Discussion on:

Does your flashlight app know where you are? Probing Android permissions

"If I???m not mistaken, relying on the ???wisdom of crowds??? is a big shift in academia."
Academia already subscribes to this, just look at Wikipedia.

I do not quite understand what you mean. I do find the subject fascinating, so your help would be appreciated.

The professors mentioned in their paper that this was the first case of using crowd-sourcing for studying privacy.

...and one day it wished to update itself. Curious as to why such a simple app would need an update, I did a bit of research. My proxy server wouldn't even allow me to download it, having found something objectionable in the code. If you google it, you'll find several discussions as to what it tries to do, including browser hijacking. Needless to say, I immediately deleted that one.

I always tell my clients what the author says above: There's no such thing as "free". If the app isn't costing you anything to download and install, you have to assume that somebody somewhere is getting something in exchange.

The "App Scanner" is a brilliant idea and I look forward to seeing it launched. The biggest problem though (which is often the biggest problem in IT) is educating the users. The Android interface doesn't allow you to install these app's blindly. You get given a list of what the App is going to do and common sense should tell you that a flash light app doesnt need to have access to your location or address book.

Of course though the majority of the users haven't been told about this and are so used to the whole "just hit next and install already" attitude they never even think about looking at the small print. Hopefully the likes of articles like this and the "App Scanner" will help raise awareness and get people to think about what they are letting App's have access to.

It is scary though how some very popular app's collect massive amounts of data on you and nobody seems to care. A game called Tiny Towers for example recently did a stealth update outside of the marketplace without giving the user any option which completely blocked the game from running until you updated to the new version in the market place. The new version wanted access to GPS, Address book and SMS send&receive (as well as all the standard network access, etc you normally get on ad supported games). The scary part is the amount of people that seemed to update to this new version without even questioning it.

LBE Privacy Guard (https://play.google.com/store/apps/details?id=com.lbe.security.lite) is great for this situation. The program can set permissions for apps at a granular level. If you do not want an app to access GPS or the mobile network it can be turned off. I believe it is only for rooted phones and it is not for the novice either.

2 permissions one for the light and the other to take photos? What would it need access to my camera for at all ever ? Uninstalled!!. I agree no app is truly free someone somewhere is getting something. I wonder what, where and when all the photos are being taken with this app and where they are being stored.

That's a new one on me. I'm not sure why a flashlight needs permission to access the camera

I read a developer's comments of one of those apps, and they explained that the permission was needed for accessing the flash of the camera or even to check if the camera has a flash. I could believe that Android permissions are not fine grained enough to say "I need access to only the flash of the camera".
Now, the GPS thing is different, but maybe it adds a "Batman" symbol if you happen to be in Batman jurisdiction. I don't really care if they want GPS for a free app. The one I try to avoid is phone contacts because it is no longer just affecting my privacy but the people I have contact with. I would not want to subject someone else to unsolicited sms or phone calls because of a free app.

I would love to learn your thoughts as to why it doesn't bother you that a flashlight app is sending your physical location to their servers. Particularly, when they can put together a pattern of your behavior.

I don't mind advertisers knowing what I like. I used to fill out the paper questionnaires in product literature of a new product if it had free postage. Now those are online when you register a product. I often answer feedback requests on websites that often want to know what I'm doing on the site and all that. I dont mind telling them I buy a lot of SciFi books and eat a lot of peanuts and chocolate.
I guess I still have hopes that one day targeted advertising will actually work and I will no longer have to see another bra or feminine hygiene product ad ever again. Show me an ad about the next big SciFi hit instead. And heck, if someone wants to buy me a motorcycle, I'll give them my life's history (boring as it may be), a psychological profile, and a strand of DNA. Um, let me clarify that, a REAL motorcycle.

I was more concerned about GPS location than targeted advertising. That is another subject that I have written about extensively.

How else will they know where to bring the motorcycle?

You plain lost me on that one.

