Tuesday 13 November 2012

Big Brother? Sits right on your mobile


[The image above has nothing to do with this post, but it seemed to be fitting, given the latest developments. This post is all about trust]

In this age of free(mium), it's common knowledge that you pay with your privacy. Facebook is the best (or should I say worst) example of the dance around your data, yet there are many more tools that you use, which have access to everything that you carry with you: all the data on your phone. Not only can they read that, they can also change it - and even "impersonate" you

Some applications do need this very deep trust level, e.g. virus scanners and applications such as Androidlost. Others absolutely do not do so, like Skype, Google Plus, LinkedIn and Facebook. Interested to see what they can do to the contents of your phone? You'll be in for a surprise, or should I say, shock

Let's start with the virus scanner, e.g. Bitdefender

BitDefender can access:

  • Your personal information: read browser's history and bookmarks, write browser's history and bookmarks, read contact data, write contact data, read sensitive log data
Your entire browsing history is available, and they can change it too. Understandable if there's a bogus link to an malicious website. Read contact data? write, even? All that seems trivial when compared to what the sensitive log data gives away:
Allows an application to read the low-level system log files. Log entries can contain the user's private information, which is why this permission is not available to normal apps
Well, fair enough, a virus scanner isn't a normal app. So let's just trust 'm, hey?
  • Services that cost you money: directly call phone numbers, and SMS messages
  • Your location: coarse (network-based) location, fine (GPS) location
  • Your messages: edit SMS or MMS, read SMS or MMS, receive SMS
  • Network communication: create Bluetooth connections, full Internet access
  • Your accounts: manage the account list, use the authentication credentials of an account
  • Storage: modify / delete SD card contents
  • Phone calls: read phone state and identity
  • Hardware controls: change your audio settings
  • System tools: change network connectivity, change Wi-Fi status, display system level alerts, modify global system settings, prevent phone from sleeping
  • Your location: access extra location provider commands
  • Network communication: Google Play billing service, receive data from Internet, view network status, view Wi-Fi status
  • Your accounts: discover known accounts
  • System tools: automatically start at boot
The last four are at the bottom of the list, and available via "Show All". Here's what BitDefender says their app can do, and let's just suffice to say that they leave out a few. The most burning questions get answered; your account access is necessary for signing in into BitDefender via e.g. your Google Account (so much for oAuth, I guess). Reason for write access to contacts? Absent. Location access? "necessary to get the best possible location" - I bet ya! The SMS stuff is needed for SMS-controlled management of BitDefender, they say, along with making phone calls

Let's face it: to be protected at all levels, you need read access to all levels. In order to be able to remove malicious software at all levels, you need write access to all levels. Still leaves a few questions unanswered, but hey

Let's check out what Skype can do, shall we? Whatever is extra (yes, you read that right) to what BitDefender can do, is in bold. Whatever is duplicate, is italic. Whatever is not used, is in regular font

  • Your personal information: read browser's history and bookmarks, write browser's history and bookmarks, read contact data, write contact data, read sensitive log data 
  • Services that cost you money: directly call phone numbers, and SMS messages
  • Your location: coarse (network-based) location, fine (GPS) location
  • Your messages: edit SMS or MMS, read SMS or MMS, receive SMS
  • Network communication: create Bluetooth connections, full Internet access
  • Your accounts: manage the account list, use the authentication credentials of an account
  • Storage: modify delete SD card contents
  • Phone calls: read phone state and identity
  • Hardware controls: change your audio settings
  • System tools: change network connectivity, change Wi-Fi status, display system level alerts, modify global system settings, prevent phone from sleeping
  • Network communication: Google Play billing service, receive data from Internet, view network status, view Wi-Fi status
  • Your accounts: discover known accounts
  • System tools: automatically start at boot
And the following are extra:
  • Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticator, read sync settings, read sync statistics, send sticky broadcast, control vibrator
So Skype can pretty much do all that my deeply trusted virus scanner can? Granted, it can't access my browins history, nor SMS and MMS, nor bill me via Google Play.
But Skype has almost the same deeply trusted access to my phone? Why? why on earth? To use the Internet in order to connect to someone else? That's ridiculous

Even worse, it can retrieve all running applications, read my synchronisation settings, and even impersonate me! Here is what that last fine setting really can do:
Allows an application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords
What?! Skype has access to my password?! And can even change it?!!!
Yes, Skype has access to my password, and can even change it. It can also create accounts on my phone. Do you use Skype? Happy with it? Still happy?

