Better Mobile App

Should there be any worries about security?

Im still pretty new to the smartphone world. But after looking at various apps I noticed the app declares a list of permissions it will need to certain files on the phone. Im just concerned that any one of these apps are gathering sensitive information like our contacts or notes on our phones. How do we know exactly what is being accessed and sent out. I just realized an app like mixzing sends the developers information about the songs we listen to, our playlists, etc.. Now Im not too concerned about this in particular, but how do we know what other information they or any other developer are grabbing from our phones? On a PC you atleast have a firewall, router, security sofware, etc..

Its interesting that someone finally asked this question. I asked this very thing since i.had my G1.
I am in infomation security and as a security researcher, ive used a rooted device and the shark app which is like wireshark for packet captures from your phone. You could always stick your vibrant on your wireless network and watch the packets there as well.
Take a peek at this screengrab from an alt keyboard install from the sticky page. I would not trust any app at all
On a side note, if you saw the forensics app for these phones...wow
Sent from my SGH-T959 using XDA App

there have been apps said to collect sensitive data that it doesnt need to function... In russia there was also a tip calculator that sent sms messages to various numbers without your knowledge... at the moment there is no virus, or worm, or trojan for android atleast not on this side of the world...
Just be careful what you download, always read the apps permissions..

Or download a app that scans applications, I personally use Lookout. Not because im paranoid about viruses but there are other features implemented such as losnig your phone and includes tracking.
It's on the market, "Lookout."

Lookout is a great tool to have. I use it on all my phones, out scan every app as you install, if its bad, it'll tell you
Sent from my SGH-T959 using Tapatalk

paradox4286 said:
Lookout is a great tool to have. I use it on all my phones, out scan every app as you install, if its bad, it'll tell you
Sent from my SGH-T959 using Tapatalk
Click to expand...
Click to collapse
SO how man y, if any, bad apps have you encountered? I havnt bought into the whole AV for mobile phones yet. I understand the potential risk, but the real world risk seems minimal to nearly nonexistant at this moment. Now I will probably be one of the first ones to go palm to face when the first virus makes its way around and I get it, but for now i'll stick with the ignorance is bliss unless this lookout app is actually kicking back potential risks.

Chief Geek said:
SO how man y, if any, bad apps have you encountered? I havnt bought into the whole AV for mobile phones yet. I understand the potential risk, but the real world risk seems minimal to nearly nonexistant at this moment. Now I will probably be one of the first ones to go palm to face when the first virus makes its way around and I get it, but for now i'll stick with the ignorance is bliss unless this lookout app is actually kicking back potential risks.
Click to expand...
Click to collapse
It's 0.. I use it mainly incase I lose my phone. That's the thing about Lookout, it isn't intrusive at all. It runs weekly scans (disabled if you want), and scans when you install a new application.
It has a lot of other functionality other than scanning for malicious applications.

Is your app spying on you?

Most of the app now require acces to the phone calls..even a news app requires it, sms app such as go sms also requires it. So I want to know after knowing that an app will be able to acces your phone call you still download it? And does anyone in what way the developers use such info?
Sent from my E10i using XDA App

Excellent topic, I'm really troubled by this. The business world makes a whole lot of money based on the average persons inertia - their lack of information or willingness when it comes to the products and services they use and the money they use to pay for them. Particular mobile phone network providers come to mind, who are happy to charge the most expensive prices because people don't know or don't care.
This lazy attitude is seeping into the Android app world. It will be a small per centage of us who will realize this threat and do something about it - exactly like cookies and public wifi privacy etc.
For those of us already interested, are there websites or apps which can guide us on this?

I had thought about it before but it seemed to be all apps out there at least need to access your internet, calls, phonebook and etc.. Not sure really if some of these nasty apps has the evil purpose to steal our vital informations in the phone... say if we're checking our bank account or something similar..
What I practice:
1) Installed AVG pro and do scan regularly, and set to scan every newly installed apps.
2) Use both cache cleaner and history eraser to clean up all traces once a day.
3) Hope they don't see me as a target.

Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!

Deehee3 said:
Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!
Click to expand...
Click to collapse
What about data? When you install an app in most cases you allow data access to it.

Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App

Deehee3 said:
Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App
Click to expand...
Click to collapse
What if not? What if app you´ve installed is spying on you and sending info to hackers. How would you know?

On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...

