Android apps can secretly copy photos [SLNYT]
March 1, 2012 10:07 PM   Subscribe

Android apps can secretly copy photos [SLNYT] "Android apps do not need permission to get a user's photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts."
posted by paleyellowwithorange (88 comments total) 14 users marked this as a favorite
 
Peek-a-boo!
posted by Goofyy at 10:26 PM on March 1, 2012 [1 favorite]


Probably worth mentioning that this appears to be a follow on to this: Apple Loophole Gives Developers Access to Photos
posted by Artw at 10:55 PM on March 1, 2012 [2 favorites]


SOOOO many dickpix.
posted by beaucoupkevin at 11:01 PM on March 1, 2012 [1 favorite]


Deleted comment fest!

Artw, that article you link to is incorrect. You can access the users photos without needed to ask for location permissions. I'm a iOS developer I've written several iOS apps that access the user's photo gallery and the CoreLocation permission discussed in the linked article is not needed.

It may be needed to access the lat/lon info on individual photos but you can certainly access photos without it.

The loophole is "iOS (and presumably Android) lets developers do stuff that the users want them to do". Yes some developers are dicks and probably do bad things with them. This is why developers sign agreements with Apple and why Apple has a review process for all app.

This (and the address book security problem found in the Path app) is a non-issue.
posted by schwa at 11:06 PM on March 1, 2012 [3 favorites]


I just got an android tablet, so this is relevant to my interests. I was actually thinking of doing an Ask Me about due diligence for apps; is there a way to vet them? Any site testing for vulnerabilities, etc.? No dickpix yet on mine, but I do have a nice evening sky shot with pinkorange sunset stripe, crescent moon, and glittery Venus that I don't want my sodoku game getting its mitts on.
posted by taz at 11:07 PM on March 1, 2012 [3 favorites]


Any site testing for vulnerabilities, etc.?

There are researchers who look for these things in apps available from and via Google Market. I wrote a post on serious Android vulnerabilities here that discusses some of the work of a computer scientist with North Carolina State.
posted by Blazecock Pileon at 11:15 PM on March 1, 2012 [2 favorites]


taz:

You can should be able to check what permissions an Android app needs before you download it. Look at the "Technical Details" section of this Angry Birds listing for example.

You can also check what permissions an app uses once you've installed it (although how would vary from device to device).

The problem here, is that the access to photos doesn't have an associated permission and therefore any app can access them.

The permission model is broken though. Too many apps ask for too many permissions and too few users understand them and/or bother to check them
posted by schwa at 11:16 PM on March 1, 2012 [7 favorites]


dickpix.gov
posted by cmoj at 11:20 PM on March 1, 2012 [2 favorites]


From the article:
It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to get a user’s photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are available for Android devices are actually doing this.

The Apple and Android problems are a reminder of how hard it can be to ensure security on complex mobile devices that can run a vast array of apps. Android apps are required to alert users when they want to retrieve other kinds of personal data — like e-mail, address book contacts or a phone’s location — so the lack of protection for photos came as a surprise to some experts.
Bullshit. Apple and Google both chose to leave those features available to developers. On android it would have been really, really easy to simply add one more permission (out of hundreds) to access the photos. They apparently decided it wasn't a big deal.

They obviously don't think it's that big of a deal since the Google+ app actually uploads you pictures automatically if you install it. There is a checkoff you can uncheck when you install the app if you don't want to have it do that, but not everyone notices that. I actually have a friend who installed G+ and apparently didn't notice that when she installed Google+ on her phone. Then one day she Google her own name and all her personal photos from her phone showed up. She had no idea what was going on.

As it happens, the pictures are set to 'private', but she had no idea the pictures were even uploaded, much less what the privacy settings were. She didn't even realize that she would get a special page when she searched her own name.

But yeah, with the iPhone, since you don't have a permission model, you need to settings up globally. Either all apps have access to stuff like the phonebook, or none do.

Still, There should be a privacy option for photos (and for the camera/microphone as well)

Also, android needs to allow you to disable specific permissions for applications, or set them to ask you on a per-request basis. Right now, if you don't like the permissions of an app, you can only chose to install it, or not install it. A user should be able to say "I want to install this app, but I don't want it to be able to do X", and a developer should be able to say "Here is what my app requires to function, beyond that if you give it permission X then you can use feature Y" -- Right now, you could theoretically do that by splitting your app up into modules, since android apps can call each-other as libraries so you could have a user download 'features' separately.

Anyway, the point is it's not difficult to do these things, it's just that Google and Apple didn't bother.
posted by delmoi at 11:28 PM on March 1, 2012 [5 favorites]


I just got an android tablet, so this is relevant to my interests. I was actually thinking of doing an Ask Me about due diligence for apps; is there a way to vet them? Any site testing for vulnerabilities, etc.? No dickpix yet on mine, but I do have a nice evening sky shot with pinkorange sunset stripe, crescent moon, and glittery Venus that I don't want my sodoku game getting its mitts on.
Oh this came up in the last thread, but apparently you can get an app called Android Permission Explorer which will show you every association between apps and permissions on your phone (i.e it will show you each app, and the permissions they have, as well as a page that shows you each permission, and a list of which apps have it)
posted by delmoi at 11:30 PM on March 1, 2012 [12 favorites]


that's perfect, delmoi. Thankee.
posted by taz at 11:35 PM on March 1, 2012


This (and the address book security problem found in the Path app) is a non-issue.
Just like it's a 'non-issue' if someone installs a camera in your bathroom. All they get to do is see you naked, right? What's the big deal? There's no actual harm right? Does it affect your life in any way?

Oh wait, that's totally different then ganking pics from a cellphone -- I mean no one has ever taken a naked photo of themselves that they wouldn't wanted uploaded to some random developers' server.

And certainly no developer has ever looked through the personal data the programs they've worked on accumulated. And definitely no random, fly by night mobile app developer has ever had an insecure server ripe for the hacking.

No way are any of those things true. It's definitely a total non-issue.
posted by delmoi at 11:38 PM on March 1, 2012 [12 favorites]


Anyway, the point is it's not difficult to do these things, it's just that Google and Apple didn't bother.

I wouldn't say didn't bother. I'd say more of a case of didn't think it would be necessary.

And it is _hard_ to do this right. You can't have permissions for everything the app may or may not do - you'd have 1000s of permissions and no one will ever verify an app does what he/she expects.

As I said earlier, the Android permission model is fundamentally broken. And the mere fact that apps like Android Permission Explorer exist help highlight that fact.
posted by schwa at 11:39 PM on March 1, 2012 [4 favorites]


No way are any of those things true. It's definitely a total non-issue.

It's a non-issue because the user is actively downloading an app to do something he/she wants accomplished. Evil developers are not installing apps on the user's phones without their permission or knowledge. Your bathroom spy cam comparison is irrelevant.

The appstore is curated and every single app is reviewed by Apple. Every iOS developer has signed an agreement with Apple that serves to help protect the user's privacy. When a developer slips a bad/questionable app through the review they're relying on luck, hoping that Apple won't notice it and that the third party hackers and developers who _love_ to prod and poke apps won't find out what they've done.

Yeah Apple could go the Android route and do the permission thing, but that is a failure (as pointed out). Look how much malware there is for Android compared to iOS…

Or Apple could nag the user with CoreLocation "This app is trying to ____. [Approve] [Deny]" alerts for every thing the app may do. But users, even if they understand what the app is ask for, suffer "permission fatigue" and just tap approve.
posted by schwa at 11:47 PM on March 1, 2012 [1 favorite]


And it is _hard_ to do this right. You can't have permissions for everything the app may or may not do - you'd have 1000s of permissions and no one will ever verify an app does what he/she expects.

