Friday, July 30, 2010

Android app designer denies data theft

Concerning reports emerged late Thursday that one of the Android apps had been stealing users' information and sending the data to China. Upon discovering the issue Google were quick to shut down the app, but thousands of phones may be affected. While this affects only Android smartphones, it raises concern over apps on other types of smartphones too. Meanwhile the app developer has denied he had constructed the application to steal user data.

The discovery, on the face of it, appears to be an argument for Apple's restrictive iPhone App Store. Certainly, Apple's approval process has an extra layer of security that the Android Market does not, even if it means that some desirable apps aren't allowed because Apple says so. But the advantage for Apple is not so clear-cut.

The issue surrounds an Android wallpaper app from Jackeey Wallpaper which offered popular brands such as My Little Pony and Star Wars, and was downloaded between 1.1 million and 4.6 million times. According to reports the app collected SIM card numbers, subscriber information and voicemail passwords if they were programmed automatically into the phone. This data was sent to www.imnet.us, a domain registered in Shenzhen, China.

Google said it has suspended the application while it investigates further, but it has shaken the smartphone community. While this incident might be used by Apple as ammunition to criticise Android devices, there may be issues surrounding the iPhone App Store too, so writes Yobie Benjamin at the San Francisco Chronicle.

iPhone & Android apps at risk

Benjamin highlights a lawsuit filed by Washington state resident Michael Turner, who took issue with Storm8, a developer and publisher of a very popular Vampires Live iPhone application. The lawsuit alleged the app involved the execution of "malicious software code", something not authorized by Apple. The lawsuit claimed that only "very specific and specialized software code" could do so and sought injunctive relief and damages. "Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhone user who downloads any Storm8 game... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed" [SFGate].

The app from IMNet.us steals graphics from the Internet, repackages them as its own and gives out a "free application" to Android users. But in return the app harvests data from its users. The Android Twitter stream is flooded with tweets from people concerned for their phone's security. And their concerns are warranted.

While it is easy to identify rogue iPhone app companies and out them, this appears less easy with Android apps which could be made and distributed by individuals or groups that are beyond the reach of US laws. Harvesting information of any sort and sending it to China is particularly interesting because of the Chinese national security apparatus. If one of the unknowing victims was some member of the US or NATO military or security apparatus, this would be even more concerning.

Apple approves iOS apps through a strict process before listing them in the App Store, while Google's Android Market app security involves simply warning the user during installation that an app needs permissions to perform certain functions. But this does not necessarily mean iOS iPhone apps cannot forward user data inappropriately.

Android and iPhones have similar problems. "Credentials" such as SIM numbers, phone numbers (source and destination), passwords, etc. can all be sent in clear and plain text. The platform does not force developers to implement cryptographic functions or encrypt information. It is the developer's choice to do or not to do so. Text messaging or SMS is always in plain text [SFGate].

Denials

So who is IMNet.us? Registered with GoDaddy, the site appears to be based in Shenzhen in Guangdong province China, known for its tech industry. Yao ShangLang is listed as the registrant while an email address points to an individual who goes by the name of Ice Ysl [whois.net].

Further investigation leads to a site on which Ice Ysl has posted video content describing methods to make money from Android.

Writing on his blog, Ice Ysl says he is shocked by the accusations his code stole information. "I was on GoogleTalk with a friend today who sent a message saying that I'd been writing mobile phone wallpaper applications which steal private user data," he says. "I could not believe this was true ... I was shocked."

He posted a reference to the Las Vegas Black Hat conference which highlighted the issue and adds further comment. "After reading this news, I immediately checked all the code to see if malicious code had been applied without my knowledge, but I found nothing," the programmer says. After a run through of his code along with a number of screen shots, Ice Ysl said he was "speechless" at the accusations.

Threat remains

Real or not, the potential threat of third party apps should be a wake-up call to anyone using smartphones, be they iPhones, Android devices or even those running Symbian or Windows Mobile software.

Viruses and malicious code can be and have been written for phones. Smartphones are just computers that give the user telephonic functions. Computers are not hard to hack. Given time, motive, determination and skill, anything can be hacked and that includes iPhones, Android phones and others. Google may now be looking at licensing after this bad publicity [CNET]. But consumers should also be vigilant.

Further reports: PCWorld / Venturebeat / WSJ / ClickNews / DailyTech / Register / Fortune / Telegraph

tvnewswatch, London, UK
