Can you trust Android apps?

Can you trust Android apps?
Some apps can be overzealous in their requests for permissions

Our phones contain all kinds of important data, from our address books to our current location - and we expect that information to be used by our apps on a need-to-know basis.

So why does the Android version of the WinAmp music player want access to pretty much everything?

Every Android app has a manifest, which lists the data permissions it needs. WinAmp's one is a doozy: it wants to access the cellular network database to access your approximate device location, to access the GPS system to get your precise location and to view log files that can reveal how you use your phone.

It's not the only one, either: another player, MixZing, wants to access the approximate location of your phone as well as access the phone features, which could potentially reveal your phone number and serial number, what number you're connected to if a call is active, and so on.

That's the kind of data spyware tries to capture. Why would music players want it?


SPY AMP: WinAmp's wish-list of permissions includes GPS data and sensitive log files

We asked Peter Jeffe of SocialMuse, MixZing's creator. "We're about to release a major social feature that lets you browse other users' music libraries, follow them and get updates and so on," he says.

"That's what the coarse location permission is for. In fact, we're adding fine location in the next release to let people locate themselves on the map, but it's important to note that we randomise users' locations in any case - so no-one can pinpoint a user to a specific location... we may allow users to show their precise location to friends, but we haven't decided that yet."

And the phone status? "We need to know the phone state so that we can properly handle controlling the music when calls start and stop." The same, presumably, applies to WinAmp.

Fear vs forward planning

Isn't there a danger that by allowing for features that haven't been implemented yet, developers' permission requests could alarm users?

"Well, it is a balancing act, but that's the nature of it," Jeffe says. "I think the transparency for the users is important." MixZing doesn't hide its permission requests; like other Android apps, it tells you about them when you install it - and if you're not happy, you can simply quit the installer. That's certainly more transparent than Apple's approach, where you have to hope that the App Store reviewers spotted any nasties.

"I think most people rely more on the reputation of an app," Jeffe says. "I know that I don't look too hard at popular apps, on the assumption that they wouldn't do anything to jeopardise their hard-won position in the rankings, and I'm betting that's a common approach."


FORWARD PLANNING: MixZing wants to use location awareness for future social networking features

Privacy isn't an Android-specific problem - at the time of writing everybody in iPhone-land is piling on Color, which was designed specifically to data-mine people's social interactions - but it's still cause for concern.

Lookout's App Genome Project, which aims to identify security threats, found that 28% of free Android apps could access your location compared to 34% on iPhone; and where 7.5% of free Android apps could access users' contact data, that rises to 11% on iPhone.

However, Android apps do make more use of third party content such as advertising networks: nearly half of Android apps use such code compared to around 20% on the iPhone.

What lies beneath

Reputable firms' apps probably won't go sniffing for data, but that doesn't mean no apps will. Last year, security firm SMobile's Android analysis found that one in five apps "request permissions to access private or sensitive information that an attacker could use for malicious purposes... 29 applications were found to request the exact same permissions [as] known spyware".

As SMobile pointed out, while the majority of such apps were undoubtedly benign, "there is no means available for a user to know for sure that the app they just downloaded is only doing what the user sees it doing."

There is now - or at least, there is if you don't mind fiddling. Researchers from Intel Labs, Penn State and Duke universities created TaintDroid, which finds out what apps are up to. Their own tests found that of the 30 major applications they tested, half of them transmitted data without users' knowledge, in some cases including telephone numbers and even IMEIs, the numbers unique to each phone. The researchers have now released the source code and instructions explaining how to compile it.

If you stick to reputable apps and read the small print when you install, you're unlikely to encounter any significant problems - like Apple, Google has a remote kill switch for dodgy apps - but if you're still worried, you can install an app to make your data useless to the data miners.

Privacy Blocker is a two-stage solution: first, it finds out what data apps are trying to transmit; then, it takes that data and replaces it with nonsense.

Carrie Marshall

Writer, broadcaster, musician and kitchen gadget obsessive Carrie Marshall (Twitter) has been writing about tech since 1998, contributing sage advice and odd opinions to all kinds of magazines and websites as well as writing more than a dozen books. Her memoir, Carrie Kills A Man, is on sale now. She is the singer in Glaswegian rock band HAVR.