Never heard of that before. Source?
It can be done. It was something that came up a while ago. They use some tricks to do it and generally speaking those few apps get caught pretty quickly by the xda guys and in turn Google tends to pull them.
This whole fiasco is why I like to see a list of permissions before installing an app, à la WP7/Android.
Flashlight app wants full internet access, location and contacts? No install for you!
Never heard of that before. Source?
The problem mostly lies within code added by the handset manufacturer, as shown by the chart on the 2nd link. AOSP is significantly safer/compliant than HTC Sense. So there appears to be little Google can do about it, outside of redesigning their permissions system.
Has it been fixed in recent versions of Android?
I recall reading that before. Here's a few of them:
http://www.androidpolice.com/2011/1...e-numbers-gps-sms-emails-addresses-much-more/
http://www.securitycurve.com/wordpress/archives/4925
Whether they're fixed or not, I have no idea. Given the explanation as to how some of those leaks work versus how long those manufacturers take to get OS updates out, I'm strongly leaning on the "not likely to have been fixed yet" side.
The problem mostly lies within code added by the handset manufacturer, as shown by the chart on the 2nd link. AOSP is significantly safer/compliant than HTC Sense. So there appears to be little Google can do about it, outside of redesigning their permissions system.
Wow, that's quite bad of HTC. Even without the permissions problem, what's with all the backdoors anyway?
This is why I use custom ROMs - I want to remove all that crap off my phone, even if I do use HTC Sense I don't want security issues arising from it.
My guess is that HTC was simply in a hurry and their engineers did not have time to understand the permissions system. I haven't delved into it, but I suspect that it's not as simple to understand as people commonly think. Besides, official Android docs are pretty crappy to begin with.
I trust custom Android ROMs as much as I trust an unaudited jailbroken iPhone. That is to say, not at all.
Custom ROMs are open sourced and if they started spying on people, one of the many tech savvy people on XDA would notice and call the developer up on it. It's not hard to check the packets going in and out of a phone with a full set of Linux tools on it.
HTC shouldn't be putting spyware on their ROMs in the first place. I suspect this stuff still exists in their phones today even if the permissions issue is fixed. It's quite worrying really.
Of course, being called out on it happens way after the ROM has made its way around the world. Not all ROMs provide full sources or change lists either.
Check this case out. We know it's been found and fixed. But that doesn't make the backdoor any less scary. What if somebody installed this ROM on a friend's phone?
http://www.droidforums.net/forum/li...-their-phone-taken-control-liberty-1-5-a.html
I do agree that it's not cool to have blatant spyware on your production ROM. But at the same time, some of what this stuff does has legit uses, although it could have been better implemented. The difference between diagnostic logging and spyware is pretty small, and mostly in the "raw user data" to "anonymized statistical data" ratio. (I'm fine with a daemon reporting that my address book has 300-400 entries, with an average of 1.5 addresses per entry, and 12 groups. I'm not fine with them sending the actual entries or even exact count of entries.)
HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.
That isn't a backdoor, it's just a script which does silly things to the phone. A backdoor allows external access, that was just the case of a ROM coming with a test script and people thinking their phones were being hacked as a result.
Even if a ROM doesn't provide a source, finding spyware that sends out data from your phone isn't difficult. Like I said, you can just watch the packets going out the phone if you want, and with however many millions of members - many of whom are hackers - on xda and other Android sites, I'm sure at least one would pick it up even if it was being more discreet than the example you provided.
That script was built into the ROM and checked a server for stuff to run on reboot. It allows an external party (the ROM creator) to arbitrarily execute a script on all users' phones without directly interacting with them. I'm pretty sure that qualifies as a backdoor or a botnet built right into the custom ROM.
Here's the thing, while you're right that you can watch the packets going out from the phone.... really, how many people do this? I certainly don't have the time for this unless I'm debugging my own apps. And this assumes spyware doesn't use encryption. As much as I appreciate the few security specialists who do survey their traffic, I'm certainly not expecting that any other cell phone hacker is going to do this to "keep us safe" because a phone hacker who knows what he's doing usually knows that there's plenty of cool stuff he could be making instead of staring into the matrix looking for that one misplaced packet.
With that said, I also don't trust HTC phones either. My Nexus S runs AOSP "as Google intended it to be" and my iPhone4 is not jailbroken. If something's screwed up, I know who to blame.
As for the HTC port thing, it's probably filtered at the kernel level to localhost only. It'll only be remotely exploitable if a relay app is installed or if a linux tcp stack exploit is found. The latter would make it into the news for linux web servers before Android fans hear of it, if it ever happens.
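The local-port exposure debated in this thread can be checked on the device itself. As an added example (not written by any poster), the code below parses text in `/proc/net/tcp` format and reports each listening socket, its owning UID and whether it is bound to loopback or to all interfaces. The sample table, its ports and UIDs are constructed, and little-endian address encoding (as on ARM/x86 Android devices) is assumed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10052        0 4211 1
   1: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4377 1
   2: 0F02000A:A1C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10061        0 5120 1
"""

TCP_LISTEN = 0x0A  # socket state value the kernel prints for listening sockets


def decode_addr(hex_addr):
    """Decode 'HEXIP:HEXPORT'. The IPv4 address is printed in host byte order,
    assumed little-endian here."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Return one dict per LISTEN socket with its bind scope and owning UID."""
    results = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue  # not a listener (e.g. an established outbound connection)
        ip, port = decode_addr(fields[1])
        if ip.startswith("127."):
            scope = "loopback"          # reachable only by processes on the device
        elif ip == "0.0.0.0":
            scope = "all-interfaces"    # reachable from the network unless filtered
        else:
            scope = "single-interface"
        # On Android, UIDs from 10000 upward belong to installed apps.
        results.append({"ip": ip, "port": port, "uid": int(fields[7]), "scope": scope})
    return results


if __name__ == "__main__":
    for s in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"{s['ip']}:{s['port']} uid={s['uid']} scope={s['scope']}")
```

A loopback-bound listener is not reachable from the network, but it is still reachable by any local process allowed to open sockets, which is the exposure the quoted article describes.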