This is true, but it is irrelevant here. This isn't about some obscure back corner of the architecture that accidentally gives access to your longitude during lunar eclipses. We're talking about access to photos. I'm not arguing that it's easy to design and implement a system giving users meaningful control over what apps do, but if you're going to be requiring explicit permissions for certain things, "access to photos" should be in that category. It's a no-brainer.
posted by No-sword at 12:00 AM on March 2, 2012 [2 favorites]


But yeah, with the iPhone, since you don't have a permission model, you need to settings up globally. Either all apps have access to stuff like the phonebook, or none do.

Er. While there may not be an explicit photo access model, apps on the iPhone are pretty sandboxed. I have to explicitly grant each one permission to access my physical location, to send me notifications, etc. They can't see (much less modify) each others' files, either.

I'm not saying the photo thing isn't a serious issue, but "Since you don't have a permissions model, you need to settings up globally" doesn't seem to mesh with what I see when I go to the 'settings' screen on my iPhone. What am I missing?
posted by verb at 12:07 AM on March 2, 2012 [1 favorite]


It's a no-brainer.

I disagree. I'm an iOS developer. I've signed the same agreements all other iOS developers have signed. I'm not going to be a dick and upload your photos to my server without permission or scan your address book. I rely on my fellow developers also to not be dicks. On top of that Apple reviews all apps primarily to protect the user (with lesser or greater success).

On Android, with no central curation of apps - then yeah - there probably should be a permission. But on iOS - I think there's plenty of safeguard there to protect the users.
posted by schwa at 12:09 AM on March 2, 2012


"Since you don't have a permissions model, you need to settings up globally" doesn't seem to mesh with what I see when I go to the 'settings' screen on my iPhone. What am I missing?

Nothing, you're correct.

Currently iOS apps need permission to: access your twitter account credentials, get device location and to send you push notifications. That's it.

As you mentioned apps are sandboxed from each other and my app cannot access another apps data. Also if Apple doesn't want an app to access some data or perform some function they just don't implement it for apps. For example an app cannot make a phone call or send a TXT message without direct user interaction (i.e. tapping the dial button on the dialer).

iOS devices have so few permissions because I think the permission model works well. The user is less like to get fatigued by all these permission requests and see's so few different types that they probably have a good understanding what these permissions are.
posted by schwa at 12:16 AM on March 2, 2012 [2 favorites]


I'm sort of curious about the legal ramifications of this, especially for paid apps. If photos are uploaded via an app that's meant to do something entirely innocuous and unrelated... and someone loses their job as a result, I wonder what the liability is, if any, for the authors of the app and for the OS developer (either with/without third party hacking).
posted by taz at 12:17 AM on March 2, 2012


(Oh there's also a pseudo-permission model and privacy control for the mic. When recording audio the iOS menubar glows green [or is it red?]. An app isn't going to sneakily record your conversations without you knowing…)
posted by schwa at 12:22 AM on March 2, 2012 [1 favorite]


Er. While there may not be an explicit photo access model, apps on the iPhone are pretty sandboxed. I have to explicitly grant each one permission to access my physical location, to send me notifications, etc. They can't see (much less modify) each others' files, either.-- verb
Ah, okay. that's good.

---
It's a non-issue because the user is actively downloading an app to do something he/she wants accomplished. --schwa
Thankfully, everyone should be able to see how that argument doesn't make sense. People have gone to jail, for example, for putting secret cameras in private rooms in tanning salons.

But the same thing that applies to people running an app applies to people trying to get a tan. They are "Actively going into the tanning rooms" in order to "Do something they wanted accomplished" (in this case, getting a tan).

If you want to do X, and you try to do X, and as a result someone invades your privacy without your knowledge... the fact that you were trying to do something completely unrelated doesn't give them the legal right to violate your privacy, let alone some kind of weird moral authority that you seem to think they have.
The Appstore is curated and every single app is reviewed by Apple. --schwa
Yet, clearly they didn't have a problem with path, or many other apps uploading people's contact books without informing them. Or they didn't notice, which is actually more likely.

Anyone who actually knows anything about programming understands that it's basically impossible to know whether or not an app does anything surreptitious without seeing the source code. And even if you saw the source code it would still be fairly easy to hide functionality Check out the Underhanded C contest for example. Apple promotes Objective C and C++, both derivatives of C for coding iOS projects, but even without the insane macro capabilities of C in a large project hiding functionality would be pretty easy.

You could have the code that uploads the address book triggered at some future date after the app is approved. You could store a phone book in one buffer, and data to upload in another -- then make sure the second buffer is allocated up right after the first and trigger an intentional 'buffer overflow'. That's just one example, there are a million things you could do that wouldn't show up even in a careful reading of the source code. Doing a complete security audit costs a fortune, and Apple doesn't even have access to the source code. When you're dealing with binary code it's basically impossible.

What can we conclude here? Obviously that you don't actually know much about computer science. Not surprising since your comment about users 'actively trying to do things' (which are unrelated to uploading their contact lists or photos to a 3rd party server they are totally unaware of) is so illogical.

In any event, Apple didn't even seem to check for obvious uploading. All they can really do is run the app for a bit and check to see that it doesn't violate the UI guidelines or otherwise screw with anything.
And it is _hard_ to do this right. You can't have permissions for everything the app may or may not do - you'd have 1000s of permissions and no one will ever verify an app does what he/she expects. --schwa
Did you see the thing I linked too earlier? Android already has hundreds of permissions. You just need to have them in some kind of simple database or hierarchy to make them easier to understand (right now they have 'permission groups)

Android is based on Linux. iOS is based on OSX, which is in turn based on NeXTSTEP (not BSD, there's a 'compatibility layer') . From a systems perspective you could make every phone resource associated with some file in /dev/ and then have regular user and group permissions to access that file, just like how the large Unix servers of yore managed thousand of files with thousands of people accessing them. Treat each app like a user on the system, since that's basically what they are.

I have to say it's kind of disgusting to see all these nerds crawl out of the woodwork to defend violating people's privacy. Years ago, sites like Slashdot and other nerd hangouts were full of people railing against privacy invasion. Now it's like some people realized that, hey, maybe now that I'm the one doing it grabbing people's personal data isn't a big deal!
posted by delmoi at 12:25 AM on March 2, 2012 [14 favorites]


We jumped from a nice friendly discussion about permissions/security models to a lecture about the genealogy of iOS mixed with personal attacks. Oh internet!
posted by schwa at 12:31 AM on March 2, 2012 [2 favorites]


We jumped from a nice friendly discussion about permissions/security models to a lecture about the genealogy of iOS mixed with personal attacks. Oh internet!
Telling people that their personal privacy is a "non issue" and that it's perfectly fine to take their data if they "actively trying to do" something totally unrelated isn't nice and friendly. It's actually pretty offensive.
posted by delmoi at 12:34 AM on March 2, 2012 [6 favorites]


This doesn't have to go this way. It would be great if it didn't.
posted by taz at 12:40 AM on March 2, 2012 [3 favorites]


that it's perfectly fine to take their data if they "actively trying to do"

Please don't put words into my mouth.

Most users do not understand those 100s of Android permissions. Most users simply do not give a shit. They want their Facebook app to post their pictures and their Foursquare app to make them the mayor of some pizza place.

They want Facebook to just work. And they will not understand why Facebook doesn't work properly for them because they blindly tapped on the "refuse permission" button.

At the end of the day they want the apps to just work.

