Wallach: Things overheard on the WiFi from my Android smartphone

Over at the Freedom to Tinker blog, Dan Wallach reports on an experiment he did with his undergraduate security class: using Wireshark and Mallory to listen in on what his Android phone was sending. He describes what was found for a number of different applications including Gmail, Google Voice and Calendar, Facebook, Twitter, Angry Birds, and more. "What options do Android users have, today, to protect themselves against eavesdroppers? Android does support several VPN configurations which you could configure before you hit the road. That won't stop the unnecessary transmission of your fine GPS coordinates, which, to my mind, neither SoundHound nor ShopSaavy have any business knowing. If that's an issue for you, you could turn off your GPS altogether, but you'd have to turn it on again later when you want to use maps or whatever else. Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these."

Revoking Android Privileges

Posted Feb 25, 2011 23:33 UTC (Fri) by zlynx (subscriber, #2285) [Link]

This is a great idea and someone should do it.

For applications with disabled GPS or network access just have the OS pretend that particular service is turned off.

Someone should write a modified firmware that does this. For all I know, someone already has. I don't keep up with all the Android hackers out there.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 25, 2011 23:58 UTC (Fri) by ikm (subscriber, #493) [Link]

> I'd like the Market installer to give me the opportunity to revoke GPS privileges

Or any other privileges. That would be fun - revoking network access to the apps which use it solely to show ads. Said apps' writers won't be happy... But wait, you can already do this - just root your phone.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 26, 2011 15:18 UTC (Sat) by Felix_the_Mac (guest, #32242) [Link]

"just root your phone" ... and then?
A user interface to do this would be required to enable consumers (like me) to achieve the goal.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 27, 2011 3:51 UTC (Sun) by ikm (subscriber, #493) [Link]

For networking, there's DroidWall.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 27, 2011 3:56 UTC (Sun) by Kit (guest, #55925) [Link]

Once rooted, you could use DroidWall to enable/disable any app's access to Wifi or 3G in a fairly simple interface. Although, IMO, the requirement to be rooted makes it unsuitable for the majority of users (breaking the system's security shouldn't be required to perform an action!).

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 27, 2011 14:46 UTC (Sun) by oever (subscriber, #987) [Link]

I find the idea that any app can run sudo on a rooted machine a bit scary. I installed DroidWall on my non-rooted Android device (Android 2.2 on Galaxy Tab) and it did not need any permissions. So if any app can simply tamper with something like iptables on a rooted phone, rooting does not seem a clever thing to do.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 27, 2011 15:55 UTC (Sun) by Kit (guest, #55925) [Link]

When an app requests root permissions, Superuser will bring up an overlay over the screen with the app's info, whether you want to allow/deny it, a checkbox to remember your decision, and a countdown that'll automatically deny the request if you don't make a decision after a certain number of seconds.

So it's not just an automagic thing... but that doesn't really mean it's necessarily secure. Also, pretty much all the Android devices out there have known root vulnerabilities which can be used to get you root... or for some arbitrary app to get root!

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 28, 2011 14:33 UTC (Mon) by foom (subscriber, #14868) [Link]

> or for some arbitrary app to get root

Yeah, if the random app you uploaded to initially get root worked without any special permissions, *any* app can do that behind your back. It'd be pretty nifty if Google and the phone manufacturers would actually release security advisories and OS updates to patch the multitude of known holes...

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 1, 2011 19:00 UTC (Tue) by bronson (subscriber, #4806) [Link]

Unless you use your root privilege to install an OS with those holes patched.

http://www.cyanogenmod.com/

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 1, 2011 19:43 UTC (Tue) by foom (subscriber, #14868) [Link]

How do you know when to update? They don't release security advisories either...

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 2, 2011 14:49 UTC (Wed) by foom (subscriber, #14868) [Link]

Hey look! Turns out, there are a bunch of apps distributed in the Google Market that have been doing just that...surprise surprise. Guess what happens when nobody ever patches security vulnerabilities.

http://www.cnn.com/2011/TECH/mobile/03/02/google.malware....

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 26, 2011 16:33 UTC (Sat) by CyberDog (guest, #29668) [Link]

Half the functionality of ShopSavvy (assuming that's the same as ShopSaavy :) is to show you where in your neighborhood you can get the same product cheaper. That requires knowing what neighborhood you're in. Sure you could argue that the developers could make an "online only" version, but as of today it's just the nature of the product. If an app whose functionality is based around knowing where you're shopping makes you feel uncomfortable, don't install it! That's what the disclaimers about "This app has access to..." are for.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 26, 2011 21:34 UTC (Sat) by Kit (guest, #55925) [Link]

The article was also highlighting how that information was being sent off _in_the_clear_, which is just a bad practice.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Feb 28, 2011 6:40 UTC (Mon) by i3839 (guest, #31386) [Link]

Sending location data in the clear is fine. People sniffing that data are very close to you anyway. Anyone else can already know your location.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 1, 2011 1:04 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link]

If the goal of a shopping app is to tell me where else in the neighborhood might have a better price, it really only needs to know my neighborhood. It doesn't need to know my location to within a few meters. App writers really ought to think about issues like how much precision they really need rather than simply grabbing high precision data just because they can. It might help if the system had support for a range of location accuracy- everything from GPS/WAAS precise to country-level coarse- but app writers should still consider rounding location information off to the degree of accuracy they genuinely need.
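What rounding a fix to the accuracy an app needs could look like, as an added example that is not part of the comment above or of any app discussed. The function names, the 111,320 m-per-degree approximation, the grid sizes and the sample coordinates are assumptions constructed here.

```python
import math

M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude (assumption)


def coarsen(lat, lon, cell_m):
    """Snap a fix to the centre of a grid cell about cell_m metres on a side."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    if cell_m <= 0:
        raise ValueError("cell size must be positive")
    lat_step = cell_m / M_PER_DEG_LAT
    c_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    c_lat = max(-90.0, min(90.0, c_lat))
    # A degree of longitude shrinks with cos(latitude). Use the cell's own
    # latitude so every fix in the same row shares one longitude step.
    shrink = max(math.cos(math.radians(c_lat)), 0.01)  # keep finite at the poles
    lon_step = cell_m / (M_PER_DEG_LAT * shrink)
    c_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    c_lon = max(-180.0, min(180.0, c_lon))
    return round(c_lat, 6), round(c_lon, 6)


def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dlon = math.radians(b[1] - a[1])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


# Constructed sample fix (not taken from the article or any capture).
RAW_FIX = (29.717400, -95.401800)

if __name__ == "__main__":
    for label, cell in (("street", 10), ("neighborhood", 1_000), ("city", 25_000)):
        sent = coarsen(*RAW_FIX, cell)
        print(f"{label:>12}: send {sent}, off by {distance_m(RAW_FIX, sent):.0f} m")
```

Snapping to a cell centre, rather than truncating decimals, means every fix inside a cell produces the same reported point, so repeated reports do not leak movement within the cell.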

Mobile phone locations...

Posted Feb 28, 2011 10:22 UTC (Mon) by dps (subscriber, #5725) [Link]

Mobile phone operators are known to track the location of handsets and use it to select an appropriate base station when someone calls you. I think that operators are legally required to be able to locate the source of an emergency call, albeit usually using triangulation instead of GPS.

While there are some rules, many people other than law enforcement potentially have access to where your cell phone is currently located. I think the UK data protection rules do not allow sale of this information to advertisers without a customer's consent---that is not a stated reason for collecting that data and therefore not something that should be done with it.

In the US I do think there is anything close to the EU legislation that requires people to say what personal data they collect, why and not misusing it other reasons.

Mobile phone locations...

Posted Mar 5, 2011 15:35 UTC (Sat) by BenHutchings (subscriber, #37955) [Link]

> Mobile phone operators are known to track the location of handsets and use it to select an appropriate base station when someone calls you.

Thankfully, cell phones are not pagers and do not require network broadcasts. So yes, handsets associate with specific base stations. The base stations are coordinated so they can hand-off moving handsets as necessary to maximise signal strength and minimise power usage. Up until the last 10 years or so, this was the only location tracking in most cell networks.

> I think that operators are legally required to be able to locate the source of an emergency call, albeit usually using triangulation instead of GPS.

In the US, the FCC requires all telcos to provide location information for emergency calls. There are several different implementations of this for cellular networks, using the handset or the base station(s) or both. So far as I know, this is generally possible to disable except during an emergency call. Obviously that depends on the phone firmware.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 1, 2011 15:36 UTC (Tue) by matthewdavis1 (guest, #66378) [Link]

I like the direction this posting is heading. Providing a list of permissions for a given application is not enough, IMO. I'd like to be able to deny certain permissions, at the risk of the application not functioning fully, GPS included.

If a given application is requesting access to my address book because it has the ability to automatically find all my friends on OpenFeint from my address book (an opt-in method, fwiw), I don't want that application to have that ability in the first place. I will never use the feature, and I would love to be able to block access at the source rather than believe that the application will not scan my address book because I didn't activate that feature.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 3, 2011 11:47 UTC (Thu) by AndreE (subscriber, #60148) [Link]

I like the idea, but it would certainly need to consider certain things. Being able to arbitrarily remove any access requested by an app would certainly kill a large part of the market. At the least there would be no free apps relying on ad revenue.

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 11, 2011 14:56 UTC (Fri) by albertoafn (guest, #64225) [Link]

That's totally fine for me. I've been searching in the market for a month only free apps... and I dare you to find one that does not ask for weird not needed permissions. I could not even find a freaking alarm clock that did not ask you for your gps position and alike...

I found a great alarm clock in fdroid repositories, btw... but my point is that the market is flooded with crappy (malware from my pov) free apps. Even if there is a legit one, you can't find it among the crap... I am waiting for the day that you can filter out apps by permissions...

Wallach: Things overheard on the WiFi from my Android smartphone

Posted Mar 15, 2011 12:17 UTC (Tue) by robbe (guest, #16131) [Link]

Most people would probably not block ads, even if it were more easy. They refrain from doing it on the web as well.

An application could stop functioning if it does not receive ads from the mothership (too bad if you're currently flying). Or just cache the last few ads and show them -- but this will probably not generate revenue for the author.

From my experiences with an iPad most apps just do not show ads if they have no connection. The Apple store also does not show ad-sponsored apps, which is a nuisance. Permissions management on iOS is worse than on Android: Most capabilities are just granted. For location info a popup asks the user, but there is no "never for this app" option. I still can't figure out why my VPN client wants to know where I am.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds