Let's recap: Late Wednesday night (or early Thursday morning), we reported on a story published at Mobile Beat that came out of the Black Hat online security conference. At the conference, Kevin MaHaffey, CTO at mobile security firm Lookout, told of an app from developer "jackeey,wallpaper," which basically is a portal for downloading wallpapers for your Android phone. The story told the tale of "a questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, (and) has been downloaded millions of times."
We've been in contact with Lookout -- which reiterates that the apps, while suspect, aren't necessarily malicious. We also have a response from the developer in question. Updates from both, after the break.
Early Thursday morning, we received an e-mail from MaHaffey regarding the "jackeey,wallpaper" apps. He clarified the following from the Mobile Beat piece, as well as our story:
"The wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."
He also added "while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious."
Blog post explains the methodology
On Thursday afternoon, MaHaffey posted a lengthy explanation on Lookout's blog, detailing the code in question and reiterating that while it is suspect, "there is no evidence of malicious behavior." And that's an important distinction to make.
So what's the big deal? Here's how MaHaffey explains things:
"There is code in the wallpaper applications that accesses sensitive data. It’s important to note that not all applications that access sensitive data actually transmit it off of the device. In order to see what sort of information the wallpaper applications transmit to the internet, we analyzed the network traffic generated by the application. When we used the application, one request in particular stood out, an unencrypted HTTP request to a server named 'imnet.us.'"
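One way to carry out the check MaHaffey describes, as an added example that is neither Lookout's tooling nor code from the original post: parse a captured plaintext HTTP request and report which of the test handset's known identifiers (phone number, subscriber ID, voicemail number) appear in it. The identifier values and the captured request are constructed; only the hostname imnet.us comes from the post.

```python
# Added example (not Lookout's tooling): flag handset identifiers that leave
# the device in a plaintext HTTP request. All sample values are constructed.
from urllib.parse import urlsplit, parse_qs
# Identifiers read from the test handset before capturing traffic (constructed).
DEVICE_IDENTIFIERS = {
    "phone_number": "15555550123",
    "subscriber_id": "310260123456789",  # IMSI-style value
    "voicemail_number": "15555550199",
}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into host, path, merged parameters and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    # Form-encoded POST bodies carry parameters too; merge them with the query.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "host": headers.get("host", ""),
            "path": parts.path, "params": params, "body": body}

def leaked_identifiers(raw: str, identifiers=DEVICE_IDENTIFIERS) -> dict:
    """Map each known identifier found in the request to the parameter carrying it
    ('<body>' when it appears in a body that is not form-encoded)."""
    req = parse_request(raw)
    found = {}
    for name, value in identifiers.items():
        for param, values in req["params"].items():
            if value in values:
                found[name] = param
        if name not in found and value in req["body"]:
            found[name] = "<body>"
    return found

# Constructed capture: a wallpaper fetch carrying identifiers in the query string.
SAMPLE_REQUEST = (
    "GET /wallpaper?w=480&h=800&ph=15555550123&sid=310260123456789 HTTP/1.1\r\n"
    "Host: imnet.us\r\nUser-Agent: constructed-sample\r\n\r\n"
)

if __name__ == "__main__":
    for ident, param in leaked_identifiers(SAMPLE_REQUEST).items():
        print(f"{ident} sent in the clear as parameter {param!r}")
```

Run against real captures, the same check works for any plaintext request; anything that only appears inside TLS would need the traffic decrypted on the test device first.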
The developer responds
We've been in contact with the wallpaper applications' developer today and asked exactly what information the apps collect, and why any information would be sent to a server. (That the server is in China likely is irrelevant.)
You can read the entire response below, much of which is rendered moot by Lookout's previous clarification that text messages and browsing history were indeed not collected. As for what was collected, the developer told us the following:
I collected the screen size to return more suitable wallpaper for the phone. More and more users emailed me telling me that they love my wallpaper apps so much, because even “Background” can’t suit the phone’s screen well.
I also collected device id, phone number and subscriber id; it has no relationship with user data. There are few apps in the Android Market that have the favorites feature. Many users suggested that I should provide the feature, so I use these to identify the device, so they can favorite the wallpapers more conveniently, and resume their favorites after resetting the system or changing the phone.
So, that's where we stand. And this isn't necessarily a new thing for Android. Apps can have access to parts of your phone they don't necessarily need, but with no malice intended. (That's where these recent "X percent of Android apps can get at your personal data!!!" stories have come from.) It's just a matter of coding and intent, right? That said, you do need to pay attention to the warning you get every time you install an app. Our previous example rings true: If, say, a calculator said it needed to see my text messages, I'd worry. A lot. It's either a poorly coded app, or it's up to no good. Either way, I don't want it on my phone.
Is this all FUD? When a security company says we need to be wary, we're wary -- and the fact that a security company makes its money selling security software is not lost on us. But take your time and read MaHaffey's post again. And read the developer's response again below.
The moral of the story is mind what you download, read as much as you can, and keep on top of things. Lookout's MaHaffey says so as well, ending with "Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience."