Lookout's App Genome Project warns about sketchy apps you may have already downloaded
If you're an iPhone user, the only privacy notice you'll see from an app regards your current location -- as much a warning about the associated battery hit from the GPS pinging as anything. If you're an Android user, however, things are different, with a tap-through dialog showing you exactly what each app will access on your phone. But do you read them? You should: Lookout is running a sort of survey across 300,000 apps on those two platforms, and has found that many access personal information even though they seemingly don't need to. One particularly scary instance, an app called Jackeey Wallpaper on Android, aggregates your browsing history, text messages and even your SIM ID, could get your voicemail password, and beams it all to a server in China. That this app has been downloaded thousands of times is a little disconcerting, but it's not just Android users that have to fear, as even more iPhone than Android apps take a look through your contact info. What to do? Well, be careful what you download to start, on Android read those privacy warnings... and we're sure Lookout wouldn't mind if you took this opportunity to download its security app.
Update: We received a note from Jussi Nieminen, who indicated the data fields being retrieved, as reported by VentureBeat, are incorrect. Texting and browser history are apparently not retrieved, but your phone number, phone ID, and voicemail fields are. And, since it's not unheard of for voicemail entries to include a password when set up on a phone, it's possible they could wind up with that too. Also, the popularity of the app was apparently misstated, with actual downloads somewhere south of 250,000.
Update 2: Kevin, one of the Black Hat speakers from Lookout, wrote us to let us know that the full details on the wallpaper apps have been posted here, if you'd like to read. Meanwhile, estimations of just how many people have downloaded this particular wallpaper app are all over the place, ranging from as low as 50,000 to over four million.

Uh-oh magadget, they're stealing ALL YOUR DATA!
@fpad77
im in your appz stealing all your dataz
@fpad77
This chart can be seen as either positive or negative for Apple or Google.
Some apps NEED to access your location. For example, you would want any app that uses GPS to access your location, otherwise you would have to manually enter it each time you used it.
Also, some apps NEED to access your contacts. For example, any app that you can send email from. Otherwise you would have to manually enter email addresses each time you used it.
Since there are no stats on how many apps need to use this information, the figures given are meaningless.
About the figures for 3rd party code, there is no golden rule that 3rd party code is better than code supplied by either Apple or Google. In fact, you could view this stat as Apple's code being used more often because it's easier to implement, more feature complete, and less buggy than having to develop your own code.
Again, this stat on its own (without additional information) is meaningless, as it could be seen as either a positive or a negative.
@fpad77
I just found Lookout on Android market, it wants access to:
Network communication, my location, phone calls, system tools, my messages, my personal information and hardware controls.
This is the most demanding app I could have in terms of data access. I'm reluctant to get it.
@fpad77 easy answer: jailbreak and install hackulos security, and disable all these "features" of the apps....
@maty Well an app made to monitor what other apps are accessing would itself need access to all of these things, no? How can it monitor things without having access to them. You think your antivirus on your computer has limited access? No.
@ViewRoyal :rolleyes:
Yes less third party code on apple could be a good thing. On the other hand it may be a sign that Apple doesn't allow developers to do anything out of their very restrictive bounds, and that Android developers have more freedom to "think outside the box" and improve on the platform.
@mixit
Indeed, I didn't expect it not to require access to those - but then again, some of those are for features I don't require. It wants access to send texts and receive them. Sure, it's probably all legit - but I just want an app that warns me against 'bad' apps. Nothing more!
@Kerensky97
As a general rule, less 3rd party code is a "good thing" because it should mean that applications can be developed faster, more easily maintained and there are less occurrences of developers "reinventing the wheel". You can, of course, pretty much write as much 3rd party code on the iPhone as you like as long as you do so via Xcode and, primarily, in Objective-C. If you don't like the way that Apple has implemented its various frameworks then I don't think that there is anything to prevent writing your own versions or simply overriding some aspects of what Apple has written. But as a general rule you want to avoid doing this unless there is a really good reason. Rather, what you want to concentrate on is the code that makes your application different and reuse as much code that is already there as possible.
@Kerensky97 ":rolleyes:
Yes less third party code on apple could be a good thing. On the other hand it may be a sign that Apple doesn't allow developers to do anything out of their very restrictive bounds, and that Android developers have more freedom to "think outside the box" and improve on the platform."
(Without rolling my eyes back at you ;-)
Apple only restricts code that undermines security or functionality of its products. All others are allowed after review.
To me that's a good thing. But if you prefer no one looking out for your security or user experience, then that's your choice.
