Why does an Android keyboard need to see your camera and log files – and why does it phone home to China? Security biz Pentest is sounding alarms after it found an Android app it says has been downloaded 50 millions times despite being "little more than malware." UK-based Pentest said a whitepaper study [PDF] of the popular Flash Keyboard found that the Android app is "abusing" OS permissions, inserting potentially malicious ads, …
This post has been deleted by its author
Phoning home to China leaves your phone open to being completely taken over. Any connections that cross the "Great Firewall" can be intercepted. Google is not going to install malware or sling ads on your lockscreen. This keyboard app is still in playstore, and one of the multitude of permissions is, "download files with out notice" . Helloooow? Does that alone but bother you. Perhaps it would be best if you did a little homework before embarrassing yourself.
Well requiring an open source code repository for all apps discourages the Asian scammers up front plus the apps are free. The drawback is of course a much more limited selection of fart apps (and admittedly other apps as well). To be honest a teen girl social butterfly couldn't probably get by with just F-Droid but its perfect for a back up out of warranty after market rom phone on which you don't want to have any sign on accounts.
@King Jack,
@ bazza Please can we stop using that stupid argument
Ooo, touchy! Been stung by some Android malware recently?
As you blatantly ignored my innocent call for debate on my question, I'll kick it off.
So what's worse? An app whose permissions are blatantly and clearly more acquisitive than necessary?
Or Google's lengthy EULA which grants them far more rights, yet goes unread by and largely unexplained to end users?
Google are fundamentally no more or less trustworthy than any other US company. Arguably they're less trustworthy than a European company who operate in a much stronger data protection legal environment. Google operate in a data protection legal vacuum by comparison.
But they're just another company, and one who are on a mission to get more of your private data so as to screw more advertising revenue from that market. So far they have managed to be far more successful at it than most others so far.
Granting them special access to ones private data is fine if that's what one wants. But having done that it's inconsistent to then whinge about an app that quite openly and clearly (by means of its permissions) tries to do the same thing but on a more limited basis. Especially as it can be avoided entirely, simply by not installing it.
Sure, an app such as this keyboard seems particularly slimy (but then so is Google's EULA), and it is kinda crazy to install it. But millions of installers seem not too worried about the permissions that were put before their very eyes.
Difficult Challenge For Google
It might be that this kind of thing gets installed because people don't care, which in turn may be because they don't put anything they really care about on their phones.
Yet Google wants them to trust their entire lives to their mobile (so they can extract advertising cues from it). However if people are deliberately withholding data from them that's going to limit how much Google can grow their business.
And then there'll always be those people who find the whole Google-sees-everything nature of Android utterly repulsive. And given Apple's success, you have to conclude that there's a monied majority (majority as in Apple have made more money than Google) who'd rather not join Google's club. And then you get the BB10 users such as myself...
No.... ok, Betteridge's law of headlines does not apply here apparently.
I'm sure the publisher will claim ignorance. "oops, we had those things on for testing and forgot to disable them".
The bigger question is, why would anyone use a keyboard app that requested those permissions? User education is the only way to keep users safe. Otherwise, we'll all be playing in an empty sandbox wearing safety helmets and drinking out of sippie cups, because, you know, we don't want poor Johnny to feel left out of group activities.
Johnny here is the moron who's too stupid to know that you shouldn't install anything from China that requires internet, camera, contacts, etc... Don't be Johnny!
>The bigger question is, why would anyone use a keyboard app that requested those permissions?
Um because Grandma isn't an expert on app permissions which is another reason why Apple can charge the premium they do. They do a better job sippy cup or not of protecting users from their own ignorance.
And even if she has she doesn't have any way or not giving the permission other than not installing the app. I have a lot of apps that require more privileges than I like to give but I can't revoke them. For instance Kitchen Timer needs rwd access to my SD card and a Latin English dictionary demand the right to read phone status (it's on a tablet without phone capability and still works so it plainly isn't a necessity).