Apple understands that and has set up a security/permission model that works. Yes it can be abused and cheated. Nasty people are out there, who aren't thinking of the children like you are. But when they get caught, their ability to publish apps not the store is removed. Their certificates are revoked and they're left with trying to work out how to abuse and cheat the system some other way.
posted by schwa at 12:43 AM on March 2, 2012 [2 favorites]


Most users do not understand those 100s of Android permissions. Most users simply do not give a shit. They want their Facebook app to post their pictures and their Foursquare app to make them the mayor of some pizza place.
I realize a lot of "tech people" seem to think that. They seem to have a conception of "the user" as an idiot who doesn't understand anything, has no desire to learn anything and simply wants to click cows, poke their friends on facebook and earn badges.

I've never seen any empirical evidence that it was true. On the contrary, what actually seems to be the case is that ordinary users do care about privacy. A couple of years ago Facebook ranked pretty low in terms of customer satisfaction, polls indicated that people were upset about various privacy policy changes. Someone out there is reading all these articles about privacy issues, otherwise they wouldn't make very good linkbait. I think what happened is that ordinary users don't have the technical competence to understand where where data can flow and who can access it. And the information isn't exactly always easy to see. The only reason people noticed what Path was doing was because someone used a packet sniffer on their own network in order to reverse engineer the protocol. Not something your average user can do.
They want Facebook to just work. And they will not understand why Facebook doesn't work properly for them because they blindly tapped on the "refuse permission" button.
Again with the assumption that they're stupid and that it's better to let people's data leak everywhere then force people to think. Except a Facebook app wouldn't need to do anything other then access the internet on your phone. Some people might want to upload their photos, and some might not. That's why you have a permission in the first place.

It's only "difficult" if you assume users are idiots. But if they are idiots, then shouldn't the first priority to be to protect them, rather then taking advantage of their naivety? Paris Hilton is pretty dumb, but had t-mobile not configured the sidekick to upload everything she wouldn't have had her account hacked, resulting in her nude photos and phone-book leaked all over the internet. My guess is that she probably didn't realize all those photos would be uploaded.

So like I said. if a user is really too stupid to understand a dialog that says "Do you want App X to be able to access your [pictures|camera|location|address book]" then they should be protected from bad actors, rather then exposed. And they do care about privacy, they just don't understand what actions could result in the loss of it.

danah boyd is an ethnographer who actually studies this stuff. According to her:
There’s a widespread myth that American teenagers don’t care about privacy. The logic is simple: Why else would teenagers share so much on Facebook and Twitter and YouTube? 2 There is little doubt that many – but not all – American teens have embraced many popular social media services.3 And there is little doubt that those who have are posting photos, sharing links, updating status messages, and commenting on each other’s posts.4 ... participation in such networked publics does not imply that today’s teens have rejected privacy as a value. All teens have a sense of privacy, although their definitions of privacy vary widely. Their practices in networked publics are shaped by their interpretation of the social situation, their attitudes towards privacy and publicity, and their ability to navigate the technological and social environment. As such, they develop intricate strategies to achieve privacy goals. Their practices demonstrate privacy as a social norm that is achieved through a wide array of social practices configured by structural conditions. How teens approach privacy challenges the ways in which privacy is currently conceptualized, discussed, and regulated.
However, 'intricate strategies' can only function if people know where and when data can be taken. (The paper is about teens, but in my experience adults are, even more concerned about privacy then teens. )

Also, it would basically be impossible for Apple to tell if an app violated people's privacy in the review process, unless it was doing it in the most obvious way (which Path was, and even in that case they either didn't catch it or care).
posted by delmoi at 1:31 AM on March 2, 2012 [7 favorites]


You know the same is true of any app on OS X as well, yeah?

I have to say it's kind of disgusting to see all these nerds crawl out of the woodwork to defend violating people's privacy.

Can we hold off on the theatrics until it's actually shown that anyone is abusing the current situation? No one's saying that it's acceptable to secretly upload user's photos to a random server. People are saying that adding yet another ticky-box is not a solution, especially in the absence of any actual evidence that this is a problem.

The address book stuff is a real story. This isn't.
posted by Arturus at 1:38 AM on March 2, 2012 [2 favorites]


it's just that Google and Apple didn't bother.

Google's business platform is targeted advertising, based on aggregating and analyzing user data.
Google's Web platform is targeted advertising, based on aggregating and analyzing user data.
Google's social platforms are designed to support targeted advertising, based on aggregating and analyzing user data.
Google's mobile platform is therefore ...

That's what Android is designed to do. This is an affordance of the system (for google), built directly into the architecture, that supports the business model. It's deliberate. In an ideal world, maybe that affordance would be perfectly designed, and privacy would not be an issue. The real world however is much more complicated. If you sign up for anything google, this is what you should be prepared to expect.

If you think that google is saying "Here check out the cool shiny phone/apps/service we have developed for you" and then take that at face value, then I think you are mistaken.
posted by carter at 1:39 AM on March 2, 2012 [2 favorites]


It's a no-brainer.

I disagree. I'm an iOS developer. I've signed the same agreements all other iOS developers have signed. I'm not going to be a dick and upload your photos to my server without permission or scan your address book. I rely on my fellow developers also to not be dicks. On top of that Apple reviews all apps primarily to protect the user (with lesser or greater success).


Come on -- you can't really believe that this works as a theory of security. If we're just trusting everyone not to be a dick, why have permissions of any sort at all? Let's just have all information on all phones freely available at all times via IP, for the convenience of any app developers who might want to access it. I mean, I'm not a dick, you're not a dick. What could possibly go wrong?
posted by No-sword at 1:43 AM on March 2, 2012 [5 favorites]


" I'm not a dick, you're not a dick. What could possibly go wrong"

What will fix it? Just one more checkbox?

You can't guard against all evil developer issues (privacy or otherwise). This is fundamentally a social/human problem and not a tech one. You put limited tech solutions in place where it makes sense (location being the most important) and you rely on social mechanisms (the developer agreement & bannination) to protect everywhere else.

If you think there is a tech solution that can work without seriously inconveniencing the user I'd love to hear it.
posted by schwa at 1:52 AM on March 2, 2012


Can we hold off on the theatrics until it's actually shown that anyone is abusing the current situation? No one's saying that it's acceptable to secretly upload user's photos to a random server. People are saying that adding yet another ticky-box is not a solution, especially in the absence of any actual evidence that this is a problem.
I don't see why you wouldn't want to err on the side of privacy. The vast majority of apps have no need to access your photos, so it will be a non issue for most developers.
posted by delmoi at 1:53 AM on March 2, 2012


I seem to recall "Access files on your SD card" being an Android permission.

A photo is a file on my SD card. Users may be expected to understand that much. (Correct me if I'm wrong about that.)

So there is actually a permission to deal with this issue, and the question is whether it's specific enough.
posted by LogicalDash at 1:58 AM on March 2, 2012 [2 favorites]


Open Source works both ways, apparently.
posted by ShutterBun at 2:01 AM on March 2, 2012 [2 favorites]


Hmm, I say, UNIX filesystem permissions solved this problem a long time ago. I wonder if it'd be too much to ask users to make "app groups" that are each run by a different "user"?
posted by LogicalDash at 2:01 AM on March 2, 2012


You know the same is true of any app on OS X as well, yeah?

Obviously this is beyond what most users can do, but in theory you can run an app using sudo on another account, which would deny it access to any personal data stored on your main account. Same thing is possible in windows. But unless you root/jailbreak a phone it's not going to work.

Also you can use a virtual machine to try out an app if you want too, but don't trust the developers.

