[OT] Re: HTC Android handsets spew private data to ANY app

[Oleg Goldshmidt]

NB: marked [OT] in subject, I believe in conformance with an earlier
discussion on Android topics on Linux-IL (that I am too lazy to dig up
a link to in the archives).

On Tue, Oct 4, 2011 at 6:29 PM, sara fink <sara.fink at gmail.com> wrote:

> Why -and when - did HTC "decide" to log user activity? Surely that's a
> breach of privacy?

Not in itself. It's logged locally, on your device And it is not
particularly unusual. The problem is that the context is different
from what we (Linux users) are used to.

Any system records user activity. UNIX/Linux has logs, last(1), shell
history, process audit, etc., etc. Your browser has a history. One can
go on and on.

We all hope that a random user level application does not collect
information from those logs and send it to the internet. In some cases
it is forbidden by security measures (e.g., /var/log/messages cannot
be read by applications without privileges). In some cases, the only
recourse is audit (by whatever means necessary) or trust.

Assume you install a binary application written by John Q. Malicious
(or Skype/Microsoft, just to stir things up a bit :) - as a regular
user. And you run it as you. Nothing (nothing a casual user is capable
of, that is) will prevent this application from reading your shell
command history, browser cookies and history, your ~/.ssh/id_rsa, etc.
All of those are readable by you, and by running the application you
gave it your credentials. If it sends packets to the internet without
you noticing it, it's your problem. if your computer is
employer-provided and you are clueless then you installing random
software on it is the sysadmin's headache.

The problem with smartphones that some sensitive information is
available to regular users. When you install Android applications, you
are supposed to check what facilities it can access. E.g., a reminder
application has a reasonable need to access your contacts (you want to
look up a contact when making a reminder to call him) and phone state
(don't interrupt phone calls, light up the display if it is dark,
etc.). It probably does not need to access internet. Did it ask at
installation time? Did you say yes? Have you checked that it doesn't,
in fact, access the internet and send all your contacts to
telemarketing providers or to Hezballah?

If this is a package that provides location information to something
like Waze needs to access the network and your location info. If you
install and enable it it is assumed you understand the risks.

The problem with (some) HTCs was that it opened the logs to everyone
regardless of permissions (if I understood correctly). A related
problem is that so many apps are ad-funded (which is not common on
Linux) and thus request internet access - to get the ads - that they
wouldn't need otherwise. And people used to installing stuff by
clicking "next" repeatedly don't stop and think.

Oh, and something named androidvncserver.apk and installed by default
by HTC does look scary...

-- 
Oleg Goldshmidt | pub at goldshmidt.org