Tag Archives: Cloud clients

The Phantom Threats We Face

This is a copy of my weekly Loose Wire Service column.

By Jeremy Wagstaff

We fear what we don’t know, even if it’s a guy in Shenzhen trying to make an honest living developing software that changes the background color of your mobile phone display.

Here’s what happened. I’ll save the lessons for the end of this piece.

A guy who prefers to go by the name Jackeey found a niche for himself developing programs—usually called apps—for the Android cellphone operating system.

They were wallpaper applications—basically changing the background to the display.

That was until an online news site, VentureBeat, reported on July 28 that a security company, Lookout, had told a conference of security geeks that some downloadable applications for phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification, voicemail phone number password” and send all this data to a website owned by someone in Shenzhen, China.

Yikes! Someone in China is listening to our conversations! Figuring out what we’re doing on our phone! Sending all this info to Shenzhen! Sound the alarum!

Word did indeed spread quickly. About 800 outlets covered the story, including mainstream publications like the Daily Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. Firstly, VentureBeat had the story wrong: The applications in question only transmitted a portion of this data. No browsing history was transmitted, no text messages, no voicemail password.

VentureBeat corrected the story—sort of; the incorrect bits are crossed out, but there’s no big CORRECTION message across the top of the story—but the damage was done. Google suspended Jackeey’s apps. Everyone considered Jackeey evil and confirmed suspicions that a) Android was flakey on security and b) stuff from China was dodgy.

All kind of sad. Especially when you find that actually Jackeey himself is not exactly unreachable. A few keyword searches and his email address appears and, voila! he’s around to answer your questions. Very keen to, in fact, given the blogosphere has just ruined his life.

Here’s what he told me: He needed the user’s phone number and subscriber ID because people complained that when they change their phone they lose all their settings.

That’s it. That’s the only stuff that’s saved.

Needless to say he is somewhat miffed that no one tried to contact him before making the report public; nor had most of the bloggers and journalists who dissed his applications.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer has posted some screenshots of his app’s download page which show that they do not request permission to access text message content or browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters.

The story sort of ends happily. After investigating them Google has reinstated the apps to their app store and will issue a statement sometime soon. It told Jackeey in an email that “Our investigation has concluded that there’s no obvious malicious code in your apps, though the implementation accesses data that it doesn’t need to.”

VentureBeat hasn’t written an apology but they have acknowledged that: “The controversy grew in part because we incorrectly reported in our initial post that the app also sent your text messages and browser history to the website.”

For his part Jackeey is redesigning his apps to take into account Google’s suggestions. He points out that to do so will require him to have users set up an account and enter a password, which some users may be reluctant to do. And the Google suggestion is not entirely secure either.

Obviously this is all very unsatisfactory, in several ways.

Firstly, the journalism was a tad sloppy. No attempt was made to contact the developer of the app for comment before publishing—how would you feel if it was your livelihood on the line?—and the correction was no real correction at all.

Secondly, the internet doesn’t have a way to propagate corrections, so all the other websites that happily picked up the story didn’t update theirs to reflect the correction.

Thirdly, Google maybe should have contacted Jackeey before suspending the apps. It would have been kinder, and, given they’ve not found anything suspicious, the right thing to do.

Fourthly, us. We don’t come out of this well. We are somehow more ready to believe a story that includes a) security issues (which we don’t understand well) and b) China, where we’re perhaps used to hearing stories that fit a certain formula. Suspicious?

And lastly, perhaps we should look a little harder at the source of these reports. We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

So spare a thought for Jackeey. If you do a keyword search for him, the first hit is the story “’Suspicious’ Android wallpaper app nabs user data”, and links to 863 related articles. Below—a week after the hoo-ha, and after Google has sort of put things right–are headlines like: “Jackeey Wallpaper for Android steals your personal info”, “Your Rotten App, Jackeey Wallpaper” and “Jackeey steeling [sic] info on Android devices”.

In other words, anyone who checks out Jackeey’s wares on Google will find they don’t, well, check out.

I got back in touch with Jackeey to see how he’s holding up, a week after the storm broke. “I’m in some pain,” he says, “because mass negative press said that I steal users’ text messages, contacts and even passwords.” People have removed his applications from their phone, and people have been blasting him by email and instant messaging, calling him “thief”, “evil person” and other epithets.

