WP8 Privacy Nightmare?

SoloXCRacer

New member
Apr 5, 2012
I was going to post something similar, but hopmedic beat me to it. He nailed it.

As a developer, I think I can speak directly to this issue. Depending on which services are being requested, it can be many things. Sometimes locations are requested because of the advertisements - to give the advertisers locations will give more directed ads, and the developers will be paid a higher rate (measured in "cents per thousand impressions"). Sometimes the media is needed for sounds in a game, the camera is needed for bar code reading, or if the app is one where you can take a picture, or even to modify a photo (Pictures Lab, etc.). Sometimes the phone identity is used in order to track statistics (I have done this, just to get how many unique users of my apps) - without phone identity, you don't know if a repeat instance of your app is the same user using the app again, or a different user. Sometimes User identity (or is it Owner Identity? - I don't remember exactly) is used for reasons of tracking purchases - say for instance you have subscription content or something, maybe you had in-app purchase, or maybe you're participating in something where your identity does matter. These are all valid reasons to use these services.

Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.

My personal opinion is that if the capabilities are checked, but not used, either the app should fail certification, or perhaps Visual Studio should automatically uncheck the unused capabilities during the final build so that they are unchecked. The reason for this, to me, is because with the knowledge that this is happening out there, it diminishes the value of having the capabilities listed and the value of asking permission prior to allowing the app to install. Since I know this happens, when I look at a game or app that I know can't possibly need these capabilities, I figure that this must be the case - lazy, or forgetful, or uninformed programming. So I end up allowing the app. But the problem with that, is that just when we get into that habit, that's when it will bite us. That's when the note-taking app that doesn't do anything in the background will be the one that ends up running in the background, tracking our location, and sending it home to the server every step we take. Or whatever the case may be. No system is perfect, and it is the social engineering that is the weakest.

In Windows Phone 8, the capabilities listed in WMappManifest.xml are:
Appointments
Contacts
Gamer Services
Device Identity
User Identity
Camera
Location
Media Library
Microphone
Networking
Phone Dialer
Push Notifications
Sensors
Web Browser Component

So, if you see an app that lists ALL of those capabilities (though it will be worded in a more user-friendly way), odds are it was lazy, forgetful, or uninformed programming, and not that it's actually using all of them. If something's missing from that list, I'd wonder, because the developer was in the file, and obviously removed something, so why not the rest of what wasn't needed?

For WP7 apps that were recompiled for WP8, the list could be different. If it is an app created (or updated) for or after Mango, the list can be the same as above. But if it is an older game or app that wasn't updated to the Mango (WP 7.5) update (Fruit Ninja, for instance), then the list of capabilities would be shorter:

GAMER SERVICES
IDENTITY DEVICE
IDENTITY USER
LOCATION
MEDIA LIB
MICROPHONE
NETWORKING
PHONE DIALER
PUSH NOTIFICATION
SENSORS
WEB BROWSER COMPONENT
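The post above describes why a WP8 manifest often lists every capability: the WMAppManifest.xml template starts with all of them enabled, and the Store then shows whatever is left in the file. The script below is an added example, not code from this thread or from Microsoft, that audits a manifest the way a developer (or a reviewer) would before submission: it lists the declared ID_CAP_* capabilities, compares them with the set the app actually needs, flags the "entire default set still present" pattern the post describes, and writes a trimmed manifest. The sample manifest is constructed for this example, and the mapping from ID_CAP_* identifiers to user-facing wording is an assumption for illustration, not the Store's official text.

```python
"""Audit the <Capabilities> block of a Windows Phone 8 WMAppManifest.xml.

Added example (not code from the thread or from Microsoft). Assumes the WP8
manifest layout: a <Capabilities> element whose children are
<Capability Name="ID_CAP_..."/>. The sample manifest below is constructed, and
CAPABILITY_TEXT is an assumed approximation of the Store's wording.
"""
import xml.etree.ElementTree as ET

# Capabilities listed in the post above, keyed by manifest identifier.
# The wording on the right is an assumption, not the Store's official text.
CAPABILITY_TEXT = {
    "ID_CAP_APPOINTMENTS": "appointments",
    "ID_CAP_CONTACTS": "contacts",
    "ID_CAP_GAMERSERVICES": "gamer services",
    "ID_CAP_IDENTITY_DEVICE": "phone identity",
    "ID_CAP_IDENTITY_USER": "owner identity",
    "ID_CAP_ISV_CAMERA": "camera",
    "ID_CAP_LOCATION": "location services",
    "ID_CAP_MEDIALIB_AUDIO": "music library",
    "ID_CAP_MEDIALIB_PHOTO": "photo library",
    "ID_CAP_MEDIALIB_PLAYBACK": "media playback",
    "ID_CAP_MICROPHONE": "microphone",
    "ID_CAP_NETWORKING": "data services",
    "ID_CAP_PHONEDIALER": "phone dialer",
    "ID_CAP_PUSH_NOTIFICATION": "push notification services",
    "ID_CAP_SENSORS": "movement and directional sensor",
    "ID_CAP_WEBBROWSERCOMPONENT": "web browser component",
}

# Constructed manifest fragment shaped like the untouched project template:
# every capability is still enabled. ProductID is a placeholder.
SAMPLE_MANIFEST = (
    '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" '
    'AppPlatformVersion="8.0">\n'
    '  <DefaultLanguage xmlns="" code="en-US"/>\n'
    '  <App xmlns="" ProductID="{PLACEHOLDER-GUID}" Title="SampleFlashlight" '
    'Version="1.0.0.0" Genre="apps.normal" Author="example">\n'
    '    <Capabilities>\n'
    + "".join(f'      <Capability Name="{cap}"/>\n' for cap in CAPABILITY_TEXT)
    + '    </Capabilities>\n'
    '  </App>\n'
    '</Deployment>\n'
)


def _local(tag: str) -> str:
    """Strip a namespace prefix like '{uri}Capability' down to 'Capability'."""
    return tag.rsplit("}", 1)[-1]


def declared_capabilities(manifest_xml: str) -> set:
    """Return the set of Capability Name values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get("Name")
        for elem in root.iter()
        if _local(elem.tag) == "Capability" and elem.get("Name")
    }


def audit(manifest_xml: str, needed: set) -> dict:
    """Compare declared capabilities with the set the app really uses."""
    declared = declared_capabilities(manifest_xml)
    return {
        "declared": sorted(declared),
        "unneeded": sorted(declared - needed),   # remove before submitting
        "missing": sorted(needed - declared),    # app would fail at runtime
        # The whole default set still present is the signal the post
        # describes: the developer most likely never edited the list.
        "looks_like_template_default": set(CAPABILITY_TEXT) <= declared,
    }


def store_wording(cap_ids) -> list:
    """Translate identifiers into the (assumed) user-facing wording."""
    return [CAPABILITY_TEXT.get(c, c) for c in sorted(cap_ids)]


def strip_unneeded(manifest_xml: str, needed: set) -> str:
    """Return the manifest with every Capability outside `needed` removed."""
    root = ET.fromstring(manifest_xml)
    for parent in list(root.iter()):          # materialise before mutating
        for child in list(parent):
            if _local(child.tag) == "Capability" and child.get("Name") not in needed:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # A flashlight only needs the camera capability to drive the flash.
    needs = {"ID_CAP_ISV_CAMERA"}
    report = audit(SAMPLE_MANIFEST, needs)
    print("template default still present:", report["looks_like_template_default"])
    print("users would be asked for:", ", ".join(store_wording(report["declared"])))
    print("remove from manifest:", ", ".join(report["unneeded"]))
    print(strip_unneeded(SAMPLE_MANIFEST, needs))
```

The `needed` set has to come from the developer (or from reviewing which APIs the code calls); the script cannot infer it from the manifest alone, which is exactly why a manifest full of capabilities tells a user nothing about what the app does.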
 

MikeInBA

New member
Apr 20, 2011
> Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.

This is the most likely culprit. PhoneGap does the same (at least the last build I dl-ed), and you have to manually edit the manifest to remove what you don't use. I haven't used VS2012 yet, so I wonder if tools such as ReSharper or CodeRush will notify you like they do of unused variables/namespaces.
 

manicottiK

New member
Nov 24, 2011
As another developer, let me share with you what we did with our app to inspire user understanding and confidence in the list of seemingly broad permissions that our app uses. As background, our app accesses lots of personal data for students, faculty, and staff from almost a dozen university information systems. We support Android, BlackBerry, iOS, webOS and WP using native design styles and no porting. (The webOS app was pulled after HP killed the platform.)

To assuage users, we added a privacy page to the app that described, in plain language, the permissions needed for specific functions. This seems to have helped (people stopped asking about our permissions needs). Still, there has to be a trust between the user and the developer for the user to believe that the dev is doing only what's described.

If anyone has questions on this, private message me rather than further hijacking this thread. Below is the privacy statement built in to our app.

how we exploit your phone, not you

DrexelOne Mobile takes advantage of many services that your phone offers. Find out how it uses those services while protecting your privacy.

location services: GPS and cell tower location information is used to show your location on campus maps and to compute walking distances and times to shuttle bus stops. Location information is never transmitted to Drexel.

picture, music, and video library: Holds pictures for custom page backgrounds and is used to submit photos to Candid Campus.

phone identity: Provides make, model and other information about your phone for crash reports (to help debugging) and gets a unique ID for your phone so that we can count downloads without double-counting reinstalls. Your user-id and device ID are linked and sent to Drexel when push notification is turned on so that we can know which updates to send to which phone.

data services: The data that the app shows comes from Drexel's servers and some outside service providers; the phone uses the network to access those servers. Heavy cellular use of Candid Campus, News+Events, and Athletics (which all contain images) will consume more of your data plan.

push notification services: Used to set up notifications for grades and holds and for sending live tiles. When turned on, your accent color and a unique identifier for your phone are sent to Drexel so that we can compose the right tile and notification information for you.

Camera: Lets users take photos for custom page backgrounds and to submit to Candid Campus. The only images ever transmitted are the ones that you submit to Candid Campus.
 

manicottiK

New member
Nov 24, 2011
> So, if you see an app that lists ALL of those capabilities (though it will be worded in a more user-friendly way), odds are it was lazy, forgetful, or uninformed programming, and not that it's actually using all of them.
I thought that MS was now analyzing our xaps and rewriting the manifest permissions list based on which calls the app makes. Is this something that I dreamed up?
 

eldnar

New member
Dec 7, 2012
Hmmm, it seems many of the answers boil down to some form of, "Well, I personally don't care about my privacy, you shouldn't care about yours." That's fine, I'm not sure why you're even responding to the thread. It's a fact that the majority of users do care about their privacy. More Than Half of Mobile Users Avoid Certain Apps Due to Privacy Concerns - Pew Research Center

> Just because an app needs different reqs on different OSes, doesn't mean it's malicious.
I agree. It doesn't mean it's malicious. It also doesn't mean it's not malicious. Why not simply prevent abuse...by restricting access in the first place? What about the fact that most things that are malicious...started off as something that wasn't malicious? Why are you against nipping potential abuse in the bud? Netflix does not need the ability to see my .mp3 collection in order to stream videos. NewEgg does not need to see my .mp3's or photos to sell me a laptop.

> No, I just don't care if they have access to my music and videos. I don't get what POSSIBLE harm that could do me. So I don't care.
Fair enough. This was mainly for people who are concerned about privacy. If you're not concerned about your privacy, you're welcome to ignore the thread.

> If you think there are people looking at your personal content, you're wrong.
How do you know this? Do you have data to support it or is it your opinion? I have data to support that it does happen: GCreep: Google Engineer Stalked Teens, Spied on Chats (Updated) All it takes is a bad employee(s) at a good company.

> Your information is out there. If somebody wanted to, they could find it and use it without your permission.
I'm not worried about my general information, it's obviously out there, but my private phone videos, business documents and meeting notes aren't out there.

> But nobody cares about your family pictures.
If they don't care about it, then why do they need to access it?

> You're not that important.
Then why do companies pay incredible amounts to obtain our data? Companies don't spend millions on something that's not important.

> If some software somewhere analyses my content they won't find anything of interest.
Good for you. Some of us have business data, downloaded Word documents and attachments, recorded business meetings, private business documents, etc. The flashlight developer doesn't need to access those things. If you only have pictures of your grandma's birthday party I understand your lack of concern. You're welcome to move on to a thread that is a bit more relevant to you.

> It's for advertising purposes. Advertising is a way of life. You can't get away from it. If some program wants to check my info and send advertising that actually pertains to my life, so be it. I would rather have customized advertising than just random crap sent to me that I could care less about.
The flashlight developer doesn't need advertising data for an application that is not ad supported.

> A lot of apps require access to the media hubs to save images or interact with them at all. As the ability to save images (like wallpapers) is pretty common in WP since it encourages media-richness, this will be common. Pretty sure apps also need those permissions to integrate into those hubs, so, from the Music & Videos hub you can open the app since that movie you were watching got you thinking, that sort of thing.
>
> The Flashlight one is more interesting. There's no actual API to allow direct access to the flash, except through the camera. So, for the flashlight to work, it basically tells the phone it's a camera, turns the flash on, then doesn't actually capture any video stream. I remember reading about the dev end of things back when that came out. A weird but clever workaround, is what that is.
Well, Flashlight XT requires video and still capture. It's simple, to the point, makes sense, and works as advertised. Why do the others need to access every bit of data on the phone to turn on the light? Examples:

Flashlight X - Phone identity, owner identity, video and still capture, media playback, microphone, data services, movement and directional sensor.
Flashlight <insert model> - All of the above plus .mp3 collection, photos and videos.

> As a developer, I think I can speak directly to this issue. Depending on which services are being requested, it can be many things. Sometimes locations are requested because of the advertisements - to give the advertisers locations will give more directed ads, and the developers will be paid a higher rate (measured in "cents per thousand impressions"). Sometimes the media is needed for sounds in a game, the camera is needed for bar code reading, or if the app is one where you can take a picture, or even to modify a photo (Pictures Lab, etc.). Sometimes the phone identity is used in order to track statistics (I have done this, just to get how many unique users of my apps) - without phone identity, you don't know if a repeat instance of your app is the same user using the app again, or a different user. Sometimes User identity (or is it Owner Identity? - I don't remember exactly) is used for reasons of tracking purchases - say for instance you have subscription content or something, maybe you had in-app purchase, or maybe you're participating in something where your identity does matter. These are all valid reasons to use these services.
I'm not saying there aren't legitimate uses for accessing certain data. I'm fine with that. My concern is why NewEgg needs to access my .mp3 collection to sell me a motherboard? Can you explain why Flixster needs to access my pictures to tell me what time the next movie starts? I was reading that games that have media files can be played from the applications directory without accessing the user's directory. Is that true?

> I just wonder if eldnar would read these articles... headlines like "close to 10% of android apps a festering pit of malware, trojans, and premium sms senders, getting worse", or "Android Trojan Records Phone Calls", and the like, if he feels any differently now?
Thanks for these; while I had read some before, they actually provide the exact reason we should be concerned with application overreach. WP8 has been out roughly a month; it has not been put through the years of trials and attacks that Android and iOS have experienced. Do you think that handing applications access to data they don't need increases the chance for abuse or decreases it? Those other platforms are tightening security...WP8 seems to be leaving it wide open. It sounds like your philosophy is, "I haven't seen abuse yet, so it can't possibly exist". My philosophy is, "If you leave your car door open with the keys inside in a crowded area with the engine running, someone will eventually take it."

> Now that we've covered valid, let me also say this... When you create a project in Windows Phone, the WMappManifest.xml file, which is where all of the capabilities are enabled/listed, by default, has all of the capabilities enabled. So, if a developer is lazy, forgetful, or doesn't know he needs to remove the unneeded capabilities from this file, then when they submit it to the store, it will list these capabilities, whether they are used or not.
Does it instill confidence in you that a lazy, forgetful, or uninformed developer has access to your data and media? Do you think this lazy, forgetful, or uninformed guy put proper security measures in place?

> Since I know this happens, when I look at a game or app that I know can't possibly need these capabilities, I figure that this must be the case - lazy, or forgetful, or uninformed programming. So I end up allowing the app.
Isn't that backwards? Shouldn't you trust the lazy, forgetful, or uninformed guy...less?

> But the problem with that, is that just when we get into that habit, that's when it will bite us. That's when the note-taking app that doesn't do anything in the background will be the one that ends up running in the background, tracking our location, and sending it home to the server every step we take.
This is part of my concern. It sounds like you largely agree with me, but we differ on the potential scope for abuse.

> As another developer, let me share with you what we did with our app to inspire user understanding and confidence in the list of seemingly broad permissions that our app uses. As background, our app accesses lots of personal data for students, faculty, and staff from almost a dozen university information systems. We support Android, BlackBerry, iOS, webOS and WP using native design styles and no porting. (The webOS app was pulled after HP killed the platform.)
>
> To assuage users, we added a privacy page to the app that described, in plain language, the permissions needed for specific functions. This seems to have helped (people stopped asking about our permissions needs). Still, there has to be a trust between the user and the developer for the user to believe that the dev is doing only what's described.
You are a diamond in the rough, most apps and developers don't do this. I would use your company's products without hesitation.
 

hopmedic

Active member
Apr 27, 2011
> I thought that MS was now analyzing our xaps and rewriting the manifest permissions list based on which calls the app makes. Is this something that I dreamed up?
If they've started this, it's news to me. It's possible, though - I haven't had time to do much since this summer.


> The flashlight developer doesn't need advertising data for an application that is not ad supported.


> Well, Flashlight XT requires video and still capture. It's simple, to the point, makes sense, and works as advertised. Why do the others need to access every bit of data on the phone to turn on the light? Examples:
>
> Flashlight X - Phone identity, owner identity, video and still capture, media playback, microphone, data services, movement and directional sensor.
> Flashlight <insert model> - All of the above plus .mp3 collection, photos and videos.


> I'm not saying there aren't legitimate uses for accessing certain data. I'm fine with that. My concern is why NewEgg needs to access my .mp3 collection to sell me a motherboard? Can you explain why Flixster needs to access my pictures to tell me what time the next movie starts? I was reading that games that have media files can be played from the applications directory without accessing the user's directory. Is that true?
I wasn't answering for your instances directly - I was answering in general.

> Thanks for these; while I had read some before, they actually provide the exact reason we should be concerned with application overreach. WP8 has been out roughly a month; it has not been put through the years of trials and attacks that Android and iOS have experienced. Do you think that handing applications access to data they don't need increases the chance for abuse or decreases it? Those other platforms are tightening security...WP8 seems to be leaving it wide open. It sounds like your philosophy is, "I haven't seen abuse yet, so it can't possibly exist". My philosophy is, "If you leave your car door open with the keys inside in a crowded area with the engine running, someone will eventually take it."
A couple of the differences between Android and Windows Phone: Our apps get tested. Theirs don't. Our apps operate in a sandbox in the phone, within a very strict set of APIs that they are allowed to use. Android's can do just about anything the developer wants to do. As a developer, I can write two apps. If I save data in the phone in one app, I cannot use the other app to access that data. They're isolated. In Android, I can write an app that can access just about anything, whether I put it there or not. If Google discovers malware, they remove it from Play. That's it. It's up to the user to determine that he's downloaded a malicious app, and remove it (assuming he can). With Windows Phone, if Microsoft discovers that a malicious app got through testing (one did - EXACTLY one), they can remove it from the store, and revoke the security certificate. The act of revoking the security certificate prevents it from running on any phone except developer unlocked phones. The next time the user runs the app, he will see a message box that says something to the effect of "Microsoft has revoked the security certificate and this app will be uninstalled." You can press OK or Cancel. If you press OK, it will uninstall. If you press Cancel, it will stay, but the next time you run it, the same thing will happen. You can't run it. No action on the part of the user at all to keep the app from doing anything harmful on his phone once discovered.

> Does it instill confidence in you that a lazy, forgetful, or uninformed developer has access to your data and media? Do you think this lazy, forgetful, or uninformed guy put proper security measures in place?


> Isn't that backwards? Shouldn't you trust the lazy, forgetful, or uninformed guy...less?


> This is part of my concern. It sounds like you largely agree with me, but we differ on the potential scope for abuse.
I don't see us disagreeing at all. No, it doesn't instill confidence that lazy programmers are out there. It disgusts me. It also makes me that much more diligent in what I do, even as inexperienced as I am, to make sure that I do it right, or at least as right as I can with what I know. No, it isn't that I trust the lazy forgetful guy more; I guess it is that I realize that they're out there, and that I realize that I'm OCD and anal, and not everyone is, and I try to accommodate that. I also realize that there are people out there that are smarter than me, who are checking for things like this (which is how the single app that was malicious was found), and that Microsoft is testing each app as well. I know that some may get through the cracks, but I also am careful about what I do, and I am also knowledgeable about the operating limitations within which an app must operate within the phone, so I know that when an app is suspended it can't be doing anything malicious, since it can't be doing ANYTHING. It is BECAUSE of my programming understanding that I feel most confident in the Windows Phone of all the phones out there (other than perhaps BlackBerry, which, of course, isn't near as much fun), and why I tell all of my friends that I would get rid of those Virus Phones (Androids). And while iPhone is pretty good, compared to Android, you have to wonder, with the story not long ago about even Angry Birds tracking locations in iPhones while the app was not running (how they did that, I do not know - I do know that it would NOT be possible in Windows Phone).

So it isn't a matter of my view being all that much different than yours, on security. It's that I know the phone, how it works, what a developer can do, and what he can't do, that makes me comfortable. That's why I've been carrying a Windows Phone for over a year and a half.
 

jimski

New member
Dec 11, 2010
A developer can correct me if I am wrong, but my understanding is that "access" is simply that, access to an area. But not uncontrolled access. For example, if you give an app access to your photos, the app can't copy or scan all your photos into its sandboxed data storage area. So the app will be allowed to open your photos hub and select a photo of your choosing. Or, it will be allowed to drop a photo into your hub. Same for accessing your contacts list, to forward a contact, or for speed dialing apps. WP has restrictions on what data can actually be transferred off of the device.
Sent from my Lumia 900 using Board Express Pro
 

rockstarzzz

New member
Apr 3, 2012
> A developer can correct me if I am wrong, but my understanding is that "access" is simply that, access to an area. But not uncontrolled access. For example, if you give an app access to your photos, the app can't copy or scan all your photos into its sandboxed data storage area. So the app will be allowed to open your photos hub and select a photo of your choosing. Or, it will be allowed to drop a photo into your hub. Same for accessing your contacts list, to forward a contact, or for speed dialing apps. WP has restrictions on what data can actually be transferred off of the device.
> Sent from my Lumia 900 using Board Express Pro

This was my understanding too. Now I am happy for an app developer to blow this out of my mind by creating an app with all these permissions and then like a kung-fu panda "view" all my photos on his PC while he plays with himself and then also take them off my phone and upload on his SkyDrive and email it back to me as he should also have my email address, cc in all my work mates and my mum.

I am happy to pay ?1.29 for this app if it passes MSFT store and it does all of the above without my intervention of course.
 

Daniel Ratcliffe

New member
Dec 5, 2011
> This was my understanding too. Now I am happy for an app developer to blow this out of my mind by creating an app with all these permissions and then like a kung-fu panda "view" all my photos on his PC while he plays with himself and then also take them off my phone and upload on his SkyDrive and email it back to me as he should also have my email address, cc in all my work mates and my mum.
>
> I am happy to pay ?1.29 for this app if it passes MSFT store and it does all of the above without my intervention of course.

*troll face* Challenge accepted!
 

daddymanAZ

New member
Nov 19, 2012
From a non-technical user's standpoint, WP8 is no different than Android or iOS....you want to use that app....you have to agree to give access to portions of your phone's data repositories. Get over it or go back to your LG flip phone! :winktongue:
 

WPenvy

New member
Jun 5, 2012
I saw this too when I checked out some of the apps I would like to install when I finally get my Lumia 920.

For example:
Angry birds: photo, music, and video libraries. Why the **** is this necessary for a game!?

Just a simple flashlight app which is the most downloaded in the store:

  • phone identity
  • owner identity
  • video and still capture
  • photo, music, and video libraries
  • microphone
  • data services
  • movement and directional sensor
  • camera
  • compass
  • WVGA (480x800)
  • media playback
  • HD720P (720x1280)
  • WXGA (768x1280)

And if you say this isn't that big of a deal, Angry Birds and this simple flashlight app can look at all of your pictures and videos taken. That's insane!


These are just 2 examples, almost every top app in the market has these kind of insane permissions. I am on android now, and I can safely say that apps do not have these permissions there.

Isn't it obvious? It's the Eagle Eye project....lol
 

Dave Blake

Mod and Ambassador Team Emeritus
Jan 11, 2008
There is a lot of good information on this page about WP8 and security:

Windows Phone Security | Windows Phone (United States)

If you read through some of what's in this PDF about WP8 security features you will begin to understand a few things.

http://go.microsoft.com/fwlink/?LinkId=266838

Apps are sandboxed and can't access any data from another app without your taking some action. Even if you approve an app to access the camera functions it can't remove data from the camera unless it is linked through the cloud. There is much more information in the PDF; check it out. Just because an app needs to access the Music player functionality to operate doesn't mean it can upload music from your library, for example.
 

brmiller1976

New member
Aug 5, 2011
Frankly, I agree that privacy issues on smartphones are a concern.

However, I know LOTS of people who are concerned about their privacy to the point where they won't use Facebook or mobile apps, but:

1) Have a credit/debit card (and use it) -- creating a massive profile of their lives that allows data miners to determine every aspect of their lives from sexual orientation to religious background
2) Bank with one of the 100 largest US banks -- which resell data about purchases, checks, salaries and balances to other companies
3) Own or rent property in a public records state -- where I can look up how much they paid for their home (or in rent)
4) Own a new car made since 2006 (with a tracking computer on board) -- where data is recorded about driving habits and can be transmitted to insurance companies
5) Own a featurephone with built-in GPS (and the ability for government agencies to obtain location and travel data without a warrant)
6) Fly regularly -- and provide a full, high-resolution naked photograph of themselves to government agents every time they wait in line to board.

If you really want to see privacy, you need to tackle the systemic cancer of the surveillance society.
 

rockstarzzz

New member
Apr 3, 2012
> Frankly, I agree that privacy issues on smartphones are a concern.
>
> However, I know LOTS of people who are concerned about their privacy to the point where they won't use Facebook or mobile apps, but:
>
> 1) Have a credit/debit card (and use it) -- creating a massive profile of their lives that allows data miners to determine every aspect of their lives from sexual orientation to religious background
> 2) Bank with one of the 100 largest US banks -- which resell data about purchases, checks, salaries and balances to other companies
> 3) Own or rent property in a public records state -- where I can look up how much they paid for their home (or in rent)
> 4) Own a new car made since 2006 (with a tracking computer on board) -- where data is recorded about driving habits and can be transmitted to insurance companies
> 5) Own a featurephone with built-in GPS (and the ability for government agencies to obtain location and travel data without a warrant)
> 6) Fly regularly -- and provide a full, high-resolution naked photograph of themselves to government agents every time they wait in line to board.
>
> If you really want to see privacy, you need to tackle the systemic cancer of the surveillance society.

 

hopmedic

Active member
Apr 27, 2011
> The best app is the Adobe PDF app. There are no other permission requests to access any other info on your device. I wish all apps were like that.

But the Adobe PDF app is garbage, and went nearly (or perhaps more than) two years between updates. Please don't use this as a "best app" example. And if you're on Windows Phone 8, the pdf app is not by Adobe... But on WP7, it is.
 
