 dellsweig (Extreme Aerobatics) Premium, MVM join:2003-12-10 Campbell Hall, NY kudos:1 Reviews:
·Vonage
| something to be said for tight controls (iTunes)
One checkmark in the iTunes model column......
»www.9to5mac.com/fraudulant-droid···aper-app
As noted - at least the flashlight/wifi router app did not steal personal information.
-- Nothin' left to do but smile smile smile  |
|
 Reviews:
·Verizon FiOS
1 edit | really?
You can tell that to all the people who got scammed out of money by a fraud a few months ago.
»www.macworld.com/article/152533/···aud.html
Please don't throw stones in glass houses. The App Store model is about as secure as "The Club" is on your car. |
|
 dellsweig (Extreme Aerobatics) Premium, MVM join:2003-12-10 Campbell Hall, NY kudos:1 Reviews:
·Vonage
| said by RiseAbove: really? You can tell that to all the people who got scammed out of money by a fraud a few months ago. » www.macworld.com/article/152533/···aud.html Please don't throw stones in glass houses. The App Store model is about as secure as "The Club" is on your car.

That was an issue with the App store as accessed from your PC - not an app installed on your phone accessing AND transmitting personal data to China
-- Nothin' left to do but smile smile smile  |
|
|
|
 Reviews:
·Verizon FiOS
1 edit | said by dellsweig: said by RiseAbove: really? You can tell that to all the people who got scammed out of money by a fraud a few months ago. » www.macworld.com/article/152533/···aud.html Please don't throw stones in glass houses. The App Store model is about as secure as "The Club" is on your car. That was an issue with the App store as accessed from your PC - not an app installed on your phone accessing AND transmitting personal data to China

You can explain it all you want but in the end the iTunes store was cracked open, money was stolen and ripped off. Also if you look into it the developer of that scam he was in possibly a China or East Asian location too.
You do realize in both cases personal data was stolen but in the iTunes one people's credit cards were actually lifted and they were charged money. So the 2nd one seems a little bit more severe than the first don't you agree or is this "back Apple at all costs" day? Also have you actually thought things through? Wouldn't a large PC store hack and exploit be of a bigger issue since it tied directly to a credit card server instead of some random app just taking search history and what not? |
|
 Nancymca (Security Goddess, retired.) Premium join:2001-09-30 Voorheesville, NY
| The Applestore app in question linked to an external website which acted as the conduit for theft. Thieves are not the most brilliant bunch....charging back to iTunes just made it all transparent. That's a bit different than theft which occurs directly through the app. Apple has increased their vigilance WRT in app weblinks so this is unlikely to happen again. That's an important consideration. AFAIK Google isn't vetting apps. Any action Google takes will be reactive going forward, not proactive like Apple is now doing.
One incident is a learning experience, it's the second that is going to be viewed *very* differently.
-- Where's my flying car? It's 2010, they promised me there'd be flying cars. |
|
 dellsweig (Extreme Aerobatics) Premium, MVM join:2003-12-10 Campbell Hall, NY kudos:1 Reviews:
·Vonage
| said by Nancymca: The Applestore app in question linked to an external website which acted as the conduit for theft. Thieves are not the most brilliant bunch....charging back to iTunes just made it all transparent. That's a bit different than theft which occurs directly through the app. Apple has increased their vigilance WRT in app weblinks so this is unlikely to happen again. That's an important consideration. AFAIK Google isn't vetting apps. Any action Google takes will be reactive going forward, not proactive like Apple is now doing. One incident is a learning experience, it's the second that is going to be viewed *very* differently.

You hit it right on the head!!!!
-- Nothin' left to do but smile smile smile  |
|
 Reviews:
·Verizon FiOS
| reply to Nancymca
said by Nancymca: The Applestore app in question linked to an external website which acted as the conduit for theft. Thieves are not the most brilliant bunch....charging back to iTunes just made it all transparent. That's a bit different than theft which occurs directly through the app. Apple has increased their vigilance WRT in app weblinks so this is unlikely to happen again. That's an important consideration. AFAIK Google isn't vetting apps. Any action Google takes will be reactive going forward, not proactive like Apple is now doing. One incident is a learning experience, it's the second that is going to be viewed *very* differently.

I understand that and you make some good points but that doesn't take away from the idea of security in their respective app stores. Both suffered problems and both are probably making corrections.
My main point that I was showing the submitter was that the security isn't all that even on the App store nor is it letting someone have bragging rights. PC or Phone doesn't matter where it took place the security holes were there and should be acknowledged not explained away. |
|
 Reviews:
·CenturyLink
·Verizon Wireless..
·Mediacom
| reply to dellsweig
Mobile security is the new frontier. Android is growing balls to the wall right now (last I heard around 5 mil installs/month) and these issues - inherent in an "open" ecosystem - will only get worse. Eventually you will see them be forced to implement some method of culling apps, well beyond simply removing an offending application after some period of time when a third-party investigative unit finds flaws and privacy concerns.
Apple isn't perfect, and they're not innocent. There have been a few cases of apps improperly gaining access to contact information, for example. Of course I'd much rather sacrifice my contact list on the phone rather than bank accounts and other far more critical data which we're storing more and more of on these devices. It's a huge security issue.
All in all I prefer the Apple model, despite various reservations and grumblings from time to time. Android just doesn't suit me; if it does you, that's great. But be careful! |
|
 dellsweig (Extreme Aerobatics) Premium, MVM join:2003-12-10 Campbell Hall, NY kudos:1 Reviews:
·Vonage
| Another take on this:
»www.tuaw.com/2010/07/29/why-appl···od-idea/
-- Nothin' left to do but smile smile smile  |
|
 Reviews:
·Verizon FiOS
| reply to dellsweig
Here is Androidcentral's report on the program
»www.androidcentral.com/rogue-and···ity-firm
quote: Update: Lookout got back to us during the overnight to clarify a few things as reported in the Mobile Beat story. They're not going quite so far as to call the app "malicious," but questions remain. Read Lookout's e-mail to us after the break. We've e-mailed the apps' developer for further explanation.
Hi Jerry,
I wanted to reach out to you regarding the wallpaper app we recently discussed at Blackhat to clarify a few things.
Specifically, the wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password).
Also, it's important to note that the applications were estimated by androidlib to have between 1 and 4 million downloads (not necessarily the same thing as 1-4 million users).
Finally, while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.
I'm happy to answer any more questions you have.
Thanks,
Kevin

Kevin Mahaffey
Founder, CTO
Lookout, Inc.
|
|
 Reviews:
·Verizon FiOS
| Here is more of the story
»www.androidcentral.com/android-p···response
quote: The developer responds
We've been in contact with the wallpaper applications' developer today and asked exactly what information the apps collect, and why any information would be sent to a server. (That the server is in China likely is irrelevant.)
You can read the entire response below, much of which is rendered moot by Lookout's previous clarification that text message and browsing history indeed was not collected. As for what was collected, the developer told us the following:
quote: I collected the screen size to return more suitable wallpaper for the phone. More and More users emailed me telling that they love my wallpaper apps so much, because that even Background can't well suited the phones screen. I also collected device id, phone number and subscriber id, it has no relationship with user data. There are few apps in Android market has the favorites feature. Many users suggest that I should provide the feature so I use the these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone.
So, that's where we stand. And this isn't necessarily a new thing for Android. Apps can have access to parts of your phone they don't necessarily need, but with no malice intended. (That's where these recent "X percent of Android apps can get at your personal data!!!" stories have come from.) It's just a matter of coding and intent, right? That said, you do need to pay attention to the warning you get every time you install an app. Our previous example rings true: If, say, a calculator said it needed to see my text messages, I'd worry. A lot. It's either a poorly coded app, or it's up to no good. Either way, I don't want it on my phone.
Is this all FUD? When a security company says we need to be wary, we're wary -- and the fact that a security company makes its money selling security software is not lost on us. But take your time and read Mahaffey's post again. And read the developer's response again below.
The moral of the story is mind what you download, read as much as you can, and keep on top of things. Lookout's Mahaffey says so as well, ending with "Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience."
Indeed.
|
|
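Added example (not part of the thread or of the quoted articles): a small install-time permission check of the kind the Androidcentral text recommends, applied to the data Lookout lists, which Android of that era exposed through the READ_PHONE_STATE permission. The sample manifest, the package name and the per-category baseline are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What each sensitive permission exposes (Android 2.x-era semantics).
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "device ID, phone number, subscriber ID, voicemail number",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contact list",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS":
        "browsing history",
}

# Hypothetical baseline: permissions a reviewer accepts per app category.
EXPECTED = {
    "wallpaper": {"android.permission.INTERNET",
                  "android.permission.SET_WALLPAPER"},
    "calculator": set(),
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def audit(manifest_xml, category):
    """List sensitive permissions outside the category baseline."""
    perms = declared_permissions(manifest_xml)
    # With INTERNET granted, anything the app reads can be sent to a server.
    can_send = "android.permission.INTERNET" in perms
    findings = []
    for perm in sorted(perms - EXPECTED.get(category, set())):
        if perm in SENSITIVE:
            findings.append({"permission": perm,
                             "exposes": SENSITIVE[perm],
                             "can_leave_device": can_send})
    return findings

# Constructed sample manifest for a wallpaper app (not from a real APK).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "wallpaper"):
        print(finding)
```

An unknown category has an empty baseline, so every sensitive permission it declares is reported.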
 Snakeoil (Ignore Button. The coward's feature.) Premium join:2000-08-05 Mentor, OH kudos:1
| reply to dellsweig
Sad thing is: Why buy wallpaper? There are plenty of free wallpapers on the net. And you can make your own as well. |
|
 Nancymca (Security Goddess, retired.) Premium join:2001-09-30 Voorheesville, NY
| reply to RiseAbove
said by RiseAbove: I understand that and you make some good points but that doesn't take away from the idea of security in their respective app stores. Both suffered problems and both are probably making corrections.

Apple *is* intensifying its vetting WRT in app links. That proactive stand will serve to limit the number of rogue developers looking to use an iPhone app as an information gathering conduit. Google is relying on third parties to provide information about rogue apps in the name of "openness". Which model do you think will offer better security over the long term?
-- Where's my flying car? It's 2010, they promised me there'd be flying cars. |
|
 Homunculus (Pipsquack) Premium join:2000-12-14 Dar al-Harb
| reply to dellsweig
And when you do get your account on iTunes compromised, don't expect Apple to be of any assistance whatsoever.
-- Religion is a hatecrime |
|
 Z80A Premium join:2009-11-23
| And if someone uses a stolen credit card to buy a TV at Best Buy...don't expect Best Buy to give you your money back. |
|
 56403739 (Less than 5 months left) Premium join:2006-03-08 Naples, FL kudos:2
| reply to Nancymca
said by Nancymca: Which model do you think will offer better security over the long term?

The model where the user takes responsibility for what they are doing and does not rely on Apple, Google or any other huge corporation to tell them what to do.
Seriously, if you think relying on iTunes to be secure and safe is a good idea then you should really not be using third-party apps on *anything*. |
|
 dellsweig (Extreme Aerobatics) Premium, MVM join:2003-12-10 Campbell Hall, NY kudos:1 Reviews:
·Vonage
| reply to dellsweig
Something from the security forum to add to this discussion
»Lookout for android phones
-- Nothin' left to do but smile smile smile  |
|
 Homunculus (Pipsquack) Premium join:2000-12-14 Dar al-Harb
| reply to Z80A
said by Z80A: And if someone uses a stolen credit card to buy a TV at Best Buy...don't expect Best Buy to give you your money back.

Terrible analogy. Stop thinking Apple is perfect. They aren't.
-- Religion is a hatecrime |
|
 Z80A Premium join:2009-11-23
| Perfect analogy. Quit acting like Apple can do no right. |
|
 Reviews:
·Verizon FiOS
1 edit | said by Z80A: Perfect analogy. Quit acting like Apple can do no right.

No it's not and I don't know who perpetuated this idea that the iTunes hackings of accounts was done by someone being sent to another website. I know it was stated above earlier and I should have caught it when someone threw it out there but I would like to see the evidence that Thuat Nguyen perpetrated his fraud by sending people to another website because there is no proof, in fact no idea of how he found the hole has been revealed Apple just shuffled off after they fixed the glitch. |
|