Android tablets and privacy???

[Saracen]

I have a question about privacy concerns on Android tablets .... and mobile phones for that matter, but primarily tablets.

Is it possible to put data on these devices and be sure, and I mean SURE it doesn't get data vacuumed by Google's apps? From what I've seen of their so-called privacy policy, which really ought to be an "utter lack of any privacy whatever" policy, using anything that gives them access to email content, calenar entries, etc, is an absolute non-starter for anyone with concerns.

But what about 3rd party apps? If so, are there any decent 3rd party apps that provide functions for data storage or this type of personal infirmation, that are from trustworthy developers?

Or should anyone with such concerns simply forget about Android tablets?


Also, the same questions about Android phones, bearing in mind I'm NOT prepared to have Google logging and storing details of either inbound or outbound phone numbers.

Any assistance from those with the knowledge and experience of this is much appreciated.

[Marenghi]

i'd be interested in hearing some answered to these questions aswell. AFAIK there isn't an app from google that stores details of incoming & outgoing calls? going to have to go and check what permissions my google apps require now

[Saracen]

It's not so much that an app stores that data, but that some apps open up permissions so wide that they can read that data and send it out .... where it can be data warehoused and data-mined, such as on Google's massive data centre servers.

Log information

When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:

- details of how you used our service, such as your search queries.
- telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.
- Internet protocol address.
- device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.
- cookies that may uniquely identify your browser or your Google Account.

That's merely part of what you agree to with Google and allow them to do. Note that they can track date, time and duration of anybody you call, and anyone that calls you.

So, if I call you, they now have a database showing my number on your in-list, despite the fact that I've never given them permission to record my call details. Now suppose I call 20 other friends and family. They've got a call history for my phone number.

But it's more than that. They've also got access to your address book, calendar, and so on. So, if you've put my landline number, postal address, date of birth and so on, in your contact details, they can now link all that, and build a profile on me. I, of course, haven't given permission for any of this, and don't even know you've put my details in your address book, let alone that Google, or anyone else whose apps have the relevant permissioins, can read it.

The thing is, some apps have HUGELY insecure levels of access. They can access, read, write, create and delete, everything from system passwords to contact data, to amending your permissions system, and to making phone calls, sending SMS or emails, to creating network ports on your device. If you turn off wifi, some apps can turn it back on again, send data, turn wifi back off and do all that, including uploading your data, all without your knowledge.

Sometimes, such access is legitimate. Antivirus apps, if genuine, need quite an intrusive level of access to be able to work. An app that lets you email or SMS tech-support from within the app has to be able to email and SMS. If you download a new address book app or calendar, it has to be able to create, ddelete etc thise events. And any app that offers cloud sync has to be able to access the internet.

So, there are legit reasons for SOME apps to have SOME of those permissions. But why does a Sudoku game need to be able to access your phone call log? A game might need to access your phone state .... to suspend play when you receive a call. But why does it need to know who called you?

My point, therefore, is not that even highly intrusive permissions are necessarily for evil intent, but that we, as users, ought to have FAR more control over what apps can do what, and that Google awards irself a huge level of access for it's services, and that's for services usually installed by default, which often cannot easily be blocked, or even uninstalled without at the very least rooting the device, and due to the complex set of interdependencies, ridking breaking services B through Z if you disable service A.

Perhaps most inttrusive of all is that if you sign in for one Google service, their new T&C's means you've signed up for such tracking on almost all their services, a vast glob of which are installed and active, by default.

I'd like to know what recommendations are for castrating some of this? Perhaps Titanium backup, but what do the experts round here think?

[jimbouk]

Don't sign in with a google account on the phone...?

[Saracen]

Don't sign in with a google account on the phone...?

It's one approach, but then, you can't use a number of the functions such a device (phone or tablet) are so useful for, like calendars, etc. Which is why I asked about suitable third-party apps in the opening post.

[jim]

I can't really advise on different apps' privacy policies, as I frankly don't know, and I'm going a bit off topic here, but from my experience I think you'll struggle.

When you install an app via the market (apologies if you've already done this), it will always inform you of what sort of access it requires. So, typically, a basic game might want internet access to connect you to an online store. Then you might have a photo app, which will want internet access to upload to photo sharing websites, and then will want GPS location so that it can accurately tag your photos with GPS.

