20% of Android apps use private data (readwriteweb.com)
18 points by coderdude on June 23, 2010 | 12 comments



It's a whitepaper by a security firm. Using my HouseAbsolute behavior-based detection methodology, I have used various heuristics to detect that this study is possibly BS. Some key factors in this detection, with exclamation points showing how concerning an individual flaw is (! is the least, !!! is the most. Note that all these points are regarding the researchers' whitepaper itself.):

!!! The article makes a big deal out of a specific spyware application. This wouldn't be very much of a problem if the application weren't openly described by its authors as one whose sole purpose is spying on the phone's user. So why make a big deal out of it!?

!! The article makes a big deal of the fact that some applications have requested the same set of permissions that some spyware apps have. I can think of no conceivable specific combination of permissions that alone would give much information at all about whether or not an app is spyware. It also makes a big deal of how nine applications can brick the phone without going into any detail about the nominal purpose of these apps (i.e. does it make sense that such an app, behaving as described in the market entry for this app, should need to brick the phone).

! This article seems to imply that one would need any of these permissions to harm the user. From my understanding of Android development, I believe that any application can raise an intent to open a webpage in the browser, and the url of that page could easily be used to transmit sensitive information even with no permission at all. (I could be wrong on this one.)

!!! Any app that requests two of the permissions they label as sensitive is marked as suspicious. This means that any app wanting to both access the internet and do any of the following is considered suspicious according to this study:

- Access coarse location.

- Write to the external storage.

- Send an SMS.

! The company behind this paper is trying to sell something that you would be more likely to buy if you believed its results.


I enjoy RWR, but it's a bit sensationalist to use "seize" in that headline when what they really mean is "access" and by access they mean "access after explicit permission has been granted."

I do think there are issues to be addressed, and the article mentions apps which can send premium text messages, an exploit vector which is more concerning.


Not to mention that in a lot of situations this is exactly the point. Twitter can access contact data so it can add a person's twitter account into their contact information. You might use a solution to synchronize your contacts with a CRM so that you can follow up on potential leads. That's "seizing" your data, but that's exactly what you want it to do in that case. This is pure sensationalism and is exactly why journalism shouldn't be the practice of copying press releases for the sake of some hits.


The constant chasing after traffic is not a good thing for the new media ecosystem, it leads to sites that glory in lots of low quality attention, and a boring sameness to the novelties on parade. We need to find a way to compensate creators based on the quality of their audience, rather than mere quantity.

The only functional forces pushing in that direction at present are patronage and pride. Patronage from the audience and pride from the performers.


This seems to be a PR piece written by SMobile Systems ("enabling Secure mobility") promoting their "new behavior-based detection methodology", leveraging "heuristic-style technology".

One of their conclusions appears to be that "one must look at the permissions it has requested to determine what the application's true capabilities might be". Very heuristic.

Quotes from http://threatcenter.smobilesystems.com/wp-content/uploads/20... (PDF)


Ugh, sensationalist fluff. Android's permissions system is very clear and very easy for the end user to understand. "This app might cost you money" on install is pretty darned clear!


PEBKAC, sir. That's the problem.


The way this article has been titled, it screams "SENSATIONAL!!11 READ ME!!!". Comes across as applications lock all your photos and messages and charge a dollar a peek.


I thought you have to explicitly allow applications to access any data outside their own directory?


You need permission to access any user data (SMS, calendar, etc).

It is almost impossible to get data from another app if the author doesn't expose it somehow (place it on SD Card, expose Content Providers).
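Two of the technical points in this thread can be made concrete with a small manifest check: the "any two sensitive permissions" rule the first comment objects to, and the point just above that another app's data is reachable only through something its author exports. The script below is an added example written for this thread, not code from the article, the whitepaper, or any commenter. It parses a constructed AndroidManifest.xml for a hypothetical weather app, applies the pair rule, and separately lists components that are exported without an `android:permission` guard. The sensitive set is an assumption chosen for illustration; the whitepaper's exact list is not on the page.

```python
"""Static manifest checks: the crude permission-pair rule beside the check a
reviewer actually wants (exported components with no permission guard).
Added example for this thread; the sensitive set is assumed, not the paper's."""
import xml.etree.ElementTree as ET
from itertools import combinations

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed sensitive set for the pair rule (illustrative, not the paper's list).
SENSITIVE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest: a weather app that needs the network and a
# coarse location, with one provider exported unguarded and one guarded.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <application android:label="Weather">
        <activity android:name=".MainActivity" android:exported="true" />
        <provider android:name=".ForecastProvider"
            android:authorities="com.example.weather.forecast"
            android:exported="true" />
        <provider android:name=".SettingsProvider"
            android:authorities="com.example.weather.settings"
            android:exported="true"
            android:permission="com.example.weather.READ_SETTINGS" />
        <service android:name=".SyncService" android:exported="false" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {_attr(e, "name") for e in root.iter("uses-permission")}


def flagged_by_pair_rule(perms, sensitive=SENSITIVE):
    """Apply the 'any two sensitive permissions' rule.

    Returns every sensitive pair present (sorted), so the reviewer can see
    which combination fired; an empty list means the app passes the rule.
    """
    hits = sorted(perms & sensitive)
    return list(combinations(hits, 2))


def unprotected_exported_components(manifest_xml):
    """List components any other app can reach: exported and unguarded.

    A component is reachable from outside when android:exported="true" and it
    declares no android:permission. This is where app data actually becomes
    accessible to third parties, independent of the permissions requested.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = (_attr(comp, "exported") or "false").lower() == "true"
            if exported and not _attr(comp, "permission"):
                found.append((tag, _attr(comp, "name")))
    return found


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    print("requested:", sorted(perms))
    print("pair-rule hits:", flagged_by_pair_rule(perms))
    print("unprotected exported:", unprotected_exported_components(SAMPLE_MANIFEST))
```

On the sample manifest the pair rule fires on INTERNET plus ACCESS_COARSE_LOCATION, which is exactly what a weather app needs, while the exported-component check points at the one provider that is actually open to other apps; the guarded SettingsProvider and the non-exported service are left alone.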


>>Finally, 3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user's interaction or authorization.<<

Could an independent Android developer comment on whether this is in fact true?


I'm not privy to any statistics on the matter, but simply as an Android user I can tell you that Android applications can't dial numbers, send SMS, etc., unless you explicitly grant them permission to do so -- and Android will tell you, plain as day, that the application wants privilege to access "Services that can cost you money".



