Spyware: A Real Problem on Android or Just Media Hype?



Earlier today Chuong reported on Lookout's App Genome Project. According to their report, a number of Android apps "could have the potential to be spyware".

While spyware (and other forms of malware) has been a problem on desktop computers, Android was built from the ground up with a different architecture to help expose what permissions you're giving to a particular app before you install it.

This is a bigger deal than it sounds. Every time you install an app you're told what access that app will have, and asked if that's okay. If it's not, you're given the chance to "Cancel" the installation.

The problem with this approach is human nature. You find a cool app, you want it on your phone, and you just tap "OK" to start it installing -- without reading and understanding the permissions the app is asking for.

Take Google's My Tracks, for example. This is an app that tracks your location and plots it using Google Maps to show where you've gone. Bikers and hikers love this app because it can report distance traveled, altitude traversal, and make a map of their routes and trails. It can even save this information to your Google Account. Cool, huh?

To do this, the app needs access to your location, network communications (to download the map images and upload your position points, etc.), your account information (to be able to save your "Tracks" to your Google Docs account), and some system tools (to keep your phone from going to sleep so the app can monitor your position). Before you install this app all of these permissions are presented to you, and you're asked if you still want to install the app.

That's the "human nature" problem I'm talking about. It's a cool app, you want it, so you tap "OK" without asking "Why". In this case, all those permissions are needed. If you're okay with allowing the app to have access to that information, tap "OK".

Some apps, such as some wallpaper apps, have been asking for all sorts of permissions that don't seem to be in line with their intended purpose. This should raise some red flags in your mind. Why would a wallpaper need access to your accounts? Your location? Your sdcard? Why would it need to know your phone number, and be able to make phone calls or send SMS messages? Why would it need network access?

That's not to say that all wallpaper apps ask for those permissions, but you should be able to answer these questions to your own satisfaction before you tap "OK" to install the app. LevelUp Studios' Beautiful Wallpaper, for example, needs to know where you are because it shows you the weather in your location. In this case it makes sense that a wallpaper should have access to your location. Another app may download new wallpapers for you on a scheduled basis, and therefore need access to your network communication and your sdcard (if it's storing the images there).

Why would a wallpaper app need access to your phone number, be able to make calls, or send text messages? I honestly don't know. There might be a legitimate reason, but unless I know that reason, I'm going to say "Cancel" until I find out. How? Ask the developer. If you don't get a response, you're probably safer to move along to another app. If the response doesn't "feel" right, move along. If you get a good answer that makes sense, it's up to you.
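The "can I explain every permission?" check described above can also be run against an app's manifest. The following is an added example, not code from the original post or from any app it mentions: it assumes the manifest has already been decoded to text XML, and the feature names and the feature-to-permission mapping are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: which permissions a stated feature reasonably explains.
JUSTIFIED_BY = {
    "set_wallpaper": {"android.permission.SET_WALLPAPER"},
    "local_weather": {"android.permission.ACCESS_COARSE_LOCATION",
                      "android.permission.ACCESS_FINE_LOCATION",
                      "android.permission.INTERNET"},
    "download_wallpapers": {"android.permission.INTERNET",
                            "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample manifest for a hypothetical wallpaper app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
""".strip()

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def unexplained_permissions(manifest_xml, stated_features):
    """Permissions requested that none of the app's stated features explain."""
    unknown = set(stated_features) - JUSTIFIED_BY.keys()
    if unknown:
        raise ValueError(f"no baseline for features: {sorted(unknown)}")
    allowed = set().union(*(JUSTIFIED_BY[f] for f in stated_features))
    return [p for p in requested_permissions(manifest_xml) if p not in allowed]

if __name__ == "__main__":
    # A wallpaper that also shows local weather: location and network are
    # explained, phone, SMS and account access are not.
    for perm in unexplained_permissions(SAMPLE_MANIFEST,
                                        ["set_wallpaper", "local_weather"]):
        print("ask the developer about:", perm)
```

An empty result means every requested permission is explained by a stated feature; anything listed is a question for the developer, not proof of spyware.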

Lastly, what words mean is important. An app that harvests your phone number and sends it to China may, at first, seem like spyware. After asking the developer why he does this, he may explain that it's to back up your wallpaper preferences so when you reinstall the app after a wipe (or after getting a new phone) your preferences are remembered and restored. Google saw this as an issue and has enabled apps to store such information in your Google account -- with Android 2.2 (Froyo). Not all phones have Froyo, so this can't be implemented across the board yet. Some developers have been creative with duplicating this functionality on non-Froyo devices.

This last scenario would be more a case of "over-zealous" information collecting than it is "spyware", but reports like Lookout's don't make this differentiation. Then major news sources run with the story without doing actual "journalism" and the "problem" is sensationalized.

Don't be taken in by media hype. Android is giving you all the information you need to know about what your apps have access to. Read and understand the warnings, ask questions, and make informed decisions. When all else fails, ask the developer.

Via: (PocketNow)