@maty
I know how you feel. Originally, I wanted an app that ONLY found lost / stolen phones. However, there is no such app. And, though I haven't needed the Antivirus yet, it's not a bad idea to have it around. You don't HAVE to use the antivirus.
Lookout does 3 things:
Antivirus, Data backup to server at mylookout.com (your choice of a combo of contacts, call logs, or pictures), and also phone location (locate by gps and get email, or make phone scream).
It also has a wipe function.
But you don't have to use all the functions. You can take your pick. If I had to guess about the SMS permission, I would think it's somehow related to the locate or backup function.
It mi
@ViewRoyal
You are probably not a developer so you have no idea what you are talking about. There are just a lot more java libraries available than objective-c. So it is logical that android apps use more 3rd party library - there are just a lot more java libraries available. That is just an advantage of Android developer. So that number has nothing to do with how smart or how much freedom android app developers have. For that you have to compare quality and creativity of apps.
@WhatDoIKnow
It's true that there are more libraries available for Java. But in real life, users are more concerned with the quality of the apps they use than the codebase that was used to develop them.
@beatsandmelody If you're on android, try where's my droid.
Also, antivirus software is useless on the android os
@fpad77: Hahaha. They should have titled this post as follows:
"Lookout confirms Android is open. Shares all of your data with criminals unknown."
If not, "Android is for @ss clowns" is always a safe bet.
@maty
Lookout's app also has backup/restore functions, that's why it needs access to so much stuff. You can disable whatever you want within the app, though.
So much for open source
@MoonWalkerCTE More like open-sores
@MoonWalkerCTE
you're an idiot
On android it tells you what will be accessed but on the closed iOS it tells you nothing
@DefPoet Word I agree 100% but I read them, you read them. Does anyone non-savvy read them? I would imagine that no iphone users ever would if they were there.
@MoonWalkerCTE
Or any sort of intelligence shown by users who download wallpapers that have full internet access even though they were fully warned by the open source OS you're bashing. BTW, if you read the article, you'd learn it happens in Apple's closed garden as well...but that OS doesn't bother to tell you.
@DefPoet
On iOS a wallpaper application that accesses that kind of data and uploads it would never have been approved in the first place. That kind of abuse is ridiculously easy to spot.
@DefPoet Look at you calling me the idiot. iOS 4 and previous versions of iOS have always asked for your permission. And in iOS 4 you can also see when it is being used.
@MoonWalkerCTE
What does open source have to do with it?
@MoonWalkerCTE
"If you're an iPhone user, the only privacy notice you'll see from an app regards your current location -- as much a warning about the associated battery hit from the GPS pinging as anything."
RTFA idiot!
@drange
Hah! Yeah, like a 15 yr old kid can't get a tethering program past Apple's rigorous standards!
@drange
What like that coloured flashlight app that actually allowed tethering wasn't approved? Oh wait it was!
@drange
http://thenextweb.com/apple/2010/07/05/app-store-app-farm-steal-your-money/ hmmm stealing info or stealing money -_-
also
http://www.zdnet.com/blog/hardware/i-am-rich-iphone-app-a-steal-at-99999/2368
That alone invalidates every single app argument
@MoonWalkerCTE
Permission to install, and what access rights an app has, are two different things fanboi.
@drange
"On iOS a wallpaper application that accesses that kind of data and upload it would never have been approved in the first place. That kind of abuse is ridiculously easy to spot."
WRONG!
Remember a couple of weeks back? The coloured "flashlight" that actually was a USB tethering app? Yeah, an app that was supposed to show coloured blinking lights but had deep access to your phone's data and could reroute it to an attached device or wherever it wanted. Apple didn't know until Engadget reported it. So don't be too sure about their vetting process.
@DefPoet
The first link is about hacked iTunes accounts being exploited and the second was a program that didn't do anything at all, not even steal your data. The developer of the former case has been blocked completely and in the latter case the app was pulled. What exactly is the point you're trying to make with these 2 examples?
@PookiePrancer
@fais
Yes that app was a screwup by Apple and should never have been approved, but let's not forget that it got pulled within a week or so.
Compare that to the masses of Android users who don't read or heed any of the warnings about access to private data, which effectively means loads of people have their data exposed without anyone ever doing shit about it 'because they allowed it themselves'.
Net result that one store tries to protect ignorant people (which are many, if not most people) and sometimes fails doing that, the other store tries to warn ignorant people so they can make an informed choice to get raped of their private data. You decide which one of the two methods is better for yourself, my guess would be the App Store model.
@fais That didn't steal my personal data though
@MoonWalkerCTE
Sorry dude, but you proved yourself to be the idiot once more. If you had read the article and/or owned an iPhone or iPod Touch, you would know that the only permission an app asks for is your location, that's it.
