Android Platform Getting More and More Risky @falkvinge @gappsupdates @airbnb @mxdataapps #nsa #gchq #angrybirds #permissions #snowden #gnu #copyleft

It’s no longer news that the NSA and GCHQ are using ‘leaky apps’ such as Angry Birds to gain access to people’s data on their mobiles. That I can write that with conviction and that it is considered the ‘new normal’ is disturbing enough in itself.

Additionally, there are more and more malware attacks on Android, and it seems that there are more and more banking trojans that are stealing people’s money through their phones.

As if all that weren’t enough, developers aren’t doing themselves any favours. Here is the new set of permissions required by the AirBnB app:

Screenshot from my phone.

Notice that AirBnB now needs permission for “Your social information”, including “Read your contacts”. Here’s what that permission looks like:

Screenshot from my phone.

In essence, AirBnB seems to be saying that it needs access to all that information – who I have stored, how often I call, email, or otherwise communicate with them, and they want to be able to save contact data as well! Note that Google properly warns that malicious apps could share this data without me knowing it.

While I’m inclined to believe the best of AirBnB and suggest that they want this permission to make it easier for me to get the contact information of people from whom I might be renting a flat, it strikes me as odd that the permissions are so broad. (Also, that they think they need to ‘Save me from myself’ in however much effort and time it might take to type in a flat renter’s number.) One does not need ‘leaky apps’ like Angry Birds when the regular apps will now just hoover up your contact data for anyone else that wants it!

I wrote to AirBnB on Twitter regarding this issue, and they mentioned that they’d send it along to the responsible party internally, and then they never responded again. (To be fair, I haven’t followed up a second time.)

It’s not just AirBnB either. I have an app for the London Underground (subway) called “Tube Map”. On attempting to update it today, I got this:

Screenshot from my phone.

If you’ll look carefully, it says that it now requires permissions to “RECORD_AUDIO”. Here’s what that looks like:

Screenshot from my phone.

In essence, the Tube Map application could, at any time, switch on my microphone and record the audio around it.

The best is the explanation of why this is needed, from the screenshot prior:

“These are used by some of our advertisers to allow you to interact with ads via voice commands…”

As if I would want to interact with ads through the microphone! Or at all!

I understand (and accept for my free map app) that there will be adverts, but that they think I will suddenly want the microphone accessible to not only their app but to 3rd party advertisers(!) is astonishing.

Stop and think about this though:

This is a spy’s wet dream.

Rick Falkvinge, in his post entitled “What Came True of Dystopic Predictions of the 1950s – and What Didn’t”, notes with reference to George Orwell’s “telescreens” in the novel 1984 that, rather than our having had to worry about a repressive government installing telescreens in everyone’s homes:

“We bought and installed the cameras ourselves.”

At the time I had thought about this with respect to laptops; it occurred to me later that phones are a much more insidious method of doing this. Given what I’m seeing in my phone as of late, what might have been paranoid conspiracy theory even 18 months ago is now something that we legitimately must question in the post-Snowden era.

What’s the remedy to this situation?

First and foremost, read the permission screens on your apps. It’s tempting to bypass them, but as you’ll see from just these two examples, app developers are increasingly taking advantage, and you can easily stop them (at least on Android) by paying attention to these screens. Unlike End User License Agreements (EULAs), these screens are not jargon-filled, and Google does a good job of showing in clear language what is changing and what it means.

Second, there is an app called “Permission Friendly Apps” that will audit the applications on your phone. The app itself requires no permission and contains no advertising, and is free. It’s a great example of how free software (the app is published under the GNU GPL 3) which is both free as in beer and free as in speech can be used to combat the rising tide of civil liberties encroachment.
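
The same check can be scripted for an app update: compare the permissions requested by the old and new versions and flag the sensitive ones that were added. This is an added example, not code from this post or from “Permission Friendly Apps”; it assumes permission listings in the style printed by `aapt dump permissions`, and the package name, sample listings and the short list of sensitive permissions are constructed for illustration.

```python
import re

# Permissions of the kind this post discusses (contacts, microphone).
# The selection is an illustrative assumption; extend it as needed.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.WRITE_CONTACTS": "modify or save contact data",
    "android.permission.RECORD_AUDIO": "record audio via the microphone",
}

# Accepts both listing styles: "uses-permission: NAME" and
# "uses-permission: name='NAME'" (and the -sdk-NN variant).
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([A-Za-z0-9_.]+)")

def parse_permissions(dump):
    """Return the set of permission names requested in a permission listing."""
    perms = set()
    for line in dump.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def review_update(old_dump, new_dump):
    """Diff two listings and flag newly requested sensitive permissions."""
    old, new = parse_permissions(old_dump), parse_permissions(new_dump)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "flagged": {p: SENSITIVE[p] for p in sorted(added) if p in SENSITIVE},
    }

# Constructed sample listings for a hypothetical package (not real app data).
OLD_DUMP = """package: com.example.tubemap
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""
NEW_DUMP = """package: com.example.tubemap
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: android.permission.READ_CONTACTS
"""

if __name__ == "__main__":
    for perm, meaning in review_update(OLD_DUMP, NEW_DUMP)["flagged"].items():
        print(f"NEW sensitive permission: {perm} ({meaning})")
```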
