Google: Android Wallpaper Apps Were Not Security Threats
Remember those "data-mining" Android wallpaper apps -- the ones that set off a storm of media coverage when a security company claimed they were "suspiciously" collecting user data?
Google has just finished its investigation into the applications, and it's found they were doing nothing that put users at risk.
The Android Wallpaper App Fiasco
The Android wallpaper apps first entered the spotlight when mobile security firm Lookoutdiscussed them during a presentation at the Blackhat security conference last week. Lookout, which markets an app-scanning utility for Android phones, said the programs were "gathering seemingly unnecessary data" from users' devices.
The apps, it turns out, were accessing users' phone numbers, subscriber ID numbers, and voicemail numbers. According to their developer, the information was being used to identify devices and track users' preferences. Other Android programmers confirm that this explanation does make sense, though they're quick to point out that the same effect could be achieved in a far better -- and less data-intensive -- way.
The story spun out of control when tech blog VentureBeat published a reportmisstating Lookout's findings. VentureBeat errantly reported that the apps were accessing users' browsing histories, text messages, and passwords. It insinuated that the programs were "stealing ... personal information."
Countless other blogs picked up on the report, and the incorrect info spread like wildfire around the Web. Suddenly, a story of some apps accessing more permissions than they needed to turned into a horror tale of evil criminals hacking into phones and harvesting sensitive data. The latter, despite the attention-grabbing headlines it helped create, simply did not occur.
[See Related: Verizon's Droid X: 12 Apps to Get You Started [This story is from the new Android Power blog at Computerworld. Follow@AndroidPower on Twitter or subscribe via RSS to make sure you don't miss a beat.]
Google's Android App Investigation
So that brings us up to now: Shortly after the storm of coverage began, Google stepped in and pulled the apps from the Android Market to investigate. That investigation has concluded, and Google has determined the wallpaper apps were not acting maliciously or posing any threat to users' security.
"The developer's applications have been reviewed and the suspension has been lifted," a Google Android spokesperson confirmed to me.
The Android team gave the developer some suggestions on improving his apps. Their goal was to guide him through achieving the same preference-storing functionality he had in place without accessing unnecessary information -- the same thing other developers had suggested when we first looked into this story.
App Security and Android Market Implications
Now, some commenters have misconstrued my original remarks to mean that the developer in question "sound[ed] OK to me" but that "this indeed [was] a guy hacking into our cell phones and taking whatever information he want[ed]." This could not be further from the truth, and it could not be further from what my initial analysis of the situation actually stated. What I said was that the reality of this situation had been blown up out of proportion, thanks largely to the initial misreporting of the facts. There was no hacking involved, and no one was ever in a position to "take whatever information he wanted."
Rather, what we had was a developer who accessed more permissions than he needed to in order to achieve a function in his applications. These permissions were openly accessed through Android's permission architecture, and users downloading the applications were informed that the permissions were in place.
In the big picture, there is room for improvement. While Android's permissions system does alert users to what types of data an application is authorized to collect, it doesn't exactly do so in an easy-to-understand or user-friendly way. More could be done to make it crystal clear what each permission means and specifically why an application is requesting it. Hopefully, this is something we'll see improve as Android and the Android Market continue to mature.
Painting this instance as an earth-shattering security threat, though, is misunderstanding what actually happened. And suggesting that Google lock down its Android Market and require preapproval of all programs as a result is misunderstanding what the platform is all about.