The recent story (reported on Mobilitysite HERE) about a wallpaper app in the Android store that a security software company found to be sending user data off to China was all over the web this weekend. Not surprisingly, the backlash has begun. Antonio Wells at AndroidTapp declared the initial reports on the vulnerability and malware to be FUD and contacted the Chinese developer, jackeey wallpaper, to find out the “truth”.
FUD has become one of the most abused terms on the internet. FUD stands for Fear, Uncertainty and Doubt and the acronym was originally coined in the seventies to describe IBM’s habit of spreading false information about competitors by creating hints and rumours. The term would end up being most identified with Microsoft’s claims against Open Source software in general and Linux in particular. These days, it is more or less used by fanbois to describe any information they don’t like or that disagrees with what they believe, usually with a villain named, as in “Antennagate is just FUD from Google”.
As could be expected, the developer of the wallpaper software denied all wrongdoing and stated they feel horribly victimized and hurt by the whole situation. Well, to be accurate he actually said…
I do not collect user data likes what the CEO of Lookout said in venturebeat.com. He said that I have collected the text message, it is bullsh*t.
Jackeey wallpaper raised the standard banner that everybody is doing it, and that his apps don’t gather as much data as some other similar apps. He also noted that he doesn’t use the data he gathers (?) and his app does not gather user data per se, but device data like the device ID, phone number and voicemail info. Personally I think the distinction is silly; I consider my phone number and voicemail details to be personal information, and it is data that a wallpaper application has no call to be gathering. The developer claims it is part of his efforts to add a “favorites” feature to the software, but then why wasn’t that ever mentioned in the information about the software? The information gathering still looks highly suspicious and I for one would think twice before installing the app.
Lookout has stood by their initial report, reminding everyone that they said directly that they had no evidence of misuse of the data, just that a wallpaper app gathering it sure looked suspicious. They also reminded people that they reported the information to make clear that there are a lot of Android applications playing very fast and loose with data and doing suspicious things.
AndroidTapp came to the following conclusion after speaking to both the developer and Lookout.
True all users should indeed be aware of what they are installing from the Android Market. True the openness of the Android Market are its strengths and weakness as something like this could be exploited. In this particular instance… it may not be the case, especially for what seems like a developer trying to improve his app by grabbing device data to make a “favorites” feature in-app. Maybe his approach was suspicious and overzealous as Lookout corrected, but was the mass negative press without covering the complete story warranted???
I believe Lookout’s reassessment should have been issued in the beginning versus retroactively clarifying; it makes me question their app security scanning and protection features of Lookout Mobile Security. Hopefully Google’s investigation will put a final ruling to this.
I’ll leave you with these 3 words… Fear, Uncertainty, and Doubt.
Pot, meet kettle. Certainly it is in the best interest of software security firms to make the most of, even to overplay, vulnerabilities. Just as the man selling you a car alarm will harp on car theft statistics, so the man selling you security software will paint a bleak picture of the web. However, they stated in their original report they did not have evidence of malice, not in any sort of “reassessment” as AndroidTapp falsely implies. The fears about the wallpaper app being malware were added by bloggers reporting on the situation (such as yours truly, my bad). Bloggers are panicky, hysterical, view-mongering beasties, we all know that… the inaccuracies and hyperbole that we bloggers wrapped around their report aren’t Lookout’s fault, nor do they detract from Lookout’s work.
Lookout got the facts right by the developer’s own admission and reported them… the only open question was motive. Since the main purpose of what Lookout was doing was to raise awareness about vulnerabilities, the motive really wasn’t important. If this mess causes Android users to be more aware and developers to be more open and careful about the data they access, then mission accomplished. For AndroidTapp to say that this situation has caused them to question Lookout’s abilities or professionalism is the worst sort of FUD. Using vague statements to try and discredit the messenger, therefore blunting or invalidating the message, is classic FUD.
As G.I. Joe taught us, knowing is half the battle…so we all owe Lookout a thank you, even if some of us bloggers owe jackeey wallpaper an apology as well for jumping to conclusions…FUD or no FUD.