Security Holes: Is this the cost of an open source Mobile OS?

Is your data safe? With so many people using smartphones now, it's only a matter of time before the abuse starts. We trust our smartphones with a huge amount of private, sensitive information about our lives: all of our friends' and families' contact details, credit card numbers and passwords stuffed into notes and apps, banking apps legitimately transmitting our financial data. It's frightening how much we stand to share with the wrong people if a malicious app mines that data. It might not be anything too serious right now, but an article on Ars Technica paints a scary picture.

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user.

This is shocking and scary, to say the least. It brings back memories of an app earlier this year that was sending users' cell numbers to a server in China. That may have been a misunderstanding, but I'd be willing to bet that plenty of developers would love to mine data from smartphones for their own gain. The MMO gaming industry is full of scams trying to get into your game accounts to sell off your in-game goods. Imagine what the marketing data from thousands of teens' and young adults' phones would fetch in the right market. This type of thing, harmless or not, is what makes Apple's, and soon enough Microsoft's, closed OS more attractive. We complain about how Apple evaluates and scrutinizes each app submitted, but the chance of preventing something like this makes me feel better about the process. Would Apple's reviewers actually catch something like this? I would hope so, but I suppose some could make it through. With Android becoming more popular each day, thanks in part to Motorola and Verizon's brilliant marketing, it becomes more of a target for hackers and malware.

So, according to Ars Technica, the researchers built a tool called TaintDroid, a modified version of Android that tags sensitive data (location, phone identifiers, contacts) at the point an app reads it and follows those tags through the system until the data leaves over the network, and ran 30 popular free Android apps under it. Half of the apps sent private data to ad servers, including GPS location and phone numbers, and some of them did so as frequently as every 30 seconds. Imagine what that does to your phone's battery.
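That 30-second cadence is visible from outside the app, without TaintDroid, if the phone keeps a per-app record of outbound connections. The script below is an added example, not part of the original post or the study: it reads a constructed log (timestamp, package name, destination, bytes sent, as a per-app firewall or network logger might record them) and flags app/destination pairs that connect on a near-constant schedule, reporting the interval and the total bytes sent. The package and host names are made up.

```python
"""Flag apps that beacon to a destination on a fixed schedule.

Added example with a constructed sample log (not data from the study).
One line per outbound connection attributed to an app:
    ISO timestamp, package name, destination host, bytes sent
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2010-09-30T10:00:00 com.example.wallpaper ads.example.net 420
2010-09-30T10:00:05 com.example.weather api.weather.example 1340
2010-09-30T10:00:30 com.example.wallpaper ads.example.net 418
2010-09-30T10:01:00 com.example.wallpaper ads.example.net 421
2010-09-30T10:01:12 com.example.weather api.weather.example 1290
2010-09-30T10:01:30 com.example.wallpaper ads.example.net 419
2010-09-30T10:02:00 com.example.wallpaper ads.example.net 420
2010-09-30T10:02:30 com.example.wallpaper ads.example.net 422
2010-09-30T10:03:00 com.example.wallpaper ads.example.net 420
2010-09-30T10:07:48 com.example.weather api.weather.example 1355
2010-09-30T10:09:03 com.example.notes sync.example.org 20480
"""


def parse_log(text):
    """Turn the log text into (datetime, package, destination, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, dest, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), pkg, dest, int(nbytes)))
    return records


def find_beacons(records, min_events=5, max_jitter=0.2):
    """Return {(package, destination): (mean_interval_seconds, total_bytes)}
    for flows with at least min_events connections whose gaps are nearly
    constant (standard deviation / mean <= max_jitter).

    A user-driven app (weather refreshes, a manual sync) produces irregular
    gaps; an SDK phoning home on a timer produces a flat line."""
    flows = defaultdict(list)
    sent = defaultdict(int)
    for ts, pkg, dest, nbytes in records:
        flows[(pkg, dest)].append(ts)
        sent[(pkg, dest)] += nbytes

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = (avg, sent[key])
    return beacons


if __name__ == "__main__":
    for (pkg, dest), (interval, total) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg} -> {dest}: every {interval:.0f}s, {total} bytes total")
```

On the sample log only the wallpaper app is flagged (a connection to the ad host every 30 seconds); the weather app's three irregular fetches and the single sync are left alone. The thresholds are a starting point: lower `max_jitter` to demand a stricter timer, raise `min_events` to avoid flagging short bursts.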

How can you protect yourself from these types of applications? It's not as simple as saying yes or no. Android does require developers to declare what an app wants to access, and the installer shows you that list (location, phone state, network access and so on) before the app goes on your phone. The problem is that the permissions are all-or-nothing, the request often doesn't look out of line for the type of app you are installing, and nothing in the list tells you where the data goes once the app has network access. I've never seen an app pop up a confirmation box that says, "AppX wants to share your phone number and GPS location with advertisers. Is this OK?" The best advice is to be careful.

  • Don't install apps from companies you do not trust.
  • If an app that has zero reason to use your location asks for permission to use it, run away.
  • If your battery life suddenly gets noticeably worse, look at the apps you recently added and do some homework online. Something you installed may be sending data in the background.
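The combination worth watching for in that install-time list is network access plus anything sensitive: without INTERNET an app can read your location all it likes but has no way to ship it to an ad server. The script below is an added example, not part of the original post: it parses a decoded AndroidManifest.xml, reports whether the app holds that combination, and lists components whose class names live outside the app's own package, which is a rough sign of bundled third-party code such as an ad SDK. The manifest is constructed; real APKs store the manifest as binary XML, so it has to be decoded first (apktool does this) before being handed to `check_manifest()`.

```python
"""Check an Android manifest for the permission mix that lets an app
send private data off the device.

Added example; SAMPLE_MANIFEST is constructed, not one of the apps in the
study.  Decode a real APK's binary manifest to text before passing it in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Permissions guarding the kinds of data the study saw leaving phones,
# plus contacts.  Values are the plain-English label we report.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.READ_PHONE_STATE": "phone number / IMEI",
    "android.permission.READ_CONTACTS": "contacts",
}
NETWORK = "android.permission.INTERNET"

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Wallpaper">
        <activity android:name=".MainActivity"/>
        <activity android:name="com.example.adsdk.AdActivity"/>
        <receiver android:name="com.example.adsdk.WakeReceiver"/>
    </application>
</manifest>
"""


def check_manifest(xml_text):
    """Summarise what a manifest lets the app do with private data."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    perms = {el.get(NAME) for el in root.iter("uses-permission")}

    # Components declared with a class outside the app's own package
    # (a relative ".Name" is inside it) usually come from a bundled SDK.
    foreign = sorted(
        el.get(NAME)
        for tag in ("activity", "service", "receiver")
        for el in root.iter(tag)
        if not el.get(NAME).startswith(".")
        and not el.get(NAME).startswith(pkg + ".")
    )

    exposed = sorted(SENSITIVE[p] for p in perms & set(SENSITIVE))
    return {
        "package": pkg,
        "can_exfiltrate": NETWORK in perms and bool(exposed),
        "exposed_data": exposed,
        "third_party_components": foreign,
    }


if __name__ == "__main__":
    report = check_manifest(SAMPLE_MANIFEST)
    print(report["package"], "can send data out:", report["can_exfiltrate"])
    print("  sensitive data held:", ", ".join(report["exposed_data"]) or "none")
    print("  foreign components:", ", ".join(report["third_party_components"]) or "none")
```

This tells you what the app *can* do, which is all the install screen tells you too; whether the data actually goes to an advertiser still takes something like TaintDroid or a network log. Treat a hit as a reason to look harder at the developer, not as proof of leakage.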

I am sure more on this will come out soon, since Ars Technica says the results are being presented next week at the USENIX OSDI conference.

Update: Looks like Engadget has some new info regarding this report, including the list of apps and a corporate mumbo jumbo response from Google on the matter.

16 Comments

  1. Rob C

    10/01/2010 at 6:26 am

    You would think a site that complains about the mis-reporting of the nonexistence of Windows slates would not conflate open source software with a (relatively) open ecosystem and market, versus a closed and tightly controlled ecosystem and market.

    Android is an open source operating system.

    The applications you're complaining about ARE NOT open source software. If they were, one could inspect the source code and readily identify the privacy issues that concern you. One could even remove the offending bits and redistribute the new version.

    The open-ness you complain about really is nothing new (Windows is open in that sense, as well as Mac OS, as well as any web 2.0 app or any web site whose privacy statement you don’t read) and has NOTHING to do with open source software.

    Please, don't perpetuate this misunderstanding.


  2. shauns

    10/01/2010 at 6:30 am

    Honestly, this has nothing at all to do with open source.

    It happens on all mobile operating systems. It doesn’t matter whether you use Android, iOS, WP7 or anything else. Applications can and do collect and share data, on any OS.

    Sure, other than Google, Apple CAN prevent apps from doing this. But they don’t.

    Apple has even been collecting location data without the users' knowledge (!) for years – long before they introduced iAds.

    Apple may be quick to reject apps they don’t like, but their AppStore is equally full of “spy” apps.

    The best solution would be informing the user which data is collected and who it is sent to.

    Android (as opposed to other systems) at least shows what kinds of data an app CAN collect, but there should be a way to find out whether the data is sent to advertisers.


  3. Rob C

    10/01/2010 at 7:01 am

    Q: Security Holes: Is this the cost of an open source Mobile OS?

    A: No


  4. Chris Leckness

    10/01/2010 at 7:22 am

    Ok, maybe the title should have been:
    Security Holes: Is this the cost of an open ecosystem

    Regardless of what the title is, the facts still remain that transmission of user data without consent is no good.

    Shauns – Could you point me in the direction of a report that shows that some iPhone apps transmit data without the users' knowledge? I am not saying that there are no apps that can and will, but I am fairly sure that no iPhone app is sitting there dormant, pinging your details out every 30 seconds or so, since Apple won't allow apps to run in the background. (Not 100% sure how permissions are in iOS 4.x though.)


  5. Rob C

    10/01/2010 at 9:30 am

    No, not maybe. In fact, why haven't you changed the title? It's a factual error as a result of a writer being uninformed in his own field, not a matter of opinion. The type of thing you expect to see in your local paper, not what purports to be a tech blog.

    It reminds me of an article I read in Byte during its dying days that referred to "IDE (integrated development environment) drives".


  6. Mike

    10/01/2010 at 11:28 pm

    The title of this, as others have said, is ill conceived and reactionary.

    Having said that, I would like to see Google close such capabilities down. It would be nice if android (or any systems) had an easy to use logger that showed exactly which applications were transmitting and how much they were transmitting.
    It could also provide some specific areas of memory for storage of sensitive data and log what applications are accessing that and when.
    Something akin to a firewall which not only showed the information but allowed the blocking of such activity both for net transmission and for access to this restricted memory area.

    It would be a nice addition.


  7. Rob C

    10/02/2010 at 3:17 am

    Since you're such a stickler for the journalistic method and demand sources, Chris – wouldn't want to get anything wrong or essentially rephrase what someone else said and slap a random headline on it – how about the study referenced in this article from July:

    http://www.mobilemarketer.com/cms/news/research/6941.html

    Please note that this article makes no mention of the open source nature of Android (because it's irrelevant) and concludes that Google and Android provide better controls for how code accesses private data, which is important because the issue typically isn't malevolent developers (are you really concerned about Evernote selling your data to the mafia? Then perhaps you shouldn't be using their service at all, because its very purpose is to store your personal and sensitive data on their servers.)

    Back to your headline and article: the study you originally referenced looked at Android. It didn't look at iPhone apps and give them a clean bill of health. You drew your own conclusion based on speculation, essentially restated it as fact, then put an inaccurate headline on it to not only drive your speculation home as fact, but to incorrectly drag the open source/closed source debate into it. Google "open source software security" and "Windows vulnerabilities"; educate yourself a little.

    Quoting from _More iPhone than Android apps can access sensitive user information_:

    The App Genome Project has scanned almost 300,000 applications and fully mapped close to 100,000 in order to understand how applications are interacting with personal data on phones and identify prominent security threats.

    So far, findings suggest that Android applications tap into sensitive data, such as contact lists, less often than comparable applications for the iPhone.

    While more free Android applications (47 percent) include third-party code than comparable iPhone applications (23 percent), Lookout says that the permission model of the iPhone platform makes it easier for such code to cause applications to access sensitive data.


  8. Dale Lane

    10/02/2010 at 12:15 pm

    It’s been said in the comments already, but while the headline remains unchanged it’s worth another comment – the existence of spyware and malware for a platform has nothing to do with the platform being open source.

    There is a ton of spyware out there for Windows. Do we call Windows an open source OS now?

    Change the headline – it’s a ridiculous tabloid question that risks misleading readers.


  9. acerbic

    10/04/2010 at 12:18 pm

    Killer Androids! Shocking! Scary!

    …And Now for Something Completely Different – the hypeless facts and perspective:

    http://www.pcworld.com/businesscenter/blogs/bizfeed/206744/androids_openness_doesnt_mean_its_less_secure.html?tk=rss_news


  10. Gun2hd

    10/17/2010 at 10:15 am

    Comments kills, Apple fan boy. Lmao