Where was your USB or bluetooth keyboard made? Is it China? Now, what would you do if there was malware built into your keyboard that could secretly activate itself at random times and also gathered and forwarded your info? Do you know how to decode a USB connection stream and monitor it for this kind of weird activity? Me neither, but that's my next security project for home; what are my Chinese keyboards doing when I'm not looking? Please continue typing, people. Nothing to fear, so far.
This post has been deleted by its author
Because there is no existing app that doesn't require ALL the existing permissions; if you want to actually install anything at all, you learn quickly to sign away your first-born (and as many more offspring as requested) without even thinking twice about it. I should know - I refuse to do that but the price I continually pay for it is basically having nothing to install. "It's the integration, stupid" - every app has bloated into getting integration with all aspects of your phone, so it asks for everything...
demands access rights far exceeding what I consider reasonable for the job it's doing.
I sometimes think that only a small fraction of users even review the permissions, and fewer even decide against installing based on that.
I have no idea why Google yanked the Permission Manager functionality. Is it to suck up to developers who'd otherwise have to structure reasonable requests for access? Not like they're endangering their entire ecosystem by alienating a few devs who just request full access to phone/text/location for a simple flashlight app. They are however endangering their user base by allowing that bullshit to continue.
Android 6 permissions model works differently. You don't grant any permissions* until the app tries to use that feature (basically the same as iOS). You can also retrospectively revoke permissions even on legacy apps (which may cause them to crash, but my personal experience is that most of my apps survived the denial of things that are not functionally related to the app's purpose)
* admittedly that's Google's version of any, meaning it can still do network etc.
With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.
As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.
Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.
"most users don't care about permissions and privacy settings"
I'm not sure that's true, or fair to most users.
I think that most of us, to one degree or another, have just surrendered.
A few decades ago people remarked on the page of dense fine print on the back of a car rental contract.
Everyone knew it was absurd, and everyone accepted that no-one ever read it, but it was part of the deal, so you just signed.
What's changed is that literally everything you do on-line forces you to "sign" a long, dense, and unread contract, and with apps, accept a more or less random demand for permissions.
People just don't have hours each day to read these things.
Even if they did, the fact remains that if you need a service like FedEx, Netflix, or any of hundreds of government sites, you have NO choice in the matter: accept the contract conditions.
Heck, even my entirely open source computer makes me click to accept the various licences.
I don't buy the "users have just surrendered". That may be true of Reg readers, but the average Android or iOS user doesn't really have a clue what it means when they are asked for permission to use location information. They'll just agree if asked, just like they will agree every time Windows 7 asks for permission to do something that needs admin rights, etc.
The thing in Apple's favor is that since this sort of permission has been required forever, app writers know they can't get away with requesting ridiculous permissions, like wanting access to contacts or photos for an app which has no earthly reason for wanting it. The average user might not know why that's a bad idea, but the ones who do give one star ratings that kill it in the app store.
Eventually the same might be true for Android, the problem is it will take many years until app writers are forced to change their ways because there will be hundreds of millions of people on Android 4.x and 5.x for years and years now. Another problem is that many Android apps simply break if a permission is denied, because they haven't been updated to expect the possibility of a permission being refused since that's so new. But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!
@ Doug S
Quote: "But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!".
Not really Googles fault (apart from them caving to pressure), they wanted to have proper permissions management in Android from day one, but developers (of the services they were typing to attract, like FB etc) didn't want to play ball, and refused to write apps for the then new Android platform if the users could just switch on/off permissions as they (the user) wanted.
So initial Android came with the horrible 'all in advance' model.
Android is big enough now (by far) to force through what Google originally wanted, and I think with all the various issues the existing process has, I don't think anybody else (FB etc) can really object in anyway without making themselves look like the issue (which of course is exactly what they were/are anyway!).
But Google is finally doing the right thing, the only thing I question is how it could possibly have taken them so long!
Because Android is, and always has been, a user-tracking and ad-delivery system. Which should surprise exactly no one, since Google is, and always has been, a user-tracking and ad-delivery company.