On Android though, BEFORE YOU INSTALL the app, you get a full breakdown of every single area of your device the app will have access to.
So if you were to download a wallpaper app and it says it wants access to your contacts..... Something is definitely fishy.... and THAT, is the power of open source.
@Tes A hidden feature is better than something secretly stealing your personal data.
The title of this headline should be: Android wallpaper app that steals your data was downloaded by millions
@MoonWalkerCTE
Er...that's not the point and if you THINK that's the point you're not really worth discussing this with. The point is Apple DIDN'T see code it ordinarily wouldn't approve of in an app. They ASSUMED it would need no internet access so didn't check what it did access. That fact alone says any number of apps in the app store could ALSO have access to TCIP protocols on your phone, data packets that you don't want anyone seeing and be able to re-route it to places you're unaware of.
@Plazmic Flame So users have to read 200 words to know if this app is malicious or not? I don't know about you but I currently have 262 applications on my iPhone and I don't think I would want to read through every app.
@DefPoet Someone charges a lot of money for a stupid app, and that is "stealing"? No. That's stupidity on the user part, but not stealing.
@DefPoet You have other comments here I would like to argue with, but I just can't keep up. Let's just say, Android is perfect for someone like you. You make apple fanboys look tame.
@DouchePoet
oh mocking someone's name on the internet real mature!
rock on bro btw I use whats best for me at the time
I have no allegiance to a stupid company that only wants your money which btw is every single company that has/does/will exist
@MoonWalkerCTE Where are you getting 200 words from? Either way, if you don't want to read it, that's fine, but if someone gets their personal info sent overseas by a flashlight or something, that's the fault of user stupidity on Android, not Google.
@MoonWalkerCTE
200 words? more like 20 for each app
and if you would rather not know about what an app has access to that qualifies you as a sheep
@DefPoet
But what about those that just want more more gee-bees? LOL.
I think there's a reason Android is attracting mostly the geek power users and the iPhone is attracting both the gen and pro consumer. One company tries to protect users by vetting its store from such apps and the other is *open* to whatever. Is Google even doing anything about those Apps that steal your voicemail password, text message?
@dave95
Read this and stop eating Engadget FUD.
http://phandroid.com/2010/07/29/another-app-stealing-data/
There is no stealing of voicemail or voicemail passwords, SMS messages or your browsing history.
@Tes
on a side note
http://online.wsj.com/article/BT-CO-20100729-703774.html
Japan pwns apple!
@drange
But you missed the point once again: APPS ON THE APPLE APP STORE ARE DOING THE SAME THING! The difference is, you never got to make an informed decision; Apple keeps you ignorant, not protected.
"That fact alone says any number of apps in the app store could ALSO have access to TCIP protocols on your phone, data packets that you don't want anyone seeing and be able to re-route it to places you're unaware of."
@Tes
Possibly, but this is all still only talking about hidden network access, which in itself does not allow sending private data from your phone, since the app would require access to said data first. Now, on iOS there should be only one way of accessing *any* data stored on the phone but outside the application sandbox, and that is through API's that are easily caught by the API scanning that Apple performs on every binary. I'm not saying this method is infallible, but the fact that a flashlight app that uses the TCP stack slipped through, does not automatically mean that a flashlight app that wants to snoop around outside its own sandbox would also have slipped through.
The simple fact remains (and that's my whole point here): any app store has a risk of malicious apps slipping through and doing nasty things to personal data. Android tries to stop it at the user level, assuming that users are careful what they allow apps to do. The amount of Windows malware and viruses has proven that this logic is flawed. Apple tries to stop malicious programs from getting on your phone in the first place. This method might fail sometimes, but at least the app can be pulled as soon as somebody finds out it is rogue, so other users won't be affected.
@DefPoet On iOS, you don't need to worry about warnings because uncle Jobs is working to keep you safe unlike Android.
@PookiePrancer
No, you are misinterpreting the data. It only says something about how many apps do that kind of stuff. Not how many apps do it while they're not supposed to do so. For all I know, there's simply more apps in the App Store that do useful stuff with your contact list or calendar or whatever, there's no way saying anything about the amount of malicious applications based on the data in this article.
@PookiePrancer
By the way, I would be much, much more worried about apps that pull in third party code than apps that steal my contacts. If someone finds out my moms phone number, well that's bad but not terrible. If someone manages to remotely turn my phone into a botnet node or have it make random calls or whatever, now that's a real problem.
@Unverified User
Dug. No I didn't. I never said anything about how the data is used.