Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

One in five apps insecure...

  • 23-06-2010 10:43am
    #1
    Registered Users, Registered Users 2 Posts: 234 ✭✭


    From the Komplett blog...

    In a worrying development for any Android worshippers out there, security software experts SMobile Systems has released a report which claims that one in five Android mobile phone applications is insecure.

    "Some of the apps could make calls and send text messages without the mobile user doing anything."

    SMobile Systems said that 20% of the 48,000 apps in the Android marketplace allow a third-party application access to sensitive or private information.

    Dan Hoffman, CTO at SMobile Systems warned that just because it’s coming from a known location like the Android market or the Apple App Store that doesn’t mean you can assume that the app isn’t malicious or that it has undergone a proper vetting process.

    An Inquirer report on the matter tells how, “Some of the apps could make calls and send text messages without the mobile user doing anything, the report said. Also, more than five% of the apps can place calls to any number and two% can allow an app to send unknown SMS messages to premium numbers. SMobile Systems said that dozens of apps were found to have the same type of access to sensitive information as spyware.”

    As the Inquirer notes, a report like this from a company such as SMobile is usually all done to sell more security software but the findings are still interesting nonetheless. Indeed, the area of apps security will be a well trodden subject over the next year to 18 months.


Comments

  • Registered Users, Registered Users 2 Posts: 3,495 ✭✭✭Abelloid


    Have they named any of the apps in question?


  • Registered Users, Registered Users 2 Posts: 234 ✭✭Yelnahs


    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    The full whitepaper can be found here...


  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Sports Moderators Posts: 12,808 Mod ✭✭✭✭Keano


    As the Inquirer notes, a report like this from a company such as SMobile is usually all done to sell more security software but the findings are still interesting nonetheless

    ...


  • Registered Users, Registered Users 2 Posts: 3,495 ✭✭✭Abelloid


    Yelnahs wrote: »
    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    The full whitepaper can be found here...

    Thanks, I'll give that a read.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    Don't all apps have to specify their required permissions in the deployment manifest so that you get notified when you install?

    I think that the user should be asked if and when the app first tries to make a call or send a text. It's to easy to ignore the notification when installing.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 280 ✭✭BeciMester


    I think that the user should be asked if and when the app first tries to make a call or send a text. It's to easy to ignore the notification when installing.
    I dunno if it's the same thing but Estrong file browser is granted access to Bluetooth when installing, yet when I try to use it from within the app, Android (not the app) asks for permission. I think it's in there.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    In fairness all the apps they list have to ask for permission to preform any of the activities they mention during the install phase. So its not like people could accidentally install one of these, probably just a third party who wants to spy on the user for whatever reason. Additionally even though the permissions they are talking about can be used for nefarious purposes, 99% or the apps that request them do so for good reason (one of the apps in the paper preforms functions similar to apples find my phone service), and I suspect that they still count those apps in the 20% of insecure apps count.

    I guess it comes down to a choice between security and openness, I personally prefer the freedom to do whatever I want with my devices. It falls on me not to allow people I don't trust access to my phone, or indeed any of my stuff. Admittedly a lot of those apps won't function on the iPhone but at the same time they lose a lot of useful functionality. There are also instances where Apples tight grip on the app store will benefit the customer (such as if any malware ever shows up on it) and times when it will put them at a disadvantage, so chose your poison.

    One feature that probably should be added to Android is if an app requests certain security features (perhaps any of the orange ones) then the user would have to authenticate to install that app. At least then you would avoid people installing this specific type of spyware behind your back.


  • Registered Users, Registered Users 2 Posts: 7,753 ✭✭✭Bluefoam


    The statistics are basically ridiculed here:
    http://www.theregister.co.uk/2010/06/23/android_security/

    sound like apple comissioned the survey...


  • Registered Users, Registered Users 2 Posts: 3,207 ✭✭✭hightower1


    TBH its not the apps that are unsecure, as its been said that when installing the apps it needs permission and is very clear in the description that it will access outbound comms using mail or text.... thats the whole point of these.

    The real issue is your partner / sibling / friend tampering with your handset!


  • Registered Users, Registered Users 2 Posts: 2,164 ✭✭✭hobochris


    These so called security flaws are the beauty of android.