But in general, you're right. Security on desktop PCs is terrible. It was even worse before when Windows, for example, ran as admin by default. But it wasn't like nothing bad happened, everyone's computer filled up with spyware. It was actually a pretty huge problem. And it's becoming more of a problem on OSX.
I seem to recall "Access files on your SD card" being an Android permission.
I think that's for the entire SD card contents. It wouldn't apply to photo-specific APIs (as far as I know).
posted by delmoi at 2:03 AM on March 2, 2012


They seem to have a conception of "the user" as an idiot who doesn't understand anything, has no desire to learn anything and simply wants to click cows, poke their friends on facebook and earn badges.

I've never seen any empirical evidence that it was true.


Wow, really?
posted by ShutterBun at 2:14 AM on March 2, 2012 [1 favorite]


Come on -- you can't really believe that this works as a theory of security. If we're just trusting everyone not to be a dick, why have permissions of any sort at all?

Traffic lights still work most of the time, even if there aren't metal barriers and police surrounding them 24 hours a day.
posted by ShutterBun at 2:22 AM on March 2, 2012 [2 favorites]


Wow, really?
Feel free to link to real data that shows 'users' don't care about privacy.
Traffic lights still work most of the time, even if there aren't metal barriers and police surrounding them 24 hours a day.
Tens of thousands of people die in traffic accidents in the U.S every year, millions worldwide. It's the leading cause of death for a lot of age groups. You're several orders of magnitude more likely to die in a car accident then a terrorist airplane attack, yet the security at airports is insane.

Part of that is because people are much more worried about deliberately causing accidents. But they are worried about people deliberately blowing up airplanes. People are much more concerned about intentional death and destruction then something unintentional.

If you just meant that people aren't running around 'hacking' traffic lights for some reason, well, why would they? It's clearly illegal and they'd be prosecuted if caught. But more importantly there's no upside. On the other hand if you look at something like an ATM where there is an upside, of course people hack it.

With personal data, not only is there an upside (even just prurient interest) there's also no legal penalties if caught. At least not yet.

So yeah, I'm not really sure what you're trying to say. If you're saying "People all obey traffic lights and everything's fine" then you're wrong, lots of people mess up (unintentionally) and overall an enormous amount of death and destruction results. If you're saying "people don't go around sabotaging traffic lights", well, what would the point be?

And in either case, there's no benefit to either running a red light deliberately and causing an accident (unless you're both suicidal and a dick), nor is there a benefit to hacking a traffic light for some reason. But there is a benefit to stealing personal data, which is why people do it.


I don't really get this idea that people shouldn't worry about it because most people aren't "dicks", and thus won't steal data. Not everyone needs to be a dick, just a small percentage. We already know that a small percentage of people are dicks, and we already know people steal data. So... we already know it's wrong.
posted by delmoi at 2:49 AM on March 2, 2012


Apple won't ever invest enough effort for their review process to provide any meaningful protection to users. There simply isn't any realistic code review process for closed source code.

In fact, a UCSB study showed that unauthorized iPhone/iPad apps leak private data less often (4%) than Apple approved ones (21%) (via). lol

You could perhaps isolate your closed source Android apps from accessing any data, restricting yourself to open source Android Apps for anything important. Android is itself open source of course, giving you the basics at least.

There should eventually be an SEAndroid based distribution that achieved this.
See : NSA Publishes Blueprint For Top Secret Android Phone
posted by jeffburdges at 2:51 AM on March 2, 2012


Part of that is because people are much more worried about deliberately causing accidents.

er, that should say "aren't worried much about"

posted by delmoi at 2:54 AM on March 2, 2012


You can't have permissions for everything the app may or may not do

People are working on it.
posted by flabdablet at 3:12 AM on March 2, 2012


Why do people keep buying (not just using, but actually *paying for*) gadgets they can't examine the innards of to find this kind of thing?

Anyone using Android should switch to Replicant.
posted by DU at 4:17 AM on March 2, 2012 [1 favorite]


Feel free to link to real data that shows 'users' don't care about privacy.

I'm not saying people aren't "at some level" worried about privacy. I'm just aghast that you've yet to encounter a large group of people whose *primary* concern about their smartphone is "that it works, posts pics to facebook, and takes care of their Farmville crops" (or however it was said)

Granted, if you sat a bunch of people down and asked them "would you be concerned if an app could surreptitiously upload your pictures to a private server?" I'm sure a lot of them would say "yes," but I'm also willing to bet it would rank pretty low on their "performance expectations of a smartphone" scale on any given day.

Tens of thousands of people die in traffic accidents in the U.S every year, millions worldwide. It's the leading cause of death for a lot of age groups.

You've taken my comparison a bit too literally. The main idea is that an environment of "thou shalt not be a dick" is much more effective than any kind of roadblock. Comparing "accidents" to "deliberate recklessness" isn't valid. (Although not impossible, it seems a fairly remote chance that someone is going to design an app that "accidentally" starts uploading people's pictures to a server)

Apple has taken one approach, which to my mind reads as something like "These are the rules. Follow them, or we'll kick you out of the pool. We can't police every single thing every one of you does, but if you're caught, penalties will be severe."

Google seems to be taking another route: "We're going to monitor every single thing you do which falls under these 50 categories. Violate any one of them, and your out."

Apple's method relies (again, to this layman) more on the (supervised) public trust system, whereas Google is using more of a series of checkpoints. Neither is perfect (what could be?) but it seems to me that Google's method is more ripe for exploitation (checkpoints are made to be evaded)

What's safer: a neighborhood that says "Don't run any stopsigns in our town. We have a police force, and although we can't be everywhere at once, if we catch you, you're in deep shit"

or:

A neighborhood that says "Although we don't employ a police force, we've installed red-light cameras in various intersections within the city. A map of these intersections is available here. Anyone caught running a red light is in deep shit."

(please forgive the oversimplification and/or complete misunderstanding of how Android vs. iPhone security works; I genuinely welcome any factual correction)
posted by ShutterBun at 4:29 AM on March 2, 2012


On Android, with no central curation of apps - then yeah - there probably should be a permission. But on iOS - I think there's plenty of safeguard there to protect the users.

That's what protected users' address books?
posted by inigo2 at 5:47 AM on March 2, 2012


I'm not saying people aren't "at some level" worried about privacy. I'm just aghast that you've yet to encounter a large group of people whose *primary* concern about their smartphone is "that it works, posts pics to facebook, and takes care of their Farmville crops" (or however it was said)
First of all I don't sit around getting into detailed discussions with people about cellphones. Why would I? usually it's just "I got this phone," "I got that phone," "what apps do you have?" "whats the battery life". I did show someone who'd gotten a new iPhone Siri, since they apparently had no idea it was there. I met some kids who were very impressed with my Angry Birds high score and wanted to play it on my phone.

I've never once talked to anyone about facebook on their phone. I don't think I've ever had a real world conversation about farmville in my entire life.

The problem with this privacy stuff is that they can immediately tell if their phone isn't working, but they can't tell if their data is being stolen. And for the most part, a lot of users don't realize where the problems are. They probably have no idea that any app they download from the app store could be uploading their contacts list. They probably have no idea that any app they download from the android market can access stored photos.

On the other hand, when my friend found all the photo she'd been taking with her phone were uploaded to Google plus, she freaked out, she was far, far more upset then she would have been if the google+ app had trouble uploading photos. (again, in this case there was an opt-out but she just didn't pay attention when installing the app). Do you think that when Paris Hilton had her nudes leaked all over the internet she was less upset then if she had trouble downloading those pics to her own computer from T-Mobile's website? It does seem that when, and if, people discover their privacy being violated, they are much more bothered then when stuff requires an extra checkoff or whatever during install.

