Android Security wakes the sleeping blogger

The blog is currently being ported from WordPress to over 12 years of static pages of content. If there's an article missing that you're hoping to see, please contact me and let me know and I'll prioritize getting it online.

April 16, 2012


Can’t believe it’s been so many months since I blogged last. Even quitting Facebook (link 1, link 2) wasn’t enough to blog about, but this one deserves a post.

Update, April 19, 2012:

It seems that Google isn’t showing my user review on the app. At best, they’re holding it for human eyes to review since it was both a 1-star review and contained a URL back to this blog post. At worst, they mark those comments as spam so only the author of the comment can see it. Here’s a screenshot of my comment:

screenshot of my review

Update, November 2016

My review still isn’t showing up for anyone but me and this is really alarming. When I originally wrote this post in 2012, version 1.3.3 had been published on March 2, 2012. As of late 2016, it says 1.3.3 is still the latest version, but marks a publish date over a year later, April 22, 2013. I reinstalled the app and published notes to Google Drive and it STILL shares the document with eancase@gmail.com as the editor!!

Introduction

At work, I’m the permanent scrum-master for my team, and was looking for tools that would help semi-automate the process, or at least provide a better way of taking notes to share with other teams than writing on a notepad and typing it up on my system afterward. Elmter Thomas was always much better at this sort of thing, using some tool that would generate nice notes based on markdown.

The App in Question

Scrum Master Assistant, on the surface, looks like a great tool. You can set up multiple kinds of meetings, add participants, add notes, new issues, it even has a timer so you can track who’s a chatterbox during scrum to keep things running quickly and smoothly. They’ve recently added a “publish to Google Docs” feature which makes a pretty neat spreadsheet. I figured I’d test it out before our actual scrum meeting and could NOT believe what I saw.

The Problem at Hand

In the settings, I had already told the app which Google account to use for publishing to Google Docs:

screenshot of the app settings

When you publish to Google Docs for the first time, the app prompts you for permission, which I would have expected:

screenshot of the app asking permission to access Google Docs

A second prompt asked for access to Google Spreadsheets, which I also allowed.

Once published, I logged into Google Docs and saw that the spreadsheet for my sample meeting, where I was the only attendee, had sharing permissions set to “only the people listed below”, but to my horror I saw that the app developer had added THEMSELVES as a shared person on the document. If that wasn’t bad enough, they added themselves as an EDITOR to the document:

screenshot of Google showing the app developer was an editor on my document

I couldn’t believe that the developer would pull such a blatant move. I immediately [left feedback on Google Play](https://play.google.com/store/apps/details?id=com.ean.scrumtimer&reviewId=10165753931568085562) and uninstalled the app. Then I reinstalled it to grab screenshots.
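As an added example (not code from this post or from the app), here is the defender-side check I would run after an incident like this: audit a Google Drive permission listing and flag every document that an outside account can edit, or that is link-shared, when that account is not in the owner's list of known collaborators. The records are constructed sample data shaped like Google Drive API v3 permission objects (`type`, `emailAddress`, `role`, where role `writer` is what the Drive UI shows as Editor); `owner@example.com`, `teammate@example.com` and the file ids are assumed.

```python
"""Flag Drive files whose sharing grants include someone the owner never invited."""

# Constructed sample, shaped like the `permissions` field of a Drive API v3
# files.list response. file-1 should have been private to the owner; file-2
# was knowingly shared with one teammate. Neither should be link-shared or
# editable by the app developer's account.
SAMPLE_FILES = [
    {
        "id": "file-1",
        "name": "Scrum 2012-04-16",
        "permissions": [
            {"type": "user", "emailAddress": "owner@example.com", "role": "owner"},
            {"type": "user", "emailAddress": "eancase@gmail.com", "role": "writer"},
        ],
    },
    {
        "id": "file-2",
        "name": "Scrum 2012-04-17",
        "permissions": [
            {"type": "user", "emailAddress": "owner@example.com", "role": "owner"},
            {"type": "user", "emailAddress": "teammate@example.com", "role": "writer"},
            {"type": "anyone", "role": "reader"},
        ],
    },
]

# Drive v3 roles that allow changing the document's contents.
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}


def unexpected_sharing(files, expected_collaborators):
    """Return (file_id, grantee, role, severity) for every grant outside the allowlist.

    expected_collaborators: e-mail addresses the owner knowingly shares with.
    Link sharing (`anyone`) and domain-wide grants are always reported; a
    write-capable role is rated high, read-only medium.
    """
    expected = {e.lower() for e in expected_collaborators}
    findings = []
    for f in files:
        for p in f["permissions"]:
            if p["role"] == "owner":
                continue  # the owner's own grant is never a finding
            grantee = p.get("emailAddress", f"<{p['type']}>").lower()
            if p["type"] in ("anyone", "domain") or grantee not in expected:
                severity = "high" if p["role"] in WRITE_ROLES else "medium"
                findings.append((f["id"], grantee, p["role"], severity))
    return findings


if __name__ == "__main__":
    for finding in unexpected_sharing(SAMPLE_FILES, {"owner@example.com", "teammate@example.com"}):
        print(finding)
```

With a real account the same function runs over the output of `files.list` with `fields="files(id,name,permissions)"`; the developer's writer grant on file-1 is the high-severity hit this post is about.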

App Permissions

When you install the app, it tells you about the following permissions:

  • modify/delete USB storage
  • take pictures and videos
  • full internet access
  • act as an account authenticator, use the authentication credentials of an account
  • read contact data
  • view network state
  • discover known accounts

On the surface, those permissions seem fine, given the published list of features of the application. Namely, it would use your contacts to add people to meetings, it could take a picture of who was at the meeting, needs Internet access to publish notes online, and needs access to your Google account to push to Google Docs. I suppose it needed access to your USB data in order to save notes to your device.

Version 1.3.3 of the app, published March 2, 2012, says it fixed a few defects and removed unnecessary user permissions. As of version 1.3.1, it said it was no longer ad-supported, yet it maintains a full name of “Scrum Master Assistant (adware)”, and added the Google Docs integration.

The Description of the app says this:

**** No Ads ****
**** Publish reports to Google Docs (Beta) ****
**** Adapted for tablets ****

The application will help Scrum Masters at daily Scrums to gather
impediments and help team members stay focused, restrict the meeting
duration to 15 minutes. Every meeting is immediately followed by a
scrum report with all the collected issues and meeting details to
show who was too talkative.

Features
- Meeting duration timer and timer for every participant to keep
  everyone focused on agenda
- Participant details, photo can be imported from Phone Contacts.
  Contacts can be synchronized with Google contacts
- A photo can be also captured using a phone camera or taken from
  a picture gallery
- Collected Action items, issues can be shared via Google Docs or
  sent as Excel report to e-mail

Key words: Agile tool, Scrums, Daily Scrum, Standup, Scrum Master,
Meetings, Meeting Notes, Meeting Minutes

There is NO notice anywhere within the app that tells you the app is going to share every document with the dev. There’s no disclosure of why they need access to USB storage.

How have no other users reported this yet??

My Review Text

Wtf, google docs get shared with app developer. I can’t believe the app developer would blatantly share google docs with his account by default. What a horrible security hole! Users beware!!! See http://goo.gl/GTLoN for screenshots. How have 1,000-5,000 installed users not reported this?!