“I am afraid that it will destroy my reputation and affect my livelihood forever,” he says.

I’m not surprised. We depend on folk like Jackeey to make apps for our phones, so we should treat him a little better.

Phantom Mobile Threats

How secure is your mobile phone?

This is an old bugaboo that folks who sell antivirus software have tried to get us scared about. But the truth is that for the past decade there’s really not much to lose sleep over.

That hasn’t stopped people getting freaked out about it.

A security conference heard that some downloadable applications for phones running the Android operating system would “collect a user’s browsing history, their text messages, the phone’s SIM card number and subscriber identification” and send all this data to a website owned by someone in Shenzhen, China. Some outlets reported that it also transmitted the user’s passwords to their voicemail.

About 700 outlets covered the story, including mainstream publications like the Telegraph and Fortune magazine: “Is your smart phone spying on you?” asked one TV station’s website.

Scary stuff.

Only it isn’t true. It’s not clear who misreported all this—the journalists and others covering the event, or the company releasing the fruits of their research, but it gradually emerged that the applications—downloadable wallpapers—only transmitted a portion of this data. (See a corrected version of a story here.)

Indeed, the whole thing got less suspicious the more you dig.

This is what the developer told me in a text interview earlier today: “The app [recorded] the phone number [because] Some people complained that when they change the[ir] phone, they will lose the[ir] favorite [settings]. So I [store] the phone number and subscriber ID to try to make sure that when [they] changed the phone, they have the same favorites.”

Needless to say the developer, based in Shenzhen, is somewhat miffed that no one tried to contact him before making the report public; nor had any of the 700 or so outlets that wrote about his applications tried to contact him before writing their stories.

“I am just an Android developer,” he said. “I love wallpapers and I use different wallpaper every day. All I want is to make the greatest Android apps.”

Now of course he could be lying through his teeth, but I see no evidence in the Lookout report or anything that has appeared subsequently that seems to suggest the developer has done anything underhand. (The developer shared with me some screenshots of his app’s download page which show that they do not request permission to access text message content or browsing history.)

In fact, he seemed to be doing a pretty good job: His apps had been downloaded several million times. He declined to give his name, but acknowledged that he was behind both apps provided under the name Jackeey, and under the name iceskysl@1sters!

Not much longer. One website quoted Lookout as saying “We’ve been working with Google to investigate these apps and they’re on top of it.” They have: Google has now removed the apps from their site. So I guess Jackeey, as he asked me to call him, is going to have to look for other ways to spend his time. (He told me that Lookout had contacted him by email but not, apparently, before going public.) 

Seems a shame. Obviously, there is a mobile threat out there, but I’m not sure this is the way to go about addressing it. And I don’t think a guy in Shenzhen doing wallpaper apps is, frankly, worth so much hysterical column ink.

Let’s keep some perspective, guys, and not embark on a witch-hunt without some forethought.

Lookout has since been backtracking a bit from its original dramatic findings. “While this sort of data collection from a wallpaper application is certainly suspicious,” it says on its blog, “there’s no evidence of malicious behavior.”

Suspicious? We seem very quick to attribute suspicious behavior to someone we don’t know much about, in some scary far-off place, but less to those we do closer to home: Lookout’s main business, after all, is prominently displayed on their homepage: an application to, in its words, “protect yourself from mobile viruses and malware. Stop hackers in their tracks.”

Conflict of interest, anyone?

Why Google Needs China?

Playing with the AdMob data on iPhone and Android devices (which is a bit old now): the U.S., a much bigger iPhone/Android market than the rest of the world, reflects the worldwide distribution of iPhone vs Android devices (the blue is iPhone):

image

The pattern seems to be mirrored elsewhere, but not evenly. In Australia, particularly, there seems little room for Android right now. Look at China, though: Almost as many Android devices as there are iPhones:

image

Ironic, really, that Google is so dependent on China to make headway with its phone OS. The third tier of countries follow a similar distribution:

image

The Shape of Things to Come

This is from my weekly newspaper column, hence the lack of links.

By Jeremy Wagstaff

We’re all touch typists now.

