Cnet and ZDNet were spreading BS and a marketing ploy from a company which is trying to sell its own "security" application. In the original article, Cnet repeated misleading marketing information from an anti-spyware firm called SMobile, which claimed that 20% of Android apps are potentially spying on users, sharing private data, and even placing calls and sending SMS invisibly to the phone owner...
Interestingly, the Cnet author realized the mistake and edited the article (see comments below)! I really applaud it!
"Android requires application developers to declare the permissions their application will need in order to interact with the system and its data" and SMobile is sucking up information which is freely available and required for each app and trying to sell it to us! There is an obvious conflict of interest. Every technically savvy Internet user knows that 90% of so-called “free antivirus and anti-spam” software is bogus, trying to sell us unnecessary things and displaying false alarms.
As was mentioned in one comment, iPhone apps do the same things as Android apps, because their functionality simply requires it, but they don't advertise what they can do as clearly and loudly as Android apps.
As we know, Android OS automatically prohibits any app from accessing a resource if that access wasn’t declared. Does iPhone OS do this? It sounds like a better control than a human looking at each app's source code. With 200,000 apps in the iPhone Store I highly doubt that every app was really inspected. I think I’ve heard about some apps being pulled from the App Store *afterwards*…
Also, users voting for an app by downloading it IS a pretty strict control. There was some information about Wikipedia being almost as accurate as Britannica...
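The declared-permission model discussed above, as an added example that is not from the original post or from Android itself: it reads the `uses-permission` entries from manifests, models the "undeclared means denied" rule, and shows how a "20% of apps" figure can be produced from declarations alone, with no evidence of misuse. The package names, the sample manifests and the choice of which permissions count as sensitive are assumptions, and the manifests are assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions treated as "sensitive" here: an assumption, not an official list.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
}

def make_manifest(package, permissions):
    """Build a constructed sample manifest (decoded text XML) for the demo."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">{uses}</manifest>'

# Constructed sample data; package names are hypothetical.
SAMPLES = {
    "com.example.contacts": make_manifest(
        "com.example.contacts",
        ["android.permission.READ_CONTACTS", "android.permission.INTERNET"]),
    "com.example.news": make_manifest("com.example.news", ["android.permission.INTERNET"]),
    "com.example.game": make_manifest(
        "com.example.game", ["android.permission.INTERNET", "android.permission.VIBRATE"]),
    "com.example.notes": make_manifest("com.example.notes", []),
    "com.example.flashlight": make_manifest("com.example.flashlight", []),
}

def declared_permissions(manifest_xml):
    """Return the set of permission names the app declares."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def is_allowed(manifest_xml, permission):
    """Model of the enforcement rule: access that was not declared is refused."""
    return permission in declared_permissions(manifest_xml)

def sensitive_report(manifests):
    """Map app -> sensitive permissions it declares (capability, not misuse)."""
    report = {}
    for app, xml_text in manifests.items():
        hits = sorted(declared_permissions(xml_text) & SENSITIVE)
        if hits:
            report[app] = hits
    return report

def percent_with_sensitive(manifests):
    """Share of apps that merely *declare* a sensitive permission."""
    return 100.0 * len(sensitive_report(manifests)) / len(manifests)
```

With these five constructed apps the result is 20%, and the single app behind that number is a contacts organizer declaring `READ_CONTACTS`.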
Now, let’s think about what could and should be done.
As ztts said in a Cnet comment,
“This is one of the most remarkably misinformed articles I've read in a long time. Of course some apps have access to sensitive information. If an app is meant to help organize contacts, for example, of course it has access to your contacts. This is true on any platform, and is obvious and unavoidable. The nice thing about the Android market is that, whenever you download a new app, it informs you of exactly what sensitive information it has access to, so one can make an informed decision. The fact that an app has access to information does not mean that it misuses it, as this article implies that 20% of all apps do. Truly sensationalist reporting.”
inetperu says in a Cnet comment,
"Palm is taking the lead on this one I think. Personal data is locked down pretty tight - too tight actually since some apps are not even possible with the current restrictions. The ideal system would be for a permission based system like Palm WebOS uses for apps that require GPS data. When you install the app it notifies you that the app needs access to the GPS data and you can accept or deny. Something similar could be used to allow an app limited access to your address book, phone functions, SMS, etc. The user GRANTS permission to the app after being warned of possible abuse AND if access to those sensitive areas were logged automatically so that the user could review it every so often it would keep bad developers in check. Imagine an app that could scrape your entire address book, phone records, GPS history, etc. - a spammer/stalker/identity thief's dream app."
Limited access sounds like a useful idea, but if an app is denied a permission it asked for *during its installation*, it then cannot perform normally, right? And asking for a permission *every time it is needed* is not a solution either, because it would create a nightmare user experience (I remember Zone Alarm doing that; as a result I just uninstalled Zone Alarm. Most users would do the same.)
Obviously, Android's way of declaring necessary permissions during installation is far from being an ultimate solution either, because most users will install apps anyway - if they need them.
WebOS performs required and automatic logging of access to sensitive areas, right? That sounds like a really good idea. Such system logs can then be analyzed by [system] security software.
I'm pretty sure Windows has this mechanism as well. Isn't there a similar API in Android OS? I don't believe Google didn't pay attention to this area.