Related
After the recent article on apps that are sharing our personal information, it occurred to me that this should be an easy problem to fix. All we need is a good personal firewall app. Heck, iptables would be a great start, but it can be hard to implement that on an app by app basis. It will be hard to set up for apps that have legitimate needs to connect over port 80 for legitimate needs, but also uses that same port for less than legitimate needs. So I guess it will also take some blacklisting of certain servers, perhaps along the lines of the ad blockers apps that modify the hosts file.
Or does such an app already exist?
Skip
Here you go:
http://www.appbrain.com/app/droidwall-android-firewall/com.googlecode.droidwall.free
MrGibbage said:
After the recent article on apps that are sharing our personal information, it occurred to me that this should be an easy problem to fix. All we need is a good personal firewall app. Heck, iptables would be a great start, but it can be hard to implement that on an app by app basis. It will be hard to set up for apps that have legitimate needs to connect over port 80 for legitimate needs, but also uses that same port for less than legitimate needs. So I guess it will also take some blacklisting of certain servers, perhaps along the lines of the ad blockers apps that modify the hosts file.
Or does such an app already exist?
Skip
Click to expand...
Click to collapse
1. There's already a couple adblock apps like Adfree which block a lot of stuff.
2. If you read the permissions for the apps you CHOOSE to download, then you'll know exactly what access to data they'll have. If you don't like that PaperToss wants access to your device ID, then just don't install PaperToss.
And of course, such an app would undoubtedly cause more issues than the perception of "security" it would provide, since you'd probably not be able to use half the apps anymore. Or they'd stop being ad-supported, and would begin to charge instead.
From the article:
Google requires Android apps to notify users, before they download the app, of the data sources the app intends to access. Possible sources include the phone's camera, memory, contact list, and more than 100 others. If users don't like what a particular app wants to access, they can choose not to install the app, Google says.
Click to expand...
Click to collapse
Just read the app permissions. That tells you almost everything you need to know.
The problem is, the app permissions don't tell you what you need to know. Here are the permissions for Paper Toss by Backflip Studios:
Your Location (coarse network-based location)
Network communication-full internet access
Phone Calls - read phone state
While the Location permission would be suspect, and would cause me to question whether or not I should download this app, the other two permissions are not so immediately obvious that they are "bad". Network communications is a permission needed by every app that has in-game ads such as AdMob. And I don't know why this app needs the Phone Calls permission, but almost every single app in the market uses that permission. At least it isn't asking for access to the address book or anything like that.
What I would like is for the app to tell us what it needs internet access for, and to tell us what information it is sending to third parties.
MrGibbage said:
The problem is, the app permissions don't tell you what you need to know. Here are the permissions for Paper Toss by Backflip Studios:
Your Location (coarse network-based location)
Network communication-full internet access
Phone Calls - read phone state
While the Location permission would be suspect, and would cause me to question whether or not I should download this app, the other two permissions are not so immediately obvious that they are "bad". Network communications is a permission needed by every app that has in-game ads such as AdMob. And I don't know why this app needs the Phone Calls permission, but almost every single app in the market uses that permission. At least it isn't asking for access to the address book or anything like that.
What I would like is for the app to tell us what it needs internet access for, and to tell us what information it is sending to third parties.
Click to expand...
Click to collapse
Maybe to detect a phone call and pause the game.
Sent from my SGH-T959 using XDA App
MrGibbage said:
The problem is, the app permissions don't tell you what you need to know. Here are the permissions for Paper Toss by Backflip Studios:
Your Location (coarse network-based location)
Network communication-full internet access
Phone Calls - read phone state
While the Location permission would be suspect, and would cause me to question whether or not I should download this app, the other two permissions are not so immediately obvious that they are "bad". Network communications is a permission needed by every app that has in-game ads such as AdMob. And I don't know why this app needs the Phone Calls permission, but almost every single app in the market uses that permission. At least it isn't asking for access to the address book or anything like that.
What I would like is for the app to tell us what it needs internet access for, and to tell us what information it is sending to third parties.
Click to expand...
Click to collapse
All free apps will collect some information .... so they know what ads to aim your way ..... so they can make money ... Every one does this .... on your computer its the same as your cookies .... and only the really paranoid will set their browser cookies settings to "ultimate :block all cookies "...
Here's the difference, android openness will allow others to research and publish their findings, un like others that are closed and will not allow research, and if anyway is found to get the research. done the publication will be deleted from the web ......
The openness is why you see soooooo many articles on this issue over n over, none of them mentioning that the paid versions of these apps don't collect any thing .....