Of course, the definition of touch type has had to change a little, since most of us don’t actually learn touch typing as we’re supposed to. Watch people tapping away at a keyboard and you’ll see all sorts of cobbled-together methods that would make the office secretary of yesteryear blanch.

But for now keyboards are going to be with us for a while as the main way to get our thoughts into a computer, so some sort of touch typing is necessary.

But the mobile phone is different. After ten years most of us have gotten used to entering text using the predictive, or T9, method, where the phone figures out you’re trying to say “hello” rather than “gekko” when you tap the 4,3,5,5,6 keys.

Texting has gotten faster—Portugal’s Pedro Matias, 27, set a new world record in January by typing a 264-character text in less than 2 minutes, shaving 23 seconds off the previous record—but that’s still slower than your average touch typist, who manages 120 words (say, 480 characters) in the same amount of time.

BlackBerry users have their QWERTY keyboards, each key the size of a pixie’s fingernail, and while some people seem to be quite happy with these things, I’m not.

And the iPhone has given us, or given back to us, the idea of little virtual keyboards on our screen. I’ll be honest: I’m not a big fan of these either.

The arrival of the Android phone hasn’t really helped matters: The keyboard is usually virtual (some of the earlier phones had physical keyboards, but most have dropped them in favor of onscreen ones) and I really didn’t enjoy typing on them.

To the point that my wife complained that she could tell when I was using the Android phone over my trusty old Nokia because she didn’t feel I was “so reachable.” By which she means my monosyllabic answers weren’t as reassuring as my long rambling Nokia, predictive text ones.

But that has changed with the arrival of software called ShapeWriter. ShapeWriter is software that provides the same virtual keyboard, but lets you swipe your words on it by dragging your fingers over the keys to, well, form a shape.

Typing “hello,” for example, is done by starting your finger on “h”, dragging it northwest to “e”, then to the far east of “l”, lingering there a second, then north a notch to “o.” No lifting of the finger off the keyboard. Your finger instead leaves a red slug-like trail on the keyboard, and, in theory, when you lift your finger off the keys that trail will be converted to the word “Hello.”

And, surprise, surprise, it actually works. Well, unless you’re demonstrating it to a skeptical spouse, in which case instead of “hello” it types “gremio” or “hemp.”

Now this isn’t the first time I’ve used ShapeWriter. It has been around a while—it was first developed by IBM Labs in the early 2000s. It’s gone through quite a few changes in the meantime, not least in the theory behind it.

But the main bit of thinking is the same as that with predictive text (and speech recognition): what is called the redundancy of language. Taking, for example, the whole body of emails written by Enron employees, the most frequent email sender wrote nearly 9,000 emails in two years, totalling about 400,000 words.

That’s a lot of words. But in fact the number of actual words was about 2.5% of that: That email sender only used 10,858 unique words.

Now of course, Enron employees might not be representative of the wider population, but researchers have to work with data, and the Enron case threw up lots of data. The Enron Email Dataset is a 400 megabyte file of about 500,000 emails from about 150 users, mostly senior management of Enron. Making it a goldmine for researchers of language, machine learning and the like.

Learning from the words used—though presumably not their morals—researchers are able to figure out what words we use and what we don’t. Thus, ShapeWriter, and T9, and speech recognition, are able to tune out all the white noise by only having to worry about a small subset of words a user is typing, or saying. Most words we either don’t use because our vocabularies aren’t that great, or because we haven’t invented those words yet.

ShapeWriter has 50,000 words in its lexicon, but it gives preference to those 10,000 or so words it considers most common (presumably

In ShapeWriter’s case, they produce a template of the shape of each word they decide to store in the software, so the shape you’re drawing—left-far right, up, down, along—is recognised.

In its latest incarnation it actually works surprisingly well, and I’d recommend anyone with an Android phone to check it out. (It’s free.) There’s a version for the iPhone too, as well as Windows Mobile and the Windows Tablet PC. Only downside: For now, at least, only five–European–languages are supported.

I am not convinced this kind of thing is going to replace the real keyboard, but it’s the first decent application I’ve come across that has gotten me back into actually enjoying tapping out messages on my device.

My wife, for one, is happy.