On other systems, apps usually have an user/administrator scheme, where the 'user' has access to some things and 'administrator' has access to everything.
There is no such thing on Android (except if you have a rooted phone and some app asks for superuser access, but you get a requester asking for permissions as well).
Each app has to specifically ask for permissions or the system will deny it. A spyware has to ask for those permissions or it won't work.
Some permission requests to look out for:
- "Call phone"
can be used by the application to silently dial some "premium" numbers
- "Send SMS"
can be used to send SMS to special "premium" numbers
- "Record phone calls"
can be harmful if associated with "internet access" permission
- "Access fine location"/"access coarse location" and "internet access"
can be used for tracking purposes
Many apps ask for:
- "Phone identity" / "internet access"
they use it for "statistics purposes" (flurry.com mostly) but it is bad. The developer should always inform the user about those.
BTW, that an app is open source makes no difference. Someone can always (willingly or not) tamper with the final build. And not everyone reviews open source apps.

zapek666 said:
A spyware has to ask for those permissions or it won't work.
Click to expand...
Click to collapse
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?

ppirate said:
On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...
Click to expand...
Click to collapse
Don´t tell me that you evaluate the source code of each application you load from the market. And even so, how would you know the difference between what is shown to you and the final build, available on the market?

vlissine said:
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?
Click to expand...
Click to collapse
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Android apps are all sandboxed into their own homes.
A good example of a suspicious application is HTML5 Reference.
"This HTML5 reference lists all tags supported in the HTML5 specification.", fine. Let's look at the permissions:
Network communication: full Internet access
Phone calls: read phone state and identity
While the first 2 could be produced as a side effect of the developer implementing some "statistics library" (flurry.com or so), the next 2:
Your location: fine (GPS) location
Your personal information: read sensitive log data
Are a giveaway that this app does a bit more than just listing HTML reference tags

zapek666 said:
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Click to expand...
Click to collapse
Ok, how about a picture viewer, which usually picks pictures from each and every
directory, no matter if you want it (and not only from memory card).

Hey vlissine and zapek666. You both have a point.
One individual cannot review every code he or she uses. And also one does not only uses his or her own builds of the projects. But every now and then, I have to go into a project, mostly to add functionality. During that time, I usually have to go over a lot of code to understand the program. It is no guarantee, but you can imagine that some strange code will stand out.
I'm surely not the only person. So while one individual is not capable of such an endeavor. A lot are.
Your other point is as valid as can be. But here again, builds are comparable.
Surely, one does not have to find himself or herself obliged to use certain kind of projects. But to me, when I have the change, I use and support the open source project. One important reason is because of the concern raised by the original poster!

http://googlemobile.blogspot.com/2011/03/update-on-android-market-security.html
Apparently we were not that paranoid, thinking of spying apps

Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..

farsight73 said:
Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..
Click to expand...
Click to collapse
One more option - stop giving stupid advises when you have nothing to say.

maybe apps need to call functions or need it to run?
write them your self if your that bothered?
...
Sent from my E10i using the XDA mobile application powered by Tapatalk

Researcher Says That 8% of Android Apps Are Leaking Private Information

http://digitizor.com/2011/07/21/android-malware/
Android has had its fair share of malware problems. Whenever malware are detected, Google reacts swiftly and remove them. However, according to security researcher Neil Daswani, around 8% of the apps on the Android market are leaking private user data.
Neil Daswani, who is also the CTO of security firm Dasient, says that they have studied around 10,000 Android apps and have found that 800 of them are leaking private information of the user to an unauthorized server. Neil Daswani is scheduled to present the full findings at the Black Hat Conference in Las Vegas which starts on July 30th.
The Dasient researchers also found out that 11 of the apps they have examined are sending unwanted SMS messages.
Google needs to take charge
This malware problem on Android has become too much. One of the main reason that we see malicious apps in the market is because of the lack of regulation in the apps that get into the Android Market.
Sure, the lack of regulation can be good. It means that developers can make their apps without worrying if Google will accept their apps or not. It fits into the pre-existing application distribution model where anyone can develop and publish their own apps.
However, this comes at a price - the malware problem. Yes, most of the problems with these malicious apps can be avoided if only users read the permission requirements of the apps. But, what percentage of the users actually read the permission requirements of all the apps they download?
I think that it is time that Google make approval of the apps a requirement before it gets into the Market. They do not need to do it like Apple, but a basic security check before an app gets on the market will be nice.
If nothing is done about and this problem is allowed to grow, it will end up killing the platform.

Ur a good man
Sent from my PG86100 using XDA Premium App

Get an iPhone then.

Don't know if apple should approve or disaproove since that can slow down the release of new apps, but they need to check, that's for sure.

Yeah, just read permissions when installing applications. A lot of them will state access to personal data (such as contacts, browser history, etc.)
Such apps like MP3 downloaders contain ALOT of this malware.

if you're that paranoid.....LBE Privacy Guard + Droidwall = #winning

This article is very true in sense of lacking of control on big G part. My friend developed an app and he was able to get it into market almost instantly. I was very shocked to find that no scanning or checking was done.
Therefore, it's a risk that we take everyday to use these apps, specially, custom ROMs because who knows what it installed really. Users just need to be aware of their action, and don't use bank apps on rooted devices, or corporate email on rooted devices, or email yourself passwords to your online banking from your rooted devices. My thought is that, if it's out there then somebody can get it these days with all the technologies.