The problem here is that apps tend to start off with very basic requirements. I had an application which was no more than a torch - it showed a white screen, which lit up a dark room. That was fine. Then one day, I went to update, and suddenly it required internet access - presumably for adverts. I ditched it. Another application, I paid to purchase a premium version, which didn't have adverts. Then, a few months down the line, they added adverts to the premium version - the only way to prevent it was not to update. As soon as I got a new phone though, I couldn't get the old version, and it was either no app, or app with ads. Again, I ditched it.

My personal experience is that it gets worse with time. I think, typically, you'll get a photo app, and you'll be happy with it. However, somebody will absolutely love the idea that you can tag your photos with GPS. Fair enough. Problem is, the developers then are pressured into adding the feature, and typically do - and here's the big kicker - you can't individually accept or deny different rights to apps. You either accept all of them, or none of them. So if the photo app wants access to my camera (fine), the internet (not great, but acceptable), my GPS location (you're having a laugh?!), well, I get no say in the matter other than to decline it altogether.

I'm glad that Google informs me, absolutely, but it just becomes unmanageable. Even if you find an app, say for your calendar, which you like, sooner or later, feature creep will mean that someone, somewhere, says "Please add feature X", and then it's added, new rights are demanded, and then you need a new app again.

The sheer number of apps that request ridiculous permissions is unbelievable - I've seen games that want to know when I'm being called - and of course nearly all of them want access to the internet. No doubt most of them don't use the features at all, or at least don't use them unless you specifically permit it within an options menu, but they're there, and by installing you agree to them. In most cases I suspect it's primarily a case of being careful, requesting all sorts of permissions that might be needed, or vaguely improve functionality, even though they're not used in the nefarious ways they could be. Either way, it's a massive minefield.

[jim]

I've just dug up a few examples for you, as I primarily use non-Google applications for things.

My alarm clock, for instance, requires the following:

CHANGE YOUR AUDIO SETTINGS
Allows the app to modify global audio settings such as volume and which speaker is used for output.
FULL NETWORK ACCESS
Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
PAIR WITH BLUETOOTH DEVICES
Allows the app to view the configuration of Bluetooth on the tablet, and to make and accept connections with paired devices. Allows the app to view the configuration of the Bluetooth on the phone, and to make and accept connections with paired devices.
READ PHONE STATUS AND IDENTITY
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE MODIFY OR DELETE THE CONTENTS OF YOUR SD CARD
Allows the app to write to the USB storage. Allows the app to write to the SD card.
DISABLE YOUR SCREEN LOCK
Allows the app to disable the keylock and any associated password security. For example, the phone disables the keylock when receiving an incoming phone call, then re-enables the keylock when the call is finished.
MODIFY SYSTEM SETTINGS
Allows the app to modify the system's settings data. Malicious apps may corrupt your system's configuration.
PREVENT TABLET FROM SLEEPING PREVENT PHONE FROM SLEEPING
Allows the app to prevent the tablet from going to sleep. Allows the app to prevent the phone from going to sleep.

My calendar app, which is far less fussy, requires the following:

READ CALENDAR EVENTS PLUS CONFIDENTIAL INFORMATION
Allows the app to read all calendar events stored on your tablet, including those of friends or co-workers. This may allow the app to share or save your calendar data, regardless of confidentiality or sensitivity. Allows the app to read all calendar events stored on your phone, including those of friends or co-workers. This may allow the app to share or save your calendar data, regardless of confidentiality or sensitivity.
READ PHONE STATUS AND IDENTITY
Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
MODIFY OR DELETE THE CONTENTS OF YOUR USB STORAGE MODIFY OR DELETE THE CONTENTS OF YOUR SD CARD
Allows the app to write to the USB storage. Allows the app to write to the SD card.

Anyway, you get the picture.

[Flibb]

There are apps that let you edit the permissions given to other apps. I use one to lock down whatsapp so that it works on a tablet.

[Agent]

The sheer number of apps that request ridiculous permissions is unbelievable - I've seen games that want to know when I'm being called

They actually don't have much of a choice. If you're playing a game for instance and the phone rings then what should the game do? Presumably you want it to do something sensible like pause and pass control to the phone application. If you didn't give it permission to know the phones state regarding calls, it would just carry on going in the background while the call was taking place. Not very user friendly

This isn't really an Android issue as such, it's common across any platform. If you lock the ability down to read the phones status, then you massively limit what end users can do with that aspect of the phone. Giving the user the choice is by far the best solution IMO. As you rightly point out - you don't have to let them have access at all.

