
Report says be aware of what your Android app does

SMobile says some Android apps could be used to place calls and send text messages without the user knowing it, but users have knowingly granted permission when downloading.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
 
In this screenshot, an Android user downloading the MyTracks app is informed of the data and resources the app has access to. Google

Updated 4:30 p.m. PDT to change the headline to reflect that SMobile says it isn't criticizing the Android model, and updated 10:30 a.m. PDT to change a misleading headline and add information throughout stating that users are granting permission to apps when they download them.

About 20 percent of the 48,000 apps in the Android marketplace allow a third-party application access to sensitive or private information, according to a report released on Tuesday.

And some of the apps were found to have the ability to do things like make calls and send text messages without requiring interaction from the mobile user. For instance, 5 percent of the apps can place calls to any number and 2 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market threat report.

SMobile is not saying those apps are all malicious, but is making the point that there is a potential for abuse.

To be fair, users should know what the apps they downloaded are doing because they have expressly granted the apps permission to do those activities when they downloaded them. In addition, the Android architecture limits the apps to the permissions granted so any damage from a potentially malicious app would be very limited, according to Google.

The report found that dozens of apps have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location, said Dan Hoffman, chief technology officer at SMobile Systems.

"Just because it's coming from a known location like the Android market or the Apple App store (with the iPhone) doesn't mean you can assume that the app isn't malicious or that there is a proper vetting process," he said.

There is not always a good way to check up on the reputation of the developers of apps; many developers use aliases or don't have information linking to a company Web site. For those who want to download apps without having to worry, there is antispyware software from SMobile Systems and others.

"There are known spyware apps that are on the market," Hoffman said. "It's a growing problem."

A Google spokesman dismissed those claims.

"This report falsely suggests that Android users don't have control over which apps access their data," the Google spokesman said on Wednesday morning. "Not only must each Android app get users' permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious."


The question comes down to how well people understand the implications of the permissions they are granting when they download an app.

I'll be delving deeper into the security model of Android in a future story and I'm interested in hearing more reader thoughts on the matter. How carefully do you read the permissions language when downloading apps?

This FAQ has more information on how to use smartphones safely.