...for his efforts to feed the marketers' hunger for data.
So, obviously, they do need to know where he is

I was responding to the ???pattern of your behavior??? bit. I think the advertisers associated with the apps think of GPS coordinates as just another piece of targeted advertising. If I live in Maine, they may want to sell me snowshoes, but if I live in Hawaii, that would be a tough sell. Of course, the advertisers would like to get even more fine grained and let me know "Hey, you're just around the corner from pizza!", and that's fine with me. My biggest problem with GPS on cell phones right now is that it drains my battery too fast so that I have to leave it off most of the time.
If cell phones were a government device, I wouldn???t be using one. I would not want to see ???1984??? in the real world.

And all I have is my phone, I just turn on the camcorder and the light from that without actually recording anything. Works just about as fast as any app would I imagine having to turn on the app then activate the flashlight. Pretty much the same steps. Turn on the camcorder and then its light. Voila no app needed at all and its already built in.

This also works well if you need to read a wallplate for a network drop but its behind a desk or some other place you cant easily see but can reach. In that case then you actually record it then playback the video to see the wallplate info.

Are you referring to the video feature of the Android camera app or a different app? I tried with the Android one and the light did not turn on. I was hoping it would as that is a great idea.

Video feature of the phone itself. I have a Motorola Atrix. I have used the built in video tricks several times now. Sometimes I will just take a pic too if I cant see the port too easily or even if I can so I wont forget the port number when back in the server room.

I learned the picture trick myself. I used to carry a small dentist mirror. Not any more, as you I just take a picture. And, I always take a picture of my parking spot. I've been known to forget where I park.

I just activate the display.
In actual darkness, the glare of the screen is enough to scrape by by (or to avoid the scraping, preferably).

Then, I broke down and bought a flashlite app and big difference. My eyes need more light than the screen can provide.

But if the auto brightness feature is turned on then in a darker environment then it might not light up as bright as needed.

Was the app author contacted and asked why the extra info was needed?

I will ask the professors.

Would it be feasible for an OS like android to install and run the app, without giving it the permissions it asks for?
With PCs we can do that, we can terminate a service run by a program for instance. If the service isn't crucial to the program functioning, then the program keeps running, and we can even disable the service or make it so that it starts only after we OK it.
With an outgoing firewall, we can do the same with programs that wish to phone home. We can say No to that.
Far as I gather, mobile apps are different: Either we take it (all) or we leave it. No crippling the spyware but keeping the functionality.

I'm researching an app right now that may just be the answer. Hopefully, I will have an article ready in short order.

This is exactly what I was thinking. I thought the whole point of Linux/Android/Open Source was to be more secure, but here this is obviously being broken by the service vendor.
Shouldn't there be an area in the programs menu that let's you check off the various phone components that the OWNER wants them to have access to? Sure the app may not work if it can't get to something it insists (whether in truth or not) it needs to work, but then I can just as easily remove an app that has shown it has alterior motives that I don't approve.

Seems to me that should be simple to do...

I would rather be able to control what permissions an app had. Don't think it needs access to GPS? Revoke that permission for that app.

The flashlight app has to be able to use your GPS. How else will it know where on earth to shine the light;-)

The GPS permission is needed because of the ads. A lot of ad networks provide targeted advertising by GPS location. The 'Read phone state' permission is also needed by some networks. It enables developers to access a unique identifier of the phone which helps tracking.

As a side note there are two permissions to access location data: access coarse loacation and fine location. The frist one uses wifi and Cell tower data, the latter one uses the GPS.

My flashlight app recently asked for new permissions (phone identity). I also wondered why a flashlight app would need full network access and read the identity of the phone. Is this not crazy?

So I uninstalled it and looked for alternative apps. I found Search Light. This one needs only the permission to operate the flash. Proof that all the rest is useless.
https://play.google.com/store/apps/details?id=com.scottmain.android.searchlight

I found a new flashlight application which, does not ask for the useless permissions and values your phone privacy.

https://play.google.com/store/apps/details?id=ganesha.quicols.app.flashlight.free

Pls check it out.

I am looking at the Permissions for the Flashlight App referred to;
https://play.google.com/store/apps/details?id=ganesha.quicols.app.flashlight.free
I doesn't control GPS but it does have control of Camera & Network functions.
Why????
I would rather pay a little for an app and have it only has access to what it needs to.
An app should have to ask permission before accessing any info or function not specifically required
for it to operate. Or at the vary least, notify the user everytime it does. I believe that there would be a lot of people
deleting apps if this were to be implemented.
HW