It's not much different to PCs in this regard. Do you know what you're downloading and installing? Are you sure it's not reading your emails after it's been installed? How are you sure - anti-virus? Doesn't stop everything and certainly less likely to if it's been custom made with a low installed user base. Anything less than reviewing the source code and compiling it yourself (and even then, do you really trust the compiler?) and there is going to be that element of doubt.
I agree that it's much more of an issue on mobile platforms due to the nature of them, but it's important not to forget that many of us are not that paranoid on a PC platform and will happily install programs because we trust the developers. The same should be applied to mobile devices IMO - do you trust the developer? I think it's unlikely that the Dropbox team is going to have any malicious aspects in their program for example, but only you can choose that level of trust really.

As for the privacy issue....it's an interesting area, but ultimately I think it's fighting a losing battle. You don't need a Google account to use an Android device, but you'll miss out so much as a result I'm not sure how usable it would be. The Play store needs one for example. You could install another store (like Amazon), but do you trust them with your data? and we're not even talking about the actual apps from the stores either...

You could skip the store route all together and download them from wherever you choose by enabling the 'unknown sources' option, but you're still back to the big question: Do you trust the developers of whatever you're installing? There is no option of seeing other user reviews in most cases with this route either, so you won't know its quality until you have it installed.

[jim]

They actually don't have much of a choice. If you're playing a game for instance and the phone rings then what should the game do? Presumably you want it to do something sensible like pause and pass control to the phone application. If you didn't give it permission to know the phones state regarding calls, it would just carry on going in the background while the call was taking place. Not very user friendly

Quite, and I'm prepared to accept that - given what Saracen said in his initial post though, I suspect we would differ on that point.

I do however take issue over two things: firstly that sometimes I think the permissions are too wide-ranging. It's one thing to allow software to appreciate that I'm being called, but if in the same operation it's also permitted to find out the ID of the caller... they can be very wideranging at times. And secondly, as I mentioned (as standard) you can't pick and choose which permissions each piece of software has, so if your alarm clock suddenly decides it wants GPS access, you can't just disable that one feature.

That's where I get a bit frustrated - because these phones are effectively idiot-proof, it spoils your ability to customise the device (and to go incredibly off topic, this seems to be where W8 is headed). You rightly mention our habit of being less cautious on a PC, but then I can always firewall stuff on my PC. Without rooting an Android phone, you can't really effectively firewall it.

[Saracen]

There are apps that let you edit the permissions given to other apps. I use one to lock down whatsapp so that it works on a tablet.

Anything you feel comfortable to mention, by PM if necessary?

[Saracen]

Agent and snooty, I understand the perspective you've each outlined.

But as for the game/phone situation, Agent, as I mentioned earlier, a game might legitimately need to know the phone status, but not the caller's number, or to record the duration of the call.

And I guess in part, what I'm looking for is trustworthy apps, and hence reputable developers, for third-party alternatives to Google components which at least means Google are going to get far less of a dataset on me.

And, in part, I'm after something giving the equivalent in functionality to a good PC firewall, offering ME a level of granularity of control over what apps can do, just like I can block certain PC apps from having any net access.

Ultimately, though, it's clear to me, and was before I got a tablet, that the only way to protect some data is to never, EVER, put that data on it. If need-be, that'll limit the use of the tablet but it won't render it useless. So if I can't find any other way, that's what I'll do. But the notion of me voluntarily handing all my contact data, phone logs, emails, GPS data, and so forth, to Google, simply isn't going to happen, ever.

And if necessary, I'll just sell, or just scrap, the tablet. I'd rather not do that, but if I do, then I've nothing to lose by first rooting it, loading a custom rom and/or sideloading apps. If I end up bricking it, at least nothing lost. And at least then I can dump some of the junk Google and Samsung stuff this thing with.

[Flibb]

Anything you feel comfortable to mention, by PM if necessary?

Just hunted my Nexus 7 out, the one I use is called SRT appguard, and suprise suprise google removed it from the store. Info in German (tanslate works fine) and hopefuly a download
http://www.backes-srt.de/produkte/srt-appguard/
and a paper on appguard
http://www.infsec.cs.uni-saarland.de...id-monitor.pdf

[Saracen]

Will take a look at that.

Thanks, Flibb.

