Forgot your password?
typodupeerror
Privacy Software Your Rights Online

ACLU's Mobile Privacy Developer Challenge 43

Posted by Soulskill
from the apps-that-delete-facebook-apps dept.
An anonymous reader writes "Privacy groups announced a mobile privacy developer challenge yesterday. The competition, Develop for Privacy, challenges mobile app developers to create tools that help ordinary mobile device users understand and protect their privacy. It's sponsored by the ACLU of Northern California, the ACLU of Washington, and the Tor Project, with the assistance of the Ontario Information and Privacy Commissioner's Office. Submission deadline is May 31, 2011. The winner will be announced in August 2011 at an event in Las Vegas, coinciding with the DEFCON and Black Hat security conferences."
This discussion has been archived. No new comments can be posted.

ACLU's Mobile Privacy Developer Challenge

Comments Filter:
  • by Anonymous Coward
    The Droid's permissions feature is a good step in this direction. Before you install a program, the program informs you exactly what kind of access it will have to your phone. For example, you know something is wrong if a chess application asks to see all of your contact information.
    • Re:Droid Does (Score:4, Insightful)

      by Z00L00K (682162) on Saturday February 05, 2011 @12:17PM (#35111622) Homepage

      True to some extent - but even if it does request something like internet access - what is it doing with my internet access? How much traffic will it generate? It may produce a humongous amount of traffic raising my phone bill to astronomical figures. This applies to everyone not on an unlimited agreement or as soon as international roaming occurs.

      The question is sometimes like "Hey I need a hammer" - no real reason why the hammer is needed.

      And if it wants to access your contacts - which part of the contact information is it going to access - and why. Maybe it's an app for chess and it allows you to do network chess with a friend.

      • by LibRT (1966204)
        I couldn't agree more with your post, Z00L00K - I have an Android tablet and when I install a game or some other application and it tells me it wants internet access, I'd love to know exactly why it needs that access. If it is only for occasional updates, I'd much rather the option to decline the internet permission and manually check for updates. I don't consider myself an unsophisticated user, but nearly every app I've wanted to install asks permission for something which on the face of it ought to be unn
        • by WorBlux (1751716)
          Has anybody else noticed that almost all of the problems of Andriod devices arise out of closed source, proprietary, and non-free applications? The first round of problem dealt with jails, secret hardware interfaces and modules that left people unable to update to newer kernels and thus newer android versions. The second round of problems deals with malicious code that you have no practical power to change or examine. If applications were open-source the few people who cared could remove all this crap an
      • Mod the parent up. The droid permission feature should render in plain text to the user, all data it wants to access on the device before it accesses it. And not a vague black box functional description of the data, but the actual data rendered in plain text.

        Hmm With who is the data actually share with is a large un answered permission question isn't it. Would you be just as happy to share your data with some ISP where the registrant was from Nigeria, or with a Chinese server farm or an Intellus Spokio dat

      • You make a very good point. I'd like to see a hybrid system that combines the sandboxes that are now ubiquitous and the permissions/ACLs for each app; with a curated system where software is tested and vetted by a security professionals that, using the ACL determine if the app is using those permissions in a reasonable way in real world use. Ideally, I'd like ratings of apps provided by multiple parties and I'd like to apply different weights to the input from different sources. I'd like the availability of

    • Google have made a nice short clear screen warning you of everything but no one pays attention to it and it's just yet another screen to click through to get the app you want. I suspect if you asked people what their apps were doing they wouldn't have a clue. Of course it's no longer Google's problem and it's the idiot user who opted to completely ignore the warnings.
      • by hedwards (940851)

        There's a reason for that. The screen isn't really that clear. Any app which has advertising is going to need to access the network. Whether it's sending back information or just downloading it isn't indicated on the screen. A app which includes the ability to place a call from within it is warned the same way whether you have to manually agree or not. Same goes for location data, they tell you that it's going to use it, but there's no way of knowing whether or not it's required for the app or advertising.

