Security firm details privacy concerns; developer tells us its side of the story
Let's recap: Late Wednesday night (or early Thursday morning), we reported on a story published at Mobile Beat that came out of the Black Hat online security conference. At the conference, Kevin MaHaffey, CTO at mobile security firm Lookout, told of an app from developer "jackeey,wallpaper," which basically is a portal for downloading wallpapers for your Android phone. The story told the tale of "a questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, (and) has been downloaded millions of times."
We've been in contact with Lookout -- which reiterates that the apps, while suspect, aren't necessarily malicious. We also have a response from the developer in question. Updates from both, after the break.
Lookout's clarification
Early Thursday morning, we received an e-mail from MaHaffey regarding the "jackeey,wallpaper" apps. He clarified the following from the Mobile Beat piece, as well as our story:
He also added "while the data the wallpaper apps are accessing are certainly suspicious coming from wallpaper apps, we're not saying that these applications are malicious."
Blog post explains the methodology
On Thursday afternoon, MaHaffey posted a lengthy explanation on Lookout's blog, detailing the code in question and reiterating that while it is suspect, "there is no evidence of malicious behavior." And that's an important distinction to make.
So what's the big deal? Here's how MaHaffey explains things:
The developer responds
We've been in contact with the wallpaper applications' developer today and asked exactly what information the apps collect, and why any information would be sent to a server. (That the server is in China likely is irrelevant.)
You can read the entire response below, much of which is rendered moot by Lookout's previous clarification that text messages and browsing history indeed were not collected. As for what was collected, the developer told us the following:
So, that's where we stand. And this isn't necessarily a new thing for Android. Apps can have access to parts of your phone they don't necessarily need, but with no malice intended. (That's where these recent "X percent of Android apps can get at your personal data!!!" stories have come from.) It's just a matter of coding and intent, right? That said, you do need to pay attention to the warning you get every time you install an app. Our previous example rings true: If, say, a calculator said it needed to see my text messages, I'd worry. A lot. It's either a poorly coded app, or it's up to no good. Either way, I don't want it on my phone.
Is this all FUD? When a security company says we need to be wary, we're wary -- and the fact that a security company makes its money selling security software is not lost on us. But take your time and read MaHaffey's post again. And read the developer's response again below.
The moral of the story is mind what you download, read as much as you can, and keep on top of things. Lookout's MaHaffey says so as well, ending with "Overall, our goal is to help users and developers alike across all mobile platforms to be responsible and vigilant in ensuring a safe mobile experience."
Indeed.
Jackeey Response