As more and more information about the leaked celebrity ‘nudes’ comes to light, the picture only gets worse. From security issues at Apple to questions about cloud storage in general, all of it is starting to be written about. As yet no competitor has used this to its advantage, but it goes without saying that they have all combed their own systems to make sure it couldn’t happen to them. The fact of the matter, however, is that it very easily could. On Android it could happen even more easily, is without doubt happening, and all of it undetected.
This attack was not a one-off action; the group responsible is believed to have formed on the /stol/ forum of the image board AnonIB. In fact the ring at the heart of the exposed pictures had already been active for at least two years, planning to mine pictures and information from Android handsets easily and without detection. There was no complex brute-force attack; it was done simply by cloning Flappy Bird!
The hackers, or anyone for that matter, could upload a version of any app to the Google Play Store laced with malware. Such apps often exploit users’ naivety about Android permissions and so gain access to a wealth of information. They would eventually be picked up by Google Play monitoring, but a huge amount of data could be transferred to remote servers in the time before Google pulled the app.
The AnonIB board has since been taken offline, but The Guardian uncovered postings from an anonymous user dating back to late July, going into great detail about how he had developed a malware copy of the Flappy Bird game, altering the app to exploit app permissions and give anyone access to photos and other information.
“I am a f**king genious [sic]… Hear me out. I.. modded… the app,” the developer explained. “It now secretly downloads all of the phone’s pictures to my server when the game is running. The problem is this – it’s a violation of Google Play developers license to publish sneaky apps like that, and I REFUSE to risk my license over it.” He then asked for financial support to make a second Google Play developer account and promised to “post any wins [stolen photos] obtained in this thread”. – /stol/ “hacker”
This is all too easy on an open platform like Android, with Google fighting a constant cat-and-mouse game policing its own app store. Any app that creates a level of buzz and a user following seems to be cloned and republished hundreds of times, with many ‘developers’ just wanting a slice of the advertising revenue the game generates. Many clones, however, have a far more sinister end result.
Permissions are a wider issue for Android and one that Google is well aware of. It has taken steps to fix the problem by making permissions easier to understand, but at the same time harder to find. This is a huge issue for Android and one that should be addressed in the upcoming ‘Android L’.
Google did attempt to introduce permissions in a similar way to Apple’s iOS, giving users the ability to grant or deny requested permissions in the current version, ‘KitKat’, only to pull the feature later, receiving heavy criticism for doing so.
What is the correct model? iOS is usually held up as the design to follow for good permissions management, as it strikes a compromise between the permissions an app requests and those the user actually grants.
An iOS app can request all the permissions it desires, albeit from a more limited list than on Android. Whether they are granted rests solely with the user.
There is certainly a similar argument on Android, but there, if a single permission is not wanted, the whole app cannot be installed, whereas on iOS the app can still be used, just without that functionality. I can still install Facebook Messenger but grant it only the permissions I want the app to use, not the almost draconian list it demands on Android.
Although hailed as the perfect permissions system, iOS still needs improvement. For example, granting an app permission to use your location gives it access to your location all the time, not just while you are using the app. So there is no perfect option short of closing off the whole system. At last, however, we are in a situation where Apple and Google are fighting over who can keep your data safest!
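As an added example (not code from the original post or from any of the apps it names), here is a small Python triage script of the kind a store reviewer or a user could run over a clone’s AndroidManifest.xml before the all-or-nothing install grants everything at once: it parses the declared `<uses-permission>` entries, compares them against an assumed baseline for a simple game, and flags the storage-plus-network pairing that lets a modded game ship photos to a remote server. The manifest and the baseline set are constructed for illustration.

```python
"""Triage the permissions a game declares in its AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: what a simple offline game plausibly needs.
GAME_BASELINE = {
    "android.permission.INTERNET",  # ads, leaderboards
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
}

# (data-access set, network set): one of each lets an app ship the
# user's data off the handset while the game is running.
EXFIL_PAIRS = [
    ({"android.permission.READ_EXTERNAL_STORAGE",
      "android.permission.WRITE_EXTERNAL_STORAGE"},
     {"android.permission.INTERNET"}),
    ({"android.permission.READ_CONTACTS"}, {"android.permission.INTERNET"}),
]

def declared_permissions(manifest_xml):
    """Return the names found in <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml, baseline=GAME_BASELINE):
    """Flag permissions outside the baseline and data+network pairings."""
    perms = declared_permissions(manifest_xml)
    exfil = [sorted(data & perms) for data, net in EXFIL_PAIRS
             if data & perms and net & perms]
    return {"declared": sorted(perms),
            "excess": sorted(perms - baseline),
            "exfil_risk": exfil}

# Constructed manifest for a hypothetical Flappy Bird clone (not a real app).
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flappyclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(CLONE_MANIFEST))
```

Run against the constructed manifest it reports two permissions a game has no use for and two exfiltration pairings; drop the INTERNET line and the pairings disappear, which is the point of treating storage and network access as a combination rather than in isolation.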