        • Actually, it's worse. Android maintains an arbitrary distinction between "coarse" location invariably meaning "network/tower-based", and "fine" location invariably meaning "GPS-based". The problem is, lots of Android phones have GPS that's basically dysfunctional indoors (*cough* entire Samsung Galaxy S family with official firmware), and network-based location doesn't work in places where you might have no 3G signal, but have wi-fi (like a foreign country with roaming disabled). In reality, Android's locat

          • by Tacvek (948259)

            Actually, it's worse. Android maintains an arbitrary distinction between "coarse" location invariably meaning "network/tower-based", and "fine" location invariably meaning "GPS-based". The problem is, lots of Android phones have GPS that's basically dysfunctional indoors (*cough* entire Samsung Galaxy S family with official firmware), and network-based location doesn't work in places where you might have no 3G signal, but have wi-fi (like a foreign country with roaming disabled).

            First to address that last point: I've never had a problem with wifi-only positioning, except for it being imprecise. However it may not work at all if there are no access points in range for which Google has location data.

            As for your general point:

            Honestly, there is a bit of an issue.

            For example while GPS works in my dwelling, it provides a position fix no more accurate (albeit more precise) than the coarse location, when I have both Wifi and Phone enabled.

            It turns out that due to the number of WiFi points

  • Not Gonna Work (Score:5, Insightful)

    by WrongSizeGlass (838941) on Saturday February 05, 2011 @11:50AM (#35111464)
    Unfortunately there are people involved in the ownership of these mobile devices (aka users). When users are involved security is always inconvenient, an obstacle or even a nuisance. People want security via magic, not actual implementation of secure and common sense practices.
    • There ought to be a list somewhere, perhaps a popup as soon as you turn-on your computer/phone, which lists those "common sense" practices. Otherwise people won't know.

      BTW I had a family member send a 5000 dollar check to Prince Nabubu in Nigeria, because he thought he'd won a lottery. People like that need a list to tell them, "No you do not send money to strangers."

      - "Prince Nabubu never Told you the Truth. *I* am your scammer." ;-)

      • Re: (Score:2, Funny)

        by Anonymous Coward

        Can you let me have an email address for your gullible family member? I had a similar experience and I'd love to share it with them. Thanks!

    • Re:Not Gonna Work (Score:5, Insightful)

      by 16384 (21672) on Saturday February 05, 2011 @12:28PM (#35111670)

      Unfortunately there are people involved in the ownership of these mobile devices [...]

      Unfortunately you don't really own a smartphone, even one that isn't tied down to a contract and paid big bucks to carry around. The phone doesn't obey to you instead obeys to the manufacturer, to google, to the app developers, etc. It keeps sipping information and reporting it back to headquarters, and it's blocked in such a way that bypassing that is not practical.

      I was surprised to find that android phones *require* a google account, or that a iPod Touch requires being connected with iTunes to start. A HTC Desire comes with lots of widgets running in the background that you can't turn off (and it's even worse on Android 2.2, Froyo) and the terms of service clearly states they may collect data on you (duh!). Many apps requires far more permissions than they should, so after a while you either give up and ignore the permission requests or don't use any of them.

      Mobile privacy? Is there such a thing?

      • Unfortunately you don't really own a smartphone, even one that isn't tied down to a contract and paid big bucks to carry around. The phone doesn't obey to you instead obeys to the manufacturer, to google, to the app developers, etc. It keeps sipping information and reporting it back to headquarters, and it's blocked in such a way that bypassing that is not practical.

        Is this true, especially with unlocked phones? Do any others among you fellow Slashdotters agree with this? I don't feel that way with my N90

        • by 16384 (21672)

          Android OS is linux, so a root-friendly Android phone could be an option. I don't know if you can bypass the google account requirement, but if you install a firewall on the (rooted) phone you can control what gets network access or not. I particularly dislike the fact that google wants to sync all your contacts and get all your phone numbers, etc. For me that is going too far.

