Recently, CNET reported on a study that was done by security-firm SMobile Systems involving Android apps, purporting that a full 20% of Android apps have access to personal information. According to the article, “…dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location, said Dan Hoffman, chief technology officer at SMobile Systems.”

Now before we start going into full-on panic mode, let’s think about this. The way that security-firm SMobile Systems went about their study was by looking at the permissions that the apps in question used. There’s a definite problem with this method. As an example, let’s take one of the apps in the app store and look at its permissions. For our purposes, we’re going to use Google’s own Voice app. Google Voice is a phone/SMS app that uses Google’s own services to make and receive calls and text messages, as well as giving access to visual voicemail that offers several caveats (such as voice-to-text transcriptions) that other visual voicemail setups don’t.

Google Voice has access to the following information:

Your personal information Services that cost you money Your messages Network communication Your accounts P hone calls Hardware controls and finally System tools.

According to the criteria that SMobile Systems used, Google Voice would be considered malware. Now let’s take a quick look at why that information is needed:

Your personal information- Google Voice has the ability to read and write contact data. Well…yeah. It needs that functionality in order to properly function as a phone replacement app. There’s no sense in having to go to a completely separate app in order to add, edit, or remove contacts.

Google Voice has the ability to read and write contact data. Well…yeah. It needs that functionality in order to properly function as a phone replacement app. There’s no sense in having to go to a completely separate app in order to add, edit, or remove contacts. Services that cost you money, your messages, phone calls- Google Voice has the ability to directly call phone numbers and send SMS messages. Isn’t that sort of the point? I don’t think I need to address this one.

Google Voice has the ability to directly call phone numbers and send SMS messages. Isn’t that sort of the point? I don’t think I need to address this one. Network communication- Google Voice has full Internet access. Voice uses the Internet to function.

Google Voice has full Internet access. Voice uses the Internet to function. Your accounts- Google Voice has access to your Google Voice account, can manage the accounts list, and use authentication credentials of said account. It would be rather difficult for the Google Voice app to function without access to your Google Voice account, no?

Google Voice has access to your Google Voice account, can manage the accounts list, and use authentication credentials of said account. It would be rather difficult for the Google Voice app to function without access to your Google Voice account, no? Hardware controls- Change your audio settings. There are loud people that you definitely don’t want yelling in your ear. For this purpose, there’s the volume buttons.

Change your audio settings. There are loud people that you definitely don’t want yelling in your ear. For this purpose, there’s the volume buttons. System tools- Prevents phone from sleeping. Depending on how your phone is setup (especially if you’re using wifi), the phone going into sleep would completely interrupt your internet connection, thus terminating the call with your rich uncle that was offering you a boatload of money. On a completely unrelated note, can you introduce me to your uncle?

So, as we can see, yes, Google Voice has the “type of access to sensitive information as known spyware does” but it uses this information to function properly. I don’t think that we could really classify it as “spyware,” could we? Now are there some spyware application in the Market. Absolutely, as with any other app store, no matter how close walled. The best thing to do is to report these apps if they’re encountered, instead of just uninstalling them and saying nothing.

The Android Market is a diverse shop that allows the user the choice to supplement or replace their existing stock applications with something that may work better for them. True flexibility. For this, the slight chance of running into a malicious or buggy program could be considered worth it for many people.

[via cnet]