
okay shut
my slides doing that right now it
is okay look at that it works ready you good all right I guess we'll get started um I am Mike Maring uh with me is Alan um we have I actually I was telling somebody in the hallway um an old friend that that I haven't been this excited about a talk in at least 10 years because I get to do a whole lot of business-y talks these days and I don't really get to do real like zero day kind of anymore and this is super exciting because I've been working with Allen and his company for a while and we've been finding some really cool stuff about Android what's even more fun is we've been telling about telling Google about
it and they've been acting like Microsoft circa 1999 they've been really not caring which is not the talk that we thought we were going to give at bids we thought we were going to talk about Android and its issues but how Google was being the white knight in security and really helping things out and so it's exciting to get up here and to talk about Android and its security problems and to talk about how bad it actually is and realize that for the first time in at least 10 years that I've been giving a talk I'm going to be the guy that gets up here and goes yeah there's really no hope you guys don't
have a hope of making it better because Android is getting it's blown up it's completely exploding in the marketplace you know the number of devices is growing in an exponential rate someone asked me about and actually while Allan and I were sitting at a table earlier why wouldn't you be in the PC market you know hey Allan why don't you make PC antivirus and you got to realize there's no reason to the number of tablets and phones is completely exploding compared to the number of actual servers and and things with Windows on them these days and it's just going to keep growing year by year the estimates are are showing that the Global Security Market is at 14.4
billion by 2017 now Gartner said that so it's probably made up but at the same time it's that kind of global explosion what was it you said to me earlier about that App Store how much did that App Store and trying to sell for the other day 1.9 billion yeah an app store sold for $1.9 billion get your head around that like Sourcefire sold for that much it's an app store all it all it is is a web page that hosts apps for downloaded sold for $1.9 billion dollar biggest App Store in China and we'll come back to that and because of this the malware guys are figuring it out because this was the
phone that you used in 2017 and this is the phone you use now anybody remember when they got a Motorola Razr oh yeah wasn't that the coolest phone of all time for like six minutes I loved my Motorola Razr I was like it's like this thick it's the coolest thing ever and then all of a sudden my phone was a computer and I could install apps and I wasn't doing what was that thing called where you press the number four times to get a t the predictive text thing where you T9 word T9 thank you yes suddenly you weren't using T9 anymore you were using a real keyboard unless you had moved past BlackBerry
and all of a sudden your phone is a fertile landscape for things to explode and of course as soon as you have a landscape for applications you have a fertile landscape for malware nearly 35% of apps in China secretly steal user data yeah guess what guess not just in trun because there's a lot of stealing of user data going on out there this is what we've we've discovered recently is that it's really really getting ridiculously bad out there because there's all these quotes and I I I don't know if anybody hears in the media but the media loves these great quotes in three years it took three years for Android malware to reach where PC malware got in 14 years in terms of
number of discovered pieces of malware that's unbelievable I mean that's the kind of exponential growth that you just can't even consider I remember in like 1999 there was this statistic that Time magazine or somebody published that the computer grew more in 7 years than the car had grown in ' 85 and Android has grown faster in in three years than the PC grew in 14 it's this the speed of pace of change is unbelievable and it means that the speed of pace of malware is unbelievable it means that where we're going and things that are happening out there is ridiculous we are seeing malicious apps do things that took years for PC to get around to in 1999 there was no such
thing as adware there was no such thing as spyware and all of a sudden instantly as soon as Android malware hits all these things exist we're seeing click fraud we're seeing data stolen we're seeing all the traditional sort of um inappropriate mobile malware like you know inappropriate to 900 numbers and texts to pay services and things like that and it happens over and over and over again at a level that we can't even imagine to the point that people are writing articles like is Google helpless but that makes a huge assumption makes an absolutely huge assumption and the assumption is that Google cares and I assume that too and I know did as well in starting his company I
know he assumed Google care that malware mattered sometimes you make an ass out of you and me because last week um I helped Allan report 500 pieces of malicious software to Google and these apps were genuinely malicious um actually I had a fun discussion on my Facebook page about these apps because what most of these apps do is that they steal info on let me see if I've got the right phone
here yeah that's right do I have it on this one hey Alan toss me the other phone oh no wait got it yeah I did just send my location to a site in