How much personal information are you planning on storing in the paper toss game?
Consider this in your answer, android system runs apps in sand box mode meaning, one app cannot access another without YOUR permission, or if an app is infected with malware, that malware will only operate in that app, unlike your windows machine where it would have a free for all .....
ferhanmm said:
Maybe to detect a phone call and pause the game.
Sent from my SGH-T959 using XDA App
Click to expand...
Click to collapse
That's my point. That would be a legitimate need for access to the phone state. However, granting that permission also gives the app permission to make phone phone calls. I still think the apps need to be more specific about the permissions they need.
The bottom line is, these phones are great, they can run all kinds of awesome software, but the people writing the software need to make a living too. If someone really wants to prevent their phone from sending out personal information, then they should not install any software, and maybe shouldn't even be using the phone at all. But I still see a need for a firewall app (possibly DroidWall, as mentioned above) to help us prevent this type of thing from happening.
A permissions firewall would be much more interesting and useful in my opinion.
Being able to block a certain thing like "read contact data" for all apps and only permit access with a white list would be very useful to me.
Most of the app now require acces to the phone calls..even a news app requires it, sms app such as go sms also requires it. So I want to know after knowing that an app will be able to acces your phone call you still download it? And does anyone in what way the developers use such info?
Sent from my E10i using XDA App
Excellent topic, I'm really troubled by this. The business world makes a whole lot of money based on the average persons inertia - their lack of information or willingness when it comes to the products and services they use and the money they use to pay for them. Particular mobile phone network providers come to mind, who are happy to charge the most expensive prices because people don't know or don't care.
This lazy attitude is seeping into the Android app world. It will be a small per centage of us who will realize this threat and do something about it - exactly like cookies and public wifi privacy etc.
For those of us already interested, are there websites or apps which can guide us on this?
I had thought about it before but it seemed to be all apps out there at least need to access your internet, calls, phonebook and etc.. Not sure really if some of these nasty apps has the evil purpose to steal our vital informations in the phone... say if we're checking our bank account or something similar..
What I practice:
1) Installed AVG pro and do scan regularly, and set to scan every newly installed apps.
2) Use both cache cleaner and history eraser to clean up all traces once a day.
3) Hope they don't see me as a target.
Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!
Deehee3 said:
Don't worry.
I think access to the phone calls is just to minimize the running app in case you receive a call. In other case you would not even realize an incoming call?!
Click to expand...
Click to collapse
What about data? When you install an app in most cases you allow data access to it.
Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App
Deehee3 said:
Searching for updates or viewing developers homepage maybe?
Sent from my U20i using XDA App
Click to expand...
Click to collapse
What if not? What if app you´ve installed is spying on you and sending info to hackers. How would you know?
On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...
On other systems, apps usually have an user/administrator scheme, where the 'user' has access to some things and 'administrator' has access to everything.
There is no such thing on Android (except if you have a rooted phone and some app asks for superuser access, but you get a requester asking for permissions as well).
Each app has to specifically ask for permissions or the system will deny it. A spyware has to ask for those permissions or it won't work.
Some permission requests to look out for:
- "Call phone"
can be used by the application to silently dial some "premium" numbers
- "Send SMS"
can be used to send SMS to special "premium" numbers
- "Record phone calls"
can be harmful if associated with "internet access" permission
- "Access fine location"/"access coarse location" and "internet access"
can be used for tracking purposes
Many apps ask for:
- "Phone identity" / "internet access"
they use it for "statistics purposes" (flurry.com mostly) but it is bad. The developer should always inform the user about those.
BTW, that an app is open source makes no difference. Someone can always (willingly or not) tamper with the final build. And not everyone reviews open source apps.
zapek666 said:
A spyware has to ask for those permissions or it won't work.
Click to expand...
Click to collapse
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?
ppirate said:
On android we have the luck that there are a lot of applications that are open source. When I have to choose an application, I always choose and support the open projects!
You will notice that most of those applications don't need all that personal information! Makes you wonder...
Click to expand...
Click to collapse
Don´t tell me that you evaluate the source code of each application you load from the market. And even so, how would you know the difference between what is shown to you and the final build, available on the market?
vlissine said:
Sure. But if an app legitimately ask for data transmission and file system access, AND you grant it, how would you know it is not using the granted rights for something else?
Click to expand...
Click to collapse
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Android apps are all sandboxed into their own homes.
A good example of a suspicious application is HTML5 Reference.