Oh, and don't discount that 'innocuous' network permission as a tracking tool. Since GPS creeps people out, many, many apps now request "View WiFi connections" instead. That returns a list (with signal strength) of all APs within range of the phone. They can cross-correlate that info to a database of AP locations, which in turn will geo-locate the device almost as precisely as GPS (at least in urban areas).
Now if only the permissions model was narrow enough. As I understand, and admittedly I'm not an Android developer, required permissions are auto-determined at build time by looking at the dependencies of a project. Given the interconnectedness of services and APIs, you easily end up requiring silly permissions, because some little corner of a library somewhere might need it in specific circumstances...which, of course, may well be totally irrelevant to your app.
My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated.
" a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."
That would be good wouldn't it, as would various other possible improvements.
I seem to remember something like that in later versions of Symbian, but it was a long time ago so I could be wrong.
Oh well, stuff's progressed since then. Not sure which way though.
"My pet peeve with network permissions is that I can't limit the destination. Many apps need/want network access to check for updates/configs/etc. I'd prefer to only allow them to phone home to destinations of which I approve. I've not seen Marshmallow's permissions in action, but a handy popup like "Blah wants to connect to 'tcp://dodgy.site/track/me'. Allow: Now, Always or Never?" would be much appreciated."
--------------
Unfortunately, this becomes less and less useful as malware migrates, and all you see is some anonymous commodity cloud server in the url.
Hi,
You might go have a look at no-root firewall apps in playstore. There are many to choose from now, and Lostnet has a geo blocking function. You can fire up these when using apps that are suspect. Or run it all the time.
Now, for those who don't think it's a big deal about this keyboard app, then I suggest looking at how few permissions other well known keyboard apps ask for. Almost all are about half the amount.
I once had one of these smartphone things and was appalled to see what practically anything I downloaded to install pretended to access on it. Phone records, camera, log files, etc.
So I got rid of it.
As I see it, the truth of the matter is that a *very* small fraction of users even *know* about permissions and fewer *have the knowledge* to act upon them.
Even fewer decide against installing based on the permissions these freeware malware impose.
This post has been deleted by its author
Yeah really. The correct call is to buy a Windows Phone or Blackberry as an investment. It will probably end up being the last model either make and much like the Kin you can probably ebay it in several years as a nerd joke gift for a good amount of cash. A lack of scarcity in the wild certain won't be an issue considering both's unit numbers are now down pretty much to what they give away to employees.
Is to pay attention to the permissions being requested by what you're installing, and the reputation and reviews of the publisher, but the same type of people that would get suspicious that someone asked for their house key and social security number on a first date can't be bothered to pay attention to what they're doing on their phone, tablet, etc. Maybe it's because our brains are wired by evolution to not think that something as innocuous as a feather touch on a phone display can set in motion an immense chain of events and repercussions. Of course anyone that has drunk texted their friends or lovers has likely come to understand this in the light of day.
There is a great deal of freedom and flexibility with the Android platform, but you do have to consider the decisions you make, and a decent freeware AV isn't a terrible idea either. Some people may be better off in the walled garden, at least until more security is built in by default.
And silly AC is ignoring that many Android users paid a fat wad for devices they can't expand with SD memory and has no removable battery. Or was the Galaxy S6 just a figment of my imagination? And it wasn't the only one.
What people like you ignore is that not everyone cares about those features as much as you do. I remember in the early days of Android when one of the touted features that Apple was missing was an FM radio. Many Android phones still include that feature, and Apple still doesn't, but I have yet to every personally meet ANYONE who uses their phone to listen to FM radio. Sure, if you want an FM radio or SD card or removable battery Android is your only choice. But don't act like these are features that everyone wants. I'd prefer not to have my performance go in the toilet since the SD interface sucks so bad compared to properly designed internal storage, thanks.
I have used the FM radio before, though sparingly. I wouldn't call it a deal breaker by any means if it isn't there, though it seems silly to not have an app to use it if the feature is already on a chip in the phone. I would miss my IR remote though. If you buy a decent quality SD card, performance is fine. If you buy the cheapest one you can find, it won't be. A removable battery is nice, but the deal breaker for me is if the device doesn't have an SD card slot. I like storing my media on an SD card. You can preach all you want about cloud backups, but if something happens to my phone, I can just pull the card and there's my stuff, or swap the card into my next phone like a SIM, and again, there's all my stuff.
