Wallpaper Apps Exonerated, Google Posts Guidelines (UPDATED)

Last week, we were among dozens of media outlets that reported that sketchy wallpaper apps were sending your personal data to servers in China. It turns out, those claims were greatly exaggerated, and after removing the apps from the Market to investigate, Google has now given them a clean bill of health. The Android team has also posted guidelines for developers to help them avoid misunderstandings like this in the future.

So what happened? First, security firm Lookout issued a report noting potential security risks of Android and iPhone apps, highlighting an Android app that was collecting the user’s phone number and other information and transmitting it to servers in China. VentureBeat, in reporting the story, added that users’ text messages and browser history were also being grabbed by the app. This was not true and VentureBeat has retracted those assertions:

The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website. We corrected the error as soon as we heard the correct information. By that time, news had spread far and wide.

It turns out that the developer, Jackeey Wu, was just collecting a unique identifier to enable users to keep favorites and settings after wiping their phone or on a new phone. Despite the fact that this was an unwise way to implement this feature, there was apparently no malicious intent. After a suspension from the Market so that Google could investigate, the apps have been reinstated.

Finally, on Wednesday, Nick Kralevich, an engineer on the Android Security Team, posted best practices for handling user data on the Android Developers blog. While these guidelines don’t mention the wallpaper app controversy specifically, they seem directly aimed at helping developers avoid running into a situation like this in the future:

Here are a few tips for writing trustworthy Android applications:

  1. Maintain a privacy policy
  2. Minimize permissions
  3. Give your users a choice regarding data collection
  4. Don’t collect unnecessary information
  5. Don’t send data off the device
  6. … but if you have to, use encryption and data minimization
  7. Don’t use code you don’t understand
  8. Don’t log device or user specific information.

The post expands on each of these points with quite a bit of detail, so if you’re a developer, head on over to read the rest.

Update: Android Developer Advocate Tim Bray adds to the conversation in a post on his personal blog, adding that in addition to the fictional reporting of text messages and web history being sent to China, the reporting of up to 4 million downloads of the app was also fictional. He also takes a look at reporting on iOS’s latest security hole. He concludes that “people who write about security issues need to bring up their game a few notches. One one hand, they need to be doing basic journalism: fact-checking, multiple independent sources. On the other, they shouldn’t be frightened of turning up the volume when the population needs to be warned.”

  • Kip

    As a by-stander Android user who hadn’t actually installed this app but did follow the news with interest, I am guessing that many who did are now breathing a sigh of relief – to an extent.

    However, this just shows how easy it is for someone to create much ado about nothing much; to put it bluntly – isn’t it scaremongering?

    I have read the team update following Google’s statement, and it seems to be missing the keyword: Apology. The same should apply to VB, which I understand was one of the major players in this drama.

    Yes, the team highlighted concerns about the app which has now led to best practice guidelines (plus plus) but what now concerns me is how both parties don’t seem at all bothered over potentially ruining what could have been the developer’s bread and butter (double negative) on the basis of what seems to be unclear reporting and unsound interpreting of facts respectively.

    If this were to happen again, how will us general Android users trust what so called ‘security firms’ have to say? To use some adjectives lifted from a sample team update – to be clear certainly not malicious behaviour, and how should we define suspicious?

  • Sam

    Mentioned in this article you said collecting the unique device id was an unwise way to maintain that user across various devices. What do you think is a better approach? Some how you have to identify the user across the device and imo extracting the device id is actually farely common for apps with a lot of functionality.

  • With the exception of some sites/articles, the reporting of the Lookout was flat-out shoddy and created a lot of FUD. But the good thing about it all is that consumer may become a little more security minded before they start installing apps on their (mobile) devices.

    Sam, the ‘device-id’ is a good way to uniquely identify the device, but not to identify the subscriber of the Android Market. People download/pay an app from Android Market using their (google checkout) account. If they buy a new device but keep the same account, you’d still want to make sure their app works. Therefore, for phones with Android Market, it’s usually better to use the ‘subscriber-id’/’android-id’.

  • Charles Liu

    Agree with Streets this story is predicated on some fairly standard “China FUD” our media snaps to.

    Basically anything bad about China must be true. Has anyone noticed how racist it is to insinuate servers in China are inherently evil?

  • Pingback: Coca Cola’s Beautiful Live Wallpaper is AdMob Case | Hi-tech news()

  • Pingback: COMMUNITY ALERT: DavinciDevelopers Stealing Apps To Sell As Own Creations | Hi-tech news()