Thursday, January 5, 2012

The Mysterious Permissions of Bejeweled 2


Bejeweled is a very popular game introduced by PopCap Games which was recently acquired by Electronic Arts. The addicting game can be found on almost every platform that supports gaming from personal entertainment systems on airplanes (my wife and I killed 8 hours on a flight from Tokyo to Seattle that way), to the PC, to gaming consoles, and as I discovered, on Android phones as well.

When I bought my T-Mobile HTC MyTouch 4G Slide I started looking at the pre-installed software and I was startled when I saw that the demo version of Bejeweled 2 that comes pre-installed on the device had been granted permissions that would allow for the most egregious forms of spyware. The demo game takes permissions that are far in excess of those required by the paid version, and completely unreasonable for the game to have. I understand the concept of a free game that is paid for by advertising and that in this model some personal information is going to be transmitted back to a third party, however, the Bejeweled 2 demo is not an advertising paid game, it is a crippled demo version and the permissions it has commandeered are far in excess of what is required for marketing.

By way of comparison, if you go to purchase Bejeweled 2 on the Android market, the game only requires the following permissions:

Modify/Delete SD card contents
Full Internet Access
Read Phone State and Identity
Prevent phone from Sleeping

The pre-installed demo version of Bejeweled not only co-opts these permissions but also has taken the following additional permissions:

Read and write contact data
Send SMS messages
Receive SMS messages
Course (network-based) location, fine GPS location
Record Audio

Not only does this demo version of the game co-opt these spyware like capabilities, but the device owner is never asked to accept this intrusion and the only way to remove the software is to void your warranty (http://randy-abrams.blogspot.com/2011/12/htc-do-you-want-privacy-and-security-or.html).

According to HTC, they can’t remove the software because they have an agreement with T-Mobile. If T-Mobile agreed to let them remove it, they might, but it isn’t assured. Wondering why the game requires such invasive permissions I contacted Electronic Arts and I must say I am quite impressed with their open and communicative approach to dealing with people.

According to Electronic Arts, Bejeweled 2 has not been programmed to be able to record audio, send or receive SMS messages, or read and write contact data. The permissions exist, but are not implemented. I was also told that EA is actively working to correct the privilege problems with a future update.

Outside of tedious reverse engineering or having the source code to examine, the only way to know if Bejeweled 2 is spyware is to examine the traffic flowing in and out of the device. This requires both analysis of Internet traffic and GSM traffic. Unfortunately this type of analysis is not a standard capability of an Android phone and well beyond the technical capabilities of most people. A representative of Electronic Arts has indicated that they are not monitoring my SMS’s, accessing my contacts or recording my audio and I believe them, however given HTC’s track record and the research from North Carolina State university (http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf_) the permissions that exist still may present serious privacy and security problems. Even if Electronoc Arts issues an update, this does not completely solve the permissions issue. As long as the update can be uninstalled, which is normal for updates to pre-installed applications, there is potential for malicious apps to potentially take advantage of the lax permissions, either as they exist, or by uninstalling the updates.

When first discovered the excessive permissions I seriously wondered if Bejeweled 2 is spyware. I think it is a safe assumption that Bejeweled 2 is not spyware, but I can’t say that about Facebook for HTC Sense, which cannot be uninstalled and takes even more invasive permissions? What about Flickr or other pre-installed apps?

HTC could issue an uninstaller for pre-installed apps that a user doesn’t want. HTC could present user agreements for each invasive app and remove the app if the user does not agree, but your privacy and security is not their business. The same is most likely true of all Android phone manufactures.

According to the representative I corresponded with from Electronic Arts, the new version of Android “Ice Cream Sandwich” will allow users to block pre-installed apps and not show their icons. This is a positive step, but falls short of protecting users and respecting privacy and security.

Randy Abrams
Independent Security Analyst