Be aware of what your Android app does | InSecurity

Updated 4:30 p.m. PDT to change the headline to reflect that SMobile says it isn't criticizing the Android model, and updated 10:30 a.m. PDT to change a misleading headline and add information throughout stating that users grant permissions to apps when they download them.

About 20 percent of the 48,000 apps in the Android Market allow a third-party application access to sensitive or private information, according to a report released on Tuesday. Some of the apps were also found to have the ability to do things like make calls and send text messages without requiring any interaction from the mobile user, using permissions the user granted when downloading the app. For instance, 5 percent of the apps can place calls to any number, and 2 percent can send SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market threat report.
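As an added example (not code from the article or from SMobile), the script below does the kind of review the report describes: it reads an app's AndroidManifest.xml, lists the permissions the user is granting at install time, flags the cost-incurring or privacy-sensitive ones, and calls out the combination that matters most in practice, private data together with INTERNET, which lets that data leave the device without any further prompt. Both manifests are constructed for the example; the permission names are Android's, but the "sensitive" grouping and the exfiltration heuristic are this example's own. The caveat for anyone using it: a declared permission shows what an app can do silently, not what it actually does.

```python
"""Review the permissions an Android app asks for at install time.

Added example, not code from the article or from SMobile.  Both manifests
below are constructed; the permission names are Android's, the 'sensitive'
grouping and the exfiltration heuristic are this example's own.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions this example treats as cost-incurring or privacy-sensitive,
# with a note on what the app can then do without asking the user again.
SENSITIVE = {
    "android.permission.CALL_PHONE": "place calls to any number",
    "android.permission.SEND_SMS": "send SMS, including to premium numbers",
    "android.permission.READ_PHONE_STATE": "read the device and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "read approximate location",
    "android.permission.READ_CONTACTS": "read the address book",
}
# Data-reading permissions that become an exfiltration path when combined
# with INTERNET (our own heuristic, not an Android category).
PRIVATE_DATA = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
}
INTERNET = "android.permission.INTERNET"

# Constructed manifest of a wallpaper app that asks for far more than it needs.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Constructed manifest of an app whose requests match its purpose.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Notes"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Permission names the user is asked to grant when installing the app."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def audit(manifest_xml):
    """Summarise what the declared permissions let the app do silently."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    return {
        "package": root.get("package", "<unknown>"),
        "sensitive": sensitive,
        "notes": [SENSITIVE[p] for p in sensitive],
        # Private data plus a network path: it can leave the device unprompted.
        "can_exfiltrate": INTERNET in perms and bool(perms & PRIVATE_DATA),
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = audit(manifest)
        print(result["package"])
        for note in result["notes"]:
            print("  can", note)
        if result["can_exfiltrate"]:
            print("  reads private data and has INTERNET: data can leave the device silently")
        if not result["sensitive"]:
            print("  no sensitive permissions declared")
```

To run it against a real app, pull the manifest out of the APK first; it is stored there in binary form and needs decoding (apktool does this) before ElementTree can read it.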
Google Launches Licensing Service For Android Applications. Google has just announced a new licensing service allowing Android developers to better protect their applications from unauthorized use.
The free service uses a secure mechanism to check the license status of paid apps on the Android Market, and is available to apps running on Android 1.5 or higher. To protect their work, developers include a set of libraries provided by Google that query the Android Market when the app launches to determine whether the current user holds a license. The service then returns to the app whether that user is authorized, based on the Market's stored sales records. This gives developers a real-time way of protecting their work without having to rely on copy protection of the kind Apple enforces on iOS with its FairPlay DRM.

[EXCLUSIVE] Report: Google's Android Market License Verification Easily Circumvented, Will Not Stop Pirates | Android Police
[Update: 8/24/10 @ 7:45 PM EST by Aaron] Tim Bray responded to Justin's article, but seems to have misunderstood the goal.
Thus, Justin has written a follow-up article here.

Preface

This article was not written to teach people how to pirate or to ridicule Google's Android License Verification Library (LVL), which handles communication with Google's Android Market Licensing Service. I am very much against piracy, and very much pro-Google.

Google's new Android Market piracy prevention system circumvented

At the end of July we reported on a new anti-piracy measure from Google that was aimed at cutting the number of pirated apps available for download outside of the Android Market.
It appears that the new licensing service has already been circumvented, allowing a would-be application cracker to strip an app of its licensing protection completely, opening it up for unofficial distribution and piracy. Android Police has an explanation of how the licensing system can be bypassed, which centers on disassembling the app's Dalvik bytecode with the smali/baksmali assembler/disassembler. Because the License Verification Library is not part of the Android platform, developers have to bundle it inside their own apps, meaning that an attacker can disassemble the app, remove the library's check, reassemble the app and then distribute it as he or she sees fit. At the moment, the process is a simple proof of concept.

2 out of 3 Android apps use private data 'suspiciously'

Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of the applications monitored used phone numbers, geolocation, and other information "suspiciously."
The study, by computer scientists at Pennsylvania State University, Duke University, and Intel Labs, randomly selected 30 of the most popular apps from Google's Android Market that access personal information and closely tracked how much of it they transmitted. Fifteen of the apps reported users' locations to remote advertising servers, and seven broadcast the handset's device number or phone number to outside servers. In almost all cases, the information was collected without informing users about what was happening. In some cases, information was reported as frequently as every 30 seconds.
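As an added example, not code from the study or from the article, the script below does a simplified, black-box version of the check the researchers' findings call for: with the handset's own identifiers known in advance, it scans a log of an app's outbound HTTP requests for requests that carry those values, groups the hits by destination host, marks hosts the app has no first-party reason to contact, and measures how often each host receives the data, which is how a 30-second reporting cadence shows up. The identifiers, the log lines and the first-party host list are all constructed for the example. Matching known values at the network edge misses anything the app hashes, encrypts or otherwise encodes before sending, so a clean result means "nothing found", not "nothing sent".

```python
"""Spot handset identifiers leaving the device in an app's outbound HTTP
traffic.  Added example, not code from the study or the article.  The
handset identifiers, the log lines and the first-party host list below are
all constructed for illustration.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit, unquote

# Identifiers of the (constructed) test handset.  On a real device these are
# read from the phone under test before the run.  The number is kept
# digits-only so that '+15555550123' and its URL-encoded form both match.
DEVICE_IDS = {
    "imei": "356938035643809",
    "phone": "15555550123",
    "lat": "40.4406",
    "lon": "-79.9959",
}

# Hosts the app has a first-party reason to contact (assumption for the example).
FIRST_PARTY = {"api.example-wallpapers.com"}

# Constructed log of outbound requests: timestamp, app, method, URL, body.
LOG = """\
2010-09-30T12:00:00 com.example.wallpapers POST http://api.example-wallpapers.com/sync body=user=42
2010-09-30T12:00:05 com.example.wallpapers GET http://ads.example-adnet.com/ad?lat=40.4406&lon=-79.9959&did=356938035643809 body=
2010-09-30T12:00:35 com.example.wallpapers GET http://ads.example-adnet.com/ad?lat=40.4406&lon=-79.9959&did=356938035643809 body=
2010-09-30T12:01:05 com.example.wallpapers GET http://ads.example-adnet.com/ad?lat=40.4406&lon=-79.9959&did=356938035643809 body=
2010-09-30T12:02:00 com.example.wallpapers POST http://stats.example-tracker.net/collect body=phone=%2B15555550123&ev=open
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) body=(.*)$")


def parse_line(line):
    """Split one log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, app, method, url, body = m.groups()
    return {"ts": datetime.fromisoformat(ts), "app": app,
            "method": method, "url": url, "body": body}


def tainted_fields(url, body):
    """Names of handset identifiers whose value appears in the query or body."""
    # Decode percent-encoding so '%2B1555...' is seen as '+1555...'.
    haystack = unquote(urlsplit(url).query) + "&" + unquote(body)
    return sorted(name for name, value in DEVICE_IDS.items() if value in haystack)


def analyze(log_text):
    """Per destination host: which identifiers it received, how many times,
    the shortest gap between reports, and whether it is a third party."""
    per_host = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        leaked = tainted_fields(req["url"], req["body"])
        if not leaked:
            continue
        host = urlsplit(req["url"]).hostname
        entry = per_host.setdefault(host, {"leaks": set(), "timestamps": []})
        entry["leaks"].update(leaked)
        entry["timestamps"].append(req["ts"])

    report = {}
    for host, entry in per_host.items():
        times = sorted(entry["timestamps"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[host] = {
            "leaks": sorted(entry["leaks"]),
            "count": len(times),
            "min_interval_s": min(gaps) if gaps else None,
            "third_party": host not in FIRST_PARTY,
        }
    return report


if __name__ == "__main__":
    for host, r in analyze(LOG).items():
        where = "third-party" if r["third_party"] else "first-party"
        every = f"every {r['min_interval_s']:.0f}s" if r["min_interval_s"] else "once"
        print(f"{host} ({where}): {', '.join(r['leaks'])} sent {r['count']}x, {every}")
```

On a real handset the log would come from a proxy or packet capture sitting between the device and the network; the analysis is the same, and the first-party list is the part that needs the most care, since an app's own backend relaying data onward to an advertiser looks first-party at this layer.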