One of the things I like about Google’s Android operating system is that it’s an open platform. Anyone can write an application and, unlike Apple’s tight hold on iPhone and iPod apps, you don’t need Google’s permission to distribute an app in the Android marketplace.
Yet there is a potential downside to such openness. Without a “big brother” to vet applications, there is a greater possibility of improperly written and ill-behaving programs, programs that compromise user privacy and just plain malicious software designed to corrupt your device or steal your information.
A recent report from SMobile Systems suggests that these concerns are not without merit. The security company performed a “threat analysis” that “indicates that there are thousands of applications that exist in the market that grant access to personal information, location data or access to services that could be used for nefarious purposes.”
While the report concludes that “a majority of these applications were written with the best of intentions” and are unlikely to compromise user data, it nevertheless paints a relatively scary picture of the potential threat of errant mobile phone apps.
The report said about 20 percent of the 48,000 apps “request permission to access private or sensitive information that an attacker could [use] for malicious purposes.”
SMobile produces security software for mobile devices and has a vested interest in raising concerns, but that doesn’t mean we should ignore the warnings.
SMobile points out that the Android Marketplace relies on users to report applications that malfunction or are malicious, and it’s certainly true that a community policing model can be effective in helping to identify dangerous apps.
But because it’s an after-the-fact methodology, the company argues that there will always be a window between when an app is released and when its dangers have been identified and the app removed from the market. During that window, unsuspecting users could wind up being harmed.
The report cites the example of “Droid 09,” a phishing application that said it would allow Android users to conduct banking activities from their phone. It’s not clear what, if anything, the app did with banking credentials, but it certainly raised concern among online banking professionals.
Via e-mail, a Google representative said the “report falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app get users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious.”
And in a telephone interview, Google spokesman Jay Nancarrow said “the Android team was aware of what it would mean to not have a formal vetting process” and that the company relies on user feedback and a rating system. He said Google wanted to make sure it was “keeping innovation flowing” by not putting up too many barriers for developers.
In addition to knowing your location, the SMobile report said that applications can also get permission to initiate a phone call; get a list of the accounts associated with your phone; access the Internet; monitor, modify or abort outgoing calls; read the user’s calendar data; read contact lists; read data about the phone’s owner; read text messages; and send or receive text messages.
The main issue is that many Android applications ask permission for certain privileges such as access to the user’s GPS location data, the ability to access the Internet or, in some cases, access to the user’s contact list. And while users have the ability to deny access, SMobile Chief Technology Officer Dan Hoffman said in an interview that users often grant those permissions without fully understanding what they are permitting the application to do.
“The majority of users don’t look at it. They say, ‘I don’t know what it means and maybe I care, maybe I don’t, but it’s not going to stop me from installing the application.’ ”
He also said the issue applies to other smartphones but worries that the problem could be worse with Android. “When it comes from a developer who developed it in their basement and there’s no vetting process, then that should be concerning to users.”
When I download apps on Android or on the Apple App Store, I do look at the permissions they request and think about whether they make sense in terms of what the app does. For example, if you were to download an app like Glympse or Foursquare — which are designed to enable you to share your location — it would make perfect sense to permit those apps to know your location, but if it were an app that had no obvious reason to know your location, you might want to think twice before enabling it.
There is always going to be a battle between security and freedom. Apple’s tight control over iPhone apps probably does help protect customers by assuring that apps are working properly and behaving ethically, but there is a cost associated with that as well. Some perfectly safe apps have been rejected and some developers have accused Apple of rejecting apps for business reasons.
Google’s more open process feels a lot more democratic but, like democracy itself, requires a bit more vigilance on the part of its “citizens.”