
One in five apps insecure...

  • 23-06-2010 11:43am
    #1
    Registered Users Posts: 234 ✭✭


    From the Komplett blog...

    In a worrying development for any Android worshippers out there, security software experts SMobile Systems has released a report which claims that one in five Android mobile phone applications is insecure.

    "Some of the apps could make calls and send text messages without the mobile user doing anything."

    SMobile Systems said that 20% of the 48,000 apps in the Android marketplace allow a third-party application access to sensitive or private information.

    Dan Hoffman, CTO at SMobile Systems warned that just because it’s coming from a known location like the Android market or the Apple App Store that doesn’t mean you can assume that the app isn’t malicious or that it has undergone a proper vetting process.

    An Inquirer report on the matter tells how, “Some of the apps could make calls and send text messages without the mobile user doing anything, the report said. Also, more than five% of the apps can place calls to any number and two% can allow an app to send unknown SMS messages to premium numbers. SMobile Systems said that dozens of apps were found to have the same type of access to sensitive information as spyware.”

    As the Inquirer notes, a report like this from a company such as SMobile is usually all done to sell more security software but the findings are still interesting nonetheless. Indeed, the area of apps security will be a well trodden subject over the next year to 18 months.


Comments

  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    Have they named any of the apps in question?


  • Registered Users Posts: 234 ✭✭Yelnahs


    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    The full whitepaper can be found here...


  • Moderators, Recreation & Hobbies Moderators, Social & Fun Moderators, Sports Moderators Posts: 12,802 Mod ✭✭✭✭Keano


    As the Inquirer notes, a report like this from a company such as SMobile is usually all done to sell more security software but the findings are still interesting nonetheless

    ...


  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    Yelnahs wrote: »
    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    The full whitepaper can be found here...

    Thanks, I'll give that a read.


  • Registered Users Posts: 14,329 ✭✭✭✭jimmycrackcorm


    Don't all apps have to specify their required permissions in the deployment manifest so that you get notified when you install?

    I think that the user should be asked if and when the app first tries to make a call or send a text. It's too easy to ignore the notification when installing.


  • Registered Users Posts: 280 ✭✭BeciMester


    I think that the user should be asked if and when the app first tries to make a call or send a text. It's too easy to ignore the notification when installing.
    I dunno if it's the same thing but Estrong file browser is granted access to Bluetooth when installing, yet when I try to use it from within the app, Android (not the app) asks for permission. I think it's in there.


  • Registered Users Posts: 2,370 ✭✭✭Knasher


    In fairness all the apps they list have to ask for permission to perform any of the activities they mention during the install phase. So it's not like people could accidentally install one of these, probably just a third party who wants to spy on the user for whatever reason. Additionally even though the permissions they are talking about can be used for nefarious purposes, 99% of the apps that request them do so for good reason (one of the apps in the paper performs functions similar to Apple's find my phone service), and I suspect that they still count those apps in the 20% of insecure apps count.

    I guess it comes down to a choice between security and openness, I personally prefer the freedom to do whatever I want with my devices. It falls on me not to allow people I don't trust access to my phone, or indeed any of my stuff. Admittedly a lot of those apps won't function on the iPhone but at the same time they lose a lot of useful functionality. There are also instances where Apple's tight grip on the app store will benefit the customer (such as if any malware ever shows up on it) and times when it will put them at a disadvantage, so choose your poison.

    One feature that probably should be added to Android is if an app requests certain security features (perhaps any of the orange ones) then the user would have to authenticate to install that app. At least then you would avoid people installing this specific type of spyware behind your back.


  • Registered Users Posts: 7,713 ✭✭✭Bluefoam


    The statistics are basically ridiculed here:
    http://www.theregister.co.uk/2010/06/23/android_security/

    sounds like Apple commissioned the survey...


  • Registered Users Posts: 3,207 ✭✭✭hightower1


    TBH it's not the apps that are unsecure, as it's been said that when installing the apps it needs permission and is very clear in the description that it will access outbound comms using mail or text.... that's the whole point of these.

    The real issue is your partner / sibling / friend tampering with your handset!


  • Registered Users Posts: 2,164 ✭✭✭hobochris


    These so-called security flaws are the beauty of Android.

    Rather than have to get a Midlet signed to use certain features at great expense (Symbian), or put your app up at the mercy of someone who, at a whim, can decide to reject it for poops and giggles (Apple), Android lets the user know what resources, such as call access and texts etc., the app uses and allows the user to make a decision.

