When a company writes a white paper they send out a press release to get as many news sites as possible to mention the report in their own stories. This strategy worked all too well on Tuesday when security firm SMobile Systems published a scary sounding report about Android apps. The story was picked up by many news outlets with sensational headlines like:
Even CNET (Note: ZDNet and CNET are both part of CBS interactive) got in on the action with an article by Elinor Mills originally called "Report: A fifth of Android apps expose private data". ZDNet compounded the error in its Tech Update Today newsletter which was emailed to subscribers with the subject line "Android privacy holes".
It turns out the only holes were in the report and in its coverage by the media.
SMobile Systems neglected to mention industry ties that rendered its report less credible. For example, their President and Vice President of Operations are former AT&T employees. AT&T is listed as a strategic partner of SMobile Systems on the company web site. (AT&T of course is the sole US carrier for Apple's iPhone, a competitor to Android). And SMobile itself sells security software to address perceived threats that its reports "expose".
How about the facts in the report? SMobile analyzed the permissions requested by 48,694 applications in the Android Market and noted that "one in every five applications request permissions to access private or sensitive information that an attacker could use for malicious purposes". For example, 4,203 apps requested permission to read the user's contact information.
So what, said alert readers in the comment section of the CNET article. This response was typical:
Of course some apps have access to sensitive information. If an app is meant to help organize contacts, for example, of course it has access to your contacts. This is true on any platform, and is obvious and unavoidable. The nice thing about he Android market is that, whenever you download an new app, it informs you of exactly what sensitive information it has access to, so one can make an informed decision. The fact that an app has access to information does not mean that it misuses it, as this article implies that 20% of all apps do.
A Google spokesman quickly refuted the claims made by SMobile Systems:
This report falsely suggests that Android users don't have control over which apps access their data. Not only must each Android app get users' permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious.
At first, Ms. Mills was defensive, writing this at 8:54 AM Wednesday:
I'm not saying anything; I'm merely reporting analysis that SMobile has done. Pick your bone with them.
But then at 10:11 AM she relented:
After looking into the matter more I must humbly apologize to my readers and acknowledge that the headline is misleading and the article failed to mention that users are granting permission to the apps to access data and do other activities when they download the apps. I will be updating it shortly. I appreciate the feedback.
The article was updated to "change misleading headline and add information throughout stating that users are granting permission to apps when they download them". See if you can pick up on the subtle difference in the headline:
Kudos to viligant readers for catching the mistake and insisting it be corrected, and to Ms. Mills for accepting responsibility. I wonder if the other outlets that jumped on the story will do the same. Sadly, there is no place for comments on the security vendor's site.