That said though, why even assume that there is a tradeoff between privacy settings and having the phone 'work'?

I mean, you would think people using facebook would want to be able to take pictures directly in the app, right? But you need permission to do that. And of course all of those apps need to access the internet, but they need permission to do that too. So why would adding a permission to access already taken photos somehow make apps stop working. So, if they need internet permission to work, and they get it, and they need camera permission to use the camera, why would adding a permission to access the photo library cause a problem? It doesn't really make that much sense.

The arguments that people need these security holes to stay open for apps to work makes no sense at all. Having the phone work and having your private data secured are totally orthogonal problems.

That said, are users really more concerned about clicking cows then privacy? If you gave a user the choice between uploading all of the photos directly to facebook, or uploading none of them, which would they choose? If they had a choice between uploading all of their personal photos to iFart's web server, or not using a fart app, which would they choose? Or what about not uploading their contact lists to Path, or not using Path?

I'm guessing that most users, if actually told that those were the only two options would probably chose not to use a lot of those products. Except we know that facebook probably isn't uploading all of your photos, even though it can. On the other hand we know that path was uploading the contact lists, so that really was your choice. The only thing was people didn't know that those were their choices They assumed that Path wasn't uploading their contact list.

I mean there is a permission to expand the status bar or turn on the flashlight. Why would they go through the trouble of adding those permissions but not adding a permission to secure the photos?
but it seems to me that Google's method is more ripe for exploitation (checkpoints are made to be evaded)

What's safer: a neighborhood that says "Don't run any stopsigns in our town. We have a police force, and although we can't be everywhere at once, if we catch you, you're in deep shit"
No. The checkpoints can't be evaded. I mean, you trust that every website you visit doesn't have access to your hard drive, right? But why not? Because the browser is secure, and doesn't grant those apps permission to access the hard drive. Same thing with an android app. It's physically impossible for apps to 'break through' the checkpoints. They use the same security technology that mainframes and Unix systems use to manage multiple accounts. Obviously a security bug is a possibility, just like with any OS but it's pretty unlikely. It's the same security technology that's been around for decades and exists in every modern OS.
What's safer: a neighborhood that says "Don't run any stopsigns in our town. We have a police force, and although we can't be everywhere at once, if we catch you, you're in deep shit"

or:

A neighborhood that says "Although we don't employ a police force, we've installed red-light cameras in various intersections within the city. A map of these intersections is available here. Anyone caught running a red light is in deep shit."
It's more like "You're in a room with 8 inch thick concrete walls" there are N doors, each one 2 inches thick and made of titanium. Each of which requires a different key to open. You can tell the user what doors you'd like to be able to open, and if they don't want to give you those keys, you will not even come into existence" (And also, in this metaphor, every other app on the system gets it's own room, and can can even create it's own doors and keys to give to other apps)

Except, there are handful of rooms that don't have doors. There typically isn't really anything interesting in most of those rooms. So what's surprising is that apparently the room with all the user's private pictures is wide open - with no door. Obviously it would be easy to put a door there, so why isn't there one?

It sounds like IOS has maybe two doors and the rest of the rooms are open.
Currently iOS apps need permission to: access your twitter account credentials, get device location and to send you push notifications. That's it.

Clearly, twitter isn't a part of iOS, the authentication in this case is actually being done by twitter's OAuth provider. So it sounds like location and push notifications are the only two doors. Everything else (like the contacts list or photos) is totally open or (like, for example, installing new apps from outside of the apple store) completely closed off.
posted by delmoi at 6:08 AM on March 2, 2012


The idea that my phone may upload personal photos to the Internet without my permission is a secondary concern for me in the same way that my phone suddenly growing spikes or setting my dog on fire is a secondary concern - not because it wouldn't be a bad thing, but because I expect at a basic level that the device will not do that, and without evidence that it does, I wouldn't think to worry about the possibility.
posted by Holy Zarquon's Singing Fish at 6:28 AM on March 2, 2012


Currently iOS apps need permission to: access your twitter account credentials, get device location and to send you push notifications. That's it.
Clearly, twitter isn't a part of iOS, the authentication in this case is actually being done by twitter's OAuth provider.

actually, it is part of iOS, hence the system-level control of access to twitter accounts similar to location and notifications.
posted by frijole at 6:32 AM on March 2, 2012


a lot of users don't realize where the problems are

This is very true. They have no idea of how the Internet or the Web work, and in fact they probably have erroneous mental models. Most people will not be able to follow the discussion in this thread. This also applies to users' understandings and mental models of security, privacy, etc., over networks.

From this point of view, it is disingenuous of google, facebook, (etc.) to claim that they design for users' privacy. If this involves having to read and click through various interfaces and policies, where the terminology represented within is obscure and poorly defined in the first place, then people are not offering informed consent either way. You would almost think that this was deliberate ...
posted by carter at 6:36 AM on March 2, 2012


I'm not going to be a dick and upload your photos to my server without permission or scan your address book. I rely on my fellow developers also to not be dicks. On top of that Apple reviews all apps primarily to protect the user

As a user, this does make me uncomfortable. I don't like security policies that are essentially: "trust us, we're doing the right thing". No offence, but I don't know you or the thousands of other developers in the Apple store. Anyway, everyone has a bad day and something might slip through by accident.

We've only seen informational leaks with phones so far, contacts, location, and so on. These things are quickly turning into electronic wallets and even wireless keys now---I saw mention of using nfc as a car key the other day. "Just trust us" isn't going to be good enough for my bank information, my car or house keys.
posted by bonehead at 6:39 AM on March 2, 2012 [2 favorites]


I understand that there are concerns about too many permissions, but it seems like "Do you want this app to access your personal information (location / contacts / photos)?" would cover most of the concerns and most apps like games would never need that permission.
posted by smackfu at 6:51 AM on March 2, 2012


Hmm, I say, UNIX filesystem permissions solved this problem a long time ago. I wonder if it'd be too much to ask users to make "app groups" that are each run by a different "user"?

Well, both Android and iOS are UNIX derivatives. So in a very literal sense, they do use the UNIX filesystem's permission model. What they don't do is put the task of managing each file's permissions, groups, etc in the hands of the phone's user. I'm not sure that would sold the real problem of peoples' information leaking or being compromised by bad actors, though: it would just make using the phones considerably more complex, and give companies like Apple and Google plausible deniability. "Oh, you chmodded your address book file 777 to make FunHappyApp work, like it said in its documentation? You ran that app as YOU instead of AppsWithNoAccessToAddressBookUser in the RestrictedUserGroup? Well, your bad. Pick up a copy of Essential System Administration and don't forget that again."

That's where the world of PHP WebCMS apps is at these days, and I daresay that the people who try to install a custom web app on a shared host are probably more technically inclined (on average, at least) than the target market for the iphone.

Facebook has gotten as many complaints about its "ridiculously detailed" permission model as it has about la security, because it basically puts the burden of policing a giant permission-matrix on its users and shrugs off complaints about complexity. "You wanted privacy? Here, have sixteen million checkboxes." Exposing the UNIX filesystem permissions model would be even worse.

The point is not that leaving personal information like photos vulnerable is acceptable. Rather, it's that asking people who use UNIX on a daily basis and think that a per-file permissions matrix is easy to grasp shouldn't be making the decisions about how to expose security controls to the user. There has to be a better way, and
posted by verb at 6:53 AM on March 2, 2012


Pretty sure this is true of every single device with an internet connection that you can install software on isn't it? Non-issue.
posted by zeoslap at 6:55 AM on March 2, 2012


I'm not going to be a dick and upload your photos to my server without permission or scan your address book. I rely on my fellow developers also to not be dicks.

