On Wed, Nov 20, 2013 at 10:00 AM, Richard Steventon <[email protected]> wrote:
> I am pretty sure Google frowns on this sort of thing without a big fat EULA.
> However the company in question provides no notes to the developers telling
> them this.  They just say "include our SDK and get paid".
>
> Data in question includes:
>  list of accounts
>  phone number
>  lat/long
>  all device info (serial, imei, etc, etc)
>  mac address
>  open udid
>  list of all installed apps
>
> I am not sure how to approach this.  On the one hand, I don't want to
> interfere with a company's business model, on the other hand, what they are
> doing is probably illegal (in at least some parts of the world!).
>
> Thoughts/comments ?
On one hand, if the user agrees, then there's nothing you can really
do. There's lots of apps that have these invasive practices, including
crapware distributed by the handset OEMs and carriers.

On the other hand, you could report it to Google at
[email protected]. They might be able to create a Bouncer signature
if they don't have one. Or, they might not take a position since the
handset OEMs and carriers are distributing the same crapware.

You can also report it to the various security companies. Companies
like Lookout, Sophos, Malwarebytes, Symantec, etc. have them. The trick
is finding the point of contact. Try secure@ or security@ (if they are
RFC 2142 compliant).

As for the item "all device info (serial, imei, etc, etc)", the
Android architecture encourages the leak. See '"Read Phone State and
Identity" should be two separate permissions',
http://code.google.com/p/android/issues/detail?id=17675. Add a "me
too" vote and Google might fix it one day.

Jeff
