
Android trojan steals keystrokes using phone movements (ars technica)

Posted Apr 24, 2012 7:51 UTC (Tue) by slashdot (guest, #22014)
In reply to: Android trojan steals keystrokes using phone movements (ars technica) by theophrastus
Parent article: Android trojan steals keystrokes using phone movements (ars technica)

Or, presumably, just place the phone on a rigid surface and touch lightly.

But anyway, they shouldn't be giving sensor data to anything except the foreground application and system tools.



Posted Apr 24, 2012 18:05 UTC (Tue) by mathstuf (subscriber, #69389) [Link] (6 responses)

So it'd be impossible to track yourself with Footprints or any of the exercise GPS tracking applications unless it's front-and-center at all times? I certainly wouldn't classify them as "system tools". I doubt that such measures would go over well.

Posted Apr 24, 2012 20:25 UTC (Tue) by slashdot (guest, #22014) [Link] (5 responses)

These applications should probably access a system tool that provides the device position with a granularity that is coarse enough to prevent reading keypresses.

Or you could always have the kernel/libraries return approximate data when the application is in the background, if compatibility must not be broken.
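
The coarsening proposed in the comment above can be sketched as follows; this is an added example, not code from the thread or from Android. The 5 Hz rate, the 0.5 m/s² step and the sample traces are constructed assumptions, not values known to be sufficient against keystroke inference.

```python
"""Background sensor coarsening sketch (constructed illustration, not Android code)."""
from statistics import mean

BG_RATE_HZ = 5   # assumed delivery rate for background apps
BG_STEP = 0.5    # assumed quantization step, in m/s^2
GRAVITY = 9.8


def coarsen(samples, src_hz, out_hz=BG_RATE_HZ, step=BG_STEP):
    """Average each window of src_hz // out_hz samples, then snap to `step`."""
    window = src_hz // out_hz
    out = []
    for i in range(0, len(samples) - window + 1, window):
        avg = mean(samples[i:i + window])
        out.append(round(avg / step) * step)
    return out


def deliver(samples, src_hz, foreground):
    """Foreground apps get the raw stream; background apps get the coarse one."""
    return list(samples) if foreground else coarsen(samples, src_hz)


def tap_trace(src_hz=100):
    """One second of constructed z-axis data: gravity plus two brief tap-like spikes."""
    trace = [GRAVITY] * src_hz
    for start in (20, 70):
        trace[start:start + 3] = [10.6, 9.2, 10.1]
    return trace


def motion_trace(src_hz=100):
    """Constructed sustained change, standing in for gross device movement."""
    return [GRAVITY] * 40 + [12.0] * 60


def peak_deviation(samples, baseline=GRAVITY):
    """Largest excursion from the resting value."""
    return max(abs(s - baseline) for s in samples)


if __name__ == "__main__":
    raw = tap_trace()
    print("foreground peak deviation:", peak_deviation(deliver(raw, 100, True)))
    print("background stream (taps): ", deliver(raw, 100, False))
    print("background stream (motion):", deliver(motion_trace(), 100, False))
```

With these constructed inputs the tap spikes average out to a constant background stream while the sustained change still shows up, which is the trade-off the following replies argue about.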

Posted Apr 24, 2012 20:37 UTC (Tue) by mathstuf (subscriber, #69389) [Link] (4 responses)

GPS is already inaccurate enough as is when going through a wooded area or in the rain (never mind both). The kernel munging numbers for security isn't a good idea anyways, because what is "enough" data that is reasonably required to derive the keypresses? Guessing gets us nowhere because the rogue applications will only get better, not worse. So as attacks get better, my GPS tracking gets dumber? No thanks.

I would think the solution might be more along the lines of allowing an application to have exclusive access to some device (outside of kernel-level processes) when it's actively using the data.

Posted Apr 27, 2012 15:40 UTC (Fri) by cmccabe (guest, #60281) [Link] (3 responses)

There should be a separate capability for getting accelerometer, etc. information in the background.

Unrelatedly, there's a real problem with apps asking for too many capabilities, and (stupid or lazy) users giving them. Maybe there needs to be some kind of differential pricing so that apps that ask for a lot of capabilities have to be sold at a more expensive price.

Posted Apr 27, 2012 17:32 UTC (Fri) by nybble41 (subscriber, #55106) [Link] (2 responses)

> Maybe there needs to be some kind of differential pricing so that apps that ask for a lot of capabilities have to be sold at a more expensive price.

I would recommend charging developers extra for each requested permission, rather than setting a price floor; otherwise, developers could use the pricing rules to justify a higher (and more profitable) price for their apps, while deflecting the blame onto the store. Charging for permissions would have a similar effect on prices, without giving developers a perverse incentive to request excessive permissions.

The revenue from granting permissions could be used to fund additional review to ensure those apps are using the permissions responsibly. Instead of merely saying "this app wants these permissions", the store could say "this app has been reviewed and certified for these permissions".

Posted Apr 27, 2012 17:40 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (1 responses)

I think a lot of grief could be spared by splitting some permissions. One such is separating out a "connect to advertisement networks" from "connect to the Internet", or even to have a whitelist of IP addresses or domain names attached to the Internet permission. Another possibility would be to just have applications actually describe what the permission is used for in the manifest file so that the market can display it. I currently have two upgrades waiting on my Galaxy Nexus because they add the "read sensitive logs" permission with no explanation of why it is needed. They also don't really make sense to have the permission in the first place (Google Voice and My Verizon) and there's no explanation.

Posted May 3, 2012 10:57 UTC (Thu) by robbe (guest, #16131) [Link]

CyanogenMod allows one to turn off each permission independently. Of course, many apps don't handle denied requests well and will crash... I guess staying at the old version is better than making the application unstable.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds