Friday FOSS Week in Review
Google’s been everywhere in the news this week, so much so that I’ve considered calling this week’s column “Friday Google Week in Review.” It’s not all Google, however, but it is all interesting – at least to me.
8% of Android Apps Leak Data
On Tuesday, security site Dark Reading reported that Neil Daswani, CTO for security firm Dasient, has found that about 8% of Android apps leak user data. In a study that will be released in full at next month’s Black Hat conference in Las Vegas, Daswani found that 800 out of 10,000 applications tested were leaking personal data. Eleven of the apps were sending mobile spam, in the form of SMS messages, to other smartphones.
“‘Some of these applications, once started, were sending premium SMS messages,’ Daswani says. ‘The user ends up paying for those messages, and they can be pretty expensive. It’s sort of like the old 900 number scams, where if you called once, your phone would continue to incur the charges over and over again.’”
The study also found instances where Android apps attempted to take root control of a device, some then attempting to spread to other phones worm-style:
“‘Once you have root-level control, you pretty much own the phone,’ Daswani says. ‘This is a problem that carriers and device makers will have to take action on very soon.’”
In addition, the study proves that malware can be delivered to an Android device by means of drive-by downloads from legitimate applications.
Obviously this means that the folks at Google need to find a better way of vetting the apps offered for sale on the Android Market, as Zenobia opines on digitizor:
“This malware problem on Android has become too much. One of the main reasons that we see malicious apps in the market is because of the lack of regulation in the apps that get into the Android Market.
“Sure, the lack of regulation can be good. It means that developers can make their apps without worrying if Google will accept their apps or not. It fits into the pre-existing application distribution model where anyone can develop and publish their own apps.
“However, this comes at a price – the malware problem. Yes, most of the problems with these malicious apps can be avoided if only users read the permission requirements of the apps. But, what percentage of the users actually read the permission requirements of all the apps they download?”
Until Google gets a handle on this, I’d advise all Android users to be extremely careful about installing apps and to treat the handset as if it’s an insecure Windows device.
Webmaster Tools Glitch Allowed Removal of Sites from Google Database
In his first-ever post on his new blog site, James Breckenridge reported on Tuesday that he’d discovered an exploit in Google Webmaster Tools:
“Yesterday I was busy removing thousands of URLs from within Google’s Webmaster Tools, it was pretty time consuming as there were so many, there had to be an easier way? I settled on quickly making myself a Chrome extension that adds a link next to a result in a Google search, deep linked into webmaster tools. With that installed I was busy clicking away removing the URLs in record time.
“Then I made a little mistake and accidentally removed a URL of a website I have no relation to?!? I was stunned it could be that easy. Surely there was no way Google would actually remove the page, right?”
Wrong. He dug a little deeper and discovered he could indeed remove just about any page he wanted from Google’s index, and published the exploit using the News of the World website as an example. He didn’t actually remove the site, however, and he promptly notified Google, who quickly fixed the problem, but he did post a screenshot.
Exploits like this are bound to crop up from time to time, but this couldn’t be good for Google, who’s trying their damnedest to convince the corporate world that they should trust them to keep all of their data safe and secure in the cloud. Kudos to Mr. Breckenridge, however. Pretty impressive first blog post.
Screenshot from SharkCloud Demo
Last month I reported on Storm Bear Williams’ open source office apps project Shark Cloud, which can be used hosted on the SharkCloud servers à la Google Apps or downloaded for installation on the user’s own server. Since then, Williams has sent me a nifty screenshot from the proof of concept demo he’s been working on of a cloud-based spreadsheet. Although he cautions that this isn’t anywhere near the final product, just something to show potential investors, it still looks pretty good to me.
He says the search is still on for a CTO and anyone who can write code. If you’re interested, give him a shout at storm at sharkcloud.com. Oh, they also need money. Did I say that? Money. Paper grease. Investors. Angels.
Google vs. Oracle
If trouble with the app store wasn’t enough, Google’s under siege from a lot of directions regarding Android. First and foremost are Google’s difficulties with Oracle, who wants a gazillion dollars for Android’s alleged infringement of Java. Google, on the other hand, thinks the sum of zero would be more appropriate.
Yesterday, U.S. District Judge William Alsup basically told Oracle and Google that they’re both nuts. “You’re both asking for the moon and you should be more reasonable,” he said, according to Reuters. Last we heard, Oracle was claiming they’re owed anywhere between $2.6 and $6.1 billion, while Google has been standing by their estimate that they owe zippo.
Google may be willing to negotiate, however, as they’re suddenly remembering once talking to Sun about licensing Java for Android and recollect that Sun had offered a license for a mere $100 million. Anyway, it’s becoming pretty evident that Google’s probably going to pay something, but don’t look for it to be a deal breaker for Android. That’s another fight, one that involves Apple, Microsoft and HTC…
Speaking of which, Google’s chairman Eric Schmidt also this week kind of sort of stood by their good partner HTC in their Android patent battle with Apple. Stay tuned…
Stallman Says Be Wary of the Cloud
Finally, in an opinion piece for Spiegel Online, the free software guru Richard Stallman urged users to be careful with sensitive data online:
“…Facebook’s users do not pay, so they are not its clients. They are its merchandise, to be sold to other businesses. If the company is in the US, or is a subsidiary of a US company, the FBI can collect this data at whim without even a court order under an un-American US law, euphemistically named the ‘Patriot Act.’
“Services also offer to operate on the users’ data. In effect, this means that users do their computing on the servers, and the servers take complete control of that computing.
“There is a systematic marketing campaign to drive users to entrusting their computing and their data to companies they have absolutely no reason to trust. Its buzzword is ‘cloud computing,’ a term used for so many different computing structures that its only real meaning is: ‘Do it without thinking about what you’re doing.’”
Well, that does it for this week. See you on Monday. In the meantime, may the FOSS be with you!