It is certainly possible - look for example at the "Phone Recorder"
app (available via Market).

There are actually many issues with this IMO - one is the fundamental
thing that you can record phone calls but not key presses. The next
thing is that the wording of the warning during install should mention
that the app is able to record incoming and outgoing calls. (Currently
it's too vague and doesn't mention anything about outgoing calls.)
Another thing is that if such an app is installed behind your back and
without your knowledge, then the user should still get a visible
and/or audible notification that the call is being recorded (a red
recording icon in the "header" for example). ("Phone Recorder"
displays a short toast when recording starts but this is coming from
the app itself AFAIK and a malicious app would not show that.)


Tauno


On Mon, Dec 1, 2008 at 8:55 PM, Jean-Baptiste Queru <[EMAIL PROTECTED]> wrote:
>
> This is the kind of discussion that might turn out to be more
> appropriate for android-security-discuss, though since android-discuss
> is pretty much a catch-all it's hard to be off-topic here ;-)
>
> I think that the point is valid, though. Sure, the density of
> information and the ease with which it can be filtered is far higher
> with a keyboard capture than with a voice capture, but if you ignore
> that specific aspect the fundamental security concern is indeed
> similar for phone calls and keyboard capture.
>
> I was however under the impression that on the G1 at least anything
> related to the audio part of phone calls was entirely isolated from
> the application processor, so I'm not actually sure whether it's
> really possible to capture a phone call the way you're thinking of. I
> might be very wrong.
>
> JBQ
>
> On Thu, Nov 27, 2008 at 2:19 AM, tauntz <[EMAIL PROTECTED]> wrote:
>>
>> Hi all
>>
>> Was wondering why is capturing key events (key press, key release
>> etc..) from a background app considered a more serious security issue
>> than capturing phone calls from background apps?
>>
>> If you are going to make a phone call capturing app, then the
>> installer notifies the end user of:
>> "Phone calls - Intercept outgoing phone calls" and "Hardware control -
>> record audio"
>> Notice that it won't directly tell the user that the app will actually
>> record outgoing AND incoming calls - only that it wants to record
>> some kind of audio and it intercepts outgoing calls and does not tell
>> anything regarding incoming calls.
>>
>> So it's possible for a malicious app to record ALL your phone calls
>> without you noticing it (after installing the app). A malicious user
>> can take your phone if you leave it unattended and install the app
>> there and you have no idea that all your calls are being recorded and
>> uploaded to the net for example.
>>
>> Why isn't the same logic applied to capturing key events? Some people
>> have said that it would be a huge security risk if you would allow an
>> app to do that (eg capturing usernames/passwords). Now why is this
>> considered a bigger security risk than recording phone calls? The
>> average user won't enter any of his/her usernames anyway on the
>> G1 after he has registered the phone with his g-account the first time
>> the phone boots. The average user makes/receives phone calls, sends
>> SMS or plays some games.. and once in a while browses some websites
>> that do not require a log in.
>>
>> Recording phone calls allows an attacker to get n-times more
>> sensitive/personal details about the user than recording
>> usernames/passwords. I mean.. so what if an attacker gets a password
>> for the average mailbox/forum - he will find only pictures of LOLcats,
>> the occasional "Joe sent you an e-card" and huge amount of ...
>> enlargement spam. Now imagine if an attacker gets access to all your
>> phone calls... to me at least, this seems WAY scarier.
>>
>> I just want to understand the reasoning behind allowing recording and
>> disallowing key events. It's a decision that I just can't understand
>> :(
>>
>> (And no, I personally don't care if an app can/can't do any of the two
>> things - they are not features that I need.. I'm just curious)
>>
>>
>>
>> Tauno