[commenter not captured]
so what were the security permissions requested by this app at the time of installation? i have to imagine that if it was taking web browsing history that it would have needed more permissions than just "uses network data".

there | 15 years ago
android's fine-grained security permissions, where the author has to explicitly request each type (network use, prevent the screen from turning off, etc.) and the user is shown the list of permissions requested before installing, are good from a security standpoint, but i think it's ended up being like windows vista. users either don't read, don't care, or don't understand what is being asked of them and they just click whatever is needed to continue. even an advanced user can't tell the difference between a free app requesting network access to download advertisements and a malicious one using it to upload private information.

orangecat | 15 years ago
> users either don't read, don't care, or don't understand what is being asked of them and they just click whatever is needed to continue.
True. That's sort of ok as long as advanced users can tell when something fishy is going on and flag the app.
> even an advanced user can't tell the difference between a free app requesting network access to download advertisements and a malicious one using it to upload private information.
Also true. The Internet and SD card permissions are all-or-nothing, and therefore essentially useless. Apps should be able to declare that they only contact specific hosts or access specific directories, and there should be a standardized directory for per-app storage, like "Application Support" on OS X.

jsz0 | 15 years ago
It's a rarity to see any Android app that doesn't require half a dozen different permissions. I just installed the Google Maps update and it requires 9, including the ability to read my phone call logs (??)

[commenter not captured]
And it DID request more than that. The thing is that these wannabes like to paint themselves as "security experts", so they conceal facts and tell the story to the masses of non-techie users and scare them. Then they sell a bogus security app.

[commenter not captured]
Just out of curiosity, when an Android app is updated, how are permissions handled? Do you receive a prompt to allow new privileges, or does it assume you approve of it already?

maxjg | 15 years ago
You bring up an astute point on the vague "network access" permission, but there's really not an easy answer to this. How would you fix it? Ask the developer to simply say what the access will be used for? In a malicious app, they'd obviously just lie. Short of actually displaying what data an app is sending, I don't see an easy answer.

cludwin | 15 years ago
Again, since the article doesn't mention which app was malicious it's hard to say, but when I looked up the wallpaper apps developed by "jackeey,wallpaper" I see the apps requiring the following permissions:
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.SET_WALLPAPER
android.permission.WRITE_EXTERNAL_STORAGE
It seems strange for a wallpaper app to require internet access.
jlgosse | 15 years ago
1. Google has failed to tell any of us this,
2. I don't even know if I had any of the vendor's applications in the past, as they have been removed entirely, AND
3. Google has failed to tell any of us this!
I mean what the hell, at least send us an email telling us that because we downloaded AppXYZ, our data has been compromised by some low-life(s) in China. I'm going to end up being a lot less likely to download random apps now, not only because of this really sketchy incident, but because of the lack of transparency on Google's part.
Damn.

[commenter not captured]
Does Android have the ability to remotely kill applications like iOS? If so, perhaps they did that, so your app just disappeared if you had it.

SoftwareMaven | 15 years ago
I was going to say "I can't imagine Google hushing up a security issue", but it does have the potential to get thrown in their face by Apple: "See, our walled garden is a good thing." (Not that I believe for an instant that Apple's approval would catch something like this.)

TeHCrAzY | 15 years ago
It's quite clearly stated, when you install an app from the market, what permissions it is requesting. If your wallpaper app wants to know your location, SMS content etc. etc., and you still install it, more fool you.
A typical case of overblown 'user failure', not Android security model failure. If a wallpaper app wants internet access and you allow it, you really only have yourself to blame.

jacquesm | 15 years ago
Wallpaper, cursor packages, screen savers and other dumb 'customisation' gadgets have been malware vectors on the Windows platform for about 15 years now, why would phone platforms be any different?

nailer | 15 years ago
Because this wasn't some random APK downloaded directly from the internet and thrown onto a phone after the 'APKs from the internet might harm your security' message.
It was uploaded to Android Market and provided by Google, who, as an arbiter of content, should realize that 'collect phone data' isn't an appropriate permission for a wallpaper.

orangecat | 15 years ago
I'm pretty sure the article is not entirely accurate. There are several apps from "Jackeey Wallpaper" in the Android Market, all of which seem to be apps to download wallpapers of various themes. The dozen or so I've checked have these permissions:
- "modify/delete SD card contents"
- "coarse (network based) location"
- "full Internet access"
- "read phone state and identity"
As far as I know none of those allow reading your browser history or text messages, and certainly not your voicemail password. We need to see a network capture of what was sent to their site.
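As an added example (not code from the thread or from Android), here is a small Python audit that takes a permission list like the one cludwin posted, or `aapt dump permissions` output in the format assumed below, maps each permission to the data it unlocks under the install-time model, and checks whether reported claims (browser history, text messages, voicemail password) could be supported by those permissions at all, which is orangecat's point above. The data map and the wallpaper baseline are my own illustrative choices.

```python
import re
# Data each install-time permission unlocks (Android API <= 22 model). The map is my own
# illustrative summary, not an exhaustive one.
PERMISSION_DATA = {
    "android.permission.INTERNET": {"upload to any host"},
    "android.permission.ACCESS_NETWORK_STATE": {"connectivity state"},
    "android.permission.ACCESS_COARSE_LOCATION": {"approximate location"},
    "android.permission.ACCESS_FINE_LOCATION": {"precise location"},
    "android.permission.READ_PHONE_STATE": {"device and subscriber IDs", "phone number"},
    "android.permission.WRITE_EXTERNAL_STORAGE": {"SD card contents"},
    "android.permission.READ_CONTACTS": {"contacts"},
    "android.permission.READ_CALL_LOG": {"call log"},
    "android.permission.READ_SMS": {"text messages"},
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": {"browser history"},
    "android.permission.SET_WALLPAPER": set(),
}
# What a wallpaper downloader plausibly needs; anything beyond this deserves a question.
WALLPAPER_BASELINE = {
    "android.permission.SET_WALLPAPER", "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
PERM_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]*\.permission\.[A-Z_]+")

def parse_permissions(text):
    """Pull permission names out of a bare list or aapt-style 'uses-permission:' lines."""
    return set(PERM_RE.findall(text))

def audit(text, baseline, claimed_data=()):
    """Return what the declared permissions reach, which are unexplained for this app
    type, which are unknown to the map, and which reported claims they cannot support."""
    perms = parse_permissions(text)
    reachable = set().union(*(PERMISSION_DATA.get(p, set()) for p in perms))
    return {
        "reachable": reachable,
        "unexplained": perms - baseline,
        "unknown": {p for p in perms if p not in PERMISSION_DATA},
        "unsupported_claims": {c for c in claimed_data if c not in reachable},
    }

# Constructed input: the six permissions quoted in the thread, in aapt-like form (assumed).
SAMPLE = """uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'"""

if __name__ == "__main__":
    claims = ["browser history", "text messages", "voicemail password"]
    for key, value in audit(SAMPLE, WALLPAPER_BASELINE, claims).items():
        print(f"{key}: {sorted(value)}")
```

Running it on the sample flags ACCESS_COARSE_LOCATION and READ_PHONE_STATE as unexplained for a wallpaper app and reports all three claims as unsupported by the declared permissions, which is exactly the check a reader of the article would want before accepting its description.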
credo | 15 years ago
1. The current approach (which made it possible for the wallpaper app to steal user data from millions of users)
2. Prevent apps from accessing data such as voicemail password, web browsing history etc. (but it is possible that some apps may have a legitimate reason to do this and blocking these apps may not be fully consistent with the open platform goals)
3. Throw a big warning message EVERY time an app tries to access sensitive data (or perhaps for the first 10 times and the first 10 days...). It is a compromise solution, but users may find this annoying.
Either way, this is a somewhat tough problem.

cubicle67 | 15 years ago
Do the security dialogs reflect the differing levels of importance of the data you're providing access to? If an app is requesting access to my voicemail password, I'd expect a pretty big red strobe light stuck on the dialog; something to really catch your attention, especially if you're trying to 'yes' your way through 9 (the number stated by jsz0 for Google Maps) of the things.

srjk | 15 years ago
This scared me. I just installed a wallpaper app yesterday and while doing so thought "that's weird, why does it need my personal information, phone calls etc." But I still got the app. I guess my excuse is being used to my iPhone; I didn't think about exactly how much access I was granting to this random app.
Anyway, I just checked, and the wallpaper app I had wasn't from jackeey. It's a top free app on the marketplace named Backgrounds by Stylem Media. And it requires access to network communication, personal information, storage, phone calls, and system tools.
I have no idea how the warnings are generated. Maybe devs are just including random libraries in their app (copy paste?) which are setting off these warnings? If not, why does this wallpaper app need my personal info?
Anyway, good wake-up call, I will definitely be more careful wrt what I install on my phone.
EDIT: App request: something that logs/polices information going out from my phone. Firewall? We'll be needing an anti-virus next :(
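The two ideas above, orangecat's suggestion that an app declare the specific hosts it will contact and srjk's wish for something that logs what leaves the phone, combine naturally into one check; the following Python is an added example of that check, not code from the thread or from Android. Both the per-app host declaration and the outbound connection log format are assumptions of mine, and the log lines are constructed.

```python
from collections import defaultdict
from fnmatch import fnmatch

# Assumed per-app declaration (not an Android feature): host patterns the app says it contacts.
DECLARED_HOSTS = {
    "com.example.wallpapers": ["cdn.example-wallpapers.invalid", "*.admob.invalid"],
}

# Constructed outbound connection log: "<epoch> <package> <host>:<port> <bytes_out>"
CONN_LOG = """1280000001 com.example.wallpapers cdn.example-wallpapers.invalid:80 412
1280000002 com.example.wallpapers ads.admob.invalid:80 930
1280000005 com.example.wallpapers collect.unknown-host.invalid:80 65120
1280000009 com.example.wallpapers collect.unknown-host.invalid:80 58240"""

def parse_log(text):
    """Parse the assumed log format into (ts, package, host, port, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        ts, pkg, dest, nbytes = line.split()
        host, port = dest.rsplit(":", 1)
        records.append((int(ts), pkg, host, int(port), int(nbytes)))
    return records

def host_declared(pkg, host):
    """True if the host matches one of the patterns the app declared (wildcard = subdomains)."""
    return any(fnmatch(host, pat) for pat in DECLARED_HOSTS.get(pkg, []))

def find_violations(records, upload_threshold=50_000):
    """Group traffic to undeclared hosts per (app, host) and flag large uploads."""
    undeclared = defaultdict(lambda: {"connections": 0, "bytes_out": 0})
    for _, pkg, host, _, nbytes in records:
        if not host_declared(pkg, host):
            undeclared[(pkg, host)]["connections"] += 1
            undeclared[(pkg, host)]["bytes_out"] += nbytes
    return {key: dict(val, large_upload=val["bytes_out"] >= upload_threshold)
            for key, val in undeclared.items()}

if __name__ == "__main__":
    for (pkg, host), info in find_violations(parse_log(CONN_LOG)).items():
        print(f"{pkg} -> {host}: {info}")
```

The ad and CDN connections pass because they match the declaration; the undeclared collector host is reported with its total upload volume, which is the kind of signal maxjg's "display what data an app is sending" would need.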
rodh257 | 15 years ago
So the iPhone is too closed, and Android is too open.
In my opinion, they should have a quality-assured Market, but keep the ability to load .apk files whenever you want (and also the ability for others to create their own market).
Quality assurance on the Market should mainly be about the maliciousness of applications.
It sounds stupid arguing for Android to be more closed, but really Google is very slack with their Market.

drivebyacct2 | 15 years ago
QA at Apple would not have stopped this. I'm not surprised that people fall for this BS. Apple would have caught this just like Apple would have caught a flashlight with a SOCKS tunnel, right?
If the App requests permission, wtf do you expect? I don't think Google even has an obligation to remove or crack down on these types of apps.

orangecat | 15 years ago
If you search the market for "Jackeey" you'll get several dozen wallpaper apps. I think the article is treating all of them as a single app, which explains the "1.1 to 4.6 million" downloads: they just added up the lower and upper bounds of the ranges for each individual app. And as I said above, they don't appear to be requesting permissions that would let them do most of the nasty things described.

jim_h | 15 years ago
I've gotten very selective about which Android apps I install. It seems like some apps ask for more access than I would like to give them and more than I think they need.
argsv | 15 years ago
This seems like a clear warning to me for a wallpaper app. Would you install such an app on your PC/Mac?

papertiger | 15 years ago
Does anyone know the app name?

cludwin | 15 years ago
The article doesn't mention which app was malicious; however, they did mention that the app publisher went by the name of "jackeey,wallpaper".
I ran some queries and it seems like the developer that publishes apps under "jackeey,wallpaper" also publishes under "jackeey.wu".
A list of the apps published by this developer is here (most of which are wallpaper apps):
http://andbot.com/developer/jackeeywallpaper
http://andbot.com/developer/jackeey-wu
http://andbot.com/developer/jackeeywu