Bad Wallpaper App

Let's recap: Late Wednesday night (or early Thursday morning), we reported on a story published at Mobile Beat that came out of the Black Hat security conference. At the conference, Kevin MaHaffey, CTO at mobile security firm Lookout, told of an app from developer "jackeey,wallpaper," which is basically a portal for downloading wallpapers for your Android phone. The story told the tale of "a questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, (and) has been downloaded millions of times."

We've been in contact with Lookout -- which reiterates that the apps, while suspect, aren't necessarily malicious. We also have a response from the developer in question. Updates from both, after the break.

Lookout's clarification

Early Thursday morning, we received an e-mail from MaHaffey regarding the "jackeey,wallpaper" apps. He clarified the following from the Mobile Beat piece, as well as our story:

"The wallpaper applications we analyzed proved to send several pieces of sensitive data to a server, including a device's phone number, subscriber identifier, and currently programmed voicemail number. The applications we analyzed did not access a device's SMS messages, browsing history, or voicemail password (unless a user manually programmed the voicemail number on the device to include the voicemail password)."

He also added "while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious."

Blog post explains the methodology

On Thursday afternoon, MaHaffey posted a lengthy explanation on Lookout's blog, detailing the code in question and reiterating that while it is suspect, "there is no evidence of malicious behavior." That's an important distinction to make.

So what's the big deal? Here's how MaHaffey explains things:

"There is code in the wallpaper applications that accesses sensitive data. It's important to note that not all applications that access sensitive data actually transmit it off of the device. In order to see what sort of information the wallpaper applications transmit to the internet, we analyzed the network traffic generated by the application. When we used the application, one request in particular stood out, an unencrypted HTTP request to a server named 'imnet.us.'"
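The distinction MaHaffey draws (code that can read a value versus traffic that actually carries it) is what a traffic capture settles. The script below is an added example, not Lookout's tooling and not the wallpaper app's code: it parses raw HTTP requests the way a proxy or tcpdump capture would present them and flags parameter values shaped like a phone number, an IMSI or IMEI, or a 64-bit device ID. The captured requests are constructed; the host name imnet.us is the one Lookout named, but the paths, parameter names and every value are assumptions, not recorded traffic.

```python
"""Inspect captured HTTP requests for device identifiers sent in the clear.

Added example; not Lookout's tooling and not the wallpaper app's code.
The capture below is constructed: the host imnet.us is the one named in
Lookout's write-up, but the paths, parameter names and values are
assumptions, not recorded traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed capture, one raw HTTP/1.x request per entry. Values are synthetic.
CAPTURED_REQUESTS = [
    "GET /wallpaper/list?w=480&h=800 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /favorites/sync?devid=35d1a7c2b9e6f041&phone=%2B15555550123"
    "&sub=310260123456789&vm=%2B15555550199 HTTP/1.1\r\n"
    "Host: imnet.us\r\nUser-Agent: Dalvik/1.2.0\r\n\r\n",
    "GET /cdn/img/42.jpg HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
]

# Shape-based rules, so a renamed parameter still triggers. A 15-digit string
# is an IMSI (MCC+MNC+MSIN) or an IMEI (14 digits plus check digit); the two
# cannot be told apart by shape alone. Order matters: the 15-digit rule runs
# before the looser phone-number rule.
RULES = [
    ("imsi-or-imei", re.compile(r"\d{15}")),
    ("phone-number", re.compile(r"\+\d{10,14}|\d{10,11}")),
    ("device-id", re.compile(r"[0-9a-f]{16}")),  # 64-bit ANDROID_ID as hex
]


def classify_value(value):
    """Return the identifier kind a parameter value looks like, or None."""
    for kind, pattern in RULES:
        if pattern.fullmatch(value):
            return kind
    return None


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, host, path, params)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # parse_qs percent-decodes, so %2B comes back as the leading '+'.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, headers.get("host", ""), parts.path, params


def find_identifier_leaks(requests):
    """Every (host, path, param, kind) where a value looks like an identifier.

    The capture is plaintext HTTP by construction, so each hit is readable by
    anyone on the path: the Wi-Fi network, the carrier, upstream networks.
    """
    hits = []
    for raw in requests:
        _method, host, path, params = parse_request(raw)
        for name, value in params.items():
            kind = classify_value(value)
            if kind:
                hits.append({"host": host, "path": path, "param": name, "kind": kind})
    return hits


def hosts_receiving_identifiers(requests):
    """Hosts that receive at least one identifier, with the kinds each gets."""
    summary = {}
    for hit in find_identifier_leaks(requests):
        summary.setdefault(hit["host"], set()).add(hit["kind"])
    return summary


if __name__ == "__main__":
    for host, kinds in hosts_receiving_identifiers(CAPTURED_REQUESTS).items():
        print(f"{host}: {', '.join(sorted(kinds))}")
```

Run against the constructed capture, only imnet.us comes up, receiving a device ID, a 15-digit subscriber identifier and two phone-shaped values (the line number and, as in Lookout's description, a voicemail number). The screen-size request and the image fetch are clean, which is the point: permissions tell you what an app may read, the wire tells you what it sends. The technique only sees plaintext; an app that used HTTPS would need an intercepting proxy with its CA trusted on the device before the same check could be applied.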

The developer responds

We've been in contact with the wallpaper applications' developer today and asked exactly what information the apps collect, and why any information would be sent to a server. (That the server is in China is likely irrelevant.)

You can read the entire response below, much of which is rendered moot by Lookout's previous clarification that text messages and browsing history indeed were not collected. As for what was collected, the developer told us the following:

I collected the screen size to return more suitable wallpaper for the phone. More and more users emailed me telling me that they love my wallpaper apps so much, because even "Background" isn't well suited to the phone's screen.
I also collected device id, phone number and subscriber id; it has no relationship with user data. There are few apps in the Android Market that have the favorites feature. Many users suggested that I should provide the feature, so I use these to identify the device, so they can favorite the wallpapers more conveniently, and resume their favorites after resetting the system or changing the phone.

So, that's where we stand. And this isn't necessarily a new thing for Android. Apps can have access to parts of your phone they don't necessarily need, but with no malice intended. (That's where these recent "X percent of Android apps can get at your personal data!!!" stories have come from.) It's just a matter of coding and intent, right? That said, you do need to pay attention to the warning you get every time you install an app. Our previous example rings true: If, say, a calculator said it needed to see my text messages, I'd worry. A lot. It's either a poorly coded app, or it's up to no good. Either way, I don't want it on my phone.
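The install-time warning is generated from the uses-permission entries in the app's AndroidManifest.xml, so the "calculator that wants my text messages" check can be made mechanical. The script below is an added example, not Google's tooling and not any real app's manifest: it compares the permissions a manifest declares against a baseline of what that kind of app plausibly needs and reports what each surplus permission lets code read. The manifests are constructed, the package names are made up, the category baselines are this example's own assumptions, and the permission-to-data mapping is for the Android 2.x platform of the time, where TelephonyManager's phone number, subscriber ID and voicemail number all sit behind READ_PHONE_STATE.

```python
"""Audit the permissions an Android app declares against what its kind of app needs.

Added example; not Google's tooling and not any app's real manifest. The
manifests are constructed, the package names are made up, and the per-category
baselines are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def make_manifest(package, permissions):
    """Build a minimal AndroidManifest.xml string (constructed test input)."""
    perms = "".join(
        f'    <uses-permission android:name="{p}"/>\n' for p in permissions
    )
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
        f"{perms}"
        f'    <application android:label="{package}"/>\n'
        "</manifest>\n"
    )


# What each permission lets code read on the Android 2.x platform of the time
# (getLine1Number / getSubscriberId / getVoiceMailNumber need READ_PHONE_STATE).
EXPOSES = {
    "android.permission.READ_PHONE_STATE": "phone number, IMSI, IMEI, voicemail number",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history and bookmarks",
}

# Permissions a given kind of app plausibly needs (assumed baselines).
BASELINES = {
    "wallpaper": {
        "android.permission.INTERNET",
        "android.permission.SET_WALLPAPER",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "calculator": set(),
}

# Constructed manifest: a wallpaper app that also asks for phone state.
SAMPLE_WALLPAPER_MANIFEST = make_manifest(
    "com.example.wallpapers",
    [
        "android.permission.INTERNET",
        "android.permission.READ_PHONE_STATE",
        "android.permission.SET_WALLPAPER",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    ],
)


def declared_permissions(manifest_xml):
    """Names of every <uses-permission> element in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))


def audit(manifest_xml, category):
    """Map each permission outside the category baseline to what it exposes."""
    extra = set(declared_permissions(manifest_xml)) - BASELINES[category]
    return {p: EXPOSES.get(p, "nothing mapped; review manually") for p in sorted(extra)}


if __name__ == "__main__":
    for perm, data in audit(SAMPLE_WALLPAPER_MANIFEST, "wallpaper").items():
        print(f"{perm}: can read {data}")
```

For the constructed wallpaper manifest the only finding is READ_PHONE_STATE, which is exactly the permission that covers the phone number, subscriber ID and voicemail number Lookout saw on the wire. For a real APK, `aapt dump permissions app.apk` prints the same uses-permission list; it is the data behind the install screen, and a surplus entry there is the cue to capture the app's traffic rather than trust the category.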

Is this all FUD? When a security company says we need to be wary, we're wary -- and the fact that a security company makes its money selling security software is not lost on us. But take your time and read MaHaffey's post again. And read the developer's response again below.

The moral of the story is mind what you download, read as much as you can, and keep on top of things. Lookout's MaHaffey says so as well, ending with "Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience."

Indeed.

Jackeey Response


Security firm details privacy concerns; developer tells us its side of the story

Reader comments (31)

The fact he uses the word "bullshit" in his email makes me think hes scum to start off. CEO's CFO's and other heads of company do not use those kinda words because its presents a bad persona of the company. Ya hes just a dev but still it puts him in a bad light trust me as a former cop I swear up a storm but if I'm trying to defend myself there would be no swearing.

The fact that him using the word bullshit when someone lies and accuses him of being a bad guy instead of being apologetic and kissing ass makes you think he's scum?

Yep, sounds like a cop to me.

Trust me, as a current citizen, people like you give cops a bad name. This guy has already had his name improperly dragged through the mud once, when he has proven all he was doing was trying to provide Android users with a useful app; now he has to deal with you calling him scum.

Here's a tip a former cop should have already known: honest people tend to get pissed off when they are accused of lying, but to you that is probably evidence that they are just trying to hide something.

And people like you give people in general a bad name. Telling someone they can't have an opinion. He didn't say the guy WAS scum, he said it made him think he was scum. Big difference between stating a fact and a belief.

Also, this guy's job is to make split decisions. To make quick judgement calls. The developer's response looks idiotic. Now, much of it has to do with the poor English, but I'm entitled to my opinion too.

Sorry you got a ticket or have problems with authority. Our social servants deserve better than they get. This guy hangs himself out on the line for people like me and you. Show a little respect.

Having a job doing things for people for money doesn't excuse you from being a decent person and not thinking everyone else is scum.

That developer, he was also serving the public, making nice apps for them. I have no problem with cops; I have a problem with cops who think their job is to make split-second decisions (unless there is life and death involved it is not a good idea to make split-second decisions; their job is to evaluate the evidence and enforce the law) and to assume everyone who doesn't kiss ass with simulated respect is automatically guilty.

There are a ton of great cops out there; they don't get as much press because they don't usually come on forums where someone is defending his good name and use their false sense of authority ("I'm a cop, so my opinion of people is more accurate") to then say their opinion of someone is that they are scum.

The cops and ex-cops I have known who are decent guys don't make a habit of dropping "I am/was a cop" into their conversations as if it makes their opinion worth more than the average citizen. They also don't make a habit of saying "not that I know this guy, or that he has done anything wrong, hell this article has just proven he has done nothing wrong, but still, sounds like scum to me". You're seriously defending this guy's obviously incorrect and dickish accusation just because he's a cop.

Talk about blind faith.

Just to be clear, I'm not bagging on the guy because he's a cop, I'm bagging on him because he assumes anyone who doesn't like being called a liar is scum, and then uses his position (ex-position) to somehow make his argument seem more authoritative, that the developer is scum because as an ex-cop, he is an authority on scum.

That's right up there with "because I'm mommy, that's why". So to be really clear, I have no problem with cops, I have a problem with http://en.wikipedia.org/wiki/Appeal_to_authority

Sorry guy, but I'm sure if I was in his position and was being accused of foul play when I was just simply creating what the people want, I'd be pissed as well.

"The fact he uses the word "bullshit" in his email makes me think hes scum to start off."
:: Well, you just used bullshit in your rant. You could have said "bad language" or something.

"CEO's CFO's and other heads of company do not use those kinda words"
:: CEOs, CFOs, COOs, et cetera, who are heads of companies do not spell as poorly as you, or use words like "kinda". Is that how you filled out all those police reports you wrote every day?

"Ya hes just a dev but still it puts him in a bad light"
:: Ok, now I get that you are actually a fifteen year old, so the "I'm a cop" reference makes sense. The cops I've met don't refer to themselves that way.

You're just a kid trying to be a little bitch to someone you don't even know, who got caught in some media nonsense. I hope I don't end up on 60 Minutes for the game I'm writing, because I want to keep your Top Ten scores on my server, for the same reason: user convenience and a possible international high score. I was thinking of grabbing the GPS coordinates of your phone when you get the score, but I see now how people could take that as an invasion, and little pricks like you would just chum up the waters with your crap.

Vote down police funding, everyone; they are completely out of control in the US, even though I can't believe this child was ever a cop.

OK, proper malware press release process:

1. Identify potential malware.
2. Introduce yourself to the author, explain your findings and ask for a rationale for the oddity.
3. If the response isn't suitable, call out the dogs.

Failing to do so makes you about equal to the popup ads that say I need to scan my computer now because Windows is infected (somehow Windows got installed on my Ubuntu system and got a virus without me knowing it...).

Not to mention that the guys from Lookout initially said that they were stealing our SMS messages, which is far worse than anything the wallpaper app is doing. Lookout just wanted to create a buzz so more people download their security app.

"The moral of the story is mind what you download, read as much as you can, and keep on top of things." No, the moral of the story is you don't regurgitate sensationalist HACKERS ARE ON YOUR PHONE OH GOD THE CHINESE ARE STEALING YOUR TEXT MESSAGES THIS COMPANY SAYS SO libelous nonsense.

Regardless of whether there was inappropriate use of personal data, aren't a lot of these wallpaper apps violating copyright and trademark laws (e.g. Harry Potter, National Geographic, use of the NASA logo)?

Ok, for real, if you're rooted and running a custom ROM then don't complain about anything. The developer that made the ROM could have been collecting info off your phone from first boot. About the SMS thing, who cares? What do you really text that's so important? What, do you swap social security numbers over text or something? No, so stop worrying. What, they got a dirty text you sent your wife or significant other? Wow, call 911. I don't really have anything on my phone that I feel is really too important. I don't store bank passwords or anything like that on my handset; that's just irresponsible. If you really want something to worry about, Google collects tons of data from your phone and I would bet your carrier does too. Worry about that and don't store sensitive info on your phone. You never know when you could lose it.

Well, I don't agree with him totally, but he makes some good points. If you have a custom ROM you are just trusting the ROM hacker not to screw you. I thought the same thing about all these iFools talking smack about this but then using their jailbreak store.

This is a perfect example of why bloggers aren't regarded as real journalists. Post first, research later. You guys got suckered by a self-interested security firm. Responsible journalism should outrank sensationalism, or you are just going to reinforce the stereotype that keeps you from being legitimate.

Man, I feel sorry for the dude, sort of, because of the bad image Android Central and Lookout have painted of him. He could possibly lose potential users for his app, even though I think the app is free, so most people would assume no biggie; it's not like he was making money in the first place. But just imagine a developer having been treated this way over a simple wallpaper app; there's no way he would want to develop anything else... idk, in the grand scheme you upset a lot of people by falsely accusing them with improper proof. Maybe a small shameless apology and maybe an app spotlight would be in order... won't bring back the lost customers, but it's better than nothing.

A "security firm" trying to make a name for itself by stirring up controversy. Just like Consumer Reports did to the iPhone 4.

I wonder if the guy can sue...

Ummmm, no. Consumer Reports doesn't need to make a name for itself, and anyone who has ever had rabbit ears in their house could tell you that you can lose signal by touching the antenna. I guess the fact that so many people don't understand the physics behind this is a sign of the times gone by. But trust..... touch an antenna and you alter your reception...... simple as that, troll.

Nope. Not a troll. The iPhone 4 antenna has issues. Just pointing out that what CR did was a publicity stunt.

You shouldn't be so insecure about the type of phone you use...

Personally I am very shocked that NO app added to the Android Market is tested by Google (who do take a cut and an exchange rate fee) before allowing them on the market in the first place. Realistically the Android Market is their store, and ultimately they should be testing all submitted apps before allowing them on the store in the first place. This would ultimately help protect their consumers and developers alike from this kind of hassle.

Yes they should do it similar to the way Apple does it and allow a flashlight to slip through with hidden tethering capabilities. Riiiiiight ....

Wow, I can't believe the idiocy that occurred in these comments. To the "former cop": I can see why you're not one anymore. Your IPC skills lack and you have an ancient cop mentality. FYI, I'm currently a police officer. For the guy dogging on the cop: you definitely have some animosity towards law enforcement, which is your prerogative, but come on, if you were just gonna blow up, keep it educated and relevant. And yes, I'm commenting on both, so I guess I'm just as guilty, but the comments are really disappointing in the image of an officer and a citizen. As far as the article, I'm skeptical of anything I didn't do myself. When it comes to security we all have to be proactive in our security and look out for each other, so when something suspicious comes up it spreads through the community and gets stopped. I'd rather have false alarms than no alarm at all.

Couldn't he just Google for the screen size?
And did everyone miss that he collected the phone number and subscriber ID of the phones? WTF does he need that data to make stupid wallpapers for?
What's BS is that this guy is collecting ANYTHING at all.

If you read his response in the Scribd box you can see that he took the phone number / subscriber ID to link what was downloaded so that it could easily be retrieved later (like on a different device or after a device has been wiped)

You do have a point about the screen size, though. Only thing I can think of is so maybe he can see what size is being used most frequently?

Just thought I'd share the message that I just sent in to Lookout's website:

"Wow...I hope you craft your software more carefully than you craft your accusations. It's really a shame...not only did you ruin a developer's reputation, but you also tarnished the rep of the entire Android platform. Two friends I work with who know I use an Android phone came up to me separately yesterday to talk about how there was an Android app that can send "all your personal information" to a server in China (nice touch, btw...nothing bumps up the FUD factor like mentioning China).

I guess the best part of this is that if this is the only thing you could come up with to try to sell your software, then Android is a pretty safe platform at this point. It's just too bad that most people who caught the initial FUD report won't ever see the debunking."

Umm, they didn't force him to collect personal information about people. My phone number and subscriber ID are not public information.
I should be able to choose whom I give that information to.
How do we know he isn't selling that information to telemarketing companies?
He knows what phone you use and how to contact you and who knows what else.

It's not Lookout's fault he did this.
I for one am glad they brought it to everyone's attention, not because I've downloaded his wallpapers, but because people need to be careful and not expect all apps to be safe.

They didn't force him to collect personal information about people, what they did do was blow the fact that the app did way out of proportion. You can totally choose who you give your information to by paying attention to what info each app has access to. We don't know that he isn't selling the info to a telemarketing company just like we don't know Google doesn't keep a record of every speech to text we enter into our phone.

All Lookout did was cry wolf when there wasn't really a need to, and now I won't be able to trust them even if there really is a wolf.

I disagree with the basis of this story; a LOT of applications get your IMEI over the air for ALL kinds of reasons. I do not consider my phone number or voicemail number a major breach of my personal information; in fact it is safer to provide a phone number than an IMEI (it can be cloned and used to commit crime).

I agree that ideally this developer should have told people that he was taking this information, but I agree with the previous poster.

Lookout has managed to raise over 15 million in investment money; they want to increase their visibility, and they should at the very least have talked to this programmer ahead of their press conference!

Google has removed this developer. I hope they are analyzing the whole thing, and hopefully they will let us know their findings...