[Agent]

I do however take issue over two things: firstly that sometimes I think the permissions are too wide-ranging. It's one thing to allow software to appreciate that I'm being called, but if in the same operation it's also permitted to find out the ID of the caller... they can be very wideranging at times. And secondly, as I mentioned (as standard) you can't pick and choose which permissions each piece of software has, so if your alarm clock suddenly decides it wants GPS access, you can't just disable that one feature.

I suppose it's a balancing act really. Too much control and you'd end up with a list of permissions so long, no one that isn't a proud geek would understand. Too little and you'd have people complaining.
Is the balance at the moment right? Not really thought about it because I've always thought most of my apps were fairly sensible in their permission needs (perhaps that's a good sign?).

I think the issue with individual permissions on an app is that it causes hell for the developers. Currently if an app needs, say 3 permissions, and you allow it - all well and good. Now if you give the user the ability to pick and choose, there are 6 different possible selections that need to be tested. That is going to cause any developer a headache!

Perhaps it would be better if the apps could tell you why they needed certain permissions? An alarm clock might want GPS data so that it can auto set daylight savings depending on where it is - not an unreasonable request IMO, but it might not be obvious why when installing.

That's where I get a bit frustrated - because these phones are effectively idiot-proof, it spoils your ability to customise the device (and to go incredibly off topic, this seems to be where W8 is headed). You rightly mention our habit of being less cautious on a PC, but then I can always firewall stuff on my PC. Without rooting an Android phone, you can't really effectively firewall it.

Arguably the permissions information is a form of firewalling. Do you trust this app to have the ability to do X, Y and Z? Then carry on. The level of fine tuning like this on Windows would also need additional applications installed. After all, you're effectively talking about denying the app the ability to do what it's been coded to. It's a bit like trying to block Firefox from being able to use any mouse inputs.

I suppose you could build in the ability to toggle bits of the app on and off and request permissions for new aspects as needed, but Android doesn't currently support that. It would need a rewrite of the permissions system for the OS as I understand it.

Root in it's own right is another security feature too. It's something a lot of people forget. I have root on all my devices, so I'm certainly not going to preach it as being a bad thing, but giving an app root access allows it to access any part of your system. That's hardware, software, file-system, net, your dropbox docs....the lot.
As soon as you've done that, you're back to the same question: Do you really trust that firewall app? . What else is it doing behind the scenes?

I honestly don't think there will ever be a perfect balance of usability and security. You can make things extremely idiot proof, but in doing so you just make bigger idiots

[Agent]

But as for the game/phone situation, Agent, as I mentioned earlier, a game might legitimately need to know the phone status, but not the caller's number, or to record the duration of the call.

I agree, absolutely and totally 100%. But that kind of control just isn't there by default on any mobile OS I know of.

And I guess in part, what I'm looking for is trustworthy apps, and hence reputable developers, for third-party alternatives to Google components which at least means Google are going to get far less of a dataset on me.

And if necessary, I'll just sell, or just scrap, the tablet. I'd rather not do that, but if I do, then I've nothing to lose by first rooting it, loading a custom rom and/or sideloading apps. If I end up bricking it, at least nothing lost. And at least then I can dump some of the junk Google and Samsung stuff this thing with

If you don't mind going down that road - consider Cynogenmod if it is available on your device. It's basically a 'clean' build of Android for individual devices, tested and with a good community. The bit you'll probably like is that it comes with none of the default Google apps (also known as 'gapps'). They can't actually include them, as while Android is open source, the apps are not and are not under a redistributable licence.

This means you don't ever have to have those aspects from Google, if you don't want. Keep in mind this includes the Play store though, so you'll need to use another one like Amazon, or get the apks (think .exe installer for an app) from individual developer sites if you can.

Ultimately, though, it's clear to me, and was before I got a tablet, that the only way to protect some data is to never, EVER, put that data on it. If need-be, that'll limit the use of the tablet but it won't render it useless. So if I can't find any other way, that's what I'll do. But the notion of me voluntarily handing all my contact data, phone logs, emails, GPS data, and so forth, to Google, simply isn't going to happen, ever.

The same could be said for PCs though really. There will almost always be some app on your PC that is out of date, or even Windows itself, that could leak data. Heck, the US has had a few scares recently about backdoors at the actual silicon level!

I can understand the Google reluctance though If you do go down the custom ROM route though (ones that don't include gapps anyway), that should ease your mind a lot I'd think.

edit - http://www.itworld.com/mobile-wirele...without-google