30 Sep

Researchers from Intel, Penn State, and Duke teamed up to study how the apps in the Android Market handle private data: specifically, which sensitive data the apps read, and where they then send it. The results: of 30 popular applications tested, 15 sent the phone's location off the device, 7 sent a unique hardware identifier (the IMEI), and a few sent the phone number and SIM card serial number to the developer's servers. Scary stuff indeed.

This isn't the first time we've heard that Android apps leak private data: in late July, Lookout released similar findings. TaintDroid takes things further, albeit on a far smaller sample. Lookout's App Genome Project catalogued roughly 300,000 applications from the Apple App Store and Android Market, but a scan of that kind can only say what an app is able to access. TaintDroid is (thus far) Android only and runs on the phone itself, so it covers only the apps installed and exercised on that device; in return it follows the sensitive data at runtime and records exactly what leaves the phone, and where it goes, which is far more concrete than the nebulous results Lookout shared.


The demo video shows how this works in practice. TaintDroid is not an ordinary app but a modified Android build that tags sensitive data inside the Dalvik VM and follows it through the app; a small monitor runs in the background and posts a notification whenever tagged data is written to the network. In the demo, a simple wallpaper app is opened and no action is taken inside it. Back on the home screen, TaintDroid reports that the phone number, IMEI, and SIM card ID were all sent to a third-party server. The testers then reopen the app and open the "Favorites" tab; on returning to the home screen, TaintDroid reports that the IMEI was sent again. Note what the notification proves: not that the app was granted a permission, which the install screen already told you, but that the data actually went out over the network.
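The tag-and-follow mechanism described above, as an added example (this is not TaintDroid's code, nor the wallpaper app's): a miniature taint tracker in Python that labels the values returned by telephony calls, carries the labels through string concatenation and hashing, and fires an alert at the network sink only when labelled data is about to leave. The class names, the sample identifiers and the host `wallpaper.example` are constructed for the example; the hashed-identifier and installation-ID variants are this example's own additions, included to show what does and does not clear a taint.

```python
"""Miniature model of TaintDroid-style dynamic taint tracking.
Sources (IMEI, phone number, SIM serial, location) are labelled when read,
the label follows the value through string operations, and the network sink
reports which labels leave the device. Example code with constructed data;
class and function names are this example's own, not Android's or TaintDroid's.
"""
import hashlib
import uuid
from dataclasses import dataclass

# One bit per label, as TaintDroid does with its 32-bit taint tag.
TAINT_PHONE_NUMBER = 1 << 0
TAINT_IMEI = 1 << 1
TAINT_ICCID = 1 << 2      # SIM card serial number
TAINT_LOCATION = 1 << 3

TAINT_NAMES = {
    TAINT_PHONE_NUMBER: "phone number",
    TAINT_IMEI: "IMEI",
    TAINT_ICCID: "SIM serial",
    TAINT_LOCATION: "location",
}


@dataclass(frozen=True)
class Tainted:
    """A string plus the OR of the taint labels it depends on."""
    value: str
    tag: int = 0

    @staticmethod
    def lift(x):
        return x if isinstance(x, Tainted) else Tainted(str(x))

    def __add__(self, other):
        # Propagation rule: the output carries the union of the inputs' tags.
        o = Tainted.lift(other)
        return Tainted(self.value + o.value, self.tag | o.tag)

    def __radd__(self, other):
        return Tainted.lift(other) + self

    def labels(self):
        return [name for bit, name in TAINT_NAMES.items() if self.tag & bit]


def sha1_hex(t: Tainted) -> Tainted:
    """Hashing does not clear a taint: the digest is still a function of the
    identifier, so it is flagged at the sink just like the raw value."""
    return Tainted(hashlib.sha1(t.value.encode()).hexdigest(), t.tag)


class FakeTelephonyManager:
    """Stand-in for android.telephony.TelephonyManager that returns labelled
    sample values (constructed, not read from any device)."""
    def getDeviceId(self):
        return Tainted("356938035643809", TAINT_IMEI)

    def getLine1Number(self):
        return Tainted("+15555550100", TAINT_PHONE_NUMBER)

    def getSimSerialNumber(self):
        return Tainted("89014103211118510720", TAINT_ICCID)


class NetworkSink:
    """The network taint sink: records a (host, labels) alert whenever labelled
    data is about to leave the device, like TaintDroid's notification."""
    def __init__(self):
        self.alerts = []

    def send(self, host, body):
        body = Tainted.lift(body)
        if body.tag:
            self.alerts.append((host, body.labels()))
        return body.value


def leaky_favorites_request(tm, sink, host="wallpaper.example"):
    """What the wallpaper app in the demo does: identify the device by IMEI
    (hashed here, which changes nothing), phone number and SIM serial."""
    body = ("id=" + sha1_hex(tm.getDeviceId())
            + "&phone=" + tm.getLine1Number()
            + "&sim=" + tm.getSimSerialNumber()
            + "&w=480&h=800")
    return sink.send(host, body)


def new_install_id():
    """Generated once on first run and kept in the app's own storage: random,
    not derived from any hardware identifier, so it carries no taint."""
    return str(uuid.uuid4())


def hardened_favorites_request(install_id, sink, host="wallpaper.example"):
    """Same feature (favorites tied to an install) without touching a taint source."""
    return sink.send(host, "id=" + install_id + "&w=480&h=800")


if __name__ == "__main__":
    sink = NetworkSink()
    leaky_favorites_request(FakeTelephonyManager(), sink)
    hardened_favorites_request(new_install_id(), sink)
    for host, labels in sink.alerts:
        print("TaintDroid-style alert: %s sent to %s" % (", ".join(labels), host))
```

Run stand-alone it prints exactly one alert, for the leaky request (phone number, IMEI and SIM serial sent to wallpaper.example); the hardened request passes the sink silently. Two points carry over to the real tool. The label survives hashing, and because TaintDroid tracks the tag inside the VM rather than by inspecting packets on the wire, encrypting the payload before sending it does not by itself hide the leak either. And the second request is the practical answer to the question of why a wallpaper app needs a phone number to remember favorites: a random installation ID identifies the install just as well and never touches a taint source.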

TaintDroid has yet to be publicly released, but the team plans on doing so at some point down the road.

[Source: AppAnalysis.org, Thumbnail Image: dunwich7]

Aaron Gingrich
Aaron is a geek who has always had a passion for technology. When not working or writing, he can be found spending time with his family, playing a game, or watching a movie.

  • bjordan

    Great app and great idea. It's always good to be skeptical of things and it's awesome to have the tools to monitor what's going on, on our devices.

    In the wallpaper case, however, the developer already responded with the reason for the information being sent:

    "I collected the screen size to return more suitable wallpaper for the phone. More and more users emailed me telling me that they love my wallpaper apps so much, because even "Background" can't suit the phone's screen well.
    I also collected device id, phone number and subscriber id; it has no relationship with user data. There are few apps in the Android market that have the favorites feature. Many users suggested that I should provide the feature, so I use these to identify the device, so they can favorite the wallpapers more conveniently, and resume their favorites after a system reset or changing the phone."

    From AC Article here:
    http://www.androidcentral.com/android-privacy-concern-lookout-response

    While there are probably better ways for him to do this it certainly seems that it's not intended to be malicious.

    I love the idea of Taintdroid and will be following it closely to see when it's released.

    • Aaron Gingrich

      Yup, I actually saw his response after the Lookout thing. Thus, I was careful not to say or (hopefully) imply that the data was being used maliciously :).

      Still, I'm not sure how comfortable I am with an app collecting data like my IMEI or phone number - in fact, especially my phone number. I fail to see how him having my number improves the app?

      • http://tech.shantanugoel.com/ Shantanu

        If you are not comfortable with it, then why are you allowing the app to access that data in the first place? Honestly, when a wallpaper app tells you that it wants to access your phone data and contacts before installing, you should stop right there rather than waiting for some security company to come out and point out the obvious and rake in money in the process.
        1. They are again taking the same example of the wallpaper guy who was questioned and came out clean during the Lookout mobile report
        2. That data is not being sent to advertisers
        3. No app on Android can do this without the user accepting the PERMISSIONS.

        These guys are just trying to create a lot of FUD by blowing things out of proportion and then reaping the benefits. Just look at the statistics of Lookout's app. After their report, their downloads have skyrocketed and they must be sitting on over a million downloads by now.

        • Aaron Gingrich

          1) Neither AppAnalysis nor I accused anyone of doing anything illicit. They proved he was collecting the data, that's all. As their app isn't on the market yet, and when it is it will be released open-source, I doubt they're looking to generate publicity.

          2) If his motives are pure, why does he need a phone number?

          3) I wouldn't exactly say that the "give this app access?" screen is descriptive - I would imagine that when most people accept that, they assume the motives are pure and that personal data won't necessarily be transmitted.

          4) I don't use the app... but thanks for the insightful suggestion.

  • http://www.tracylynnp.com/wp-content/uploads/2010/09/stop-at-AP.jpg Tracy Lynn

    I agree, they have no right to my phone #. I will be watching for Taintdroid and will use it, even if it's a paid app.

  • Poor

    This whole issue is a joke. I agree that something to monitor outgoing information would be great; I doubt, however, that it would be sent out unencrypted, so catching this may not be easy at all.

    As for this new episode of WallPaperGate, again, the info this application sends is common on any platform. If you ever paid for an app on Handango or a similar site, the first thing they do is ask for your IMEI so that the app can be linked (i.e. DRM) to your phone. In this case the guy uses the IMEI as a cookie so that he can offer the correct screen resolution.

    I would like to point out that one of the sponsors of these "studies" that target only Android devices is Intel, which has interests in many things including MeeGo, and of course MeeGo is much safer than Android...

    My 2 cents...

  • Christopher

    Apparently the wallpaper app developer should read this:
    http://android-developers.blogspot.com/2010/08/best-practices-for-handling-android.html

    Especially the section that deals with exactly what he has done in his application, "Case study: user preferences".