I decided to download the card game Solitaire (by ZenTech Labs) on my Android-based phone. Being a free app, it is paid for by advertising. When you play the game there is always a banner ad at the bottom of the screen. One of the ads caught my eye. It said “Leslie2088 is .7 miles from you. Chat?” How do they know where I am?
That’s easy: anything that is remotely associated with Google has the potential to compromise your privacy, including your location, the contents of your contact list, the contents of your emails, and the contents of your text messages. In this case the advertisement was simply misleading, as they did not know where I was and they probably made up Leslie2088 as well. The Solitaire application only needed network communications access on the Droid to be installed. Other applications often require much more than that.
The ZenTech Solitaire game, and probably virtually every ad-supported application in the Android Market, simply spews a stream of advertisements, some deliberately misleading. I am not saying that ZenTech is deliberately misleading, but some of the advertisers often are.
One ad indicated I had 2 friend requests. Clicking on that ad leads to a dating application called “Find Friends”. When you start the application it brings up a license agreement that, in the fine print, says the service costs $9.99 per month. The app is free, but you have to pay to use it. Clicking “No Thanks” instead of agreeing to their terms takes you into the app. The first thing it wants you to do is connect with your Facebook account! It is a bad idea to give these people your Facebook ID and password, not that there is anything private in Facebook anyway. The Find Friends app requires network access, has the ability to send SMS messages, and can read phone state and identity. The Solitaire game itself is harmless, but some of the advertisements can be expensive if you click on them and don’t read the fine print.
I decided to look for an RSS reader. This is a pretty simple application that shouldn’t require a lot of permissions. It needs to know the network is active and perhaps use some SD card storage as a feature. In fact, Sparse RSS requires minimal device access. Another reader called “News Reader” requires the ability to know your location (network based), full internet access (of course), reads phone state and identity, and modifies global system settings. Some other RSS readers require even more controls.
Giving the application these permissions gives advertisers a lot of information about you and even lets them read your personal communications. One really cool thing about Android is that you have the opportunity to see what resources an app will require before you install it. This is not a feature of Windows, Linux, Mac OS, or any other smart phone I know of. If you understand what these permissions allow an application to do, you are in a better position to decide if it is worth the risk to you to install the application.
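The comparison described above can be scripted. The following is an added example, not code from the original article or from any of the apps it mentions: it reads the output of `aapt dump permissions` for an APK and lists every permission beyond what an RSS reader plausibly needs. The package names and sample dumps are constructed, and the mapping from the article's install-screen descriptions to Android permission constants is an assumption of this example.

```python
import re

# Baseline the article suggests for an RSS reader: network access,
# plus optional SD card storage.
RSS_READER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions the article names, keyed by Android constant (assumed mapping).
EXPOSURE = {
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.READ_PHONE_STATE": "phone state and identity",
    "android.permission.WRITE_SETTINGS": "modify global system settings",
    "android.permission.SEND_SMS": "send SMS messages",
}

# Accepts both "uses-permission: NAME" and "uses-permission: name='NAME'".
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?", re.M)

def declared_permissions(aapt_output):
    """Extract the set of permissions an APK declares."""
    return set(_PERM_RE.findall(aapt_output))

def excess_permissions(aapt_output, baseline=RSS_READER_BASELINE):
    """Return {permission: what it exposes} for everything beyond the baseline."""
    extra = declared_permissions(aapt_output) - set(baseline)
    return {p: EXPOSURE.get(p, "not covered here; look it up before installing")
            for p in sorted(extra)}

# Constructed sample dumps (hypothetical packages, not real apps).
MINIMAL_READER = """package: com.example.minimalrss
uses-permission: android.permission.INTERNET
uses-permission: android.permission.WRITE_EXTERNAL_STORAGE
"""
GREEDY_READER = """package: com.example.newsreader
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_SETTINGS'
"""

if __name__ == "__main__":
    for label, dump in (("minimal", MINIMAL_READER), ("greedy", GREEDY_READER)):
        extras = excess_permissions(dump)
        print(label, "->", "nothing beyond baseline" if not extras else "")
        for perm, why in extras.items():
            print(f"  {perm}: {why}")
```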
Director of Technical Education
Author ESET Research, We Live Security