back to article The TRUTH about LEAKY, STALKING, SPYING smartphone applications

More than a third of smartphone apps can track user location, according to a study based on an analysis of more than 800,000 Android applications. Analysis of 836,021 Play Store Android applications by net security firm BitDefender also revealed that more than one in 20 (5 per cent) of Android smartphone apps can locate and …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. TRT Silver badge
      Coat

      Re: As a windows phone owner

      That'll be the microwave radiation from your handset...

      Mine's the one with the tinfoil hat in the pocket.

    2. Nigel Brown

      Re: As a windows phone owner

      Because windows doesn't have any dodgy applications does it............

      1. Bogle
        Windows

        Re: As a windows phone owner

        Windows Phones don't have any apps ... full stop.

    3. Anonymous Coward
      Anonymous Coward

      Re: As a windows phone owner

      No desktop market share gives linux fanbois a similar feeling of invulnerability. Don't confuse a lack of interest from hackers as a sign that your device is invulnerable. It's windows. Think it through.

      1. Destroy All Monsters Silver badge
        Trollface

        Re: As a windows phone owner

        It's windows. Think it through.

        Because Redmond sure doesn't.

    4. Alexander Hanff 1

      Re: As a windows phone owner

      Except pretty much EVERY Windows Phone app requires permission to access location data due to a requirement in the windows phone advertising API.

      1. Anonymous Coward
        Anonymous Coward

        Re: As a windows phone owner

        "Except pretty much EVERY Windows Phone app requires permission to access location data due to a requirement in the windows phone advertising API."

        Not true, plus you can turn location services off!

        Who uses it anyway? I never had a need.

        1. Alexander Hanff 1

          Re: As a windows phone owner

          You can turn it off but that doesn't stop 95% of apps asking for permission to use it even if it is turned off and if you say no, you cannot install the app. My understanding is that even if you have it turned off if you allow it for an app it is enabled for the app. I would be very happy to be proved wrong.

  2. Winkypop Silver badge
    Meh

    Smart phones

    Dumb users?

  3. Semtex451

    When the Borg come to assimilate us these issues will vanish you know.

    1. Anonymous Coward
      Anonymous Coward

      "When the Borg come to assimilate us these issues will vanish you know."

      Apple have already borged most of our twenty somethings! And the parents without the nouse to research their own handset choice. Good riddance.

      1. Wzrd1 Silver badge

        "Apple have already borged most of our twenty somethings!"

        Funny, I'm 52, I own two iphones, two ipods, a Windows fartphone and android tablets and smartphones.

        My desktop and server OS's are Linux, NetBSD, Windows and Solaris.

        So, am I "borged"? Or do I use each OS to its desired and designed purpose?

        Frankly, the lot of them are shit, save for *BSD, whose developers are so stodgy that new fangled things have to be around for a half decade before the kernel has support for them.

  4. Phil Endecott

    > a separate study by cloud security firm Zscalar into privacy issue with

    > iOS apps found that 96 per cent of iOS apps require email, address

    > book (92 per cent), location (84 per cent), camera (52 per cent),

    > calendar (32 per cent) permissions.

    I don't believe it. What was their methodology? Can we have a link to this study?

    1. Wzrd1 Silver badge

      "I don't believe it. What was their methodology? Can we have a link to this study?"

      I find it interesting that where the data is going wasn't documented in depth.

      Or at all, really.

  5. Trollslayer

    2G

    Does me plus a 1-2 week battery life.

  6. Ken Hagan Gold badge

    Those free apps

    If you aren't paying, you aren't the customer. You are the product.

    OK, so it's not original, but I will make damn sure that my offspring have learned this by the time they've grown up because it seems to be an all-pervasive phenomenon in modern society. Do they teach this in schools, yet?

    It's only 12 words. It wouldn't take long. It's ever so important.

    1. drunk.smile

      Re: "If you aren't paying, you aren't the customer. You are the product."

      I'm going to teach my off spring this too. I can probably incorporate into the same chat about the birds and the bees.

      1. Oldfogey
        Black Helicopters

        Re: "If you aren't paying, you aren't the customer. You are the product."

        Are you so sure paid apps are any better? Perhaps you are just paying to be the product?

        1. Anonymous Coward
          Anonymous Coward

          Re: "If you aren't paying, you aren't the customer. You are the product."

          > Perhaps you are just paying to be the product?

          It works for Ryanair and Easyjet, anyway.

          1. Philip Lewis

            Re: "If you aren't paying, you aren't the customer. You are the product."

            I flew SleazyJet(tm) on Friday and this evening. The LGW approach was "exciting" to say the least and I was impressed that the landing was as neat as it was. Top marks to Mr. Pilot. As for the rest, well, it seemed pretty much like every other airline, except everything costs. I have flown enough to allow myself to have an opinion on these things*. I appreciated being able to buy a train ticket in flight and avoid the 32 million people at the station ticket machines/windows, so I rate that as excellent service. I was on a flight out of GVA last week and it was on time and efficiently handled.