A little bit of common sense when installing apps can go a long way. You stifle the market too much when you cater to the lowest common denominator but then if you don't you get stuff like this.
+1 on Droidwall too, great app. Just don't turn it on and then forget about it before getting it set up properly, it's a pain figuring out why you can't use the internet on anything lol

xHausx said:
A little bit of common sense when installing apps can go a long way. You stifle the market too much when you cater to the lowest common denominator but then if you don't you get stuff like this.
+1 on Droidwall too, great app. Just don't turn it on and then forget about it before getting it set up properly, it's a pain figuring out why you can't use the internet on anything lol
Click to expand...
Click to collapse
hahaha, was tryna to download a new app and wondering why it just stalled kept on saying, downloading..... downloading paused....blah blah!!! lol
turns out it was droidwall (even with market enabled) lol

Yea when a simple clock widget wants to read your contact, data and location but has no ads or settings, I avoided that one.

I prefer the risk of an open system to the purgatory that is a closed system ruled by a draconian company any day.

Oh look iOS does this too.
/troll

DoctorComrade said:
Oh look iOS does this too.
/troll
Click to expand...
Click to collapse
hah, they're at almost 50%

[Q] smart device Manager by location labs

I have an Update for Smart device manager in the android market... But i am unaware of what it does or what it is for... can some explain this to me.

Yea I noticed that update too. I'd like to know if I should update it as well.

You guys might want to look at this link: https://market.android.com/developer?pub=Location+Labs

That is just a list of there applications... that does not tell me what it is ... thank you though...

http://www.locationlabs.com/
You're being tracked.
editater>
More...
Integrate to a single cloud API, and get the location 300MM+ mobile phones across multiple Tier 1 carrier networks – all mobile phones can be located (both smartphones and feature phones) with no app download required.
WE TALK TO THE CARRIERS SO YOU DON’T HAVE TO
ULS does the heavy lifting for developers, and saves you loads of time and money – we hook directly into the location infrastructure of all Tier 1 carrier networks so you don’t have to.
UNMATCHED CARRIER COVERAGE
ULS is the only cross-carrier location platform with coverage across all major US carriers – AT&T, Sprint, T-Mobile, and Verizon – enabling developers to remotely access the location of over 300MM mobile phones today. Don’t believe us? Try it yourself.
PRIVACY WITH NO PROBLEMS
Concerned about location privacy and the ins-and-outs of CTIA and MMA guidelines? ULS handles this for you. We’re not only a location platform, but a privacy-as-a-service platform as well.
FAR MORE THAN JUST “APPS”
Add mobile phone locations to any kind of service – web, mobile web, SMS, voice. We’re not limited to just downloadable smartphone apps!
Click to expand...
Click to collapse

it could be 'carrier id' or simply the app that allows you to do 'parental controls'.. Sprint allows you to track your children's phones etc...
just sayin'

I've noticed that after I updated this app, I've been randomly receiving text messages filled with random text. I'm tempted to uninstall it but I don't know if there will be repercussions.

gollyzila said:
I've noticed that after I updated this app, I've been randomly receiving text messages filled with random text. I'm tempted to uninstall it but I don't know if there will be repercussions.
Click to expand...
Click to collapse
back up the .apk if you can, remove it and if it craps out your phone, re-install..
or make a nandroid backup (if you're rooted) then delete it.. if it craps out, restore..

I got tired of seeing it on app brain so I updated it. Haven't had any issues. I don't even think the app is running.

daddymikey1975 said:
back up the .apk if you can, remove it and if it craps out your phone, re-install..
or make a nandroid backup (if you're rooted) then delete it.. if it craps out, restore..
Click to expand...
Click to collapse
I just got this phone and am new to Android so I don't want to mess with it too much too soon. My temporary solution was to blacklist the sender using Go SMS Pro.

Privacy - Are you ok with apps accessing your location?

