Bejeweled is a very popular game introduced by PopCap Games,
which was recently acquired by Electronic Arts. The addicting game can be found
on almost every platform that supports gaming from personal entertainment
systems on airplanes (my wife and I killed 8 hours on a flight from Tokyo to
Seattle that way), to the PC, to gaming consoles, and as I discovered, on
Android phones as well.
When I bought my T-Mobile HTC MyTouch 4G Slide I started
looking at the pre-installed software and I was startled when I saw that the
demo version of Bejeweled 2 that comes pre-installed on the device had been
granted permissions that would allow for the most egregious forms of spyware.
The demo game takes permissions that are far in excess of those required by the
paid version, and completely unreasonable for the game to have. I understand
the concept of a free game that is paid for by advertising, and that in this
model some personal information is going to be transmitted back to a third
party. However, the Bejeweled 2 demo is not an advertising-paid game; it is a
crippled demo version, and the permissions it has commandeered are far in excess
of what is required for marketing.
By way of comparison, if you go to purchase Bejeweled 2 on
the Android market, the game only requires the following permissions:
Modify/Delete SD card contents
Full Internet Access
Read Phone State and Identity
Prevent phone from Sleeping
The pre-installed demo version of Bejeweled not only co-opts
these permissions but also takes the following additional permissions:
Read and write contact data
Send SMS messages
Receive SMS messages
Coarse (network-based) location, fine GPS location
Record Audio
Not only does this demo version of the game co-opt these spyware-like
capabilities, but the device owner is never asked to accept this intrusion,
and the only way to remove the software is to void your warranty (http://randy-abrams.blogspot.com/2011/12/htc-do-you-want-privacy-and-security-or.html).
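The comparison above can be checked on any APK rather than taken from the market listing. The script below is an added example, not code from the original post or from EA or HTC: it parses the permission lines of `aapt dump badging` output (aapt ships with the Android SDK build-tools) and reports every permission beyond the four the paid version needs. The sample badging output is constructed to stand in for the demo, the package name is a placeholder, and the mapping from the market's display labels to `android.permission.*` constants is my own.

```shell
#!/bin/sh
# Baseline: the four permissions the paid Bejeweled 2 asks for, as the
# android.permission constants behind the market's display labels.
BASELINE="android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.WAKE_LOCK"

# Constructed stand-in for `aapt dump badging demo.apk` output; the
# package name is a placeholder, the permission set mirrors the post.
SAMPLE_BADGING="package: name='com.example.placeholder.demo' versionCode='1'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'"

# Read badging output on stdin, print the declared permission names sorted.
# Handles both "uses-permission: name='X'" and the older "uses-permission:'X'".
declared_permissions() {
    sed -n "s/^uses-permission:[^']*'\([^']*\)'.*/\1/p" | sort -u
}

# Read badging output on stdin, print only permissions absent from BASELINE.
excess_permissions() {
    base="${TMPDIR:-/tmp}/baseline.$$"
    printf '%s\n' "$BASELINE" | sort -u > "$base"
    # comm -13: suppress lines only in baseline and lines in both,
    # leaving lines that appear only in the declared set.
    declared_permissions | comm -13 "$base" -
    rm -f "$base"
}

# Stand-alone run: list what the demo declares beyond the paid version.
printf '%s\n' "$SAMPLE_BADGING" | excess_permissions
```

For a real device, feed it `aapt dump badging <file>.apk` on an APK pulled with `adb pull`, and the output is the list of permissions to question.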
According to HTC, they can’t remove the software because
they have an agreement with T-Mobile. If T-Mobile agreed to let them remove it,
they might, but it isn’t assured. Wondering why the game requires such invasive
permissions, I contacted Electronic Arts, and I must say I am quite impressed
with their open and communicative approach to dealing with people.
According to Electronic Arts, Bejeweled 2 has not been
programmed to be able to record audio, send or receive SMS messages, or read
and write contact data. The permissions exist, but are not implemented. I was
also told that EA is actively working to correct the privilege problems with a
future update.
Outside of tedious reverse engineering or having the source
code to examine, the only way to know if Bejeweled 2 is spyware is to examine
the traffic flowing in and out of the device. This requires both analysis of
Internet traffic and GSM traffic. Unfortunately this type of analysis is not a
standard capability of an Android phone and well beyond the technical
capabilities of most people. A representative of Electronic Arts has indicated
that they are not monitoring my SMS messages, accessing my contacts or recording my
audio, and I believe them. However, given HTC’s track record and the research
from North Carolina State University (http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf),
the permissions that exist may still present serious privacy and security
problems. Even if Electronic Arts issues an update, this does not completely
solve the permissions issue. As long as the update can be uninstalled, which is
normal for updates to pre-installed applications, there is potential for
malicious apps to take advantage of the lax permissions, either as
they exist, or by uninstalling the updates.
When I first discovered the excessive permissions I seriously
wondered if Bejeweled 2 is spyware. I think it is a safe assumption that
Bejeweled 2 is not spyware, but I can’t say that about Facebook for HTC Sense,
which cannot be uninstalled and takes even more invasive permissions. What
about Flickr or other pre-installed apps?
HTC could issue an uninstaller for pre-installed apps that a
user doesn’t want. HTC could present user agreements for each invasive app and
remove the app if the user does not agree, but your privacy and security are not
their business. The same is most likely true of all Android phone manufacturers.
According to the representative I corresponded with from
Electronic Arts, the new version of Android “Ice Cream Sandwich” will allow
users to block pre-installed apps and not show their icons. This is a positive
step, but falls short of protecting users and respecting privacy and security.
Randy Abrams
Independent Security Analyst