            All in all, I may have to even stop calling them SleazyJet(tm) if this keeps up

            * DIsclaimer, I stopped counting when million got an s on it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Those free apps

      That's why I don't mind paying for privacy. Specially when it's open source and based out of Iceland.

      I love the fact that all these new companies are popping up now. This is a good leading indicator that privacy is beginning to matter more and more, and people are willing to pay for it, just like any other service.

      Who says open source can't make money? www.fortknox.is

  7. Alexander Hanff 1

    Windows Phone

    You should include stats for Windows Phone apps too if you can find them - in my experience every single app I wanted to install on Windows Phone required access to location and after researching this it turns out this is down to the advertising platforms that app developers are forced to use.

  8. Andy Pearce

    Not convinced about this iOS study

    I can't find any source for this study, but this one seems similar: https://www.appthority.com/appreport.pdf

    Certainly that study also uses the 96% figure, but this time it claims that they "share data with advertising networks and/or analytics companies", which could just mean anonymised data about the usage of the app. Not ideal, perhaps, but that's quite different from sharing location and contacts information.

    What these studies fail to do, however, is take account of the fundamentally different approach to permissioning between iOS and Android - iOS allows you to install an app but then deny permission later, so it's quite possible that most users simply deny the permission - this would skew the results quite significantly. I've used plenty of apps which function quite happily if denied access to optional services such as contacts lists.

    This article discusses this issue in more detail: http://www.theguardian.com/technology/2013/dec/20/android-apps-permission-app-ops

  9. Mark .

    "can" is not the same as "does".

    This study seems meaningless without knowing what those applications do. So an app requires location permission - but if it's an app which requires location by its very nature, then why is this an issue? Admittedly 1/3 seems rather high, but then I have no idea what the distribution of application types is.

    "locate and open private photographs on smartphones"

    If private is in an application's private space, I'm not sure this is true. If private just means in the standard picture folders on Android, then yes, they're accessible to all applications. Just like I can open up my picture in GIMP on Windows or Linux. Perhaps there are better ways to do this (e.g., marking folders as only accessible to a whitelist of apps? But then there's also the trouble of making it user-friendly) but I don't know of any OS that's done this kind of thing yet - the study seems to regard any access of data by an app as "bad", without understanding how almost all OSs currently work.

    "can divulge email addresses over the internet"

    Does this mean they have Internet and email address book permissions, or that they are actually doing this?

    "Sutton credited Apple at least with acting to address the problem."

    Because clearly it's better that we're all wrapped in cotton wool and can only run on "our" device if someone else lets us. It's this kind of attitude that's led to making it increasingly difficult to run software without extra "Yes I'm really sure" clicks.

    1. MrXavia

      I agree, many apps ask for lots of permissions but do nothing with them its inexperienced developers.

      What is needed is a way for android users to install an app and deny permissions requested so you can use the app but protect privacy at the same time, most apps would work fine with little else but network access...

      1. Charles 9

        How do you do that without breaking the permission model that convinced devs to come to Android in the first place? Break the model and fewer Deva may develop for Android. There are still plenty of apps only available in the Apple store.

      2. Bsquared

        A previous El Reg thread on a similar topic led me to this - Xprivacy and Xposed. It's a faff to install, and you do need to be rooted, but it's worth it. Oh yes.....

        Every time an app gets updated, Xprivacy encourages me to re-check all the permissions, and gives me granular control over what it can and cannot access.

        1. Charles 9

          Trouble is, the Xposed framework needed for Xprivacy breaks on the new Android Runtime. Bet you it becomes standard next version. Also bet they find a way to block the permission blockers with under the hood changes, too.

  10. Steve Knox
    FAIL

    Selective Specificity

    Analysis of 836,021 Play Store Android applications...

    more than one in 20 (5 per cent) ... can locate and open private photographs ...

    One in 30 (3 per cent) ... can divulge email addresses over the internet.

    Meanwhi[le], 1,749 uploaded the address over an encrypted connection and a further 1,661 did so over an unencrypted connection where traffic can be easily harvested.

    Almost 10 per cent of apps tested included permissions to read contact lists.

    I'll ignore the vague use of can, as Mark did a perfectly acceptable job covering that. Instead I want to focus on these numbers. See above how specific they are when talking about general access, about what the apps have rights to do. Nowhere there do they talk about motive though. That's the interesting stuff. How many of these apps are actually intrusive?

    Many have a legitimate need for this data but others are clearly intrusive.

    Oh. Thanks for the detail, guys.

  11. Pat 11

    Android is leaky by design

    Android is made by Google to harvest rich data on the user so of course it is very leaky. Their approach of getting users to approve permissions for apps on installation is broken, only the most extreme control nut bothers to check everything and anyway it's a choice between give these permissions or don't install the app. Most just install, Google know this. And of course their own preinstalled apps never even throw up the question.

