
Because this wasn't some random APK downloaded directly from the internet and thrown onto a phone after the 'APKs from the internet might harm your security' message.

It was uploaded to Android Market and provided by Google, who as an arbiter of content, should realize that 'collect phone data' isn't an appropriate permission for a wallpaper.




So, Google has a responsibility to check each and every app for malicious intent by the uploader?

I really think that goes one step too far, that's exactly what Apple does with their marketplace and I think that is a big part of the problem.

The ultimate responsibility of what you run on your computers lies with you, not with some entity providing you with a convenient way to get at a catalogue of stuff.

This application seems to be malicious, and it seems that the security model is not broken, after all it asks for the permissions very explicitly.

Now if only people would read those warnings and think for a bit before clicking 'ok'.

This is analogous to people receiving an email that instructs them to open a malware attachment.

It's simple, if you haven't inspected the source and it doesn't come from a source that has inspected the code and that gives you a guarantee that you can trust the stuff you download then you can not trust it.

Pushing the responsibility to Google is utterly unfair, they could never in a lifetime review the source code of every application that every Android app developer throws out there.


> So, Google has a responsibility to check each and every app for malicious intent by the uploader?

Yes, that's very much the point of an official, curated application store. Especially when you can sideload applications or use a third-party store, the official first-party store being loose and un-trustable makes it not very useful.

> The ultimate responsibility of what you run on your computers lies with you

Most users have absolutely no sense of IT responsibility, and barely even understand how the thing is supposed to work.

> Pushing the responsibility to Google is utterly unfair

Not really. It's their store, branded by themselves. To regular users, they're the trusted authority/overseer.


I thought the main point was to provide a centralised repository, not to have a 'stamp of approval' and a guarantee of being 'malware free'.

For the life of me I can't see how Google could begin to put a dent in evaluating each and every application at that level.

Do they refuse applications according to some publicised rule set?

Each and every one of the closed source downloads that has ever been done from download.com could turn out to be malware tomorrow morning, I find it hard to believe we should hold download.com as the place where we 'got it' responsible for stuff like that.

In the end, you should trust the creator of the software, emphatically not the place where you downloaded the code. Whether it's a big site maintained by a big name or a smaller one, if it isn't open source you basically can't trust it.


> Do they refuse applications according to some publicised rule set?

Yes. The Android Market Developer Distribution Agreement, here: http://www.android.com/us/developer-distribution-agreement.h.... Section 4.3 in particular.


> So, Google has a responsibility to check each and every app for malicious intent by the uploader?

(...)

> The ultimate responsibility of what you run on your computers lies with you, (...)

This touches on something that has been nipping at my brain lately. There seems to be a widespread assumption among many developers that end users need to be more educated about technology, that it is not the developers who need to make these things simpler to use, but end users who need to understand the underlying system better. In other words, that the general public needs to catch up to technology instead of technology being more usable for the general public.

I think that is very wrong-headed.

> Now if only people would read those warnings and think for a bit before clicking 'ok'.

Well, it only tells you it wants to read your address book, not that it wants to read your address book so it can spam all your friends (as an example). Joe Somebody wouldn't be stupid to allow a wallpaper app to read his address book if he was under the assumption that the app would just use that data to let him email nice wallpapers to friends.

> This is analogous to people receiving an email that instructs them to open a malware attachment.

Only if every app the user installs requires following email instructions and opening an attachment, and that's the point. There is little to discern the malicious permissions from the beneficial ones unless you are intimate with how the app is supposed to work. This is why a higher, more knowledgeable authority should at least give apps some level of review.


That's the high road to trusted computing, but that doesn't mean the destination is any better. Think the 'ministry of automation' giving you a license to develop or something like that.


The tricky part for Google is they have pulled apps in the past so they're not entirely absolving themselves of responsibility for the Market.


As I'm sure they'll pull these when the right people at Google are alerted to the problem.

But there will be more instances of this and I think that there simply ought to be a strict procedure to report malware so it can be responded to quickly rather than to lay the blame with Google.

Then if such a procedure is in place and if Google would consistently refuse to pull clearly identified malware you'd get into a situation where you could lay some blame.

As it is I find it premature to do this, the Android application market is still developing as are the procedures to deal with applications that behave in 'unexpected' ways, the first competent user that installed this stuff should have had a way to provide feedback about the perceived security risks.


Having anything submitted to the 'Themes' category not include the permission to view your call history is automatable.

> I'm sure they'll pull these when the right people at Google are alerted to the problem.

I've ported about 15 different apps to Google which were blatant cases of IP theft, and one of search results gaming. They're all still there, with zero response. They might be better with handling malware but I doubt it.
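
The category check the comment above calls automatable, sketched as an added example that is not part of the thread or of any store's actual review code. The allowlist, the verdict names and both sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Hypothetical store policy: the only permissions a category may request.
CATEGORY_ALLOWED = {
    "Themes": {
        "android.permission.SET_WALLPAPER",
        "android.permission.SET_WALLPAPER_HINTS",
        "android.permission.INTERNET",
    },
}

def requested_permissions(manifest_xml):
    """Collect every <uses-permission android:name="..."> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def review_submission(category, manifest_xml):
    """Return (verdict, out-of-policy permissions) for one upload."""
    allowed = CATEGORY_ALLOWED.get(category)
    if allowed is None:
        return "manual-review", []   # no policy written for this category
    try:
        requested = requested_permissions(manifest_xml)
    except ET.ParseError:
        return "manual-review", []   # unreadable manifest is never auto-accepted
    extra = sorted(requested - allowed)
    return ("reject" if extra else "accept"), extra

# Constructed sample manifests (not taken from any real app).
HEADER = '<manifest xmlns:android="%s" package="com.example.wallpaper">' % ANDROID_NS
WALLPAPER_OK = HEADER + """
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
</manifest>"""
WALLPAPER_OVERREACH = HEADER + """
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("ok", WALLPAPER_OK), ("overreach", WALLPAPER_OVERREACH)):
        print(label, review_submission("Themes", xml))
```

A check like this only compares declared permissions against a per-category list; it says nothing about what an app does with a permission the list allows.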


I hope you meant reported not ported.


That's pretty damn sloppy of them.


Tall people are not responsible for the things that are placed on high shelves just because they can reach them, but it is nice of them to help shorter people manipulate those things.


They pull videos from YouTube too but you can't sue them for copyright violation when your TV show appears on there.


I think Google is going out of their way not to be an arbiter of content. Just as on YouTube, they can grow faster and avoid legal headaches if they're not actively involved in the process.

As with many things in this area Apple has ridiculous mindshare so app store means control for many people, and that extends to imagining that Apple scrutinizes for security issues such as this (rather than censoring cartoons displaying alternate lifestyles).



