
'Clueful' App-Interrogation Tool Coming To Android

Bitdefender is preparing to launch Clueful in the Google Play Store, the same privacy protection app that was forcibly removed from the Apple App Store last year. We quizzed Bitdefender’s leading security bods about what the new app offers Android users.

Clueful is a security tool that analyses other apps installed on your phone, including what data they share, whether they use excessive battery power and how they store data. Its chief purpose is to review the level of privacy each app affords the user.

For example, it will inform you which apps track your location, whether they access your Facebook or Twitter accounts and which ad networks they use. Alongside a thorough overview of the types of data it accesses, each app also receives a privacy rating which lets you know whether it’s safe to use.

In July last year, Apple pulled Clueful from the app store for undisclosed reasons. The banned application was subsequently retooled as a webapp for iPhone. Now, Android owners are getting a version of their own.

Bitdefender revealed this to Lifehacker exclusively during a media lunch with the company’s senior e-threat analyst Bogdan Botezatu and global PR coordinator Andrei Taflan. They explained why personal data is the next frontier in security management.

Privacy in Android apps

“Can I please have a look at your phone’s contacts list and write down who you know?” Botezatu joked. “Of course you’re going to say no. But this is something many of your apps do, and often there is no good reason for this.

“Many applications are capable of taking a lot of private data from your device and sharing it with third parties, such as aggressive advertising services. Some require every possible permission, which is really surprising and shocking.”

In a recent large-scale study, Bitdefender analysed 130,000 popular free Android apps for signs of user privacy breaches. It discovered that nearly 13 per cent of the analysed apps collected and broadcast users’ phone numbers without explicit notification.

A similar number of apps were also found to access and distribute location data, while 7.72 per cent accessed and distributed personal email addresses. Around 6 per cent of analysed apps also accessed browsing history, with a handful even accessing personal photos.

Often, the app developers aren’t even aware this is happening due to the use of pre-existing advertising frameworks that are imported to help monetise the app. Even if this data isn’t being collected for nefarious purposes, anything can happen once it gets loose in the wild.

“The bottom line is, you don’t know anything about this third-party operator and you have not entered into an agreement with them,” Taflan said. “How careful are they with your details? Is he using protection for his servers? You don’t know anything about it.”

Clueful for Android

So why install Clueful? As any competent Android user knows, the majority of permissions flagged by Clueful are already displayed to the user prior to installing an app. However, these can be a chore to wade through and the specifics of what they actually allow are not always clear — especially for mainstream users. To make matters worse, many users simply install the apps without checking any of the T&Cs. (We’re willing to bet that most of you have been guilty of this from time to time.)

The Android version of Clueful is akin to a crib sheet or magnifying glass: it presents a checklist of permissions in easy-to-understand language along with their potential invasiveness levels. Your device also receives an overall privacy score, based on every app that is installed on it.

“This is what Clueful sheds light on: it takes these permissions which are often incomprehensible to normal humans and explains exactly what the app is capable of doing. It makes the dangers more specific and lays red flags when needed.”

We were given a brief demo of the app in action on a Galaxy S III. Interestingly, even trusted, popular apps like Angry Birds were flagged as having moderate privacy issues.

“It’s a big question why a game such as Angry Birds needs to monitor and track your location and then send this information over the internet,” Taflan said. “These guys are sharing your personal details with third parties. Ideally, this kind of information should only be shared with your data carrier.”

One of the caveats of Clueful and equivalent privacy tools is that the damage is already done once the app has been installed — you’re basically getting a heads up after the pin has been pulled from the grenade. The Android version will circumvent this by pausing the installation and digging into the data permissions before the app is fully installed. You can then opt to continue or abandon the process based on its findings.

Bitdefender eventually hopes to offer Clueful as a cross-platform webapp that will aggregate Android and iOS apps in one place for users with multiple devices.

“These days, people have three, four, five or more devices which are often on different networks and operating systems,” Botezatu said. “You’re also using cloud services a lot, so you need protection for all these environments.”

iOS safer than Android?

Botezatu also hinted that the need for security was greater on the Android platform, particularly when it comes to cybercrime and malware.

“In order to become an application developer on iOS you need to be verified by iTunes or at least have Apple sign your application with a digital certificate. This doesn’t happen in the Android ecosystem — you can basically create your own application and send it to your customers and that’s it.

“This kind of freedom leads to extreme things, like for instance developing a malicious application and not being worried that it’s going to be stopped somewhere in the process. Google has subsequently introduced an anti-malware scanner in Android 4.22 but it’s a piece of software that doesn’t solve the issue, especially seeing as they still have malware on the official app store.

“But malware is just one slice of the whole cake. We anticipate in the future that our focus will be to cover the user and their digital identity more than specific hardware. It’s about protecting the user, not the machine.”

Clueful for Android will be available to purchase in mid-May. Pricing has yet to be announced, but we expect it will roughly match the iOS version’s $4.99 asking price.