Before beginning, I'm outlining two application permissions for future reference.
These were pulled from this article. It also outlines other permissions.
Raju PP said:
fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications.
Click to expand...
Click to collapse
Raju PP said:
coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location.
Click to expand...
Click to collapse
Recently, I've taken an interest in privacy concerns with application permissions. I'm sure several of you are guilty of being unaware of unnecessary app permissions. I have apps on my device that I've had since migrating to Android, long before I concerned myself with privacy. In my recent hunt of cleaning up my application list, I've discovered that many applications have permissions that aren't necessary for it to function. The most common, unnecessary permission I've come across is coarse (network-based) location. As its name describes, this permission allows an app to determine your approximate location (e.g., the large location area shown by Google Maps when GPS is not on).
An example. I use a Wifi Login application to automatically enter login information for campus internet access (it was cumbersome to enter it manually each time). It works wonderfully, but it has this permission (coarse location). I asked myself, "what function of the app needs to access location??" I only need the app to access the internet, nothing else. I also noticed that each day, there was a location service wakelock despite having all location refreshing services turned off (in other apps, latitude, etc.). Upon removing its ability to obtain approximate location, the location service wakelock disappeared and functionality was not affected.
So, there are two concerns: privacy and unnecessary battery usage. While the link between the two is not often made, I'm making it here. Not only was the app (presumably) sharing my location, but in doing so, my battery took a hit. Before someone panics, I don't believe most apps use this maliciously. My guess is that app developers use it for demographic purposes to determine where in the U.S. their application is being used. Obviously not necessary, but an interesting tidbit for the creator of an app. So my question is, are you ok with apps accessing your approximate location? I've seen several games that have location permissions and in no way can that be justified.
Going beyond location permissions, there are obviously other privacy concerns. A number of app developers I've seen list why an application needs certain permissions. In the example provided above, the developer doesn't mention permission uses. In post 2, I will provide methods for identifying and removing app permissions (by using other apps lol - ironic, I know). Below is a good read about applications' additional "costs."
Free apps not truly 'free'

I use two applications to identify permissions: Appbrain Ad Detector and Avast Mobile Security. Appbrain Ad Detector has the ability to notify you when an app you install has "concerns." Avast Mobile Security has a lot of very useful features, one of them being "privacy advisor." Using one or both of these will allow you to determine what permissions are necessary and which ones are not. For what it's worth, I've only had a few apps that I felt had unnecessary permissions. You obviously don't want to revoke Tango access to the camera lol.
EDIT: I was going to suggest getting an application called "App Shield," (has the ability to remove app permissions) but it appears that it is no longer available on the market. It was a paid app that was just under 2 bucks, if I remember correctly. Due to this development, you'll have to find either App Shield or another method to accomplish this.

You can always just email the app creator and ask why they have the permission included. It (usually) takes more than one questionable permission to be truly dangerous.
From what I've read the majority of apps that use coarse location is for determining the ads you see in the app. Better chance of them being relevant to you.
Just like that article you linked, I think it was brought up on an xda portal article (either that or lifehacker love that site) that because of ad supported apps using coarse location, the battery use was higher, and paid apps that remove the ads will lower your battery drain. Not a huge difference, but it can add up.

gr8hairy1 said:
. . .
From what I've read the majority of apps that use coarse location is for determining the ads you see in the app. Better chance of them being relevant to you.
. . .
Click to expand...
Click to collapse
Makes sense. Coincidentally, the example I used is a paid app. The app itself had the permission, as well as the "pro" activation apk. Though it's no longer an issue, I may consider contacting the app developer out of curiosity.

Definitely do that. I have a large amount of apps on my phone, and it's not too uncommon to get an update for an app that removes a permission. Many times it's done because people contact the developer and the developer realizes it's not needed. Most times I see that happen is in paid apps, only sometimes with the free apps.
As for your original topic "are you ok with apps accessing your location", I have no issue with it. Obviously if it is getting used maliciously, no, I wouldn't be ok with it.
But as it is, 'guaranteed' the Phone Carriers know where you are and where you've been. And 'guaranteed' the government knows where you are and where you've been. I will always be more worried about the government knowing everything they want about me, without my permission, than some app creator. And as it is, I'm ok with the government knowing.
I feel the same way about the government as I do Google. Until they turn evil and start enslaving mankind (search "is google skynet", hilarious and royally creepy) I'm going to keep using them and stay in the country I live in.
Conspiracy theorists feel free to chime in. Although let's be honest, the over-the-top conspiracy theorists (that make for the best/most hilarious conversations) won't likely be carrying around a device that has cameras, microphones, gps chip, and internet access that can be used to activate one or all of those remotely

I don't really care if they know my location, but now that you mentioned a possible battery drain, I am bothered by that. Someone should make a list of popular apps that may have unnecessary permissions that can be safely disabled through some sort of means.

https://play.google.com/store/apps/details?id=com.stericson.permissions
Yer welcome.
Sent from my SGH-I777 using Tapatalk 2

I don't care either. I have my GPS constantly disabled so the only location any of my apps could get is a general network location....
Honestly, I think privacy concerns are often blown out of proportion... mostly by the media. Don't get me wrong, there is nothing bad with being concerned, but I highly doubt we are going to have another Craig's list killer situation from developers releasing apps on Google Play. Knock on wood.
As mentioned before, contact the app's dev and ask for more info. If they never reply then I would be worried. As well you can always use a different one. If needed you can use "Tasker" which can allow you to build almost any function any other app has to offer all under your control. Just be warned Tasker is highly addictive for us nerds....
Anyway, and in summary, I have less trust is most banks selling my purchase history then the random app developer.... but that's just me.