"This HTML5 reference lists all tags supported in the HTML5 specification.", fine. Let's look at the permissions:
Network communication: full Internet access
Phone calls: read phone state and identity
While the first 2 could be produced as a side effect of the developer implementing some "statistics library" (flurry.com or so), the next 2:
Your location: fine (GPS) location
Your personal information: read sensitive log data
Are a giveaway that this app does a bit more than just listing HTML reference tags
zapek666 said:
Filesystem access are limited to the external memory card. An app with such permission cannot access other apps' private data (which are stored on the phone).
Click to expand...
Click to collapse
Ok, how about a picture viewer, which usually picks pictures from each and every
directory, no matter if you want it (and not only from memory card).
Hey vlissine and zapek666. You both have a point.
One individual cannot review every code he or she uses. And also one does not only uses his or her own builds of the projects. But every now and then, I have to go into a project, mostly to add functionality. During that time, I usually have to go over a lot of code to understand the program. It is no guarantee, but you can imagine that some strange code will stand out.
I'm surely not the only person. So while one individual is not capable of such an endeavor. A lot are.
Your other point is as valid as can be. But here again, builds are comparable.
Surely, one does not have to find himself or herself obliged to use certain kind of projects. But to me, when I have the change, I use and support the open source project. One important reason is because of the concern raised by the original poster!
http://googlemobile.blogspot.com/2011/03/update-on-android-market-security.html
Apparently we were not that paranoid, thinking of spying apps
Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..
farsight73 said:
Two options:
1) To avoid being spy and get super paranoid about it... ditch your smartphone and get those early 2000 phones with only calls and sms capable.
2) Use the smart phone eg: X10 mini/pro or any android phones and ignore these spying scene and live with it like nothing ever going to happen since this new technologies really live up our life nowadays..
Click to expand...
Click to collapse
One more option - stop giving stupid advises when you have nothing to say.
maybe apps need to call functions or need it to run?
write them your self if your that bothered?
...
Sent from my E10i using the XDA mobile application powered by Tapatalk
Before beginning, I'm outlining two application permissions for future reference.
These were pulled from this article. It also outlines other permissions.
Raju PP said:
fine (GPS) location
While not a danger for stealing any of your personal information, this will allow an application to track where you are. Typical applications that might need this include (but are not limited to) restaurant directories, movie theater finders, and mapping applications.
Click to expand...
Click to collapse
Raju PP said:
coarse (network-based) location
This setting is almost identical to the above GPS location permission, except that it is less precise when tracking your location.
Click to expand...
Click to collapse
Recently, I've taken an interest in privacy concerns with application permissions. I'm sure several of you are guilty of being unaware of unnecessary app permissions. I have apps on my device that I've had since migrating to Android, long before I concerned myself with privacy. In my recent hunt of cleaning up my application list, I've discovered that many applications have permissions that aren't necessary for it to function. The most common, unnecessary permission I've come across is coarse (network-based) location. As its name describes, this permission allows an app to determine your approximate location (e.g., the large location area shown by Google Maps when GPS is not on).
An example. I use a Wifi Login application to automatically enter login information for campus internet access (it was cumbersome to enter it manually each time). It works wonderfully, but it has this permission (coarse location). I asked myself, "what function of the app needs to access location??" I only need the app to access the internet, nothing else. I also noticed that each day, there was a location service wakelock despite having all location refreshing services turned off (in other apps, latitude, etc.). Upon removing its ability to obtain approximate location, the location service wakelock disappeared and functionality was not affected.
So, there are two concerns: privacy and unnecessary battery usage. While the link between the two is not often made, I'm making it here. Not only was the app (presumably) sharing my location, but in doing so, my battery took a hit. Before someone panics, I don't believe most apps use this maliciously. My guess is that app developers use it for demographic purposes to determine where in the U.S. their application is being used. Obviously not necessary, but an interesting tidbit for the creator of an app. So my question is, are you ok with apps accessing your approximate location? I've seen several games that have location permissions and in no way can that be justified.
Going beyond location permissions, there are obviously other privacy concerns. A number of app developers I've seen list why an application needs certain permissions. In the example provided above, the developer doesn't mention permission uses. In post 2, I will provide methods for identifying and removing app permissions (by using other apps lol - ironic, I know). Below is a good read about applications' additional "costs."
Free apps not truly 'free'
I use two applications to identify permissions: Appbrain Ad Detector and Avast Mobile Security. Appbrain Ad Detector has the ability to notify you when an app you install has "concerns." Avast Mobile Security has a lot of very useful features, one of them being "privacy advisor." Using one or both of these will allow you to determine what permissions are necessary and which ones are not. For what it's worth, I've only had a few apps that I felt had unnecessary permissions. You obviously don't want to revoke Tango access to the camera lol.
