Your Rotten App, Jackeey Wallpaper

*Here's your big chance to catch on early about the little favelas being built inside your chic new handheld.

*Like the man says, this happens over and over again.

Via SANS

TOP OF THE NEWS
--Google Android Apps Reportedly Stealing Data
(July 30, 2010)
Dozens of wallpaper apps being sold for Google Android devices have been
found to be gathering personal information and sending it back to the
apps' developers. Google has suspended one of the applications, which
appears to send collected data to a server in China, while it
investigates the situation. The application is called Jackeey
Wallpaper and contains stolen copyrighted content. The issue
underscores the importance of downloading applications only from known
and trusted sources.
http://www.telegraph.co.uk/technology/google/7918536/Google-Android-apps-collecting-personal-data.html
http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=68990
[Editor's Note (Ranum): Is anyone surprised by this? The idea of
"download only from known and trusted sources" is also a non-starter;
eventually the attackers will begin to develop software that is
stealthier about what it does - when the software supply chain is
controlled, it becomes the next logical point of attack. How is the
manager of an application store going to know if there's a sleeper
routine in an app that will cause it to start leaking data in 3 or 4
months? What we're seeing now is the early "smash and grab" stage of
what is going to be a long, horrible battle unless industry begins to
realize that software security is a discipline above and beyond just
issuing patches.]