Android wallpaper app takes your data

[MadamZuZu]

questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.

That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.

“Even good apps can be modified to turn bad after a lot of people download it,” MaHaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.

http://mobile.venturebeat.com/2010/07/28...-millions/

[GRRemlin]

1. Two Mac users warn Android users about security threats? Hello? Kids, can you say "WTF"?

2. The "Lookout" now look like total asshats. Here's why.

Full Story

Response from the Accused Developer

Hi, I noticed in venturebeat.com that the CEO of Lookout said that I have collected user’s data in my wallpaper apps.The data includes browsing history, text messages, phone’s SIM card number, subscriber identification, and even your voicemail password.
(http://mobile.venturebeat.com/2010/07/28...millions/)
I do not collect user data likes what the CEO of Lookout Said in venturebeat.com
He said that I have collected the text message, it is bullshit. We know that if a developer wants to collect text message, he must declare some android permissions (android.permission.READ_SMS, android.permission.RECEIVE_SMS, or android.permission.RECEIVE_MMS) firstly. And these permissions will be shown on the Android market security page and Application settings. We can see the following screen shortcut from android market, that I do not declare the permission in my applications (The right one). So my applications can’t collect user message absolutely.



In the news, it said I collected the browsing history in my applications, it makes no sense.
You can see the screen shortcut below. The “Browser” applications declare the permissions to read/write browsing history and bookmark. But in all my applications, I do not declare that permissions to collect these user‘s data.



Other wallpaper application collected more data.
Please look out the most popular wallpaper apps i.e. “Background”. That application required 8 permissions. My applications just required 5 permissions to make the app run well, and all of these permissions have been contained by “Background”.
In my applications I collected some device data, not user data.
I collected the screen size to return more suitable wallpaper for the phone. More and More users emailed me telling that they love my wallpaper apps so much, because that even “Background” can’t well suited the phone’s screen.
I also collected device id,phone number and subscriber id, it has no relationship with user data. There are few apps in Android market has the favorites feature. Many users suggest that I should provide the feature so I use the these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone.

I am just an Android developer, I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.

I am wondering why the the ceo of Lookout or the Author of venturebeat.com attacks me and make irresponsible points.

[GRRemlin]

Popular wallpaper apps deemed safe, Google says

The developer of a series of Android wallpaper apps whose work was called into question last week over security concerns has been cleared by Google and is back in the Android Market.

We're only a week removed from the Android security saga that began at the Black Hat conference, and it looks like we have resolution that should put some of your fears at ease. It all started when Kevin MaHaffey, CTO of security firm Lookout, singled out Android wallpaper app developer "jackeey,wallpaper" and called it "a questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, (and) has been downloaded millions of times." VentureBeat was there and ran with the story, under the scary headline "Android wallpaper app that takes your data was downloaded by millions."

Later that day, Lookout amended its initial concerns, saying "there is no evidence of malicious behavior," though the data the apps were collected remained "suspicious." VentureBeat updated its story, which by this time was spreading like wildfire.

We contacted the developer, who explained that the data was collected "so I use the these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone." In other words, to remember user preferences. We published the developer's response in its entirety last Thursday.

That brings us to today. Google stepped in and took a look at things. And it found that indeed the apps weren't malicious or a threat to security, telling Computer World's JR Raphael "The developer's applications have been reviewed and the suspension has been lifted." The Android team did, however, point out to the developer that the method in which it was storing user preferences was unnecessary.

So in the end, this was a case of bad coding, not malicious intent. What can be done about this in the future? It'd be great if there were some sort of system to inspect apps before they hit the Market. Maybe not with walls as high as the app store, but something to check basic security and functionality up front. We're all about the Android Market being open to all. But with Android and the Android Market growing as quickly as they are, caveat emptor may not be the best policy any more.