Relying on people not to be dicks doesn't work.
posted by Trurl at 7:06 AM on March 2, 2012


Non-issue? I think people are just coming around to the fact that we trust programs too much, and that there should be discrete compartments of information that you share with them at your desire, similar to how it works for websites.
posted by smackfu at 7:07 AM on March 2, 2012


actually, it is part of iOS, hence the system-level control of access to twitter accounts similar to location and notifications.
Huh.
Pretty sure this is true of every single device with an internet connection that you can install software on isn't it? Non-issue.
Almost every website you visit includes "software" (JavaScript) that gets "installed" (in you cache)

Security is a solved problem. It's just not usually turned on. Except It's almost entirely turned on on Android, except for this weird and inexplicable gap.
The idea that my phone may upload personal photos to the Internet without my permission is a secondary concern for me in the same way that my phone suddenly growing spikes or setting my dog on fire is a secondary concern - not because it wouldn't be a bad thing, but because I expect at a basic level that the device will not do that, and without evidence that it does, I wouldn't think to worry about the possibility.
Yeah... it hadn't even occurred to me that photos weren't secured by permissions on android is. Everything else is. Like I said, you need a permission to turn on the flashlight or adjust the volume. Almost anything that could potentially be even a little annoying is blocked. Why are the pictures left available for anyone to take?
posted by delmoi at 7:07 AM on March 2, 2012


Another big problem with android, though is the "SD Card" permission. Basically, any app that can access it can access photos, as well as any other dropped there by other apps. That's kind of a problem.
posted by delmoi at 7:25 AM on March 2, 2012


A note to everyone on the internet: "This isn't a problem for you, because I don't think it is a problem for me" is not the same thing as "This isn't a problem for me, even though it's a problem for you", and while the latter is reasonable, the former is insulting.

carry on
posted by davejay at 7:42 AM on March 2, 2012 [4 favorites]


I understand that there are concerns about too many permissions, but it seems like "Do you want this app to access your personal information (location / contacts / photos)?" would cover most of the concerns and most apps like games would never need that permission.

Only sometimes. The big problem with broad permissions is that applications can piggyback their bad-faith exploits on reasonable permission requests. For example an application that lets you put funny moustaches on photos being given "access to your personal information" could do a lot of things with that personal information that you don't want it to, and being given access to photos doesn't necessarily mean they want to give access to (say) the camera itself.

Figuring out a decent balance between "have fun with chmod and chown" and "security? what security?" is tricky. Too far towards the former and people tune out mentally and bad actors take advantage of fatigue. Too far towards the latter and you frustrate legitimate developers and let bad actors sneak their exploits in under seemingly-legitimate requests.
posted by verb at 8:01 AM on March 2, 2012


You can't guard against all evil developer issues (privacy or otherwise)

Right, which is why I'm not saying that Android is bad because it doesn't guard against all evil developer issues. I totally understand that this is impossible, and that there will always be a tradeoff between security and convenience.

What I am saying is that photos in particular are something that many users really, really want to keep private. And so, yes, if your OS's security model as understood by users is "apps must get authorization before doing potentially shady things", photo access in particular should be on that list of shady things. That's the very limited scope of what I am saying.
posted by No-sword at 8:39 AM on March 2, 2012 [4 favorites]


In this thread : people act as if the trojan horse program was invented yesterday.
posted by w0mbat at 8:52 AM on March 2, 2012


In this thread : people act as if the trojan horse program was invented yesterday.
w0mbat: I guess that's a reasonable response, but the thing is the security model on android is such that the user assumes they are protected. An android app with no permissions doesn't need to be any different then a web page. You browse the web all the time, I assume without worrying about whether or not you trust the the site developers, right?

But beyond that, the security 'model' on PCs (mac and windows) completely sucks. There is no reason for things to be as open as they are by default. They're setup so that the program runs with the permissions of the person running them. If you're using a restricted account, the program won't be able to do anything that 'you' can't.

The way it should work is, essentially, each developer is a 'user' on a multi-user system. So each app would only be able to access data that the 'administrator' (i.e. the user) gives them access too.

If security had been done correctly on the PC, starting with windows NT/2000 which had a solid security model (windows 95 did not) and OSX (OS9 couldn't do it either) it wouldn't be the problem it is today.

Also as I said in another thread, users expect their phone apps from the app store to be more secure then some random .exe file they find on the internet.
posted by delmoi at 9:03 AM on March 2, 2012


> There has to be a better way

Easy, we just hire competent full-time sysadmins for our phones.
posted by jfuller at 9:07 AM on March 2, 2012 [1 favorite]


So I bought an Android phone for the first time a few months ago - my first ever smartphone. I was excited about having mobile access to the internet, getting directions (it's my first GPS-enabled device too), and becoming one of those brain-dead droids that are constantly staring at their phone while walking. Oh, and games! I was finally going to crack the code and figure out why those damn birds were so angry! And apps! I could twitter and facebook my face off, and become the mayor of my own house!

Of course, after I got the phone I realized that all these apps required some serious data commitment on my part. Facebook wants my GPS coordinates, to read/write all my text messages and all my contact data, and to "Act as an Account Authenticator", whatever the hell that means. All I want to do is take a picture of a cute squirrel and share it, or maybe tell my friends that I'm headed out to get some tiramisu and would they like to join me.

The twitter app seems to have the same data overreach problem - leave my contacts and GPS location alone and let me type my stupid 140-character message! Is it really that important that you know exactly where I am when I get the tell @thecurrent to play my favorite song? Even Angry Birds wants to know where I am, what my phone state is, and wants "full" internet access. For a silly game where you throw pigs at birds (or something like that - didn't install it and still haven't played it).

So for those rare times when I want to get the same functionality on my phone that I do on my laptop - I kick it "old-school". And by old-school, I mean HTML5. I open a browser, do the deed, and move on with my life. Yeah, it sucks that not everything is seamlessly integrated, but at least I have a little bit of control over what's being sent via HTTP requests - though I'll admit I haven't personally sniffed the 4G traffic, though I'd really like to get one of those antennas that allow you to do this.

Anyway, what I'd really like out of Android (as a pony request) is an ability to have some granular control over apps. How about I just not grant Facebook the ability to track where I am, and see what happens. How about I take away it's ability to root through my contact list and see if that breaks some functionality? I only want what every American President wants - a line-item veto!
posted by antonymous at 9:11 AM on March 2, 2012 [2 favorites]


I find it utterly hilarious that anyone can possibly think the unix security model is at all relevant to this discussion.

"hey what do these chmod and chown apps do?"
posted by schwa at 9:12 AM on March 2, 2012 [2 favorites]


And so, yes, if your OS's security model as understood by users is "apps must get authorization before doing potentially shady things", photo access in particular should be on that list of shady things. That's the very limited scope of what I am saying.

nthing that. The challenge is turnaround time on major changes like that, though. In theory it could go out in a point release of iOS, but it would likely break older apps and would probably need to be pushed to a major release. And if you look at the adoption curve for new versions of Android, it becomes clear that most people update that OS when they buy a new phone, not when a new OS is released.

Which means that unless some sort of short term shim is put in place, this issue will probably be with us for a while.
posted by verb at 9:20 AM on March 2, 2012


But beyond that, the security 'model' on PCs (mac and windows) completely sucks. There is no reason for things to be as open as they are by default. They're setup so that the program runs with the permissions of the person running them. If you're using a restricted account, the program won't be able to do anything that 'you' can't.

