July 24, 2014

Wallpaper Apps Exonerated, Google Posts Guidelines (UPDATED)

Last week, we were among dozens of media outlets that reported that sketchy wallpaper apps were sending your personal data to servers in China. It turns out, those claims were greatly exaggerated, and after removing the apps from the Market to investigate, Google has now given them a clean bill of health. The Android team has also posted guidelines for developers to help them avoid misunderstandings like this in the future.

So what happened? First, security firm Lookout issued a report noting potential security risks of Android and iPhone apps, highlighting an Android app that was collecting the user’s phone number and other information and transmitting it to servers in China. VentureBeat, in reporting the story, added that users’ text messages and browser history were also being grabbed by the app. This was not true and VentureBeat has retracted those assertions:

“The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website. We corrected the error as soon as we heard the correct information. By that time, news had spread far and wide.”

It turns out that the developer, Jackeey Wu, was just collecting a unique identifier so that users could keep their favorites and settings after wiping their phone or moving to a new one. Although this was an unwise way to implement the feature, there was apparently no malicious intent. After a suspension from the Market so that Google could investigate, the apps have been reinstated.

Finally, on Wednesday, Nick Kralevich, an engineer on the Android Security Team, posted best practices for handling user data on the Android Developers blog. While these guidelines don’t mention the wallpaper app controversy specifically, they seem directly aimed at helping developers avoid running into a situation like this in the future:

Here are a few tips for writing trustworthy Android applications:

  1. Maintain a privacy policy
  2. Minimize permissions
  3. Give your users a choice regarding data collection
  4. Don’t collect unnecessary information
  5. Don’t send data off the device
  6. … but if you have to, use encryption and data minimization
  7. Don’t use code you don’t understand
  8. Don’t log device or user specific information

The post expands on each of these points with quite a bit of detail, so if you’re a developer, head on over to read the rest.

Update: Android Developer Advocate Tim Bray adds to the conversation in a post on his personal blog, noting that, in addition to the fictional reporting of text messages and web history being sent to China, the reporting of up to 4 million downloads of the app was also fictional. He also takes a look at reporting on iOS’s latest security hole. He concludes that “people who write about security issues need to bring up their game a few notches. On one hand, they need to be doing basic journalism: fact-checking, multiple independent sources. On the other, they shouldn’t be frightened of turning up the volume when the population needs to be warned.”