“[Last week] we published a blog post lauding an extremely important app privacy feature that was added in Android 4.3,” Peter Eckersley writes for Electronic Frontier Foundation. “That feature allows users to install apps while preventing the app from collecting sensitive data like the user’s location or address book.”
“After we published the post, several people contacted us to say that the feature had actually been removed in Android 4.4.2, which was released earlier [last] week,” Eckersley explains. “We installed that update to our test device, and can confirm that the App Ops privacy feature that we were excited about yesterday is in fact now gone.”
MacDailyNews Take: Wow! You actually updated an Android device? Rare move. Congrats!
“When asked for comment, Google told us that the feature had only ever been released by accident — that it was experimental, and that it could break some of the apps policed by it,” Eckersley writes. “We are suspicious of this explanation, and do not think that it in any way justifies removing the feature rather than improving it. Many instances of apps ‘breaking’ when they are denied the ability to collect data like a location or an address book or an IMEI number can easily be fixed by, for instance, giving them back a fake location, an empty address book, or an IMEI number of all zeroes. Alternatively, Google could document for developers that these API calls may fail for privacy reasons. A good hybrid would be to use fake data for old versions of the Android API and cleanly defined Java exceptions in the next API level. As with many other changes that occur across Android devices and Android versions, some app developers might have to do minor updates to keep up.”
“The disappearance of App Ops is alarming news for Android users,” Eckersley writes. “The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people’s data is being sucked through. Embarrassingly, it is also one that Apple managed to fix in iOS years ago.”
MacDailyNews Take: “Open” wide, settlers of fragmandroid!
“We’re not sure what to say to Android users. If app privacy is especially important to you — if, for instance, you want to be able to install an app like Shazam or Skype or Brightest Flashlight without giving it permission to know your location — we would have to advise you not to accept the update to 4.4.2,” Eckersley explains. “But this is also a catastrophic situation, because the update to Android 4.4.2 contains fixes to security and denial-of-service bugs. So, for the time being, users will need to chose between either privacy or security on the Android devices, but not both.”
Read more in the full article here.
MacDailyNews Take: Here’s a better idea for Fragmandroid settlers who are tired of being personal data generators for Google: Just go get the iPhone you tried, but failed, to approximate and be done with it!
Life is best on iOS.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010