EDIT: I was going to suggest getting an application called "App Shield," (has the ability to remove app permissions) but it appears that it is no longer available on the market. It was a paid app that was just under 2 bucks, if I remember correctly. Due to this development, you'll have to find either App Shield or another method to accomplish this.
You can always just email the app creator and ask why they have the permission included. It (usually) takes more than one questionable permission to be truly dangerous.
From what I've read the majority of apps that use coarse location is for determining the ads you see in the app. Better chance of them being relevant to you.
Just like that article you linked, I think it was brought up on an xda portal article (either that or lifehacker love that site) that because of ad supported apps using coarse location, the battery use was higher, and paid apps that remove the ads will lower your battery drain. Not a huge difference, but it can add up.
gr8hairy1 said:
. . .
From what I've read the majority of apps that use coarse location is for determining the ads you see in the app. Better chance of them being relevant to you.
. . .
Click to expand...
Click to collapse
Makes sense. Coincidentally, the example I used is a paid app. The app itself had the permission, as well as the "pro" activation apk. Though it's no longer an issue, I may consider contacting the app developer out of curiosity.
Definitely do that. I have a large amount of apps on my phone, and it's not too uncommon to get an update for an app that removes a permission. Many times it's done because people contact the developer and the developer realizes it's not needed. Most times I see that happen is in paid apps, only sometimes with the free apps.
As for your original topic "are you ok with apps accessing your location", I have no issue with it. Obviously if it is getting used maliciously, no, I wouldn't be ok with it.
But as it is, 'guaranteed' the Phone Carriers know where you are and where you've been. And 'guaranteed' the government knows where you are and where you've been. I will always be more worried about the government knowing everything they want about me, without my permission, than some app creator. And as it is, I'm ok with the government knowing.
I feel the same way about the government as I do Google. Until they turn evil and start enslaving mankind (search "is google skynet", hilarious and royally creepy) I'm going to keep using them and stay in the country I live in.
Conspiracy theorists feel free to chime in. Although let's be honest, the over-the-top conspiracy theorists (that make for the best/most hilarious conversations) won't likely be carrying around a device that has cameras, microphones, gps chip, and internet access that can be used to activate one or all of those remotely
I don't really care if they know my location, but now that you mentioned a possible battery drain, I am bothered by that. Someone should make a list of popular apps that may have unnecessary permissions that can be safely disabled through some sort of means.
https://play.google.com/store/apps/details?id=com.stericson.permissions
Yer welcome.
Sent from my SGH-I777 using Tapatalk 2
I don't care either. I have my GPS constantly disabled so the only location any of my apps could get is a general network location....
Honestly, I think privacy concerns are often blown out of proportion... mostly by the media. Don't get me wrong, there is nothing bad with being concerned, but I highly doubt we are going to have another Craig's list killer situation from developers releasing apps on Google Play. Knock on wood.
As mentioned before, contact the app's dev and ask for more info. If they never reply then I would be worried. As well you can always use a different one. If needed you can use "Tasker" which can allow you to build almost any function any other app has to offer all under your control. Just be warned Tasker is highly addictive for us nerds....
Anyway, and in summary, I have less trust is most banks selling my purchase history then the random app developer.... but that's just me.
Just purchased SGS3 and SGN10.1, havent downloaded any apps as of yet because I am not comfortable with the permissions issue.
I also have not rooted as I am waiting for my sandisk extreme pro sd cards, but i have some clarity i need in moving forward.
How can i best protect my phone and the info in it - mostly for the protection of my clients contact info and just the general fact that nobody needs to know my info without my knowing why.
I have been online for the last 5 days trying to understand what i need to worry about and what i dont.
I have a copy of whispercore 0.5.2 and would like to know if i can use it on my sgs3
Do i need to root my device to give optinal protection PROS/CONS
How is the avast protection
And most importantly - are these protections necessary or have i been sidewiped by chicken little?
How can i determine the best app for me - preferrably with no permissions
I really need a good mail app, document editing app, pdf app, and possibly a CAD app
I have been overwhelmed with info over the last 5 days and need some help with clarification and facts.
Thank you in advance for your help,
Confus-ed:silly:
An app with no permissions has the ability to access nothing so in essence will be of little use. Contacts are synced with Google unless you opt out that decreases security. Personally if your clients details are that sensitive use a dumb phone for work and keep your S3 for less sensitive tasks.
