I saw the following article on Tech Republic today on "leaky" free-apps from the Android Market and thought it would be interesting to get everyone's comments on it:
http://www.techrepublic.com/blog/security/taintdroid-warns-about-android-apps-leaking-sensitive-data/7724?tag=nl.e036
Basically, researchers at NC State went through a random sample of 30 of the top free apps in each category in the Play Store (Market? not sure when it was done) and found that, in short (quote from article between **):
**“Our study revealed that two-thirds of the applications in our study exhibit suspicious handling of sensitive data, and that 15 of the 30 applications reported users’ locations to remote advertising servers. Our findings demonstrate the effectiveness and value of enhancing smartphone platforms with monitoring tools such as TaintDroid.”
Francis: The conclusion — in my opinion — is to be expected. The research team is saying half of the applications in the study sent location or user data to a remote ad network.**
These included apps such as flashlight apps and others that really have no need for fine GPS location, other than to send your info to an ad server. Food for thought for sure on all those free apps on my Galaxy SII SkyRocket right now...
I'm new to Android development, mainly because I've been trying to find a small enough project that was reasonable to bite off as a first foray but interesting enough to keep me engaged. I finally found something I think would be a reasonably sized project for starting out and would also actually be useful to me. Unfortunately, in researching it, I ran into the fact that there is no API for Google Now.
To back track a bit, the app/functionality I want to implement is a modification to cards, or to one of the data feeds Google pulls from to populate Now cards. I commute in and out of NYC via Metro North, but walk to and from the station on both ends, so what I really need is the information for the next 5 trains scheduled inbound in the morning and outbound in the evening between Grand Central and my home stop, along with the track number the train is slated to leave from. This data is available from a datafeed provided by the MTA (and already utilized by an Android app I already use). The transit and commute Now cards don't provide me the information I need.
Since there's no Google Now API, the direct route is not available to me, so I started to try to look into alternative methods. I came across the Places API and was thinking of trying to use it as a back door to populating the data I'm interested in into Now (by having a service that pulls the train info I'm interested in from the MTA feed and pushes it to Now as Events at the stations I'm interested in), but since custom Places data is tied to an app ID and only made available to requests from that app, it seems to me that that angle is a non-starter, since I'm not going to have the Now app ID.
I've been trying to poke around for any other viable approaches to the problem, but my search has thus far come up dry, so I have come here. Has anyone come up with any ways to feed info into Now cards? Are there even any promising areas of investigation, short of hacking Now itself?
Edit: I also considered trying to push the train schedule data to my calendar so it would bubble up into Now, but that is just a bit too clunky and spammy, imo.
Does anyone know of anything interesting being done in this area? I'm thinking some sort of integration with calendar is the only way to go...
Okay, so, I summed up some 5 articles on this subject - in the hope of starting a discussion about device security. I hope you will find this interesting and meaningful and perhaps you will find out about some of the risks of using Android.
2 months ago Juniper Networks, one of the two biggest network equipment manufacturers, published a blog post (1) about intensive research their mobile threat department did on the Android marketplace.
In essence they analyzed over 1.7 million apps in Google Play, revealing frightening results and prompting a hard reality check for all of us.
One of the worrying findings is that a significant number of applications contain capabilities that could expose sensitive information to 3rd parties. For example, neither Apple nor Google requires apps to ask permission to access some forms of the device ID, or to send it to outsiders. A Wall Street Journal examination (2) of 101 popular Android (and iPhone) apps found that 56 — that's half — of the apps tested transmitted the phone's unique device ID to other companies without users' awareness or consent. 47 apps — again, almost a half — transmitted the phone's location to other companies.
That means that the apps installed in your phone are 50% likely to clandestinely collect and sell information about you without your knowledge nor your consent. For example when you give permission to an app to see your location, most apps don't disclose if they will pass the location to ad companies.
Moving on to more severe Android vulnerabilities. Many applications perform functions not needed for the apps to work — and they do it under the radar! The lack of transparency about who is collecting information and how it is used is a big problem for us.
Juniper warns that some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. I am of course talking about the famous and infamous US Navy PlaceRaider (3).
Thankfully the Navy hasn't released this code but who knows if someone hadn't already jumped on the wagon and started making their own pocket sp?. CIO magazine (4) somewhat reassures us though, that the "highly curated nature of [smartphone] application stores makes it far less likely that such an app would "sneak through" and be available for download."
A summary by The Register (5) of the Juniper Networks audit reads that Juniper discovered that free applications are five times more likely to track user location and a whopping 314 percent more likely to access user address books than paid counterparts. 314%!!!
1 in 40 (2.64%) of free apps request permission to send text messages without notifying users, 5.53 per cent of free apps have permission to access the device camera and 6.4 per cent of free apps have permission to clandestinely initiate background calls. Who knows, someone might just be recording you right now, or submitting your photo to some covert database in Czech Republic — without you even knowing that your personal identity is being compromised.
Google, by the way, is the biggest data recipient — so says The Wall Street Journal. Its AdMob, AdSense, Analytics and DoubleClick units collected data from 40% of the apps they audited. Google's main mobile-ad network is AdMob, which lets advertisers target phone users by location, type of device and "demographic data," including gender or age group.
To quote The Register on the subject, the issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Google Android application ecosystem. Don't get me wrong. I love using Google's services and I appreciate the positive effect this company has had over how I live my life. However, with a shady reputation like Google's and with its troubling attitude towards privacy (Google Maps/Earth, Picasa's nonexistent privacy and the list goes on) I sincerely hope that after reading this you will at least think twice before installing any app.
Links: (please excuse my links I'm a new user and cannot post links)
(1) forums.juniper net/t5/Security-Mobility-Now/Exposing-Your-Personal-Information-There-s-An-App-for-That/ba-p/166058
(2) online.wsj com/article/SB10001424052748704694004576020083703574602.html
(3) technologyreview com/view/509116/best-of-2012-placeraider-the-military-smartphone-malware-designed-to-steal-your-life/
(4) cio com/article/718580/PlaceRaider_Shows_Why_Android_Phones_Are_a_Major_Security_Risk?page=2&taxonomyId=3067
(5) theregister co.uk/2012/11/01/android_app_privacy_audit/
____________________________________________________________________________________________
Now I am proposing a discussion. Starting with - do we have the possibility to monitor device activity on the phone? By monitoring device activity, such as outgoing SMSs and phone calls in the background, the camera functions and so on we can tell if our phone is being abused under the radar and against our consent. What do you think?
.
I am finding it sad and troubling but even more so ironic that nobody here cares about this stuff.
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis. Requires some setup, and the GUI is nothing fancy.. but for those worried about permissions, it is quite ideal.
Edit : http://forum.xda-developers.com/showthread.php?t=1357056
Great project, be sure to thank the dev
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Pdroid allows you to tailor your apps and what permissions your device actually allows on a per app basis
Sounds good for a start, I'll look it up
pilau said:
Sounds good for a start, I'll look it up
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
EDIT: looking at PDroid 2.0, it does exactly what I originally asked
pilau said:
Okay, so I looked it up, and Pdroid does look like a fantastic solution to control what apps have access to what information on your droid.
However, it doesn't cover monitoring hardware functions such as texts being sent, calls being placed etc. as described in the OP. Besides, it only works in Gingerbread as far as I could gather.
I actually first found out about it on an ics rom, so it's definitely not just gb. As for monitoring, no clue. Any sort of extra process logging would likely bog down resources or space eventually.
Sent from my ADR6425LVW using Tapatalk 2
DontPushButtons said:
Any sort of extra process logging would likely bog down resources or space eventually.
I definitely wouldn't know. This solution looks very complicated in first impression but on the Google play page it says 100% no performance effects.
Anyway, I looked up PDroid 2.0 here on XDA, which is the rightful successor of the original app. It does everything the original app does and also monitors many device activities! Here is the full list of features. I would add a working link but I'm still a n00b and I am restricted from doing so. Sigh....
forum.xda-developers com/showthread.php?t=1923576
PDroid 2.0 allows blocking access for any installed application to the following data separately:
Device ID (IMEI/MEID/ESN)
Subscriber ID (IMSI)
SIM serial (ICCID)
Phone and mailbox number
Incoming call number
Outgoing call number
GPS location
Network location
List of accounts (including your google e-mail address)
Account auth tokens
Contacts
Call logs
Calendar
SMS
MMS
Browser bookmarks and history
System logs
SIM info (operator, country)
Network info (operator, country)
IP Tables (until now only for Java process)
Android ID
Call Phone
Send SMS
Send MMS
Record Audio
Access Camera
Force online state (fake online state to permanent online)
Wifi Info
ICC Access (integrated circuit-card access, for reading/writing sms on ICC)
Switch network state (e.g. mobile network)
Switch Wifi State
Start on Boot (prevents that application gets the INTENT_BOOT_COMPLETE Broadcast)
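As an added example (not part of the original posts and not PDroid's code), the following Python sketch audits which apps request the permission categories discussed in this thread (send SMS, initiate calls, camera, location, address book, device ID) and notes whether each also holds network access. The sample input is constructed in the style of `aapt dump permissions` output, and the package names are hypothetical.

```python
import re
from collections import defaultdict

# Real Android permission names mapped to the categories named in the thread.
SENSITIVE = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_PHONE_STATE": "device ID",
}

# Accept both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")

def parse_aapt(text):
    """Return {package: set(permissions)} from concatenated aapt-style output."""
    apps, current = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            apps[current]  # register the app even if it requests nothing
            continue
        m = PERM_RE.match(line)
        if m and current:
            apps[current].add(m.group(1))
    return dict(apps)

def audit(apps):
    """For each app: sensitive categories requested, and whether INTERNET is too."""
    report = {}
    for pkg, perms in apps.items():
        cats = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
        network = "android.permission.INTERNET" in perms
        report[pkg] = {"sensitive": cats, "with_network": bool(cats) and network}
    return report

# Constructed sample input; package names are hypothetical.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.CAMERA'
package: com.example.notes
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    for pkg, result in audit(parse_aapt(SAMPLE)).items():
        print(pkg, result)
```

An app flagged `with_network` only has the capability to send that data off the device; whether it actually does is what runtime tools such as TaintDroid or PDroid address.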
I've always had the luxury of someone else integrating it into the Rom, then I just had to set it up through the app. It is time-consuming, but not very difficult at all. I say give it a shot and see if that's what you had in mind. Maybe the logging is less detrimental than I had previously thought.
I'm sure you could get your post count up by asking for some tips in that thread. Every forum on xda has at least one person that's EXCESSIVELY helpful, frequently more. So have a ball
Sent from my ADR6425LVW using Tapatalk 2
How many times have you forgotten where you had parked?
With this app you will not forget where you parked your car, motorbike, bike or horse...
With a simple and intuitive interface you can save the position where you parked and then get directions from wherever you are.
The application can also save the position of the vehicle automatically when you disconnect the headset, for example.
HOW IT WORKS
A button will appear in the bottom-right of the screen when the location will be fixed with the defined accuracy.
Press the button to save your car location.
When you can re-enter the app it will display the route to your vehicle and, of course, you can save the car location again.
Easier impossible!
PLAY STORE LINK
https://play.google.com/store/apps/details?id=com.ryosoftware.whereismycar
PERMISSIONS
Fine and coarse locations: Required to fix your location
Write external storage: Required by GoogleMaps API
Internet and Access network state: Required by GoogleMaps API and by Ads (in the free version)
Billing and Get Accounts: Required to manage InApp billing
Bluetooth: Required to automatically save current location when BT device disconnected (see app settings)
Vibrate: Required to vibrate when current location saved
Read phone state: To disable voice speech while incall
Only to let you know 2 relevant dates for this app:
* May 3: I have pulled the app from the Play Store. Active users can use the app but no new installs are allowed.
* June 11: Google Maps API becomes a payment API and developers need to create a billing account to continue using it. I do not agree with that, so I do not intend to create the billing account. I assume that the app will stop working sooner rather than later from that date.
Just for your information, I paste a relevant part of the email that I received on May 3 from Google...
Code:
Hi,
Today we are announcing important changes, including our new name - Google Maps Platform, a simplified product structure, pay as you go pricing for all, and more. Please take a few minutes to review the announcement to familiarize yourself with the upcoming changes.
We would like to highlight a few updates that may impact your implementation. Beginning June 11th, we are launching our new pricing plan and providing all users access to support. We’ll continue to offer a free tier — all developers will receive $200 of free monthly usage of our core products.
In addition, this change will require you to enable billing and associate it with all of your Google Maps Platform projects. Creating a billing account helps us better understand your usage so we can continue developing helpful products. It also allows you to scale easily with less downtime and fewer performance issues if your product grows beyond the $200 of free monthly usage. For additional visibility and control you can set daily quotas or billing alerts.
LookPoint is an application which could benefit a user in many life circumstances where location matters. LookPoint does not need any internet connection except in the case that it runs the "Maps" application to find a target location point on the live Google "Maps" and analyze possible routes and ways. Sometimes, the "Maps" application can be used offline as well for some countries, so in this condition, naturally the internet consumption of your device would be zero.
All communications between LookPoint users are made by encrypted SMSs, and one cheap SMS or, depending on an operator’s subscription policy, a free SMS is used to perform an operation (Submission or Request)!
Moreover, even if the user closes the LookPoint or restarts the phone, it still can accomplish the tasks perfectly!
Also, if the GPS of the target device is OFF or inaccessible within one minute, the LookPoint will access his/her location from SIMCARD's network operator.
LookPoint consumes the phone battery in an efficient manner. You can feel free to keep the location hardware of your device always ON, because LookPoint does not activate it unnecessarily. (In the new Android versions, you have to keep the location part always ON for normal operation and it is controlled by the Android operating system itself).
Note: The LookPoint application does not require any registration and never shares your personal information such as location, name, number … anywhere without your desire.
Note: Use the latest version of the Google "Maps" application and keep it updated.
Note: The customer satisfaction is important for us. Please feel free to contact us before you leave any feedback.
To get more detailed information about how to use the LookPoint, don't forget to watch the "Video Manual" through the below link:
The LookPoint application could benefit the user in many scenarios such as:
1) You lost your phone but you have no idea where it might be or if it is stolen.
2) You got lost and you are unable to describe where exactly you are.
3) Your kid possibly got lost or annoyed by somebody and unfortunately does not respond to your calls. You do not know where you should look for him.
4) You want to reach somewhere but you don't know the destination point and the best route to get there.
5) You face or are a witness of an accident and you want to inform others or emergency about its exact location.
6) You are on a trip (car, bus, train, airplane ...) and you want to inform others about your location or your relatives want to know where you are at the moment.
7) You run a transportation company and are interested to get informed about the location of your trucks.
8) You own a catering company (Food, Pizza ....) and delivery staff have difficulties in locating customers.
9) You run a taxi service company and location monitoring of your fleet is interesting for you.
and ......
No download link, thread closed.