so what were the security permissions requested by this app at the time of installation? i have to imagine that if it was taking web browsing history that it would have needed more permissions than just "uses network data".<p>android's fine-grained security permissions, where the author has to explicitly request each type (network use, prevent the screen from turning off, etc.) and the user is shown the list of permissions requested before installing, is good from a security standpoint, but i think it's ended up being like windows vista. users either don't read, don't care, or don't understand what is being asked of them and they just click whatever is needed to continue. even an advanced user can't tell the difference between a free app requesting network access to download advertisements and a malicious one using it to upload private information.
If this is true, I'm disturbed by the fact that:<p>1. Google has failed to tell any of us this,
2. I don't even know if I had any of the vendor's applications in the past, as they have been removed entirely, AND
3. Google has failed to tell any of us this!<p>I mean what the hell, at least send us an email telling us that because we downloaded AppXYZ, our data has been compromised by some low-life(s) in China. I'm going to end up being a lot less likely to download random apps now, not only because of this really sketchy incident, but because of the lack of transparency on Google's part.<p>Damn.
A typical case of overblown 'user failure', not Android security model failure. If a wallpaper app wants internet access and you allow it you really only have yourself to blame.<p>Wallpaper, cursor packages, screen savers and other dumb 'customisation' gadgets have been malware vectors on the Windows platform for about 15 years now, why would phone platforms be any different?
I'm pretty sure the article is not entirely accurate. There are several apps from "Jackeey Wallpaper" in the Android Market, all of which seem to be apps to download wallpapers of various themes. The dozen or so I've checked have these permissions:
- "modify/delete SD card contents"
- "coarse (network based) location"
- "full Internet access"
- "read phone state and identity"<p>As far as I know none of those allow reading your browser history or text messages, and certainly not your voicemail password. We need to see a network capture of what was sent to their site.
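
As an added illustration (not part of the comment above and not code from the app or from Android), the check the commenter describes can be run against a manifest. The sample manifest is constructed from the four permissions listed above, and the permission-to-data mapping is a simplified assumption based on Android 2.x-era platform permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: simplified, non-exhaustive map of Android 2.x-era permissions
# to the data or capability each one gates.
GRANTS = {
    "android.permission.INTERNET": {"network"},
    "android.permission.WRITE_EXTERNAL_STORAGE": {"sd_card_contents"},
    "android.permission.ACCESS_COARSE_LOCATION": {"coarse_location"},
    # TelephonyManager getters for these values sit behind READ_PHONE_STATE.
    "android.permission.READ_PHONE_STATE": {
        "device_id", "subscriber_id", "phone_number", "voicemail_number"},
    "android.permission.READ_SMS": {"sms"},
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": {"browser_history"},
}

# Constructed sample: the four permissions listed in the comment above.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml):
    """Summarise what the declared permissions reach and what can leave the device."""
    reachable, unknown = set(), set()
    for perm in requested_permissions(manifest_xml):
        if perm in GRANTS:
            reachable |= GRANTS[perm]
        else:
            unknown.add(perm)  # not in the map: needs manual review
    has_network = "network" in reachable
    data = sorted(reachable - {"network"})
    return {
        "reachable": data,
        "can_leave_device": data if has_network else [],
        "unknown": sorted(unknown),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST).items():
        print(key, value)
```
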
It seems like Android has three choices<p>1. The current approach (which made it possible for the wallpaper app to steal user data from millions of users)<p>2. Prevent apps from accessing data such as voicemail-password, web-browsing history etc. (but it is possible that some apps may have a legitimate reason to do this and blocking these apps may not be fully consistent with the open platform goals)<p>3. Throw a big warning message EVERY time an app tries to access sensitive data (or perhaps for the first 10 times and the first 10 days...). It is a compromise solution, but users may find this annoying.<p>Either way, this is a somewhat tough problem.
<i>It collects ... your voice mail password</i><p>Do the security dialogs reflect the differing levels of importance of the data you're providing access to? If an app is requesting access to my voice mail password, I'd expect a pretty big red strobe light stuck on the dialog; something to really catch your attention, especially if you're trying to 'yes' your way through 9 (number stated by jsz0 for Google Maps) of the things
This scared me. I just installed a wallpaper app yesterday and while doing so thought "that's weird, why does it need my personal information, phone calls, etc.". But I still got the app. I guess my excuse is being used to my iPhone, I didn't think about exactly how much access I was granting to this random app.<p>Anyway, I just checked, and the wallpaper app I had wasn't from jackeey. It's a top free app on the marketplace named Backgrounds by Stylem Media. And, it requires access to network communication, personal information, storage, phone calls, and system tools.<p>I have no idea how the warnings are generated.
Maybe devs are just including random libraries in their app (copy paste?) which are setting off these warnings? If not, why does this wallpaper app need my personal info?<p>Anyway, good wake up call, I will definitely be more careful wrt what I install on my phone.<p>EDIT: App request: something that logs/polices information going out from my phone. Firewall? We'll be needing an anti-virus next :(
So the iPhone is too closed, and Android is too open.<p>In my opinion, they should have a quality assured Market, but keep the ability to load .apk files whenever you want (and also the ability for others to create their own market).<p>Quality assurance on market should mainly be about maliciousness of applications.<p>It sounds stupid arguing for android to be more closed, but really Google is very slack with their Market.
I've gotten very selective about which android apps I install. It seems like some apps ask for more access than I would like to give them and what I think they need.