The wait to get apps onto the Apple App Store, caused by the long vetting process Apple applies to every app allowed to run on the iPhone, has been the source of much developer and user ire. That vetting process is looking good today after reports that millions of Android users may have had data stolen by a nefarious app.
AppleInsider reports that an app on the Android Market offering custom background pictures was downloaded between 1.1 million and 4.6 million times. The exact number of downloads is unknown because the data isn’t offered.
The app was actually a malicious program that collected the user's browsing history, text messages, SIM card number, and voicemail password, among other things. All of that data was then forwarded to servers in China. It’s not clear what the app was called, but if you downloaded anything like that, it’s time to change passwords.





And the Apple vetting process doesn't look all that much better since a kid was able to sneak a tethering app into the market as a flashlight. So what else is in the Apple market that Apple doesn't know about? Apple only found out about that from outside. If you look at the article that this Android security story is coming from, it also says that there are even more Apple apps getting access to your contacts and personal data behind the scenes than there are Android apps. On iOS you can't see what permissions the apps are asking for, so there could potentially be all kinds of data theft going on in the walled garden. But I'd think an Android site would do a tiny bit of research first.
It's like saying "4 million people bought poisoned meat at the store, but we don't know what kind of meat or what brand." Good way to scare folks.
At least the first comment suggests a name of the company, but it's not clear what the app is.
If the app's that bad, maybe Google would/should exercise that remote kill switch that made all the news a few weeks ago.
As for the vetting process with Apple, talkbackdroid's right, who knows what's slipping past Apple given the multiple apps that have been pulled post-release because of things hidden in them that Apple didn't catch.
However, Android's warnings about what access the app you're installing has are so overkill that the vast majority of users surely just say okay no matter what. After all, they want the app. Virtually every app I install pops up warnings about access to my data, hardware, whatever. I think this is a false sense of security to think that these warnings are doing any good for the bulk of users.
sent from SVGS using the Almighty "Android" app
Anyways, it's wallpapers by jakeey. The guys who found the stuff are cautious to actually say malicious activity, but they're saying it's odd to have a wallpaper app phone home with your contact information. I certainly agree with that.
It can (among other things):
So as it stands right there, that's enough to grab all your contact information (names, addresses, dates of birth, pictures of them, etc.), and everything on your SD card, which includes stuff other apps store like caches of Tweets, emails, or anything else stored by an app if you use Apps2SD. It could then send all that to anywhere on the internet.
But that's not all...
Remember this article: http://androidandme.com/2010/06/news...eth-apps-away/
In other words, any app with full internet access can retrieve new executable code that can do anything it likes, and run it without the user ever being aware, as demonstrated by the app mentioned in the article I linked, and as removed by Google remotely using their remote REMOVE_ASSET command.
Which brings me to my next point... if this were true, I'm sure Google would have used that REMOVE_ASSET feature already, especially given their already strained relationship with China and user privacy.
"If ignorance is bliss..then knock the smile off my face" RATM
You wouldn't believe the amount of people that download blindly..
Sent from my Nexus One using Android Community App
He actually downloaded one of that guy's apps last night. I just checked and uninstalled it. Then showed him the permissions. I doubt it will help.
I work on computers and fix PCs for a part-time job and you would be amazed at how much dumb **** and unsafe things people do and have on their computers.. As Android gets bigger, Google will need to implement some sort of approval process eventually. I'm guessing.
Interesting story. Still seems pretty meh and overdone.
Anyway, she sat down to view a few web pages. Including one I've never even heard of before that she used to find torrents, which can only be downloaded if you click a bunch of adverts. Of course her browser popped up a security warning. Did she read it? Did she click Cancel? Did she hell! I watched in HORROR as she quickly (very practised, you see) clicked Accept, and then when Windows popped up its access control warning she instantly clicked on Continue to allow it to run as Admin. She then started complaining that "It's doing that thing again!".
Sent from my Nexus One using Android Community App
And all we know is the author of the app is "jackeey,wallpaper". You can see a list of all of their apps here: http://www.androidzoom.com/android_d...aper_bofz.html
Sent from my Nexus One using Android Community App