I'm not sure what you mean. The user-sandboxing model you talked about is precisely the way OSX works. The problem is that few people want to go to the effort of changing user accounts to run different apps. It at least improves things by not running everything as root; the account you use on a day in, day out basis is your "personal account," and you have to authenticate whenever an app wants to make any sort of system-level changes.

Again, maybe I'm missing what you mean?
posted by verb at 9:25 AM on March 2, 2012


on iOS - I think there's plenty of safeguard there to protect the users.

er, have you looked at the iTunes Store lately?

I mean there is a permission to expand the status bar or turn on the flashlight. Why would they go through the trouble of adding those permissions but not adding a permission to secure the photos?

Is it really that simple? How are photos treated different than any other files? I have JPGs, GIFs, PNGs in various directories of my phone's memory card.

I'm very wary of installing any "apps" on any machine (I prefer a secure (heh) Web browser), so this doesn't bug me too much (also what the fuck should i really care if you steal my pictures? it's certainly better than stealing my contact info ... for me), but good lord sometimes I feel like the 90% of the computer-software products these days are built for black-hat SEO, sleazy data harvesting, opt-out bundles, home-page/search-engine/new-tab takeovers, rogue scareware, etc. etc. Get a sense of purpose, please.

nthing the Permission Explorer for Android. As far as I can read there is no READ_FILES permission ... so what is the permission to look for here ... ACCESS_CACHE_FILESYSTEM or something? Only 3 default apps use it for me.

I seem to recall "Access files on your SD card" being an Android permission.

What is that permission name, though?

Anyone using Android should switch to Replicant.

Anyone with one of the 3 Android phones that can run it should switch to Replicant.
posted by mrgrimm at 9:52 AM on March 2, 2012


I find it utterly hilarious that anyone can possibly think the unix security model is at all relevant to this discussion.

Hahaha, yeah, why would that matter when we're just running a unix-based OS on our phone.
posted by nTeleKy at 10:13 AM on March 2, 2012


Anyway, what I'd really like out of Android (as a pony request) is an ability to have some granular control over apps. How about I just not grant Facebook the ability to track where I am, and see what happens. How about I take away it's ability to root through my contact list and see if that breaks some functionality? I only want what every American President wants - a line-item veto!

What you want is CyanogenMod. Then you can do exactly this. And more!

If what you really want is to be able to do this without rooting your device/voiding your warranty... I wouldn't hold you breath. It might happen (the inclusion of the ability to disable carrier bloatware in ICS was certainly a welcome surprise) but if I were a betting man, I'd put my money on this never becoming a part of Android proper.
posted by SpiffyRob at 11:10 AM on March 2, 2012 [2 favorites]


So for those rare times when I want to get the same functionality on my phone that I do on my laptop - I kick it "old-school". And by old-school, I mean HTML5. I open a browser, do the deed, and move on with my life. Yeah, it sucks that not everything is seamlessly integrated, but at least I have a little bit of control over what's being sent via HTTP requests - though I'll admit I haven't personally sniffed the 4G traffic, though I'd really like to get one of those antennas that allow you to do this.
I find it utterly hilarious that anyone can possibly think the unix security model is at all relevant to this discussion.
Application can run Linux shell commands 'behind the scenes' in Android. In fact, you can get a local terminal app that will let you access the regular command line, as your normal, non root user. And if you do root the phone you can install and run any Linux program on your phone, without replacing the current install of Android. They run just fine on the same kernel, alongside the rest of the phone software.

In fact I just bought the thing and ran the ps command. Each app actually is running as a separate user. (with usernames like app_47, app_19, etc)

That said, android mostly uses the java security model for most permissions. The java permission model is actually really interesting. Any piece of code can launch new code in an environment with a subset of it's own permissions. (to do this you call AccessController.doPrivalaged(PrivilegedAction<T> action,AccessControlContext context))


Java permissions don't just apply to files or specific files, but to every function call. So if your program, say, sends text messages you could restrict which users the apps can send text messages to. (to do this, you call AccessController.getContext().checkPermission(x) where x is a Permission object. And the cool part is you can create as many permissions as you want. Every app on android can communicate with other apps, but in order for App A to call a method in app B, A needs to get permission to access that feature in B. That way applications can expose functionality without risking user security.

Anyway, point here isn't that users should need to know how to use chmod. The point is that those security technologies sit underneath the system. In fact iOS not only uses unix security features, it depends on them. Without them, every iOS phone would come pre jailbroken, and every app on iOS could do anything it wanted.

None of this needs to be exposed to the user as anything other then "Do you want app X to be able to do Y" There is an enormous difference between the underlying technology and the user interface
Is it really that simple? How are photos treated different than any other files? I have JPGs, GIFs, PNGs in various directories of my phone's memory card.
Right, but apps need permission to access the SD card. The technical name is android.permission.WRITE_EXTERNAL_STORAGE. That's what it shows up as in permissions explorer. If you want an example of what it looks like in the android market, Angry Birds asks for it and it shows up like this:
STORAGE
MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS
Allows an application to write to the USB storage. Allows an application to write to the SD card.

But yeah like I said, the SDcard is a free for all for any app that has access to it. (Like terminal I just got). There are lot of legitimate reasons why an app might want to access the SD card. They really need to add a permission for photos, and lock down the /sdcard/dcim folder (Or wherever they are stored on your device. not all android devices uses /sdcard for as the storage path)
posted by delmoi at 11:26 AM on March 2, 2012 [1 favorite]


I'd like to see a tree view hierarchy for permissions, preferably with groups layered on top. Each app can either be assigned permissions directly or just thrown in a group. Also, anything attempting to access data without permission should just be returned a default set. For example, any app attempting to receive your location without permission should just be given the apple HQ's GPS coordinates; address books could come back blank, photos albums could be empty or return a stock photo, etc... I'd rather an app prompt me that no photos are found, and prompt that perhaps I need to check permissions than it have access to my photos without permission.
posted by Crash at 1:20 PM on March 2, 2012


okay, okay.
Now that there are 1,742 reasons not to take sayxxy pictures with the phone, I'm convinced. DAMMIT! I was really hoping to keep snapping happily away with the mere 1,741..
posted by herbplarfegan at 2:07 PM on March 2, 2012


When recording audio the iOS menubar glows green [or is it red?]. An app isn't going to sneakily record your conversations without you knowing…

Unless it starts eavesdropping while the phone is in your pocket and you can't see the screen.
posted by CyberSlug Labs at 2:09 PM on March 2, 2012


"I'd like to see a tree view hierarchy for permissions, preferably with groups layered on top"

Grandma will totally love that model on her new iPad.
posted by schwa at 2:10 PM on March 2, 2012


The UCSB study on unauthorized apps vs authorized apps is irrelevant ax-grinding sophistry. There are a huge number of confounding differences between the two stores, basically no conclusions can be drawn. Which isn't a particularly big flaw for a paper about a static analysis tool. But throwaway results will always be picked up by someone digging around for trash.
posted by Wood at 2:29 PM on March 2, 2012


Grandma will totally love that model on her new iPad.
Do you not understand that Crash wanted to see that because they wanted as a user to see what apps could do what their on his phone?

The concerns people have about this are concerns as users. I don't really give a crap about people trying to make money writing mobile software. I've written a grand total of one android app in my life, just to play around with the SDK and my first-ever smartphone. All I want to do is be able to personally send text messages, make phone calls and take pictures in privacy.

