Android wallpaper app that steals your data was downloaded by millions (venturebeat.com)
98 points by pkchen on July 29, 2010 | hide | past | favorite | 59 comments



so what were the security permissions requested by this app at the time of installation? i have to imagine that if it was taking web browsing history that it would have needed more permissions than just "uses network data".

android's fine-grained security permissions, where the author has to explicitly request each type (network use, prevent the screen from turning off, etc.) and the user is shown the list of permissions requested before installing, is good from a security standpoint, but i think it's ended up being like windows vista. users either don't read, don't care, or don't understand what is being asked of them and they just click whatever is needed to continue. even an advanced user can't tell the difference between a free app requesting network access to download advertisements and a malicious one using it to upload private information.


> users either don't read, don't care, or don't understand what is being asked of them and they just click whatever is needed to continue.

True. That's sort of ok as long as advanced users can tell when something fishy is going on and flag the app.

> even an advanced user can't tell the difference between a free app requesting network access to download advertisements and a malicious one using it to upload private information.

Also true. The Internet and SD card permissions are all-or-nothing, and therefore essentially useless. Apps should be able to declare that they only contact specific hosts or access specific directories, and there should be a standardized directory for per-app storage, like "Application Support" on OS X.


It's really not even safe to have an app without strong credentials and audit trail bringing in ads. There's no protection against objectionable ads, or those doing things like taking advantage of Flash vulnerabilities etc.

Isn't the Apple approach to host the ads themselves? While app developers still get data access, at least there's a healthy isolation between the client and the advertiser. Apple can certainly provide things like basic client stats and direct ads appropriately based on location.

The Windows anti-virus / anti-spyware model is too flawed to be trusted. It's like having a bouncer at the door of a party that keeps out offenders from previous parties. The default is to trust everything else, so every zero day attack can get through. Defaulting to not trusting things and only allowing what's known okay would be far more effective. If apps had to request all net connections through IPs stored at Apple/Google etc, the potential to direct to some hostile developer or botnet would be greatly reduced. Although the plans may be for video and other high bandwidth content streaming, that huge server city Apple is building could certainly host any static non-generic content apps need, and perhaps be a proxy for much of the rest (news sites etc). Google certainly has the infrastructure to do something similar. Granted Google is better set to do that on a global level.

Even advanced users can be tricked if granting access for something trivial opens the gates to something nasty. At least on a consumer device it makes sense to protect users from themselves. Limiting hosts and local directories is certainly prudent.


It's a rarity to see any Android app that doesn't require half a dozen different permissions. I just installed the Google Maps update and it requires 9 including the ability to read my phone call logs (??)


The google apps are an outlier in my experience so far. They tend to ask for many in-depth permissions. Most apps just want full network access (for ads) and sometimes phone call state/sdcard access etc.


maybe on-demand permission requests would be better for many of those things, like apple ios does when an app requests your location.

if i did something in google maps and it popped up a dialog asking for access to my call logs, i would certainly deny it, but i just did that update this morning and didn't even notice anything about it accessing my call logs.


> maybe on-demand permission requests would be better for many of those things, like apple ios does when an app requests your location.

Wouldn't change much, 95% of users would still go WANNA USE APPLICATION, DISMISS MEAN BOX NOW


Cancel or allow?


Cancel doesn't give them APPLICATION NOW, so it's just training them to reflex-click allow. It's a pavlovian reaction: Cancel -> no application; Allow -> application. If they launched the application, they probably want to see what's in it.


And it DID request more than that. The thing is, that these wannabes like to paint themselves as "security experts", so they conceal facts and tell the story to the masses of non-techie users and scare them. Then, they sell a bogus security app.


If a wallpaper app requests access to your contacts and millions of users install it anyways that is a flaw in Android's security model. After a while you become conditioned to just hitting Install without even looking at the permissions being requested. Just because users are lazy or even stupid is not an excuse for leaving them vulnerable.


I agree it's a flaw. I do think it is better than iOS but it is still a huge problem. It is one of simultaneously too much and too little granularity. If you provide too much granularity it overwhelms users, while if you provide too little it forces people to approve too wide a scope.

For example, the music app I just installed wants access to the phone state and identity. At first I baulked and said WTF does a music app need that for? And of course, the answer is it wants to make the music quieter / pause when a call comes in. But to do that it needs access to the identity of my phone because that seems to be lumped into the same bucket as the "state" of my phone. It also needs internet access because it wants to download album art. So these completely innocuous features also mean it could be tracking my location and reporting it to the web. How do I tell an evil app from a good one? I don't know - all I do is read the comments.

I think Android needs to make the model richer while also streamlining certain sets of permissions into standard profiles that people can understand. For example, the set of minimal permissions to support ads in an app should be simply presented as "to present location based ads", not a set of 5 permissions that overwhelm people. This should in turn be honed by Google into a minimal set of permissions internally so that an app that just wants to present ads can't actually track me and report my location to arbitrary web sites.

I hope Google is thinking about this stuff. I think it's in a reasonable state at the moment if it is just on a development curve. If this is how Google thinks it should stay then it is not enough and is going to become a serious problem.


No, it's a problem in the model.

User testing has shown, over and over again, that users do not read pop-up boxes. Why would anyone expect security warnings would be any different than error messages? MS dialed down granularity from Vista to 7 and the UAC is still a joke.

What's needed is something different. I don't know what that thing is, but pop-up boxes are not it.

My pet theory atm is "services". When an app installs, it can register as knowing what to do with certain data. Say, GPS coordinates or contacts.

If a user wants their wallpaper to have access to that data, they'll open their GPS, or contacts app and explicitly allow the behavior.

That way, an app only has access to those data sources if the user explicitly sets out to grant it to them. If it's a conscious multi-step process, it should be pretty hard for people to accidentally grant a wallpaper access to all their personal data.

And given the competitiveness of mobile app stores, I doubt any app would survive that sits functionless and nagging until the user explicitly grants it a half-dozen permissions. So they'd quickly end up asking for less, or at least delivering as much as they can with as little as they're given.

I know "services" hardly goes all the way. But my point remains that no level of granularity will make the pop-up approach 'work'.


That is not a flaw in android's security model. That is a flaw in the user.

If a salesman approached your door and said "I will own your first born child, and your boat, if you sign this contract to get a 90% discount on a time share in Bermuda" and then several people agreed, just because they didn't listen to the first part of the sentence, whose fault is this? The salesman or the 'victim'? It's the victim's fault, because he DIDN'T LISTEN, and AGREED ANYWAY.

Any lawyer (or layman for that matter) will tell you that if someone signs a contract they DON'T READ that they're still required to uphold it.

When you are installing an application and it asks you to AGREE to the application doing X,Y,Z and you say 'OK' then YOU are responsible.

No Pavlovian behaviorist hogwash is going to convince me otherwise.


Just out of curiosity, when an android app is updated, how are permissions handled? Do you receive a prompt to allow new privileges, or does it assume you approve of it already?

You bring up an astute point on the vague "network access" permission, but there's really not an easy answer to this. How would you fix it? Ask the developer to simply say what the access will be used for? In a malicious app, they'd obviously just lie. Short of actually displaying what data an app is sending, I don't see an easy answer.


Yes, if an update requires new permissions, it must be explicitly approved again and cannot be auto-updated.


Maybe treating any ad network component as a "sub-app" with separate permissions would make it more obvious when a request for network access is unwarranted. As to how something like that might be implemented... I have no idea.

I suspect people would ignore it anyway.


froyo (finally) has an automatic update feature, so most apps update on their own. i have noticed a few that say they require manual updating, but i didn't know if it was due to a download failure or if it was for a changed set of permissions. it does show you the full permission list again before updating manually.

> How would you fix it? Ask the developer to simply say what the access will be used for? In a malicious app, they'd obviously just lie. Short of actually displaying what data an app is sending, I don't see an easy answer.

maybe show a list of domains it's allowed to resolve/contact? i guess that wouldn't make it any easier for most users to decipher though. i think a lot of free apps require network access just to download ads; maybe there is a better way (in the android api) of handling that to segment it away from full-blown network access?

maybe have a set of permissions common to each category? it's expected that a web browser app has access to do a lot of things, but if you have an app in a wallpaper category that requires those same set of permissions, it should be raising a red flag somewhere.

perhaps apple's app review process wasn't so crazy after all...


Again since the article doesn't mention which app was malicious it's hard to say but when I looked up the wallpaper apps developed by "jackeey,wallpaper" I see the apps requiring the following permissions:

android.permission.ACCESS_COARSE_LOCATION

android.permission.ACCESS_NETWORK_STATE

android.permission.INTERNET

android.permission.READ_PHONE_STATE

android.permission.SET_WALLPAPER

android.permission.WRITE_EXTERNAL_STORAGE

It seems strange for a wallpaper app to require internet access.
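
An added example, not part of any comment in this thread: the per-category permission baseline suggested above, applied to the six permissions listed in the preceding comment. The baseline table, sensitivity notes, function names and sample manifest are assumptions constructed for illustration, and the input is assumed to be a decoded plaintext AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

# Attribute key ElementTree produces for android:name.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
INTERNET = "android.permission.INTERNET"

# Hypothetical store-side baselines per category (an assumption, not a
# real Android Market policy): what an app of that kind plausibly needs.
CATEGORY_BASELINE = {
    "wallpaper": {
        "android.permission.SET_WALLPAPER",
        INTERNET,                                   # download new wallpapers
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Permissions that expose user or device data, with a reviewer-facing note.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number, IMSI, voicemail number",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
}

# Constructed sample: the six permissions listed in the comment above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Example Wallpapers"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permissions requested via <uses-permission>."""
    # For untrusted uploads, use a hardened parser (e.g. defusedxml) instead.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NAME) for el in root.iter("uses-permission"))
    return {n for n in names if n}  # skip elements lacking android:name


def review(manifest_xml, category):
    """Compare requested permissions with the category baseline."""
    requested = declared_permissions(manifest_xml)
    # Unknown category: empty baseline, so every permission gets flagged.
    baseline = CATEGORY_BASELINE.get(category, set())
    outside = sorted(requested - baseline)
    sensitive = {p: SENSITIVE[p] for p in outside if p in SENSITIVE}
    return {
        "outside_baseline": outside,
        "sensitive": sensitive,
        # Sensitive data plus network access is the combination the thread
        # worries about: the app can read the data and send it off-device.
        "can_exfiltrate": bool(sensitive) and INTERNET in requested,
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST, "wallpaper")
    for perm in report["outside_baseline"]:
        note = report["sensitive"].get(perm, "not in category baseline")
        print(f"FLAG {perm}: {note}")
    print("needs manual review:", report["can_exfiltrate"])
```

A check like this only narrows what a human has to look at; it cannot tell whether an app that stays inside its baseline uses network access honestly.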


A wallpaper app is likely to need the ability to download new wallpapers. I'm not sure why it would need your location though.


It wouldn't need it, but it could be used to find wallpapers relevant to your location (photos).


I must admit I didn't know that READ_PHONE_STATE includes browsing history. But I don't know what is the message shown to the user.

I have decided to not install apps that ask for too much several times.

Maybe another way to categorize the security rights is needed.


A typical case of overblown 'user failure', not Android security model failure. If a wallpaper app wants internet access and you allow it you really only have yourself to blame.

Wallpaper, cursors packages, screen savers and other dumb 'customisation' gadgets have been malware vectors on the windows platform for about 15 years now, why would phone platforms be any different ?


Because this wasn't some random APK downloaded directly from the internet and thrown onto a phone after the 'APKs from the internet might harm your security' message.

It was uploaded to Android Market and provided by Google, who as an arbiter of content, should realize that 'collect phone data' isn't an appropriate permission for a wallpaper.


So, Google has a responsibility to check each and every app for malicious intent by the uploader?

I really think that goes one step too far, that's exactly what apple does with their market place and I think that is a big part of the problem.

The ultimate responsibility of what you run on your computers lies with you, not with some entity providing you with a convenient way to get at a catalogue of stuff.

This application seems to be malicious, and it seems that the security model is not broken, after all it asks for the permissions very explicitly.

Now if only people would read those warnings and think for a bit before clicking 'ok'.

This is analogous to people receiving an email that instructs them to open a malware attachment.

It's simple, if you haven't inspected the source and it doesn't come from a source that has inspected the code and that gives you a guarantee that you can trust the stuff you download then you can not trust it.

Pushing the responsibility to Google is utterly unfair, they could never in a lifetime review the source code of every application that every android app developer throws out there.


> So, Google has a responsibility to check each and every app for malicious intent by the uploader?

Yes, that's very much the point of an official, curated application store. Especially when you can sideload applications or use a third-party store, the official first-party store being loose and un-trustable makes it not very useful.

> The ultimate responsibility of what you run on your computers lies with you

Most users have absolutely no sense of IT responsibility, and barely even understand how the thing is supposed to work.

> Pushing the responsibility to Google is utterly unfair

Not really. It's their store, branded by themselves. To regular users, they're the trusted authority/overseer.


I thought the main point was to provide a centralised repository, not to have a 'stamp of approval' and a guarantee of being 'malware free'.

For the life of me I can't see how google could begin to put a dent in evaluating each and every application at that level.

Do they refuse applications according to some publicised rule set ?

Each and every one of the closed source downloads that has ever been done from download.com could turn out to be malware tomorrow morning, I find it hard to believe we should hold download.com as the place where we 'got it' responsible for stuff like that.

In the end, you should trust the creator of the software, emphatically not the place where you downloaded the code. Whether it's a big site maintained by a big name or a smaller one, if it isn't open source you basically can't trust it.


> Do they refuse applications according to some publicised rule set ?

Yes. The Android Market Developer Distribution Agreement, here: http://www.android.com/us/developer-distribution-agreement.h.... Section 4.3 in particular.


> So, Google has a responsibility to check each and every app for malicious intent by the uploader?

(...)

> The ultimate responsibility of what you run on your computers lies with you, (...)

This touches on something that has been nipping at my brain lately. There seems to be a widespread assumption among many developers that end users need to be more educated about technology, that it is not the developers who need to make these things simpler to use, but end users who need to understand the underlying system better. In other words, that the general public needs to catch up to technology instead of technology being more usable for the general public.

I think that is very wrong headed.

> Now if only people would read those warnings and think for a bit before clicking 'ok'.

Well, it only tells you it wants to read your address book, not that it wants to read your address book so it can spam all your friends (as an example). Joe Somebody wouldn't be stupid to allow a wallpaper app to read his address book if he was under the assumption that the app would just use that data to let him email nice wallpapers to friends.

> This is analogous to people receiving an email that instructs them to open a malware attachment.

Only if every app the user installs requires following email instructions and opening an attachment, and that's the point. There is little to discern the malicious permissions from the beneficial ones unless you are intimate with how the app is supposed to work. This is why a higher, more knowledgeable authority should at least give apps some level of review.


That's the high road to trusted computing, but that doesn't mean the destination is any better. Think the 'ministry of automation' giving you a license to develop or something like that.


The tricky part for Google is they have pulled apps in the past so they're not entirely absolving themselves of responsibility for the Market.


As I'm sure they'll pull these when the right people at google are alerted to the problem.

But there will be more instances of this and I think that there simply ought to be a strict procedure to report malware so it can be responded to quickly rather than to lay the blame with google.

Then if such a procedure is in place and if google would consistently refuse to pull clearly identified malware you'd get in to a situation where you could lay some blame.

As it is I find it premature to do this, the Android application market is still developing as are the procedures to deal with applications that behave in 'unexpected' ways, the first competent user that installed this stuff should have had a way to provide feedback about the perceived security risks.


Having anything submitted to the 'Themes' category not include the permission to view your call history is automatable.

> I'm sure they'll pull these when the right people at google are alerted to the problem.

I've ported about 15 different apps to Google which were blatant cases of IP theft, and one of search results gaming. They're all still there, with zero response. They might be better with handling malware but I doubt it.


I hope you meant reported not ported.


That's pretty damn sloppy of them.


Tall people are not responsible for the things that are placed on high shelves just because they can reach them, but it is nice of them to help shorter people manipulate those things.


They pull videos from Youtube too but you can't sue them for copyright violation when your TV show appears on there.


I think Google is going out of their way not to be an arbiter of content. Just as on Youtube, they can grow faster and avoid legal headaches if they're not actively involved in the process.

As with many things in this area Apple has ridiculous mindshare so app store means control for many people, and that extends to imagining that Apple scrutinizes for security issues such as this (rather than censoring cartoons displaying alternate lifestyles).


If this is true, I'm disturbed by the fact that:

1. Google has failed to tell any of us this, 2. I don't even know if I had any of the vendor's applications in the past, as they have been removed entirely, AND 3. Google has failed to tell any of us this!

I mean what the hell, at least send us an email telling us that because we downloaded AppXYZ, our data has been compromised by some low-life(s) in China. I'm going to end up being a lot less likely to download random apps now, not only because of this really sketchy incident, but because of the lack of transparency on Google's part.

Damn.


Does Android have the ability to remotely kill applications like iOS? If so, perhaps they did that, so your app just disappeared if you had it.

I was going to say "I can't imagine Google hushing up a security issue", but it does have the potential to get thrown in their face by Apple, "See, our walled garden is a good thing." (Not that I believe for an instant that Apple's approval would catch something like this.)


Yes, they do. I am pretty sure they have already removed one application. Let's wait to hear what google says before we all go crazy.


> Yes, they do. I am pretty sure they have already removed one application.

Two, I believe (though at the same time and by the same author)


> Does Android have the ability to remotely kill applications like iOS?

Yes, and they already used it a few weeks back: http://android-developers.blogspot.com/2010/06/exercising-ou...



It's quite clearly stated, when you install an app from the market, what permissions is it requesting. If your wallpaper app wants to know your location, SMS content etc etc, and you still install it, more fool you.


I'm pretty sure the article is not entirely accurate. There are several apps from "Jackeey Wallpaper" in the Android Market, all of which seem to be apps to download wallpapers of various themes. The dozen or so I've checked have these permissions:

- "modify/delete SD card contents"
- "coarse (network based) location"
- "full Internet access"
- "read phone state and identity"

As far as I know none of those allow reading your browser history or text messages, and certainly not your voicemail password. We need to see a network capture of what was sent to their site.


The app in question only sends your phone number, IMSI, and voicemail number. They posted a clarification here: http://blog.mylookout.com/2010/07/mobile-application-analysi...


It seems like Android has three choices

1. The current approach (which made it possible for the wallpaper app to steal user data from millions of users)

2. Prevent apps from accessing data such as voicemail-password, web-browsing history etc. (but it is possible that some apps may have a legitimate reason to do this and blocking these apps may not be fully consistent with the open platform goals)

3. Throw a big warning message EVERY time an app tries to access sensitive data (or perhaps for the first 10 times and the first 10 days...). It is a compromise solution, but users may find this annoying.

Either way, this is a somewhat tough problem.


> It collects ... your voice mail password

Do the security dialogs reflect the differing levels of importance of the data you're providing access to? If an app is requesting access to my voice mail password, I'd expect a pretty big red strobe light stuck on the dialog; something to really catch your attention, especially if you're trying to 'yes' your way through 9 (number stated by jsz0 for Google Maps) of the things


This scared me. I just installed a wallpaper app yesterday and while doing so thought "that's weird, why does it need my personal information, phone calls etc.". But I still got the app. I guess my excuse is being used to my iphone, I didn't think about exactly how much access I was granting to this random app.

Anyway, I just checked, and the wallpaper app I had wasn't from jackeey. It's a top free app on the marketplace named Backgrounds by Stylem Media. And, it requires access to network communication, personal information, storage, phone calls, and system tools.

I have no idea how the warnings are generated. Maybe devs are just including random libraries in their app (copy paste?) which are setting off these warnings? If not, why does this wallpaper app need my personal info?

Anyway, good wake up call, I will definitely be more careful wrt what I install on my phone.

EDIT: App request: something that logs/polices information going out from my phone. Firewall? we'll be needing an anti-virus next :(


"And, it requires access to network communication, personal information, storage, phone calls, and system tools."

This seems like a clear warning to me for wallpaper app. Would you install such an app on your PC/Mac?


So the iPhone is too closed, and Android is too open.

In my opinion, they should have a quality assured Market, but keep the ability to load .apk files whenever you want (and also the ability for others to create their own market).

Quality assurance on market should mainly be about maliciousness of applications.

It sounds stupid arguing for android to be more closed, but really Google is very slack with their Market.


QA at Apple would not have stopped this. I'm not surprised that people fall for this BS. Apple would have caught this just like Apple would have caught a flashlight with a SOCKS tunnel right?

If the App requests permission, wtf do you expect? I don't think Google even has an obligation to remove or crackdown on these types of apps.


every app asks for permissions, that's the problem. If I didn't use apps that had permissions which could possibly be exploited I would have barely any apps.

At the very least malicious apps need to be removed quickly, along with spam + scam apps.


It would be nice if the article actually named the app rather than just the developer.

Does anyone know the app name?


I did some digging and ...

The article doesn't mention which app was malicious however they did mention that the app publisher went by the name of "jackeey,wallpaper".

I ran some queries and it seems like the developer that publishes apps under "jackeey,wallpaper" also publishes under "jackeey.wu".

A list of the apps published by this developer is here (most of which are wallpaper apps):

http://andbot.com/developer/jackeeywallpaper

http://andbot.com/developer/jackeey-wu

http://andbot.com/developer/jackeeywu


I compiled a more comprehensive list of the apps that could be affected and I'll be updating it when I find out more info:

http://andbot.com/blog/index.php/2010/07/29/android-apps-sus...


If you search the market for "Jackeey" you'll get several dozen wallpaper apps. I think the article is treating all of them as a single app, which explains the "1.1 to 4.6 million" downloads: they just added up the lower and upper bounds of the ranges for each individual app. And as I said above, they don't appear to be requesting permissions that would let them do most of the nasty things described.


I've gotten very selective about which android apps I install. It seems like some apps ask for more access than I would like to give them and what I think they need.