Sent from my GT-I9300 using Tapatalk 2
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you dont have any real information to share, dont waste my time with your non-answer.
confus-ed said:
Are you trolling me?
Just running through the threads trying to increase your reply and post count?
I would appreciate that if you dont have any real information to share, dont waste my time with your non-answer.
Click to expand...
Click to collapse
What?
He answered your question, an app that asks for no permissions can't do much, apps need to have permissions to do various tasks.
If you're that paranoid about safety don't root and just use reputable apps from Google play store.
Edit: in fact the more I read you reply to him the more I see that you have a terrible attitude.
Good luck finding help when you act like that.
Sent from my GT-I9300 using xda premium
No attitude, i thought that i had explained in my original post that i have just spent 5 days scouring the web (which included xda).
I didnt ask about permissions nor did i ask about contacts being synced with google, I understand what the permissions do, but i also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and i am sure that my clients wouldnt want some random solicitation due to an app that has no need to access my contact list. such as a document editior.
My reply may have been a little short but ghost did not address any of my questions or concerns.
confus-ed said:
No attitude, i thought that i had explained in my original post that i have just spent 5 days scouring the web (which included xda).
I didnt ask about permissions nor did i ask about contacts being synced with google, I understand what the permissions do, but i also have read where you have control over the permissions when you root the phone.
Not paranoid, I just know the data mining that goes on and i am sure that my clients wouldnt want some random solicitation due to an app that has no need to access my contact list. such as a document editior.
My reply may have been a little short but ghost did not address any of my questions or concerns.
Click to expand...
Click to collapse
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
Sent from my GT-I9300 using xda premium
nodstuff said:
Yes you do have control permission when you root, but rooting is a double edged sword because root apps actually have more "power" when it comes to your system and if there is malicious code in them it will also have superuser permissions if you give the main app superuser permissions.
The safest option is not to root, if you root you are opening your system up to exploitation.
I have rooted every android phone I have ever had and never had any problems but that choice is yours.
Click to expand...
Click to collapse
From the perspective of data mining, you're basically just as vulnerable with a non-root app, then only difference being that the non-root app will specifically ask for permissions to use your contacts.
At the end of the day, if you want decent integration between your personal data and your apps, you're going to need to accept some risk and allow someone elses code to run through your data. If you have sensitive client data, you'll most likely be safe if you stick to mainstream, popular apps, and keep a close eye on comments to make sure no one else has had issues with security. If you're really paranoid though, I would recommend you don't keep sensitive information on any device with internet access.
I would recommend LBE privacy guard it will prompt when an app is trying to access something and you decide to allow it or not, you can manage wich permissions you allow for each app, even cut it from any Internet access.
The app does require root to work
Sent from my GT-I9300 using xda app-developers app
Thank you
Hi.
I tried to search but couldn't find any solution for this issue.
I know making a real unremovable app is impossible, but I hope I'll be able to find a way to make an app harder to remove.
I want to make some kind of parental protection app.
it should be installed easily without much technical knowledge ( preferred that it will work on unrooted devices).
the app should be hard to remove or disable by the phone user.
who ever installed the app should be able to remove (probably with a password in the app settings).
I don't care if technical users will be able to easily remove the app.
I also don't care if the users will know that the app is installed on their device
I guess the simplest solution will be to some how hide the app from the app drawer.
I saw some where that Cerberus has that option but I guess it requires a root.
another solution might be if there is an option in the android os itself setting an admin password that will not allow
the user to install or remove any apps without the password.
any ideas if how to approach this ?
This is surely not a complete answer, but maybe a point to start with.
In android, you can write services: http://developer.android.com/reference/android/app/Service.html
A facility for the application to tell the system about something it wants to be doing in the background (even when the user is not directly interacting with the application). This corresponds to calls to Context.startService(), which ask the system to schedule work for the service, to be run until the service or someone else explicitly stop it.
Click to expand...
Click to collapse
And there is a possibility of receiving a message if the uninstaller of an app is started: http://developer.android.com/reference/android/content/Intent.html (ACTION_UNINSTALL_PACKAGE).
Google will probably help you on how to use these things
Thanks I'll have a look
David:D said:
This is surely not a complete answer, but maybe a point to start with.
In android, you can write services: http://developer.android.com/reference/android/app/Service.html
And there is a possibility of receiving a message if the uninstaller of an app is started: http://developer.android.com/reference/android/content/Intent.html (ACTION_UNINSTALL_PACKAGE).
Google will probably help you on how to use these things
Click to expand...
Click to collapse