Android app stole private data from millions

And here I am stuck with a phone locked into Apple's appstore that protects me from this, *sigh* woe is me.
 
Well that's what I want to establish whether it's an app from the AndroidMarket or one of the ones you can download from a rooted phone. I'd imagine jailbroken iPhone would be at as much risk by non-authorised developers.

Also, does the iPhone warn you what parts of the phone the app is using?
 
From Blog.Lookout.com, where this originates:
Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)

The full reveal was said to happen at the Black Hat conference which is currently in progress... wonder if anything else came out? This doesn't seem like all that much :/
 
Well that's what I want to establish whether it's an app from the AndroidMarket or one of the ones you can download from a rooted phone. I'd imagine jailbroken iPhone would be at as much risk by non-authorised developers.

Also, does the iPhone warn you what parts of the phone the app is using?

Was just a slight jab, I'm only joking ;) Jailbroken iPhones are just as risky I know.
 
I'm sorry, but I don't like how people compare Android vs iPhone with stories like this.

This contrasts with applications for Apple's iPhone, which are vetted and authorized by Apple before being made available to users.

While this may be true, it does not mean they are immune to, or catch all instances of data collection. In fact:

http://blog.mylookout.com/2010/07/introducing-the-app-genome-project/ shows some other data that you might find interesting:

  • 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
  • Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)

I understand that the breach with Jackeey is pretty bad. That's one instance and is not enough to make it sound like Android does nothing.

Also, does the iPhone warn you what parts of the phone the app is using?

Not so much. From Engadget:
If you're an iPhone user, the only privacy notice you'll see from an app regards your current location -- as much a warning about the associated battery hit from the GPS pinging as anything.

Android does, however. It gives a very good breakdown of what the app accesses, people just don't read it.
 
"I understand that the breach with Jackeey is pretty bad. That's one instance and is not enough to make it sound like Android does nothing."

As bad as the breach might be - it reveals only your Phone number, Sim number and - if it's stored - your voicemail password.

It was also only downloaded by 'south of 250 000 users'.

---

The main thing to keep in mind, is that Android DOES actually warn you about these things, with Apple you can only hope that they picked it up while vetting the app. There is no evidence that their process is good enough to catch a data leak alongside Wallpaper software.

Do they inspect the packets being sent? For all they might know, the phone sends this data in an encrypted format to the webserver where the wallpapers are stored. It could look like an identification string. Heck - on the phones they are testing, there's a good chance the voicemail password isn't even stored, so they won't even have a chance to pick up that kind of flaw.
 
This would be easily resolved if modern smart phones prompted you before allowing an app to connect to the internet like Symbian used to.
 
This would be easily resolved if modern smart phones prompted you before allowing an app to connect to the internet like Symbian used to.

that wouldn't necessarily stop it from sending out your data, because it would need to connect to the internets to download the wallpapers/cartoons/nudie pics/lolcats. while it's doing that, it could secretly be sending out your info.

like they said above, the best thing would be to look at what your new app is needing to access on your phone just before you download it.
 
This would be easily resolved if modern smart phones prompted you before allowing an app to connect to the internet like Symbian used to.

Phones are becoming more and more connected to the Internet and cloud services.

The problem then is that you
  • Still don't know why the app is connecting (I need to check for updates to the wallpaper vs. I want to send your information)
  • Several apps are ad-supported on mobile platforms now, requiring you to click "Yes" to a lot of prompts, especially if the app shuts down when you switch
  • There are background services that periodically poll for data (Android's sync, Exchange ActiveSync, Android Market updates, etc).

I found that if there's enough "Yes/No" prompts that stop you from getting your work done, eventually you train yourself to just click "Yes" without reading.
 
What I would like on my phone, is a "whitelist" application. This application would tell me that another app should be deleted, or will go as far as to remove it itself.
 
Yep it's coming

Android developer seminar :) is coming to my school for the first one in South Africa. This I hope will promote the building of better more useful apps since we Mzanzi peeps live according to Ubuntu and we will build no stealing apps.:):):)
 
moral of the story...
don't click anything which says "download free virus scanner / wallpapers / smilies"
as it is in the desktop world, so shall it be in the mobile world.
 
The main thing to keep in mind, is that Android DOES actually warn you about these things, with Apple you can only hope that they picked it up while vetting the app. There is no evidence that their process is good enough to catch a data leak alongside Wallpaper software.

Do they inspect the packets being sent? For all they might know, the phone sends this data in an encrypted format to the webserver where the wallpapers are stored. It could look like an identification string. Heck - on the phones they are testing, there's a good chance the voicemail password isn't even stored, so they won't even have a chance to pick up that kind of flaw.

Apple's review process examines all the API calls an application makes, no need for packet inspection.
 
Mobile phone app stole private data from millions

A free application that allowed users to change the background image on their Android smartphones actually stole private data from as many as 4 million people and transmitted it to China, security experts have revealed.

Wrong. This story has been blown completely out of proportion with some sensationalist reports. The developer of the wallpaper app refuted the claims. Security software maker, Lookout, who initially accused the wallpaper app developer has since updated their blog admitting there's no proof of any malicious behaviour.
 
Apple's review process examines all the API calls an application makes, no need for packet inspection.

What is the difference between an api call to send and receive data and send and receive wallpaper?

Apps could excuse their access to your call logs by rotating backgrounds after a call, or even changing backgrounds depending on who called.

The API calls themselves won't tell a complete story any more than the access requirements for an Android device would.

---

I'm definitely going to check out Lookout's blog for more details - thanks GlobeTrotter!
 
What is the difference between an api call to send and receive data and send and receive wallpaper?

Apps could excuse their access to your call logs by rotating backgrounds after a call, or even changing backgrounds depending on who called.

The API calls themselves won't tell a complete story any more than the access requirements for an Android device would.

In order to get the information the app wants to collect it would have to do an API call. In short, when a background app is doing API calls to get your phone number, device ID, etc people might start to wonder.
 
In order to get the information the app wants to collect it would have to do an API call. In short, when a background app is doing API calls to get your phone number, device ID, etc people might start to wonder.

Read the links Globetrotter provided. Android does inform you of such details directly, but there could be good reason to do it, as per the developer's response.
 