Phone home
"This individual behaves like X, try showing them some adverts!"
Four researchers have found two thirds of the most popular Android apps indulge in seemingly-useless covert chatter with remote servers. Top developers including Gameloft, Unity3d, and grillgames are implicated to varying degrees. The chatter has no use to users. About half of the traffic is related to analytics, such as that …
There used to be a flashlight app on the Android app store that was about 3M in size and grabbed access to almost all phone privileges, including network access. It's since been taken down.
I use a firewall to block network access to any app that doesn't need it, but I refuse to install any app that wants to toggle sync on and off, as no good can come from that.
The trouble is that when research of this type is published, concentrating on only one platform, it doesn't provide enough information for purchasers to make an informed decision. At worst, it provides more grist to the mill of adherents (fan boys) of other OSs that theirs is somehow better. Safer. And it may be - but there isn't enough data here to make that kind of judgment. Equally, it may not be - it may be worse.
I would genuinely be interested to see this research but covering all the major mobile operating systems.
And the various contract providers are jumping with joy as data limits are exceeded every month for a few extra millions in fees too! Look right to Verizon, Comcast, AT&T and euro providers to find no real throttles on this activity either. They love when they can keep the users blind to reality.
Which is why the move to more granular permission with Android 6.0 is welcome - I can then choose whether each app gets to read my contacts, call logs, access my SD card and so on.
Apps exist that can do this already, but because they work at a lower level developers don't have to allow for an app being denied access to something. This means they can misbehave in all sorts of weird ways. Any 6-compatible app will have to handle it gracefully. I wonder how FB and Twitter will react to a sudden loss of incoming data?
OTOH, I've already moved to using mobile websites for Facebook and Twitter. If nothing else, the HTTP protocol seems better at delivering data when you've got sketchy signal, no end of times I've sat there with 3G but no 4G, and the Facebook app refuses to do anything. Perhaps it prioritises the covert data!
Colour me cynical, but I'd not be too surprised if a lot of this background chatter is facilitated by that 800lb gorilla that is Google Play Services. It's also the service that has unfettered permissions, can even grant itself permissions, and tends to ignore other preferences/settings.
Aside: Google pushed a broken Play Services update onto my phone a fortnight ago (not the first time this has happened) resulting in it (PS) crashing every 10min. So I uninstalled all updates (reverting to firmware version). Other Google apps, e.g. Maps, Hangouts, Newreader, started bleating that I needed to update PS. Most of those I don't/haven't used. Seems they've all been running regardless? Some third party apps also complained, but appeared to still work fine.
PS: Wish I could uninstall Google bloatware - more so for Gapps/Gservices that aren't available in my neck of the woods.
"Which is why the move to more granular permission with Android 6.0 is welcome"
It's a great idea, but I fear the practice will simply become that any app, when so denied any given permission, will either refuse to operate, or operate in some kind of useless limp mode, until the permission is granted/restored.
Seems unlikely that Google would have any reason to force app devs to give up their user data addiction, especially when it comes to behemoths like Faceache.
This can already be seen happening with Facebook platform apps. FB now permits users some granularity of choice on permission requests, however when you deny one or more requested permissions many apps in return refuse to operate.
"It's a great idea, but I fear the practice will simply become that any app, when so denied any given permission, will either refuse to operate, or operate in some kind of useless limp mode, until the permission is granted/restored."
I'm, usually, not quite so pessimistic. The vast majority of app developers don't actually have anything useful to do with all the data they collect, they do it simply because they can and because everyone else is doing it. Those not actually making money from their data slurping will not continue to demand silly permissions because that would ultimately lose them users and money - even if only a small proportion of people refuse to use such apps, that's still money lost for no reason. It's only the big players who actually have real business models based on data collection - Google, Facebook, and so on, who would actually stand to lose money from being denied data and will therefore continue to demand it no matter what.
Well that's fine, the developers will have to then wade through a mass of "bug" reports, low scoring reviews and (hopefully) abuse from tech blogs when their apps fail to work for no valid reason.
The Android Twitter app for example has a load of permissions that even I, as a user, can justify. Read and write SD card, because you can upload files. SMS, because (AFAIK) you can verify your phone number with a text. Contacts because it will offer to spam your mates.
Control the sleep functions of my phone? Draw on top of other apps? Not so sure about those, so I'd disable them (for the record, I'd disable most of the ones I listed above too, but play along eh?). If the app then refuses to work, at least it would tell me why it needed those permissions (because I'd get to a certain function and it would go "Oh, sorry, you need to have A enabled to do B") or I could legitimately harass their support people until they coughed up why they were using that permission.
I seem to remember reading also that part of the Google good-developer-guide-thing (probably not an official name) states that you have to intelligently handle lack of permissions come Android 6, not just bomb out totally.
I think you severely overestimate the number of low scores an app will receive for not being sufficiently restrictive in its set of permissions.
Look at Vista: it mostly did The Right Thing. Windows 7 was made deliberately less secure, and needed an extra setting to restore the UAC to switch to the secure desktop and insist on a password.
Users did not appreciate this at all, why do you think they're going to give a rat's arse that Facebook wants to control their camera, speaker, phone, address book, network and sd card?
No argument with any of that; I'm just making the observation. Plus, given the choice between:
A) Being unable to use an app because it refuses to work with a given set of restricted permissions, then seeking to spend time "reviewing" the app to gripe about said refusal to operate.
B) Finding something else
and
C) Simply granting the permissions.
...I highly doubt even a small minority of people would choose option A.
Like I say, I'm with you on what apps should and shouldn't be asking for/getting, however the trouble is the (apparent) quid pro quo of having some new shiny game/app/whatever is seemingly enough for them to just hand over control. Devs know this and exploit it, and until more people start to care about their privacy, that state of affairs ain't going to change.
"I seem to remember reading also that part of the Google good-developer-guide-thing (probably not an official name) states that you have to intelligently handle lack of permissions come Android 6, not just bomb out totally."
"We're sorry, but you agreed to the EULA, which states this software requires the following permissions, which you have not granted. Please grant the permissions listed in order to continue."
To you and me, that's definitely bombing out, but at the same time it's a perfectly intelligent way to handle it. And more to the point, nobody can force your user to grant permissions, just like nobody can force you to provide a function/service without getting what you want in return for it.
Other than tracking your location there is nothing in iOS that would give an application the ability to perform stuff like this in the background. This is one big technical difference between the two platforms. iOS does not have real multitasking. You can register to listen to location tracking events from Bluetooth or GPS and if you get permission from the user then you can periodically run things in the background. But there is nothing that would keep your application running from the time the OS starts.
Solution is easy. Once we know which apps are secretly sending back-chat usage data etc we should immediately ensure the entire cast of "Made in Chelsea" install these apps. The resultant usage data will be so skewed by these moronic people that any company attempting to leverage the data for commercial gain will inevitably become bankrupt.
Am I being desperately optimistic in wondering whether user behaviours might change once permissions become granular and everyone knows? Or will they see it as UAC from Vista and get their knickers in a twist?
Hope it's the former... have to admit it's likely to be the latter though.