WSJ: Apps Go Too Far In Sharing Your Info To Third Parties - General Topics

A list of popular Phone spyware. http://blogs.wsj.com/wtk-mobile/

boogieTilt said:
A list of popular Phone spyware. http://blogs.wsj.com/wtk-mobile/
(Bump)
Category: Utility
Platform: Android
Author / Publisher: Zedge
Type: Free
Has a privacy policy? Yes, in the app and on the website.
The Journal tested 101 popular smartphone apps to see what data about the phones, their users, and their locations they gathered and revealed to others. The Journal also reviewed what information the app tells users it will collect, and whether it has a privacy policy. Here is a summary of those findings.
Explicitly Asks Permission to Access:
- Read Contact Data (access data in your address book)
- Read Internet's history and bookmarks (Web browsing information)
- Full internet access (Can send data out about you)
- Read phone state and identity (access unique IDs on your phone)
- Read system log files (access to files on how you use the phone and apps)
- Coarse (network-based) location (based on Wi-Fi and cell phone towers)
- Fine (GPS) location (based on global positioning system)
Sends to Third Parties:
- Phone ID
Zedge says the application requests to read and write contact data in order to set contact ringtones, and that it does not store this information.

Apps requiring access to the following information

Your Location (Coarse)
Your Personal Information (Read Contact Data)
Phone calls (Read phone state and identity)
Storage (Modify/Delete SD Card Contacts)
System Tools (Modify Global System Settings)
Can someone explain to me why some apps like Sky News etc require personal information such as contact data etc?
And can someone explain each of the above in detail and what they are actually allowing access to? (i.e. if I download Sky News, will they then have access to all my contacts in my phonebook etc., or is it something innocent?)
Thanks
My guess is that it's because it's compatible with Android 1.5. All 1.5 compatible apps are automatically given those permissions, even if the author doesn't ask for them.
If the app is not compatible with 1.6, then it will not be given those permissions unless it asks for them.
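An added example, not part of the original posts: a small checker that separates the permissions a manifest requests from the ones the platform adds on its own. It assumes Android's documented behaviour that READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE, both introduced in Android 1.6 (API level 4), are granted implicitly to apps targeting API level 3 or lower; the sample manifests and the package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Added in Android 1.6 (API level 4); the platform grants them implicitly to
# apps that target API level 3 (Android 1.5) or lower.
IMPLICIT_BELOW_API_4 = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def effective_permissions(manifest_xml):
    """Split an app's permissions into requested and implicitly added."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Documented defaults: minSdkVersion is 1, targetSdkVersion is minSdkVersion.
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", "1"))
    target = int(attrs.get(ANDROID + "targetSdkVersion", str(min_sdk)))
    implicit = IMPLICIT_BELOW_API_4 - requested if target < 4 else set()
    return {"target_sdk": target,
            "requested": sorted(requested),
            "implicit": sorted(implicit)}

# Constructed sample manifests (decoded XML, hypothetical package name).
MANIFEST_TEMPLATE = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.news">
  <uses-sdk android:minSdkVersion="3" {target}/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>
"""
LEGACY = MANIFEST_TEMPLATE.format(target="")
MODERN = MANIFEST_TEMPLATE.format(target='android:targetSdkVersion="4"')

if __name__ == "__main__":
    for label, xml_text in (("targets 1.5", LEGACY), ("targets 1.6", MODERN)):
        result = effective_permissions(xml_text)
        print(label, "requested:", result["requested"])
        print(label, "implicit: ", result["implicit"])
```

The two manifests request the same permissions; only the one that still targets Android 1.5 ends up with the phone-state and SD-card entries in its install prompt.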

[APP][2.2+] The best solution for data protection, Mobile StrongBOX FREE

Hello to ALL!
After almost 2 years since the first Symbian release, I have ported my application, Mobile StrongBOX, to Android (finally).
It is available on Google Play, but since I'm new on this forum I cannot post the link to it. The best way to find it is to search for "strongbox" in Google Play.
Mobile StrongBOX is designed for the secure storage of private information, such as photos or videos, passwords, data for bank accounts, documents and anything else you want to protect. The application uses a strong public-key crypto-system that is optimized for mobile phones.
Today we take our phones everywhere we go and we can have our private data with us. Take, for example, private photos: we all have them on our phones, but in case we lose our phone we are in trouble because someone else can view our private photos! The same problem is for any private data that we store on our devices like passwords, bank account information, private documents etc. Mobile StrongBOX is designed to solve this problem, it offers protection so we do not fear any more to take our private data with us.
Encryption is the best type of data protection. There are many solutions that in case of stolen phone allow you to wipe the data on the device, BUT from the point when you lose your phone until you realize that, it can be too late!
Mobile StrongBOX uses strong 256-bit AES (Advanced Encryption Standard) encryption for data and 1024-bit RSA encryption for keys. Any kind of information can be secured with Mobile StrongBOX. It does protect your data, but also helps you if you have many things to memorize like passwords and credit card PINs. With Mobile StrongBOX you will not have to worry about these things any more!
Storing passwords, PINs, credit card numbers, membership info, login credentials etc. is now very easy and safe. Photos, videos, documents and folders can also be added to strongbox, keeping the hierarchical structure of folders (for example you can encrypt your private photos and videos so no one else can view them).
Key features and advantages over similar apps:
- very strong encryption: 256 AES + 1024 RSA
- not only encrypts items like passwords but files like private documents and photos/videos, too.
- every file or item is encrypted with a different AES key, automatically generated.
- customizable templates: add/remove/rename fields, you can change icons, add your own templates.
- multiple files or folders import(encrypt) / export(decrypt) in one operation.
- you can create sub-folders and group files/items however you like.
- no export needed to view files, view them directly from the app.
- secure erasing of imported files, if you want to.
- search, auto-lock, trash
- you can have multiple strongboxes and switch between them.
- does not contain ads, does not have INTERNET permission
With Mobile StrongBOX you have your private information encrypted in your pocket anywhere, ON-THE-GO.

- closed -

Please, close this thread.
Now it's on DevDB: http://forum.xda-developers.com/android/apps-games/app-gps-to-sms-location-sharing-t2994187
reserved
@tralchonok will this send location name or just coordinates and also does this app work without internet?
@thahim Internet access is not required. App will send latitude and longitude separated by comma. You can also configure the prefix to be inserted before the coordinates (it may be the link on Google Maps for example). Anyway, I recommend you to send only coordinates via SMS due to its length limitation. Sharing via third-party apps has more details.
P.S.: to retrieve location name it's necessary to have Internet access or some sort of offline locations database inside the app. I tried to make the app as Internet-independent as possible, though (it doesn't even ask for the network permissions).
P.P.S: Actual thread is here now: http://forum.xda-developers.com/android/apps-games/app-gps-to-sms-location-sharing-t2994187

Fitbit/Jawbone/... hack

Hi,
With our smartphones and apps we already send quite a lot of data to third parties.
I am interested in a wearable device such as a Fitbit or Jawbone (to mention only popular ones) to track my daily activities but I don't want to send more data to more third parties. In addition, if one of these companies decides to stop some products or shut down their servers, these devices would probably stop working.
As they all provide an Android app to sync the smartphone and the device to fetch the data and display it, I am wondering why it would be required to send data to their servers. Does anyone know if these apps work properly without an active connection to these servers? Is there any way to block these connections without a rooted phone? If rooted, do you think updating the hosts file would be enough to block connection?
Aside from that, I am wondering if it would be possible to redirect this traffic to a personal server to fill a personal database? Is the traffic secured, via SSL for example, between the app and the server? We can imagine creating an open source project to be installed on our personal RaspberryPi (for example) to display data in a more friendly way on desktop without giving access to private data to big companies.

Can the work profile have access to my browsing history, device files, etc.?

I was recently admitted to a company, and as an ease of accessing my e-mails and work schedule, the android "work profile" was made available so that I could have access to company information (such as e-mails, calendar, information and others) without having to receive a corporate cell phone.
However, my biggest concern is with the organization's access to my data. My organization that created the work profile, can have access to my browsing history, data on the device (such as photos, application files, etc.), time I spend using my cell phone, contacts, call logs, and other data personal profile?
I have already visited the google instructions page, but I was still unsure because my organization installed some network certificates and the warning "Your organization can monitor network traffic ..."
Another question:
If I leave a work profile app open in the background, and use my personal profile at the same time, can my organization have access to network traffic and consequently my personal information?
All questions, however redundant, are intended to clarify the details of the organization's access to my personal information
From now on, I am immensely grateful for the help and time you spent reading my questions.
You are holding a phone in your hands for which an organization has concluded a data plan contract and is paying for it. They therefore will have a legitimate interest in the network traffic on this device, unless it is a contract for unlimited bandwidth. Network traffic is triggered by apps / services, which can actually be read out: they simply have to install an HTTP/S proxy that intercepts the HTTP/S traffic of any app housed on the phone.
jwoegerbauer said:
You are holding a phone in your hands for which an organization has concluded a data plan contract and is paying for it. They therefore will have a legitimate interest in the network traffic on this device, unless it is a contract for unlimited bandwidth. Network traffic is triggered by apps / services, which can actually be read out: they simply have to install an HTTP/S proxy that intercepts the HTTP/S traffic of any app housed on the phone.
The phone is mine, and there is no plan of internet hired by the company. It's my personal cell phone, and for me to view emails and talk to people from within the organization, I had to enable the "work profile". So I had my personal and work profile on my personal device.
My question is: my company can see my personal files and my online activity in the "PERSONAL PROFILE"?
Fred964 said:
The phone is mine, and there is no plan of internet hired by the company. It's my personal cell phone, and for me to view emails and talk to people from within the organization, I had to enable the "work profile". So I had my personal and work profile on my personal device.
My question is: my company can see my personal files and my online activity in the "PERSONAL PROFILE"?
I created a second user on my phone named "Company".
If I do this it asks me if I want to turn on phone calls and SMS and then warns that
Call and SMS history will be shared with this user.
That makes sense, since I (as the owner) can decide whether or not other users of my phone can access that data.
I tried to access owners files via filemanager from "Company" account. I couldn't see anything.
I tried the same but via adb using a root shell -> I had full access to owners files.
Owner has a VPN active. I tried to access that VPN from within "Company". Didn't work.
Tried to access apps from within "Company" -> no luck.
Checked settings -> some are gone, some aren't. E.g. I can see my paired devices (paired from owner) when I'm in "Company" account.
So, to answer your question:
Fred964 said:
My organization that created the work profile, can have access to my browsing history, data on the device (such as photos, application files, etc.), time I spend using my cell phone, contacts, call logs, and other data personal profile?
I have already visited the google instructions page, but I was still unsure because my organization installed some network certificates and the warning "Your organization can monitor network traffic ..."
Access to browsing history, data, contacts? No.
Time spent? I don't know but in battery usage settings I can see how much battery has been used by the owner account.
Call logs? Yes, If you accepted that.
Your language? Yes.
About certificates: I don't know exactly what they do (I figured if you turn them off your device cannot connect to the internet anymore if that certificate is needed for that connection attempt) but you can go to Security -> Encryption & credentials -> Trusted credentials and turn them off while you're in your personal account.
However: One question remains: Does the profile your company created somehow differ from the one you can create manually via settings? I don't think so, so above things should be valid.
If that's an option you could also ask your company directly (even though I can understand if you might not want to trust them).