    Oh noes, Android doesn't subscribe to the constrictive security methodology of other mobile operating systems, which in turn puts them at an advantage, quick, let's commission a skewed hysterical report to discredit it. :rolleyes:


    Hmm... wonder who's bankrolling this?


  • Registered Users Posts: 2,370 ✭✭✭Knasher


    What's amusing is that whatever security stuff they offer would probably have to request a lot of the same permissions, and would therefore add to the 20% insecure figure.


  • Closed Accounts Posts: 2,916 ✭✭✭RonMexico


    Bluefoam wrote: »
    The statistics are basically ridiculed here:
    http://www.theregister.co.uk/2010/06/23/android_security/

    sounds like Apple commissioned the survey...

    Bingo we have a winner!

    I was having a conversation with a guy who works for Apple, he is involved with overseeing the app store and when I dared question the worth of their newest toy the first thing he threw at me was the app security for Android. Thankfully I had read the above article and shut him up pretty quickly with it.

    Slightly off topic: On TV3 last night they said the new iPhone costs £500 in the North :eek:


  • Registered Users Posts: 55,453 ✭✭✭✭Mr E


    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).


  • Registered Users Posts: 19,496 ✭✭✭✭Krusty_Clown


    Mr E wrote: »
    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).
    Presumably only apps that you install from the market. I mean any other apps that you self-install couldn't violate the market's terms and conditions, right, so Google wouldn't have the means (or the motivation) to remove them.


  • Registered Users Posts: 3,495 ✭✭✭Abelloid


    Mr E wrote: »
    Google can automatically remove dodgy apps remotely too (and they've done it to two apps).

    Jebus. Does Obama know about these 'kill switches'? :pac:


  • Closed Accounts Posts: 3 TomDork


    Yelnahs wrote: »
    They seemed to have done a case study based on the "Girlfriend Text Message Viewer", "SMS MESSAGE SPY PRO/LITE" and "THEFT AWARE" apps which have such flaws.

    As far as I can see these are the only named apps.

    Hi all!

    I am member of the Theftaware Team. We also read that article.
    What the writer claims is, that if Theft Aware is used in the
    wrong way, like for spying, it could be considered spyware.
    However if you use Theft Aware in the way it is INTENDED to
    be - just install it on your own phone - it is NOT. So - there is no
    flaw.

    Somehow it's like blaming a kitchen knife to be an instrument
    of murder. It depends on how the customer uses it.

    We state clearly that it is FORBIDDEN to use our tool for spying
    on other people as this is ILLEGAL.

    I hope this clarifies the situation.

    We also appreciate the openness and "pro-choice"-way of Android.
    The user has to take some responsibility but gains a lot of
    functionality in exchange.

    ...and of course: give theftaware a try - you'll like it too

    Edit:
    CNET wrote about that whitepaper too - a few days later they retracted their article since the whitepaper was merely a marketing gag.
    CNET retracts article on Android app privacy threat


  • Registered Users Posts: 7,713 ✭✭✭Bluefoam


    It seems that people can hijack your iTunes account and spend your money if you have an iPhone - seems to be fairly common:

    http://www.theregister.co.uk/2010/07/05/itunes_app_store_manipulation/


  • Closed Accounts Posts: 3 TomDork


    Bluefoam wrote: »
    It seems that people can hijack your iTunes account and spend your money if you have an iPhone - seems to be fairly common:
    http://www.theregister.co.uk/2010/07/05/itunes_app_store_manipulation/

    ...and this is of interest on the Android board because...?


  • Registered Users Posts: 10,992 ✭✭✭✭partyatmygaff


    TomDork wrote: »
    ...and this is of interest on the Android board because...?
    It seems likely that Apple may have pushed for this "study" to be carried out.


  • Closed Accounts Posts: 3 TomDork


    ...and Steve Jobs molests aliens in his cellar. (we are on the same level of proof and guessing here)


  • Registered Users Posts: 13,734 ✭✭✭✭Inquitus


    It's a flawed report, it merely states that 20% of apps are insecure in respect of the fact that you allow them powers that could be misused.

    It ignores the fact that you have to allow the programs the privileges on install, and that these apps need these permissions to do what you downloaded them for. Pray tell just how would messaging apps like Handscent be able to work if they weren't "insecure"?

    It's a BS report compiled to scare people into the arms of the companies like the one who commissioned it who work in phone security.

