The Mac Observer

Android App Steals and Sends User Data to China

July 29th, 2010 at 11:12 AM - News by Jeff Gamet

A popular third-party wallpaper app for Android-based smartphones apparently collects users’ personal data and uploads it to servers in China without permission. The news was revealed by the mobile security company Lookout at the Black Hat Conference in Las Vegas, according to VentureBeat.

The wallpaper app comes from Jackeey Wallpaper and has been downloaded somewhere between 1.1 million and 4.6 million times. It collects users’ voicemail password, SIM card number and subscriber ID, and sends the information off to imnet.us in Shenzhen, China.

Third-party apps don’t go through any screening process before appearing on the Android Market, which is Google’s version of Apple’s iPhone App Store. In contrast, apps must go through Apple’s screening and approval process before being distributed through the App Store.

Google monitors the apps that appear on its Android Market store, although in a more reactive mode when compared to Apple’s App Store approval process.

The issue with Jackeey Wallpaper’s Android app will no doubt serve as an example for Apple policy supporters showing why the company’s strict review policies are necessary.

Google has not yet responded to TMO’s request for a comment.
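The fields named in the article (phone number, subscriber ID, SIM serial, voicemail number) are exactly the ones Android’s TelephonyManager hands out under the READ_PHONE_STATE permission, and they can only leave the device if the app also holds INTERNET. A first-pass triage a reviewer or store operator can run on a decoded AndroidManifest.xml is to flag that permission pairing and to list any permission a wallpaper app has no obvious reason to request. The script below is an added example, not code from the article, Lookout or Jackeey Wallpaper; the manifest is constructed, the package name is a placeholder, and the “expected permissions for a wallpaper app” set is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
INTERNET = "android.permission.INTERNET"

# TelephonyManager getters gated by READ_PHONE_STATE on 2010-era Android,
# mapped to the identity field each one exposes.
PHONE_STATE_FIELDS = {
    "getLine1Number": "phone number",
    "getSubscriberId": "subscriber ID (IMSI)",
    "getSimSerialNumber": "SIM card serial number",
    "getVoiceMailNumber": "voicemail number (dial string may embed a password)",
}

# Assumption: what a wallpaper app plausibly needs. Anything beyond this
# deserves a question before the app is published or installed.
WALLPAPER_EXPECTED = {
    "android.permission.INTERNET",          # fetch wallpaper images
    "android.permission.SET_WALLPAPER",     # apply them
}

# Constructed sample manifest for a hypothetical wallpaper app (placeholder package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.placeholder">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <application android:label="Wallpaper" />
</manifest>
"""

# Constructed benign counterpart: same app category, least-privilege manifest.
BENIGN_MANIFEST = SAMPLE_MANIFEST.replace(
    '    <uses-permission android:name="android.permission.READ_PHONE_STATE" />\n', "")


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}


def unexpected_permissions(manifest_xml, expected):
    """Permissions requested that are not in the reviewer's expected set."""
    return declared_permissions(manifest_xml) - set(expected)


def triage(manifest_xml, expected=WALLPAPER_EXPECTED):
    """Summarise identity-data exposure and exfiltration capability for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    findings = []
    if READ_PHONE_STATE in perms:
        findings.append("READ_PHONE_STATE grants: " + ", ".join(PHONE_STATE_FIELDS.values()))
    exfil = READ_PHONE_STATE in perms and INTERNET in perms
    if exfil:
        findings.append("READ_PHONE_STATE + INTERNET: identity fields can be sent off-device; "
                        "review the hosts the app contacts")
    extra = unexpected_permissions(manifest_xml, expected)
    if extra:
        findings.append("permissions beyond the app category's needs: " + ", ".join(sorted(extra)))
    return {
        "package": root.get("package", "<unknown>"),
        "permissions": sorted(perms),
        "exfil_capable": exfil,
        "unexpected": sorted(extra),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, m in (("suspicious", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage(m)
        print(label, r["package"], "exfil_capable=%s" % r["exfil_capable"])
        for f in r["findings"]:
            print("  -", f)
```

The check is deliberately static: it says nothing about whether the app actually transmits the fields, only that it has been granted the ability to read them and the ability to reach the network, which is the point at which a reviewer should look at the app’s network destinations. Run on a real APK, the manifest first has to be decoded from its binary XML form (with a tool such as aapt or apktool) before this parser will accept it.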

26 Observer Comments

Imagine headlines if it was an iOS app

So again: Why is Apple’s walled garden a bad thing?

This shows why a curated AppStore is better for the average user than the wild west approach of the AndroidMarket. Sure Apple blocks some stuff that you or I may want. But it also blocks a lot more stuff that you don’t want to get on your device, or your kid’s device, or your mom’s.

If you don’t like it, fine, go Android or jailbreak your iPhone. More power to you. But for the AVERAGE user out there, these safeguards do a lot of good and aren’t an inconvenience.

AndroidMarket can be a central curated store and open other markets for the advanced users

I wonder now whether the Librarian of Congress is still of the view that it is Fair Use to jailbreak the iOS? I know that the Government can’t be sued if someone suffers damages as a result of jailbreaking their iOS device, so with no Sheriff in town, I guess you’d be on your own.

I wouldn’t have an Android phone unless I could parole break it.

Correction. It does not collect the voicemail password unless it is actually in the dial string for your voicemail. This is how Gizmodo updated their story on this:

UPDATE: Phandroid heard from Lookout, who clarified a few points—namely, that “the app does collect data from your phone, but only the device’s phone number, subscriber identifier, and voicemail number fields are retrieved. SMS and browsing history are not touched by any of the apps they analyzed throughout their Blackhat conference. Your voicemail’s password is also not transmitted unless you included the password in your phone’s voicemail number field.” [Thanks, commenter @gwydion]

The phone number and subscriber ID could legitimately be used as a GUID (globally unique user id) on a phone for ad tracking. I would not be surprised if iAd used exactly those.

The important thing to watch is Google’s response. There are a lot of things they can do short of going all Taliban like Apple’s App Store. One obvious thing is augmenting the description and calling more attention to apps that use “phone calling data”.

Google requires all Android Store vendors to have a verified Google Checkout account, so that if there is something malicious, they can track down the developer.

On the surface, it’s disturbing if a true security breach can affect a million people. So if that’s what it actually is, I will have the integrity to press Google to fix the hole. But as Jeff’s story shows (“It collects user’s voicemail password”), there is a bit of misinformation being spread right now.

AndroidMarket can be a central curated store and open other markets for the advanced users

So an advanced user is going to disassemble every app he/she gets before loading the app into the phone? This sort of nonsense could be hidden in ANY otherwise functional app. So why would an advanced user not be vulnerable to hinky apps?

Gee, Bosco, you’ve become so much more understanding and tolerant of security breaches. I, for one, remember you going all Taliban on Apple, when an AT&T programming error disclosed the email addresses of iPad users. You insisted that Apple and Steve Jobs be burned at the stake, even though it was AT&T’s programming flaw that caused the problem. No one could persuade you that Apple wasn’t at fault and shouldn’t suffer the severest consequences, though AT&T on the next day confirmed that the error was its error and publicly apologized for it.

Now, you find it regrettable that “on the surface” this malicious app, which is the direct result of Google’s post hoc—close the barn door after the horse is gone—security model, compromises the security of millions of Android users, but it will be okay if Google somehow fixes a hole in a malicious third party app.

Well, I doubt that Google will do anything more than remove the offending app, after the fact, from the Android MarketPlace. I mean that I don’t see Google coding the app so that it works without being malicious in its effect. But the hole that needs fixing and the only fix that will solve the problem of malware on the MarketPlace, which is a problem that will only increase in its frequency and severity, is for Google to institute methods and procedures for screening apps before it allows them into its MarketPlace.

I also understand that Google has instituted a fix to stop people from stealing developers’ apps, which apparently was trivially easy to do. I believe that you said you are developing for Android. How’s that working for you? Or are all your profits disappearing into the black hole that is the MarketPlace?

Yes Nemo, and how convenient is it that you are not warning Jeff and every other blogger about potential liability for libel for including errors of fact about what the app is collecting? Not to mention commenters (like, um, Nemo) that have used words like “malicious” to describe the developer’s collection of said data.

I just looked into the SDK to see what kind of information they can get with phone state permissions. I hope you all follow Tiger’s advice and post this everywhere. You’re gonna look stupid smile.

And speaking of looking stupid, you’re on a slippery slope discussing Google’s new in-app purchase verification scheme. Do some research on it before commenting. Maybe even ask someone who knows how it works and has some insight into how to use it effectively. Like all good anti-piracy measures, it can keep honest people honest and keep a lot of dishonest people honest too. From a legal standpoint, it can make breaching more airtight illegal and actionable, and centralize the breaching activity.

So again: Why is Apple’s walled garden a bad thing?

How about a false sense of security? Anybody recall the recent app that secretly allowed tethering on the iPhone? That one slipped through the cracks. Others have as well. If some developer is going to be sneaky, they will be sneaky, and the chances of them getting through are higher than we would like to think. Furthermore, I suspect that the walled garden in the iOS realm trickles down to those other “app phone” spaces such as on Android. There is a lot of good will/naiveté out there, which the walled garden sure reinforces… Now, don’t go and say that I am saying that this is a bad thing, or that I’m blaming Apple for this Android fiasco, but the truth is, there is a false sense of security in the iOS world, and it is expanded to the rest of the app phone space as well.

-Jon

praxis22 said on July 29th, 2010 at 1:12 PM:

Well said Jon,

Bill Gates once made the point that whether or not you had AIDS, was a single bit of information 1 = yes, 0 = no, (binary) so how was anybody supposed to protect against the leak of a single bit of data?

If you do not understand that what you carry in your hand is a computer, and you don’t understand computers, then you’re at the mercy of everyone that does. Just because Apple do a quick check, doesn’t mean that the app they just checked doesn’t sleep for 24 hours, (or 6 months) and then de-cloak and go about its nefarious business.

Security is a state of mind, you either think about this stuff or you don’t, if you leave somebody else to do your thinking for you, you get what you asked for, if not what you deserve.

Nabeel Ahmed said on July 29th, 2010 at 1:24 PM:

Here’s a checklist of Things To Consider Before Downloading Apps From Android Market to be safe from these attacks.

“Just because Apple do a quick check,”

Now THAT’S a good joke. How many months of stories have we had of developers complaining how long Apple spends reviewing apps?

Quick check. Yeah.

As for the one that slipped through the cracks. It went live and within hours was yanked. That’s a pretty rapid response.

As for this problem with the Android app, here’s the story, read it for yourselves. It’s still being ignored by CNN and CNET.

As I said… false sense of security…

-Jon

If anyone EVER believes that being on the internet is completely secure then they are delusional. The AppStore is safER because Apple makes an effort to both prevent the bad guys from posting stuff there and because when issues come to light they are aggressive about pulling the offending app.

Just because there is still petty crime does not mean we should do away with the police.

MacKeeper_fan_Mod said on July 29th, 2010 at 4:05 PM (Edited: 07/30/2010 8:44 AM):

That’s simply part of the Android Marketplace model. The community is the basic police force, without the need for an up-front self-appointed police force (Apple).

Can the community still screw up? Of course. But the community can let more otherwise legit stuff through too, using the principle of “good unless proven otherwise”.

Can the community still screw up? Of course. But the community can let more otherwise legit stuff through too, using the principle of “good unless proven otherwise”.

Would you want the FDA or CPSC to adopt that model for drug or product safety? Put any old compound on the market until someone says it’s killing people? Sell a product until someone points out that it has a tendency to explode?

Didn’t think so.

That said if you’re comfortable assuming the responsibility for protecting yourself and the risk of making a mistake then fine. Download whatever you want and run it. Enjoy your AndroidMarket. Personally I’m careful with what I download, but I like the concept of having Apple, or someone else running interference for me. They may not catch everything but it’s another level of shielding.

Would you want the FDA or CPSC to adopt that model for drug or product safety? Put any old compound on the market until someone says it’s killing people? Sell a product until someone points out that it has a tendency to explode?

Didn’t think so.

Careful. Taking your line of reasoning would lead to a society where Big Brother would seem like freedom.

As to the existence of these agencies, and their practical usefulness, I would contend that they cause the same false sense of security and laziness that Apple does with its strict rules. People think they don’t need to check or verify. Companies think that if they keep to the minimums set by the gov’t agencies, they’ve done their job. By doing so, they remove the intellect, and the self-preservation instinct from the equation, thus making any minor shortcoming of potentially disastrous proportions. Yet we only need to look around us at how these things happen in real life to know that regulations, etc. fall far short in real life. It’s like with traffic lights. In Europe (my town of Krakow, for instance), traffic agencies have begun learning that sometimes _less_ is safer. Turning off the lights, and forcing drivers to be aware and be careful because the light isn’t telling them when to go has two positive effects. 1. Traffic jams disappear, and 2. accidents go down.

Yes, this is much less “safe.” But honestly, do you want to live “safe” or free? Do we all really want to be automatons of the bureaucracy of the state or corporate entities who act as both our gatekeepers and conscience? Jailbreak forever. wink

-Jon

I think the disagreement is because of a basic difference of philosophy.

I’m in Canada. In fact I deliberately moved to TO Canada because I like a more proactive government and regulatory structure. I think it’s the point of societies to band together and protect each other from the bad guys. I moved out of the US because after 45 years I was tired of the drive to total ‘freedom’ which results in too many predators and victims. The result of all that ‘freedom’ as I saw it was a loss of liberty as people had to spend more and more time and energy defending themselves. They simply don’t have the time to be free.

Obviously you disagree. I can respect that. That’s why there are different platforms in the marketplace. You want a more open system where there is nearly unlimited choice, albeit while accepting a bit more risk. I want a more limited selection where I can be reasonably assured that what I get is what it says it is.

That’s cool.

Peace.

You want a more open system where there is nearly unlimited choice, albeit while accepting a bit more risk. I want a more limited selection where I can be reasonably assured that what I get is what it says it is.

I think you are still missing my point. You don’t get _more_ security. All you get is a greater _illusion_ of more security. How’s that health care doin’ for ya? It’s not just Canada. The UK is looking to privatize. I just read an article in my adopted home of Poland of some horrible results of institutionalized, centralized health care. It doesn’t really work better. The thing is, if you don’t have these “umbrellas” you don’t suffer from the delusion that they are actually parachutes. Where does the safety come from? Well, the threat of punishment in the courts, either the criminal or the civil courts.

Part of the problem in the US is that they are trying to have it both ways. It is the compromises that cause all the problems. Worse, as we see in the Apple Store situation. Generally the solution for the failure of the system is to increase the system! Do you want Apple to crack down harder and harder, limiting you, the customer more and more? Is that the situation you truly want? IIRC, the frog was happy as the water slowly came to a boil. But hey, man. peace. That’s cool… Let’s enjoy the ride…