    Rather then have to get a Midlet signed to use certain features at great expense(symbian), or put your App up at the mercy of someone, who at a whim can decide to reject it for poops and giggles (Apple), Android lets the user know what the resources such as call access and texts ect.. The App uses and allows the user to make a decision.

    Oh noes, Android doesn't subscribe to the constrictive security methodology of other mobile Operating systems, which in turn puts them at an advantage, quick lets commission a Skewed Hysterical report to discredit it. :rolleyes:


    Hmm... wonder who's bankrolling this?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    Whats amusing is that whatever security stuff they offer would probably have to request a lot of the same permissions, and would therefore add to the 20% insecure figure.


  • Closed Accounts Posts: 2,916 ✭✭✭RonMexico


    Bluefoam wrote: »
    The statistics are basically ridiculed here:
    http://www.theregister.co.uk/2010/06/23/android_security/

    sound like apple comissioned the survey...

    Bingo we have a winner!

    I was having a conversation with a guy who works for apple, h is involved with overseeing the app store and when I dared question the worth of their newest toy the first thing he threw at me was the app security for android. Thankfully I had read the above article and shut him up pretty quickly with it.

    Slightly off topic: On TV3 last night they said the new iphone costs £500 in the North :eek:


  • Registered Users, Registered Users 2 Posts: 55,571 ✭✭✭✭Mr E


    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).


  • Registered Users, Registered Users 2 Posts: 19,550 ✭✭✭✭Krusty_Clown


    Mr E wrote: »
    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).
    Presumably only apps that you install from the market. I mean any other apps that you self-install couldn't violate the market's terms and conditions, right, so Google wouldn't have the means (or the motivation) to remove them.


  • Registered Users, Registered Users 2 Posts: 3,495 ✭✭✭Abelloid


    Mr E wrote: »
    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).

    Jebus. Does Obama know about these 'kill switches'? :pac:


  • Closed Accounts Posts: 3 TomDork


    Yelnahs wrote: »
    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    Hi all!

    I am member of the Theftaware Team. We also read that article.
    What the writer claims is, that if Theft Aware is used in the
    wrong way, like for spying, it could be considered spyware.
    However if you use Theft Aware in the way it is INTENDED to
    be - just install it on your own phone - it is NOT. So - there is no
    flaw.

    Some how it's like blaming a kitchenknife to be an instrument
    of murder.It depends on how the customer uses it.

    We state clearly that it is FORBIDDEN to use our tool for spying
    on other people as this is ILLEGAL.

    I hope this clarifies the situation.

    We also appreciate the openness and "pro-choice"-way of Android.
    The user has to take some responsibility but gains a lot of
    functionallity in exchange.

    ...and of course: give theftaware a try - you'll like it too

    Edit:
    CNET wrote about that whitepaper too - a few days later they tetracted their article since the whitepaper was merely a marketing gag.
    CNET retracts article on Android app privacy threat


  • Registered Users, Registered Users 2 Posts: 7,753 ✭✭✭Bluefoam


    It seems that people can hijack your iTunes acoount and spend your money if you have an iPhone - seems to be fairly common:

    http://www.theregister.co.uk/2010/07/05/itunes_app_store_manipulation/


  • Closed Accounts Posts: 3 TomDork


    Bluefoam wrote: »
    It seems that people can hijack your iTunes acoount and spend your money if you have an iPhone - seems to be fairly common:
    http://www.theregister.co.uk/2010/07/05/itunes_app_store_manipulation/

    ...and this is of interest on the android board because...?


  • Registered Users, Registered Users 2 Posts: 10,992 ✭✭✭✭partyatmygaff


    TomDork wrote: »
    ...and this is of interest on the android board because...?
    It seems likely that Apple may have pushed for this "study" to be carried out.


  • Closed Accounts Posts: 3 TomDork


    ...and steve jobs molests aliens in his cellar. (we are on the same level of proof and guessing here)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 13,763 ✭✭✭✭Inquitus


    Its a flawed report, it merely states that 20% of apps are insecure in respect of the fact that you allow them powers that could be misused.

    It ignores the fact that you have to allow the programs the privileges on install, and that these Apps need these permissions to do what you downloaded them for. Pray tell just how would messaging apps like Handscent be able to work if they weren't "insecure"?

    Its a BS report compiled to scare people into the arms the the companies like the one who commissioned it who work in phone security.


Advertisement