If that means grandma can't click cows because Zynga isn't willing to let her do it without being able to data-mine her phone-book or look through the nudie pictures she sent to sal at the nursing home that's fine with me. And honestly it's probably better to default to private if a user doesn't understand privacy settings.
posted by delmoi at 3:40 PM on March 2, 2012


I find it utterly hilarious that anyone can possibly think the unix security model is at all relevant to this discussion.

I remember when OS X was just coming out some people actually believed that Alias|Wavefront would just be able to recompile Maya or Jaleo and bam, you'd have it on the Mac just like that. Of course it wasn't until version 3.5 I believe, though I could be wrong, that we saw Maya on the Mac. I believe the reasoning was since Irix was based on Unix and OS X was based on Unix, therefore, for some reason, all the software would work across both platforms.
posted by juiceCake at 10:53 PM on March 2, 2012


I remember when OS X was just coming out some people actually believed that Alias|Wavefront would just be able to recompile Maya or Jaleo and bam, you'd have it on the Mac just like that. Of course it wasn't until version 3.5 I believe, though I could be wrong, that we saw Maya on the Mac.
Graphics libraries aren't standardized on unix the same way file permissions are.
I believe the reasoning was since Irix was based on Unix and OS X was based on Unix, therefore, for some reason, all the software would work across both platforms.
Pretty much anything command line based will cross compile between different versions of Unix pretty easily, so long as you're not using proprietary extensions, and that includes OSX. I don't think OSX has an X-windows server, which is what most Unix systems used for graphics at the time, and it certainly wouldn't have any SGI extensions that high end graphics packages would have needed.

Anyway, that was years ago and cross-platform software is much, much easier to do nowadays with standard graphics libraries like QT and broad support for OpenGL - plus cross-platform run-times like Java.

In any event, we're talking about Security implementations, not compatabilty. Android is Linux and user/file permissions (along with java-style runtime permissions) do play a roll in how security works. From the documentation:
Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.

Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform, and per-URI permissions for granting ad-hoc access to specific pieces of data.

Security Architecture

A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.
The problem is that for some reason Google decided not to include "pictures" as protected data, when obviously they should have.
posted by delmoi at 5:06 PM on March 3, 2012


Oh look:

'It's not me': Christina Hendricks says leaked nude internet photo is a fake... but admits her phone was hacked.

I'm sure this is a total "non issue" for her. Completely ridiculous to worry about privacy and all. (Same thing just happened to Olivia Munn as well)
posted by delmoi at 12:01 AM on March 5, 2012


Here's a list of actual users saying what they want in their phone, and the argument to not deliver it is "but users don't want that"? The Grandma argument is just a smokescreen. Let's be honest, most "grandmas" who couldn't understand a simple permission system don't have smart phones. I use quotes b/c there's plenty of grandmothers (such as my own Mom, who's far from technical) who care about their privacy and want this feature in their phone. App developers just want to mine people's data 'cause that's where the money is, or they're too lazy to want to have to deal with a layer of security when writing their apps. At least be honest about why you're doing it.
posted by Crash at 8:50 AM on March 5, 2012


(Same thing just happened to Olivia Munn as well)

We Made Olivia Munn’s Dirty Talk Safe for Work by Adding it to Stock Photos
posted by homunculus at 12:17 PM on March 5, 2012


'It's not me': Christina Hendricks says leaked nude internet photo is a fake... but admits her phone was hacked.

I suspect lack of comprehension of how yFrog works is a more likely culprit than a rogue app, cf. Anthony Weiner.
posted by Artw at 4:24 PM on March 5, 2012


Here's a list of actual users saying what they want in their phone, and the argument to not deliver it is "but users don't want that"? The Grandma argument is just a smokescreen. Let's be honest, most "grandmas" who couldn't understand a simple permission system don't have smart phones.


There's a difference between appealing to a hypothetical grandma, and calling on what we have actually observed happens when the majority of non-developers are given a UI like this for managing permissions. I'm not saying privacy is a non-issue. I'm not saying that people shouldn't have control. I'm saying that when the vast majority of users say "I want to protect my privacy, how do I do that?" and are given a grid with hundreds of checkboxes, they pause, squint, and say, "I want to protect my privacy -- how do I do that?"

For better or worse, "Grandma" is a generic standin for "a non-technical user who is more interested in performing specific tasks than manipulating a device's data model." I think it's a bit ageist and sexist, and given the fact that the number of elderly people using the internet outnumbers "software developers" by more than an order of magnitude, I think it's dangerous to make too many assumptions, but yeah. It's not just grandmas.

I don't have any problem with software companies providing that kind of big wall of checkboxes, I just think that it will not do much to solve the problem. It will either result in a list of permissions so fine-grained that it explodes into hundreds upon hundreds of options in the 'Privacy Settings' screen, or permissions with such a wide umbrella that bad-faith apps still sneak exploits in under legitimately approved behavior.

I'm not saying that it's insurmountable. I'm not saying that companies shouldn't try to solve it. But I've watched the "Oh, just add a shitton of checkboxes, that'll solve it" answer turn good systems into hash before. Seeing it treated as the obvious correct response that only idiots and spamming assholes would oppose causes heavy sighing.
posted by verb at 4:49 PM on March 5, 2012 [1 favorite]


The wall of checkboxes can be implicit, and users don't necessarily need to engage with it directly.

If the system presented privacy protection popups in a standard form "$appname wants to use your $resource" with "allow" and "deny" buttons and a "do the same thing (*) for the next [ ] minutes (*) every time" control, and provided a standard "reset privacy protection settings" option for every installed app and for every protected resource that would cancel the "do the same thing" settings for that app or that resource, that should pretty much take care of it.
posted by flabdablet at 7:24 AM on March 6, 2012


There's a difference between appealing to a hypothetical grandma, and calling on what we have actually observed happens when the majority of non-developers are given a UI like this for managing permissions. I'm not saying privacy is a non-issue. I'm not saying that people shouldn't have control. I'm saying that when the vast majority of users say "I want to protect my privacy, how do I do that?" and are given a grid with hundreds of checkboxes, they pause, squint, and say, "I want to protect my privacy -- how do I do that?"
And the solution is simple: Default privacy settings to the max, and if they can't figure it out, their stuff stays private.

In other words: Informed consent. If they're not informed, they can't consent.

Plus, the basic UI doesn't need to be that complex. Something like, okay you want to upload your photos to facebook. You click "upload photos" in the facebook app, you get a modal screen asking if you want to "let Facebook, Inc see all my photos"

The options could be "Yes, let them see all my photos" or "Let me select which photos facebook can see"

The grid thing would just be so you can go back and remove permissions later. I don't like androids "Either grant all permissions, or don't install", you should be able to modify permissions later.

Also, app developers should write their programs to work, and do everything the user wants except for the stuff they don't have permission to do if they lack permission. Is that more work for the developer? Obviously, but so what? The phone exists to benefit the user Not the developer. Developer lazyness is not an excuse to violate people's privacy.
posted by delmoi at 12:14 PM on March 10, 2012 [1 favorite]


And the solution is simple: Default privacy settings to the max, and if they can't figure it out, their stuff stays private.

Sadly, this is as likely as double-opt-in mailing lists in email, which should also be the default.
posted by inigo2 at 6:01 PM on March 10, 2012


Condom Or Android Handset Name?
posted by jeffburdges at 4:47 PM on March 27, 2012


Version 4.0, Cream Pie Sandwich
posted by flabdablet at 9:22 PM on March 28, 2012 [1 favorite]


« Older I'm with the teachers!   |   Get ready for ? Newer »


This thread has been archived and is closed to new comments