Three new security phones have come into the spotlight recently: The Geeksphone Blackphone, the Boeing Black, and FreedomPop’s Privacy phone.
These phones take similar routes to security, from what we know so far. They’re loaded with encryption, security apps and other features.
But there are two feature on at least one of these phones that should be a standard part of Android.
The $629 Geeksphone Blackphone, made in partnership with Silent Circle, uses a forked version of Android called the PrivatOS. First, the system confronts you with choices when you install an app, enabling you to choose exactly what personal information is available to each app — individual permissions on each source of data that each app requests. And second, after apps have been installed, a “Security Center” lets users enable or disable specific permissions for each app.
Why aren’t these two features built into standard Android?
The antivirus software company Avast revealed Friday that a night vision Android app called Cámara Visión Nocturna has been signing users up for a paid messaging service without their knowledge or permission.
The app has been harvesting phone numbers from WhatsApp and other messaging apps and registering them for a paid messaging service, which billed them $2.80 per session. Some users were charged up to $50 per month. It’s not clear to me how this billing took place, but the damage was already done by the time researchers found out about it.
The use of ostensibly legit apps housing secret functions that rob or violate users appears to be a growing industry. Remote access toolkits, or RATs, have been a problem for years, but have tended to target users in China and elsewhere in Asia.
This week, researchers have uncovered a RAT called Dendroid, which helps would-be malware distributors target US and European users. It’s designed to hide malicious code inside otherwise legit Android app software.
An interesting feature is that the control panel for Dendroid is hosted on virtual private servers. It’s “malware as a service.”
Dendroid costs $300 and comes with both 24-hour tech support and a guarantee that it won’t be detected. Its creator, who goes by the name “Soccer” on the forums, claims that the software can record phone calls and texts, download pictures from phones and record audio and video, take pictures through phones’ cameras, call phone numbers, delete call logs, open applications and initiate a denial-of-service attack.
Dendroid is reportedly designed to slip past Google’s Play Store control (which is called Bouncer).
All this sounds horrible, but mobile security specialists don’t expect Dendroid to be a major threat in reality, mainly because it was detected and that now that the security industry and Google knows about it, they can do something about it.
What is of concern is that Dendroid represents a new trend of highly professional, highly capable all-in-one malware toolkits for Android.
There’s also the problem of data-grabbing that isn’t exactly malware.
A report last year by the Data Center of China Internet (DCCI) found that nearly 35 percent of the Android apps it surveyed were grabbing user data unrelated to the purpose of the app.
The problem exists outside China, too, although is probably on average significantly better for Play Store apps. The highest-profile case was the GoldenShores Technologies’ Brightest Flashlight fiasco.
It’s clear that Android users are at great risk for future privacy, security and financial violation from seemingly legit apps that secretly house malware payloads designed to abuse the trust of users.
That’s why Google needs to add two features from the Geeksphone Blackphone’s PrivatOS:
- A feature that confronts the user with granting or denying permission for each and every privacy-violating action the app is capable of taking. If app developers want users to complete install rather than give up because it’s too much of a hassle to continue, they need to minimize or eliminate privacy-violating features.
- A feature that provides a clear and comprehensive “Security Center” where at any time all privacy-violating permissions are revealed and can be individually toggled on or off.
Of course, third-party apps like NoRoot Firewall do something like this. But these are going to be used only by an extreme minority of users.
It’s time for Google to step up and protect users with these two features, which minimally product users at the OS level. Users shouldn’t have to seek out exotic phones or obscure apps to be able to grant or deny privacy permissions on their Android phones.
(Picture courtesy of SoftAndApps.info)
