Google translate, Tesco, Asda. Location? You mean like The Met Office, Green Flag, English Heritage or National Trust apps? My banking app lets me locate the nearest ATM or branch, and then phone the branch. Google maps lets you view info on shops, restaurants etc. and then phone them. Are all these sinister? They're all free. (Cue petty sniping about how sinister Google and Facebook are).
No doubt there are dodgy apps out there, but, stop the bullshit pointless reporting like this.
-
Thursday 1st November 2012 17:32 GMT Craig 8
I suppose this is the part of Juniper that used to be SMobile. Frankly I don't believe a word they say. Why does the headline bear no relationship to the content of the article? Did they find ANY apps that SECRETLY make calls and use the camera? I think not. I still remember the time when an SMobile executive went on local TV in the US after a bridge collapse saying, yes, wasn't it terrible that people died, but think how much worse it would have been if the emergency services had malware on their smartphones. WTF?
-
Thursday 1st November 2012 17:44 GMT A J Stiles
How to Fix It
Insist on absolutely no Native Code outside the kernel -- at all. And enforce it, iron-fistedly.
If everything in userland is fully interpreted, then not only does this mean it doesn't matter what processor is fitted -- ARM, Intel or some souped-up 6502-descendant -- but also, the software is transparent as far as the user is concerned. Third-party code auditing should provide a reasonable level of security, since all auditing houses would be competing with one another; any one giving out a false all-clear would destroy their reputation in an instant.
(And in the meantime, there's always flight mode.)
-
Thursday 1st November 2012 18:15 GMT M Gale
Re: How to Fix It
"or some souped-up 6502-descendant"
You know how ARM was invented?
"Acorn's aim at that time was to produce personal computers which met the needs of the business community by providing office automation facilities. Clearly, more power was needed than was offered by the 6502. In the fine tradition of the computer hobbyist, the design team decided to develop their own processor, which would provide an environment with some similarities to the familiar 6502 instruction set but lead Acorn and its products directly into the world of 32-bit computing."
(http://www.ot1.com/arm/armchap1.html)
-
Friday 2nd November 2012 01:30 GMT Anonymous Coward
The Windows security model and Android security model are very similar
I love Android - and I love Windows as it is. But I understand why many don't. In the same way that a mechanic enjoys tinkering with cars, I enjoy tinkering with PC's and phones.
Android and Windows assume a certain level of 'interest' in what's being done. Many people using PC's and phones don't care how something's being done - they just want to run that casino app, or visit a porn site, or whatever else. If you stick boxes up saying "Are you sure you want to do this?" they'll quickly learn to always hit "Yes" to the box that pops up. If you have a screen during install that says "This app has access to your phone; it can make phone calls. This app has access to your camera, it can take photos whenever it likes" - people train themselves into "always hit Install on the next page". It's as it is with EULA screens.
There is a fundamental problem here. We require that drivers have a license to drive; for their own safety, and for the safety of everyone else. We require they have a certain level of understanding as to how a car works. We require them to understand safety signs that give them warnings - and to understand the implications.
But give them a phone or PC that has access to their bank details, contact details of all their friends and colleagues, potentially access to business networks and business resources - and it falls back to "I want porn now - Yes, Yes, Install, Yes".
I don't know what the solution is, despite my driving license example. The options thus far appear to be "Better education" - but years of Windows and malware suggest that won't work, or walled gardens that restrict everybody's ability to tinker.
-
Friday 2nd November 2012 02:16 GMT stewski
Sensationalist BS
The style and content of this story were Sun level sensation, with virtually nothing of interest.
"Free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts."
whopping? after the first part suggests 5 times more likely to track location and the second part talks about a whopping 314 percent, do you think we are idiots, sun readers, or just so bored that bad maths and english will brighten up our day.
Is requesting the capability to use location services proof that free applications are 5 times more likely to track user locations. I don't know but this whole piece and the study reads as thin on facts and big on BS.
-
Friday 2nd November 2012 08:00 GMT toadwarrior
Not surprising. Not many people write code just for fun. They'll want something in return. It's better to pay someone up front for their work rather than find out they choose to compensate themselves in other ways.
Android needs far better control over security. Let users disable certain access and there should be a setting to make it so an app can do something unless it gets a user to ok it at the time of access. Those who don't mind being nagged can get more protection.
-
Friday 2nd November 2012 09:21 GMT Tom 7
Yes toad
when I write code I expect it to save me time and effort in the long run, if I think it's OK I'll share it.
I have worked for commercial organisations who write code to make money. More time is spent trying to ensure they get that money (and more) than solving the problem at hand.
If Apple had spent the money designing apps rather than take motorola to court for living in the same 3d world as everyone else they could have perhaps even written a mapping app that worked. Not that they need to - most users would rename the place they got to rather than admit they'd pissed their money up the wall.
-
Monday 5th November 2012 11:39 GMT Anonymous Coward
The researchers found it not immediately obvious what some permissions were required for, and in that regard I've had several users complain about one of my free apps requiring the location permission with quite a few "location, wtf!?!? 1 star, uninstalled" type "reviews". It's an app for building a GPS track to export for geo tagging photos in Light room. I really didn't think I'd need to explain that permission...
So yes, lack of app permission detail would help a lot - but as is always the case user stupidity is going to be one of the biggest points of failure but it's not hard to envisage a scenario where a dodgy dev writes a load of BS for permission description and people install it anyway.
The free lunch point needs ramming home - too many users think there's no reason whatsoever to have ads on a free app.