          Most Android apps will require full net access, mostly to show you ads, but some want to know your location as well, and it's a all

      • I believe the iPod Touch requires the client app of iTunes to sync, backup, and update the device, but it does not require an Apple ID or connection to the iTunes online store. You won't be able to buy music or apps without that, but if you're ok with that, I believe you can use the iPod Touch without sending any personal info to Apple.

        • by tlhIngan (30335)

          I believe the iPod Touch requires the client app of iTunes to sync, backup, and update the device, but it does not require an Apple ID or connection to the iTunes online store. You won't be able to buy music or apps without that, but if you're ok with that, I believe you can use the iPod Touch without sending any personal info to Apple.

          You have to associate the iPod Touch with an iTunes account, actually. But there's nothing to say you can't create a fake account with fake information. And you can buy apps

    • The Clu Application wants access to all your other programs. Pay no attention to the Align To Grid feature enabled automatically.

    • by grumbel (592662)

      That is basically nothing more then a popular myth set into the world by people to lazy to implement proper security measures, as proper security measures is what makes things easy to use, not hard. Good security measures add transparency and accountability and gives the user control, instead of handling things like a magic black box where everything can happen with no way to know what and how.

      That of course doesn't mean that user education isn't necessary, some things can't be fixed by software/hardware, s

      • > proper security measures is what makes things easy to use, not hard.

        Amen. My job involves application security, and the biggest single problem I see is that most developers have no real understanding of what they're trying to defend against or why, and when told they have to make an application "more secure", their usual reaction is to make it as awkward and user-unfriendly as they can on the theory that it somehow makes the application more secure. Most of the time, their misguided efforts end up maki

        • by PCM2 (4486)

          Please try again. If you believe your account might have been locked out, please call 888-999-2222 for assistance.

          Of course, then you open the system to social engineering, even by strangers who don't have access to the company phone book -- and as we've seen time and again, humans are often a lot easier to hack than machines.

          • You're assuming that there's actually a company phone book that a legitimate user would have ready access to. Quick... where's YOUR company phone book? Does it even exist in printed form, or (like most companies), is it all "online" now? Chicken, meet egg. Kafka's sitting on the bench over there, simultaneously groaning and laughing. And if it DOES exist in printed form, what's the likelihood that a remote employee at a hotel (or family member's house) with his laptop actually has a copy with him right then

    • by Microlith (54737)

      These devices usually have pretty good security policies. The problem comes from the fact they're almost universally applied against the user, and not for the user. IE it's not "how do we keep the system safe from outside snoopers, or rogue applications," it is "how do we keep the user out of the sensitive segments, but ensure the software they run can snoop necessary information."

  • by SuperBanana (662181) on Saturday February 05, 2011 @12:50PM (#35111824)
    Here's a suggestion for anyone that's listening: Android tells you what access an application wants, and aside from minor problems like there being obscure reasons for why the program needs access to "make calls" (often this just means the program wants to be able to tell if you're *in* a phone call or not and behave appropriately), this is reasonably handy.

    However, my main objection: you don't get to see this information in the marketplace, so you can't make a purchase decision based on it...and worse, you can't *control* what access a program gets. For example, a lot of programs request "coarse" location information, which is enough to tell where you are within a few blocks. I don't want my backgammon program to know my location, and I wish I had the ability to tell the Android OS "no, that's not OK".

    It's an all-or-nothing approach that leaves me often feeling like my arm is twisted into accepting the app, often because there are no alternatives for the functionality I want...

  • It's not easy to spurn an interest in security in people that are apathetic to the matter. Why not let them get viruses, and then learn how much of a pain in the butt it is to get rid of them? Wouldn't that provide some future-incentive?
    • by WorBlux (1751716)
      Because even then, they won't notice. They'll just blame the OS or the hardware, and wonder why someone keeps buying a flat screen TV with their credit card every week. Nobody should trust a mobile device with financial information, especially if you routinely download and run programs from random, unproven developers.
  • Where are the interactive firewall apps?

Some people carve careers, others chisel them.

Working...