 How about google Plus then? We'll run the same exercise as before: bold, italic and regular. This time, I've added the full permissions that Skype has as a baseline


  • Your personal information: read contact data, write contact data 
  • Services that cost you money: directly call phone numbers
  • Your location: coarse (network-based) location, fine (GPS) location
  • Network communication: create Bluetooth connections, full Internet access
  • Your accounts: manage the account list, use the authentication credentials of an account
  • Storage: modify / delete SD card contents
  • Phone calls: read phone state and identity
  • Hardware controls: change your audio settings
  • System tools: change Wi-Fi status, modify global system settings, prevent phone from sleeping
  • Network communication: receive data from Internet, view network status, view Wi-Fi status
  • Your accounts: discover known accounts
  • Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticator, read sync settings, read sync statistics, send sticky broadcast, control vibrator
And the following are extra:
  • Read subscribed feeds, write subscribed feeds, read your profile data, write to your profile data, read your social stream, write to your social stream, set wallpaper, download files without notification, control flashlight, read Google service configuration,  receive data from Internet
Needless to say, the permissions are similar, yet go even deeper. Google plus apparently doesn't feel the need to retrieve my running applications, nor to read my synchronisation statistics, but lo and behold, even Google Plus doesn't need to act as an account authenticator. But I guess that the access to Google service configuration, along with reading and writing to my profile, make up for that. Hard to tell, really, from the tech documentation they provide.
Who's in charge here? I most certainly am not. All my personal data is up for grabs, all my friends, all private messages, everything - p0wned by Google. Download files without notification? Who cares about that when you've granted access like the above...

Are you up for the last one? LinkedIn - let's see what they require, or at least, acquire. Again, Skype is the baseline

  • Your personal information: read contact data, write contact data 
  • Services that cost you money: directly call phone numbers
  • Your location: coarse (network-based) location, fine (GPS) location
  • Network communication: create Bluetooth connections, full Internet access
  • Your accounts: manage the account list, use the authentication credentials of an account
  • Storage: modify / delete SD card contents
  • Phone calls: read phone state and identity
  • Hardware controls: change your audio settings
  • System tools: change Wi-Fi status, modify global system settings, prevent phone from sleeping
  • Network communication: view network status, view Wi-Fi status
  • Your accounts: discover known accounts
  • Disable key lock, retrieve running applications, write sync settings, record audio, take pictures and videos, act as an account authenticatorread sync settings, read sync statistics, send sticky broadcast, control vibrator
And the following are extra:
  • Read calendar events plus confidential information, receive data from Internet
Well that's all folks! Glad to see that it is default for these three applications to not only read, but also write to your contacts. And access your profile data in some intrusive manner, one way or the other. And identify you by real name and number, by accessing your phone identity. Oh, and manage your synchronmisation settings for you, that really is required for all these apps, isn't it?

Facebook? Same as the others. In fact, not nearly as bad as I thought it would be - but just as bad as the others

Listen up. You might be upset by what goes on in this world. You might be protesting new government laws, so-called anti-terror ones, or you might be standing on the barricades for who knows what request for information on your private life that you just don't deem necessary.
But do you give applications like these even more than a mere glance?
Don't you just install them, without reading what they do?
Or do you read what they want, but don't read the fine print?

I'm sure you'll do much more than that, after this post. Let me make a prediction: mobiles and phones are becoming, and have already become, so darn cheap, that people will carry two of each in the very near future: within the next 2-3 years. Not all people, but those who can afford an extra $100 for a burner phone or burner tablet, will get one. Burner meaning that it contains nothing private.
Then, still, the question remains which apps to use. Well, I predict that the app usage will quickly diminish, actually. Why download an app for an application that you only use online anyway? Why download an app to actually use an application that you only use via a browser when you're sitting behind your laptop?

The answer is simple: you might (and highly likely do) not need to, but it's given to you for free. How's that hey? Marvellous... isn't it?
op Tuesday, November 13, 2012
Labels: , , , , , , , ,

0 reacties:

Post a Comment

Thank you for sharing your thoughts! Copy your comment before signing in...

Subscribe to: Post Comments (Atom)