Task Managers Revisited: TaintDroid


Guest spammyspam

The Android task manager debate has been going on since the platform first existed. The two general stances are

1) that since Android is so good at managing its unused tasks, none are needed and

2) that rogue/unintentionally bad apps could be written which would render self-management useless.

Although I'm in the second camp (I'm paranoid) I still don't run a task manager.

However with the study using TaintDroid to determine exactly what the 30 most popular applications were sending and receiving and how, an old concern has been confirmed, while a new one has arisen. Based on the study (see http://www.engadget.com/2010/09/30/study-s...r-notificatio/) we see that:

1) Apps *do* cycle and keep alive in the background even if they don't appear to be active (and in one case before they're even run) and

2) Apps intentionally do bad things in the background even if they don't appear to be active.

The argument goes that we should only run apps we trust, but judging by the list of applications that were analysed, I'm not sure how feasible this is, at least not with an application like TaintDroid freely available.

Opinion and thoughts? Perhaps what is required is some kind of intelligent firewall which blocks specific permissions granted to an app?

Edited by spammyspam

Guest oh!dougal
... with the study using TaintDroid to determine exactly what the 30 most popular applications were sending and receiving and how, an old concern has been confirmed, while a new one has arisen. Based on the study (see http://www.engadget.com/2010/09/30/study-s...r-notificatio/) we see that:

1) Apps *do* cycle and keep alive in the background even if they don't appear to be active (and in one case before they're even run) and

2) Apps intentionally do bad things in the background even if they don't appear to be active.

The argument goes that we should only run apps we trust, but judging by the list of applications that were analysed, I'm not sure how feasible this is, at least not without an application like TaintDroid being freely available. {Fixed that for you, I hope!}

Opinion and thoughts? Perhaps what is required is some kind of intelligent firewall which blocks specific permissions granted to an app?

Uh-oh.

Waaay beyond 'task managers', the report suggests that Android App security is kinda missing in action.

Folks, read the report itself (PDF) http://appanalysis.org/tdroid10.pdf -- Please!

I'd really like to see some informed and independent comment.

This finding demonstrates that Android’s coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data. Moreover, we found that one application transmits the phone information every time the phone boots. While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data. Surprisingly, this application transmits the phone data immediately after install, before first use.

My first question would be - If that App is doing that when it's not supposed to be 'running', does it continue to call home after it has been notionally uninstalled or removed? How is it getting permission to autorun on boot? Has the author produced something like a Boot Sector Trojan?

This uncontrolled (and unknown to the phone's owner) data transfer makes Android on PAYG-data a bit of a liability, doesn't it? And how about foreign roaming charges ... uh-oh ...

Regarding the 'transmitting ID info every 30 seconds' concern, that wouldn't greatly concern me if the App in question was Google Latitude and the info was the minimum to identify my phone uniquely --- how else could it work?

But why would Google Maps (or any other App) need my actual phone number as well as my network ID?

I might well trust Google to truly 'do no evil' --- but I don't like having to extend that trust to every App developer.

The TaintDroid project home is http://appanalysis.org/index.html

ISN'T THIS KINDA IMPORTANT? (and strange that it's not already a hot topic)


Guest spammyspam

Thanks for the reply and fix.

It seems that they will be open sourcing Taint after all, but since it's a low level thing we'll need it integrated into our ROMs to use it. Hopefully chefs will oblige.

Looking at how the example wallpaper app works though, it doesn't seem possible that these things can be blocked automatically - plus I can already think of possible workarounds. Still, hopefully (bad) word of mouth will be powerful enough to stop developers from doing this kinda stuff on the sly.


  • 2 months later...
Guest zurpher
It seems that they will be open sourcing Taint after all, but since it's a low level thing we'll need it integrated into our ROMs to use it. Hopefully chefs will oblige.

I would very much appreciate it if the developers could integrate TaintDroid into custom ROMs to raise awareness for compromised privacy.

ISN'T THIS KINDA IMPORTANT? (and strange that it's not already a hot topic)

Yes, indeed.
