App can make phone calls without your knowledge!

ChaletGirl

Another app taking liberties? I was just checking through the permissions requested on Accuweather's Android app and it wants to make phone calls & text messages without bothering to tell me about it. And these aren't necessarily Freephone numbers either.

I am used to seeing (and rejecting) apps wanting to use the camera on my phone (still shots & video...) which I can't believe are necessary for the app's performance and just seem downright pervy - but potentially using a paid service without my express permission - that's outrageous! This request even pops up on the paid for version.

They would also like free access to read my emails & messages. Why??

I really wouldn't mind so much if these conditions weren't so hidden. Or if they were adequately explained. Or if my privacy was a trade-off for a free service. But the paid apps want the same access. Other industries have to comply with being upfront about extras. Why is the app industry not regulated in the same way?

Niv

I think it is pretty clear, when I go to the play store to download an app, there is a list of permissions the app wants and you just click on them for details.

I do however agree that that some of the access these apps want appear unnecessary and it has stopped me downloading apps in teh past .

thegoodman

The problem is very common with Android phones. See the news below.
http://www.guardian.co.uk/technology/2012/may/25/android-users-angry-birds-malware?newsfeed=true

May people have been tricked into this. The problem is Google who make will only remove the app once the damage is done. I think this is wrong.

With iPhone and windows phones apps are checked before release, I think the google should do the same.

Lifeforms

It's a free market, means regular joe can go make an funny app without having to pay a penny to make an app (aka apple and your "fee" to even create/submit the app.

So... a) the market isn't policed (because no one really pays for that, unlike apple). b) anyone can make an app, malicious or not, broke or not. c) people are idiots, and are quite happy to let anything download, and use their phone.

People in the know or actually pay attention to things (terms and conditions people!) will see that apps want permissions to do stuff it frankly doesn't need to do. Doesn't mean if it wants access to make calls, that it'll do it, but you only have yourself to blame if it does at some random moment dial out without you knowing it, and you suddenly get a several hundred pound bill. HOW?!
This takes you back to point C. People are idiots, and just want to do things, without caring about who's what's, whyfor's and "oh it's ok, sure you can use my phone to call anyone, you're only a stranger I've just met!"

DUTR

ChaletGirl wrote: »

Another app taking liberties? I was just checking through the permissions requested on Accuweather's Android app and it wants to make phone calls & text messages without bothering to tell me about it. And these aren't necessarily Freephone numbers either.

I am used to seeing (and rejecting) apps wanting to use the camera on my phone (still shots & video...) which I can't believe are necessary for the app's performance and just seem downright pervy - but potentially using a paid service without my express permission - that's outrageous! This request even pops up on the paid for version.

They would also like free access to read my emails & messages. Why??

I really wouldn't mind so much if these conditions weren't so hidden. Or if they were adequately explained. Or if my privacy was a trade-off for a free service. But the paid apps want the same access. Other industries have to comply with being upfront about extras. Why is the app industry not regulated in the same way?

Where to confusion is, is due to the wording they use, as you know the app requires a data connection , (hence permission to use your internet connection) eg a phone call in loose terms, they don't actually make a voice phone call. Likewise something like a banking app, may have branch phone numbers or customer services, energy app, breakdown so will require the permission to dial via the app (under your control), or use the location.
Ok things like facebook twitter etc, that's a different scenario

DUTR

thegoodman wrote: »

The problem is very common with Android phones. See the news below.
http://www.guardian.co.uk/technology/2012/may/25/android-users-angry-birds-malware?newsfeed=true

May people have been tricked into this. The problem is Google who make will only remove the app once the damage is done. I think this is wrong.

With iPhone and windows phones apps are checked before release, I think the google should do the same.

Perhaps you didn't read past the 1st few lines of the article "Company fined £50,000 after nearly 1,400 people in UK were hit by fake apps that sent premium-rate text messages"
I'm still wondering why with all the malware etc that you report, that I do not know one person personally or 3rd hand that has been affected in the ways you describe

Mr_Terrific

ChaletGirl wrote: »

I really wouldn't mind so much if these conditions weren't so hidden.

The permissions required are clearly listed when you click "Install" in the Play Store. Once these are displayed, you explicitly have to choose "Accept and Download" before you can install the app.

Choosing not to read the list of permissions the app requires before installing it doesn't make them hidden.

grumbler

Mr_Terrific wrote: »

The permissions required are clearly listed when you click "Install" in the Play Store. Once these are displayed, you explicitly have to choose "Accept and Download" before you can install the app.

Choosing not to read the list of permissions the app requires before installing it doesn't make them hidden.

Is it really that simple as you are trying to present?
Do you really think that this is an adequate and sufficient protection? How does this protect from a bogus, say, messaging app that obviously requires permission to send texts and can use this permission for sending unauthorised premium texts?

Niv

grumbler wrote: »

Is it really that simple as you are trying to present? yes

Do you really think that this is an adequate and sufficient protection? Its a warning, people chose to do with it as they will. I chose to read what the app wants permission to use and chose if I think it should need that, if not then I dont download. If people are responsible enough to own a smart phone they should take the time to learn how ti use it.

How does this protect from a bogus, say, messaging app that obviously requires permission to send texts and can use this permission for sending unauthorised premium texts? You chose not to install it

Why do we have to protect the poor old lazy victims? Read what the app wants to do before you download! You dont have to download it!

grumbler

Niv wrote: »

You chose not to install it

In this case all communication apps requiring permissions to make calls or sent texts or access Internet have to be avoided.

My point was and remains that it was not that simple as per Mr Terrific .
Permissions is only a small part of the information that has to be taken into account when making a decision. The status quo is that even an experienced person can fall a victim of some bogus app and there is no way to protect yourself except checking the source code. You cannot expect this from an end user even if the code was available.

wantmemoney

Niv wrote:

Why do we have to protect the poor old lazy victims? Read what the app wants to do before you download! You dont have to download it!

that is the argument fraudsters and scammers use to defend what they do by always blaming the victims (very often children that they specialise in targeting ).....a disgraceful 'industry' attitude.

http://www.phonepayplus-services.org.uk/output/search-adjudications.aspx

10 May 2012
Information provider A1 Agregator Limited
Service provider Ericsson Internet Payment Exchange AB

Type of service: In-app billing/ Android Trojan app

BACKGROUND

In December 2011, the Executive received 34 complaints from members of the public in relation to unknown charges being triggered after downloading apps advertised as “free”. The apps were replicas of popular games and entertainment services, such as ‘Angry Birds’ and ‘Cut the Rope’. The replica apps were developed to include coding, which triggered the sending of text messages from the users’ handsets to a premium rate number. In response the Level 2 provider’s system sent premium rate messages to the users at a cost of £5 each. The charges continued to be triggered until users uninstalled the replica app from their phone. The replica apps also appeared to restrict visibility of incoming and outgoing messages associated with the shortcode 79067, this resulted in complainants not being aware of charges until receipt of their phone bills.

ALLEGED BREACH THREE
Rule 2.2.5

“In the course of any promotion of a premium rate service, written or spoken or in any medium, the cost must be included before any purchase is made and must be prominent, clearly legible, visible and proximate to the premium rate telephone number, shortcode or other means of access to the service.”

The report from Total Defence showed a screenshot taken from an Android app marketplace labelled: “Fig 1: Permissions that must be granted by the victim for the Trojan to get installed”. The screenshot showed one permission request stating, “Services that cost you money – send SMS messages”. However, this does not fully and/or clearly inform the consumer of the cost of the service.

ps PhonepayPlus pocketed the revenue that was stolen from the victims and withheld from A1 Agregator Limited. They called it a 'fine'.