
Application falsely accused of data theft

Just three days ago, a wave of surprise and indignation swept Habr over an Android application called Jackeey Wallpaper, which stole user data and which, before its distribution was suspended, had been used by “millions of people”.

The English-language blogger Antonio Wells managed to contact the author of the application and interview him about this, as well as contact the company Lookout, which, in fact, reported the find.

Looking ahead: things are not as they were first reported. The author's answer and a clarification of the story are inside. This article is a free translation and retelling of an article from the androidtapp blog, but it is too free to be presented as a translation. Most of the story is told in the first person, that of the author of the original article.
The author’s name is Jackeey Wu and his answer is below.

The start of the letter.

I do not collect this data

Hi, I noticed that Lookout's CEO at venturebeat.com stated that I collected user data in my wallpaper program. And the data seems to contain the browser history, text messages, SIM card number, subscriber number, and even Google Voicemail password.
I declare at once: I did not collect all of the above data.

Lookout stated that I was collecting text messaging history. That's nonsense. Everyone knows that if a developer wants to have access to the message history, he must declare access to some access zones (android.permission.READ_SMS, android.permission.RECEIVE_SMS, or android.permission.RECEIVE_MMS), otherwise the system will simply prevent him from using the appropriate API. And in the Android Market it will be clear that the program requires access to these zones. The screenshot below clearly shows that I do not declare access to these zones. So my application cannot collect this data in any way.

Application comparison

On the left is a typical messaging application. On the right is Jackeey Wallpaper.

The news also said that I was collecting browser history, but this is nonsense again. Look at the Browser application on your Android device, which requires and declares access to personal data (Your personal information), where history and bookmarks are stored. My application does not require such access. Moreover…

Other apps collected more data.

Compare two wallpaper management apps. The Backgrounds application on the left requires access to 8 different zones. My application required access to 5, and all of them are also contained among the list of accesses declared by the Backgrounds application.

Application Comparison 2

I collected data about the device

In my application, I collected some data about the device, and not about the user. I collected screen size information to provide wallpapers in the most current resolution.

I also collected the device ID, phone number, and subscriber ID, which have nothing to do with user data. I collected them with plans to create a "favorites" feature: the user's choice was to be saved and synchronized to the server. The collected data was to identify a unique user so that his favorites could be saved and restored if the phone was reset to factory settings.

I’m an ordinary developer and I absolutely don’t understand why Lookout or the author of venturebeat.com attacked my application.

The end of the letter.
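
The "access zones" in the letter are Android permissions, requested through uses-permission entries in AndroidManifest.xml. As an added example (not code from the letter, from Lookout or from the original article), this script lists what a decoded manifest requests, maps it to the data categories the letter discusses and repeats the letter's comparison against a second application. Both manifests and their package names are constructed samples, and the mapping reflects the Android releases of the article's time.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> data it gated on Android releases of the article's era.
SENSITIVE = {
    "android.permission.READ_SMS": "stored SMS",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.RECEIVE_MMS": "incoming MMS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
    "android.permission.READ_PHONE_STATE": "device ID, phone number, subscriber ID",
}

def manifest(package, perms):
    """Build a constructed sample manifest; not taken from any real app."""
    rows = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{rows}</manifest>')

WALLPAPER = manifest("com.example.wallpaper", ["INTERNET", "SET_WALLPAPER", "READ_PHONE_STATE"])
MESSAGING = manifest("com.example.messaging",
                     ["INTERNET", "READ_PHONE_STATE", "READ_SMS", "RECEIVE_SMS", "SEND_SMS"])

def declared_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    # uses-permission-sdk-23 requests a permission on API 23+ only; count it too.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found

def reachable_data(perms):
    """Map the declared permissions to the sensitive data they unlock."""
    return {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}

def extra_permissions(app, baseline):
    """Permissions the app requests that the baseline app does not."""
    return sorted(app - baseline)

if __name__ == "__main__":
    for label, xml_text in (("wallpaper", WALLPAPER), ("messaging", MESSAGING)):
        print(label, reachable_data(declared_permissions(xml_text)))
    print(extra_permissions(declared_permissions(WALLPAPER), declared_permissions(MESSAGING)))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a script like this can read it.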

Lookout's comments

Obviously, while I was investigating, Lookout could not answer any questions that might arise, but nevertheless, already on July 29, an entry appeared in their blog stating the following:
Although the data that this wallpaper management program collects is suspicious, we want to clearly state that no evidence of malicious behavior was found. In the past, there have been cases where applications have been a little too zealous in collecting data, but not due to malicious intent.

July 30th. Erika Shaffer, PR Director at Lookout, said:
Lookout does not take back its words. When we noticed that incorrect information was being distributed, we published, as quickly as we could, a message about what we found in this application. The developer’s server collected the phone number, subscriber ID, and voice mail number. We announced this at the Wednesday presentation.

On the same day, the company's CEO added:
Obviously, the company's report was incorrectly interpreted. We want to be clear: we did not accuse the application of collecting data beyond what we covered in our blog.
As I have already stated, our goal was to draw the attention of users and developers to what is happening in the world of mobile applications in terms of security.


- Abram Ivanovich, is it true that in Odessa a pioneer won a Volga in the lottery?
- True! Only not a pioneer, but a pensioner, not the Volga, but a bicycle, and not won, but stolen.

Another demonstration that any news should be checked. It only remains to hope that the author will be allowed to work in peace, and that this story really makes Android owners think, when installing the next program, about why a tic-tac-toe game needs access to phone calls.

Source: https://habr.com/ru/post/100810/
