Today, the story got a bit more complicated. First of all, the anti-spyware vendor which originated the story “clarified” their findings, saying:
While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior.
The apps do send your SIM card number, subscriber ID, phone number and voicemail number to a remote site; however, they don’t send the IMEI or serial number, so they do not send enough information to clone your phone.
So there’s a privacy violation, but no potential for fraud that I can see.
Meanwhile, the developer of the wallpaper apps maintains that the accusations are false.
Well, somewhat. The original claims are false in part; he didn’t ever steal browser history or contact information. However, he admits that he does request the ability to read the phone’s state and identify information. His explanation for why:
I collected the screen size to return more suitable wallpaper for the phone. More and More users emailed me telling that they love my wallpaper apps so much, because that even “Background” can’t well suited the phone’s screen.
I also collected device id,phone number and subscriber id, it has no relationship with user data. There are few apps in Android market has the favorites feature. Many users suggest that I should provide the feature so I use the these to identify the device, so they can favorite the wallpapers more conveniently, and resume his favorites after system resetting or changing the phone.
You don’t need phone state/identity access to obtain the screen size. There are at least two ways to do it without needing any special permissions. The first is to use DisplayMetrics to obtain the DPI and screen resolutions. If, on the other hand, you want the desktop size (i.e. the screen size minus things like the status bar), you can wait for your app’s initial Intent to render, and then query the size of your top level layout object using View.getWidth() and View.getHeight().
You don’t need special permissions to uniquely identify handsets for favorite/bookmarking functionality either. There’s a 64 bit unique ID held in ANDROID_ID. Yes, it may change after a system reset–but my experience is that I’ve changed phone number, SIM card number or voicemail number far more often than I’ve performed a hard (data-losing) system reset.
So I’m now inclined to think that this whole episode is the result of poor programming by a developer, combined with overeager desire for publicity from a security software provider. It looks as if no actual serious data privacy breach occurred.
That said, I stand by my conclusions yesterday: Google should probably apply more scrutiny to what they allow in the Android Market, particularly for apps requesting permission to access sensitive information.
Update 2010-08-05: Google confirms that the wallpaper apps weren’t malware.