    A good demonstration of how easy it would be to make a more secure system is illustrated by Cyanogenmod, which allows you to turn on their Privacy Guard by default, and sends dummy data to any app that requests it. But there's no motivation for Google to produce a locked down Android.

    1. Philip Lewis

      Re: Android is leaky by design

      Yes, were i ever to own an android device, it would have Cyanogenmod android installed sans google apps and with Privacy Guard. In a perfect world, all mobole OSs would be like this by law, but alas, we live soe,where else

    2. P. Lee

      Re: Android is leaky by design

      > But there's no motivation for Google to produce a locked down Android.

      Perhaps not, but the killer app you can't get just write is GPS/Maps.

      So why aren't Nokia doing a secure version which sandbox's apps to allow better control? They can do the maps and you can access the rest of google's stuff over the web. Or Garmin perhaps.

      Someone could put together a store where you can buy apps with very restricted permissions monitored by the OS, or where there is a security patrolled API. For example, all accesses to the addressbook could be logged, all access could be logged, eg, app: mail-client, destport 443, mail.google.com, hit-count=x.

      The tricky thing is, many apps rely on privacy-infringing facilities to do their job. You want tram information? GPS is required to find out where you are. Collect enough of it and you can track someone's likely habits; you want VoIP, it will need access to your phonebook.

  12. dssf

    ACLU and EFF

    Where are you?

    Why do you not demand that Google releases be accompanied with compatible Cynogenmod binaries on release day, with simpler installation?

    If google's biz model depends on wholesale slurping of user data, and making it a royal PAIN in the ass to mod one's phone for privacy purposes, then, I dare say, it's time for google to rewrite its biz model, and tell data-slurping app developers to come up with a new income stream.

    1. Charles 9

      Re: ACLU and EFF

      The Devs will simply respond, 'OK, then. Back to the Apple store.'

      1. John Brown (no body) Silver badge

        Re: ACLU and EFF

        "The Devs will simply respond, 'OK, then. Back to the Apple store.'"

        Why? All most of the devs need is net access to get and display the ads.

        Admittedly I almost never look at ads, but I don't recall seeing "local" ads, just generic ones, so the targeting and/or location services either don't work or no one is paying the extra ad costs for the more granular location based targeted ads.

        1. Charles 9

          Re: ACLU and EFF

          And if users get control of the permission, what do you think will be among the first things turned off for adware apps (unless the app itself needs it for normal function)? Network access. This will probably start app devs packing some ads into their programs so they can't be blocked.

          The point is, the app devs want the control, so you have a tug of war between the users who want control of their device and the devs who want control of their app, and Google's position will have them favoring the devs (they pay Google more both directly and through the ad network). Apple can dictate terms since the iDevice line is vertically integrated and has that mysterious "We Must Have It, Here's Our Life Savings" draw. Google lacks that level of control and can easily lose the plot if devs decide to defect.

          1. M Gale

            Re: ACLU and EFF

            And if users get control of the permission, what do you think will be among the first things turned off for adware apps (unless the app itself needs it for normal function)? Network access. This will probably start app devs packing some ads into their programs so they can't be blocked.

            Good.

    2. Anonymous Coward
      Anonymous Coward

      @ dssf

      "If google's biz model depends on wholesale slurping of user data, and making it a royal PAIN in the ass to mod one's phone for privacy purposes, then, I dare say, it's time for google to rewrite its biz model"

      Ha-ha-ha! 'Cause why would Google possibly want to keep making billions and billions of dollars a year?

      What's the point of even making a comment like that?

  13. John Smith 19 Gold badge
    Flame

    WTF *needs* this "functionality"?

    Title says it all.

  14. ecofeco Silver badge

    First thing, turn off...

    ...the damn GPS and auto-wifi.

    Connect them manually ONLY when needed and don't forget to turn them off when you are not using them.

  15. big_D Silver badge

    Not all... I looked at one app update that was supposed to go through, the app suddenly wanted extra permissions - it wanted to "search the device for accounts", "receive data from the Internet", "retrieve running apps" and "control vibration".

    Now, the second one I can understand, they want to add an online-game mode, the last I can understand as well, a bit of haptic feedback. But why should it need to search my device for accounts? It is a game! And why does it need a list of running apps?

    Needless to say, I haven't run the update. On the other hand, I will give the company a nod for including the new permissions in the release notes that are displayed.

    1. Charles 9

      Searching for accounts sounds like a prerequisite for in-app purchases, which need an account on which to charge.

      As for retrieving running apps, it's possible it could have a tie-in to a related or other app (perhaps partner apps or other apps from the same developer).

  16. DropBear

    I have a bit of an issue with apps suddenly needing various further permissions on an update. Unfortunately, that only gets me a gridlocked queue of dozens of apps on the play store list of apps to update, stuck on a version I'm not willing to go beyond. It's certainly possible to do, but boy does it feel like p##ing against the wind...

  17. Badders

    I've used Clueful, and lo and behold, it tells me that the Register app wants access to my camera roll.

    Why?

This topic is closed for new posts.

Other stories you might like