
Comment: Re:Permissions (Score 3, Interesting) 143

by pd0x (#39688109) Attached to: More Malicious Apps Found On Google Play
It seems that a good number of apps do this to "find friends" using the app. It would certainly be much better if upon app installation your associated account e-mail was hashed using SHA256 (or some alternative hashing algorithm) and stored by the service. Rather than upload a user's entire contact list, the apps could then submit hashes of contact e-mail addresses looking for matches without being able to identify users not using the service in question.
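Added example, not part of the comment above and not any app's real code: a sketch of the hashed contact matching the comment describes, using SHA-256 from Python's standard library. The `FriendFinderService` class, the function names and the e-mail addresses are hypothetical and constructed for illustration; addresses are normalized before hashing so that client and service produce the same digest.

```python
import hashlib
import re
import unicodedata

_DIGEST = re.compile(r"^[0-9a-f]{64}$")  # shape of a hex SHA-256 digest


def normalize_email(address: str) -> str:
    """Canonical form, so both sides hash exactly the same bytes."""
    return unicodedata.normalize("NFKC", address).strip().lower()


def hash_email(address: str) -> str:
    return hashlib.sha256(normalize_email(address).encode("utf-8")).hexdigest()


class FriendFinderService:
    """Hypothetical service side: keeps digests of registered e-mails only."""

    def __init__(self):
        self._members = {}  # digest -> public handle

    def register(self, email: str, handle: str) -> None:
        # Done once at installation/sign-up, as the comment proposes.
        self._members[hash_email(email)] = handle

    def match(self, submitted):
        # Only digests arrive here. Malformed or unknown values are ignored
        # and never stored, so non-members' addresses are not collected.
        return {d: self._members[d] for d in submitted
                if _DIGEST.match(d) and d in self._members}


def find_friends(service: FriendFinderService, contact_emails):
    """Client side: hash locally, upload digests, map matches to contacts."""
    by_digest = {hash_email(e): e for e in contact_emails}
    matches = service.match(set(by_digest))
    return {by_digest[d]: handle for d, handle in matches.items()}


if __name__ == "__main__":
    service = FriendFinderService()
    service.register("alice@example.com", "alice")
    # Constructed contact list: one member (written differently), one non-member.
    print(find_friends(service, [" Alice@Example.COM ", "bob@example.net"]))
```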

Comment: Re:Permissions (Score 2) 143

by pd0x (#39688073) Attached to: More Malicious Apps Found On Google Play
You are 100% right about the Android Device ID, but it is less of a privacy concern than the ESN, IMEI, etc. that is protected by READ_PHONE_STATE. It is randomly generated, and can change with factory reset or by means of root access. The use of the Android Device ID for the purpose of tracking app installations is clearly supported behavior with the caveats I mention outlined.

Worry #1 is probably not that devastating a concern. The Google platform distribution shows only 0.3% of users are running 1.5 or below at this point. It is my experience that few apps support Cupcake and below.

Comment: Permissions (Score 3) 143

by pd0x (#39687829) Attached to: More Malicious Apps Found On Google Play
I think it's worth noting that the new malicious applications found by McAfee researchers were video trailer applications that overtly requested the READ_PHONE_STATE and READ_CONTACTS permissions at install time.

While it's clear that users have limited comprehension of the permissions requested at install time (for instance see: Android Permissions: User Attention, Comprehension, and Behavior), it is rather suspicious that a trailer application requires access to your contact list. From the sounds of it the malware doesn't do much other than siphon off your contact list & some identifying information (Android ID & phone number).

Should it be removed from the Android market? Yes. Is it the best example of subversive Android applications? Probably not.