Though even if there was no card slot, I would still prefer an Android device personally. I just like the flexibility and the UI better. I've never cared for Apple's UI design on their phones. And I don't have to use the frustrationware that is iTunes.
"or SD card or removable battery Android is your only choice"
Or you can buy a Windows Phone. My Lumia 640 has both.
But back to Apps (and obviously being a WP user I'm hardly qualified to talk about those as there are so few on WP ;)). It seems to me that no one cares about the origin of apps, who the authors are or anything. On a Linux PC, if I was installing something, I'd be checking out the website or open source repositories or professional reviews. It seems nobody cares that the authors are unknown and can't be contacted. it seems that average joe (or janet) user just thinks apps are created in the ether somewhere by pixies and can be installed without a care. No wonder things often end badly.
* Oh wait 80%? Ouch! I wonder how many shoppers even realize that Google is behind Android, or that M$ makes serious $ from it too. But what's the alternative? That, or post a pile of money to Apple...
* How many consumers are aware that the Play Store is full of this sh1t? If I didn't follow these articles, I could have easily assumed, that Google would never be dumb enough to let this happen.
* Do we see any warnings in the mass media? No its just glorified plugging of the Play store all day long, and how neat this app is, or this other one.
* Its all very well to talk about educating users. But whose going to do it, the government? F@ck that! There needs to be accountability and responsibility here. Google should be fined megabucks for letting these apps slip through. Blaming users is just so unjust....
* Its also increasingly tricky to find a real-world store that offers a non-Android dumb phone from a few years ago. There just isn't choice anymore. Its the same with Smart TV's. No basic models around anymore.
* Many flavors of Android phone sold across the world (outside EU./ US), come with tracking enabled out of the store with invasive apps already installed. WTF??? Vendors should be lined up and shot for this...
What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time. Until there is some Android malware that causes real consequences for a lot of users the problem will be ignored. Look how many years Windows malware (and DOS malware before it) was around before it really got the kind of attention required for Microsoft to do something about it. It wasn't until stuff like Code Red, I.Love.You and so on all hit over a short period of time and caused a lot of problems that people took notice, and bad publicity forced Microsoft to act.
The same will be true of Google (and Android OEMs who are part of the problem as far as not updating Android) Until it becomes a big problem, they will mostly ignore it because it isn't hurting them financially. I'm not sure why you think Google should be "fined megabucks" because of apps in the Play Store. Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?
Good for you! But its warnings to the masses I'm talking about. Not sites you and I read. We don't need to read every warning anyway as our defences are already up. Its the average person in the street who needs this info, and urgently... In fact the most ignorant of all, are the staff working in stores selling this stuff. Talk about clueless...
Boy talk about red herrings!
What do you mean you never see any warnings in the mass media? I see stories about Android malware in places like Cnet all the time.
Uhh, Dougie...for the record Cnet != Mass Media. Call me back when NBC does an in-depth story in the Nightly News, or this becomes a story on 60 Minutes.
Should Comcast be held liable if hackers use their pipes to cause trouble? Should AT&T be liable if terrorists use their phone network to call each other and plan attacks? Should HP be liable if the KKK uses their printers to print racist materials?
The mind just boggles at the density of that remark.
Wow, so you're upset that people are backing Google and Microsoft by buying Android, but then note that the alternative to giving them money is to give Apple money. You know that's how business works right? You give people money for a product or service, and the ones with the most successful product or service get more money.
I don't think there's any confusion that Google are behind Android, I also don't believe most phone buyers give a crap. They probably don't even buy a phone - they get it free on contract, and the network handles the payment for the phone. So as far as they can see, they've paid Google/Microsoft/Apple absolutely nothing.
The Google Play Store is also not "full of this shit".It's got some malicious apps, the majority are not.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