China yes the application is called I fart it's a fart noise generator that's what it does also when you start it it grabs your cell phone identifier it grabs all the information about your carrier it grabs your current location um and it crafts a nice HTTP post request and uploads it there to a try why does it need to do that well I don't know if you guys noticed the post request it's a log it puts all of the information about you your phone your carrier your patch level everything else about you into a log file and uploads it to the uh Ry can you pronounce you're better at this than it than I am
ring uh technology Limited in Beijing and so we reported it to Google they said this wasn't a violation of their terms of service this was completely okay because the log file didn't matter what's funny to me and you know as somebody who's been in the security community for a long time watching everyone freak out about the NSA having information like this and lose their minds about privacy two years ago everyone was losing their minds about people posting to Foursquare where they were you know what people were heckling General Alexander about privacy today and yeah we don't care if any app can upload whatever they want to wherever they want I'm a little confused I'm
especially confused because when a company hides behind legalese I get scared I remember reporting the vulnerabilities to Oracle in the early 2000s and watching them ignore them I remember reporting vulnerabilities to Microsoft in the 90s and watching them say it's not a big deal it's a feature it's not a bug and I see the same behavior when someone points me at this and ignores the question when asked if this is really a limited purpose for which the application is allowed to steal your information and it's not like we pick that one we pick that one randomly mostly why did I pick that one it's a fart app it's funny but it wasn't the only one a
Skrillex fan app that steals your IMEI and uploads it via HTTP a random video game that steals your IMEI and uploads it via HTTP hundreds and hundreds and hundreds of apps in the App Store doing things that when you see other articles about malicious software they call them part of a virus they call them part of malware but because it doesn't violate terms of the service because it's in a log file we're good to go which I know he thinks is ridiculous and I think it's ridiculous too and what this talk was originally going to be about by the way it's funny before we even started this it's so easy to get malware into the app store because you
just have to put everything in a log file and upload it to everywhere and you realize this is the sad part Google's the best of the lot you start looking at app stores around the world Google's got of all the apps that TrustLook analyzed 3.15% of all the apps are malicious in some way but the store we were talking about earlier that sold for $1.9 billion yes was 91 store 19.7% of apps in a store are malicious one in every five apps you download are stealing your stuff and uploading it somewhere did you want to you want to tell the story about your friend in New York like I'll I'll tell it Alan was tell we were talking earlier
and Alan was talking about a friend of his that develops an app in New York and is is it in the Google Play Store yes yeah it's in the Google Play Store first thing the app does when you start it it steals all your contacts and sends it back to him so that he has all your contacts and Allan was Allan ran it through his product and said dude what the hell and he said oh I didn't know I just thought it was a good marketing move because the app developers don't know any better you guys have all dealt with software developers they don't know about security and privacy you don't expect them to know about security and
privacy and these guys are taking reams of information but as long as it's not a violation of the terms of service in some way as long as it narrowly complies to the idea of oh it's a log file it's use data it's whatever we can steal whatever we want so we can write whatever we want of course this wouldn't be a problem we'll just install AV and AV will protect us yeah right the unfortunate part about this is that antivirus for the Android is stuck in about 2001 and that's being generous maybe 1997 um we ran those same 500 apps through Android we started we started with the top we just picked the top 13
for fun um and that's the detection rate of everybody else it's pretty ugly a huge number of them complete zeros across the board I was amazed so at least they got SMS tracker anybody ever heard of SMS tracker no it's the coolest app ever if I steal your phone and I install SMS tracker it lets me log into a website and see every SMS every phone call and every you know interesting thing you've ever done on your phone really McAfee you missed that seriously come on guys like how do you miss that that is the definition of spyware and if you go to the Google Store it's it it actually says if you install this on someone else's phone you
can do this what at least Symantec and Trend caught it I mean I was I was actually I like when I looked it down I was like okay everyone's got to get this right like this is the definition of malicious but nobody's getting it because this software is just the the AV software is literally in 1999 we are back to the old days it's all signature based it is all like way back in the old times if it's not in our signature database we're done unfortunately this is 2013 it's not like the malware developers for Android are stuck in 1999 we learned about polymorphism back then we learned how to escape heuristics back then we learned how to escape
behavior back then and the bad guys still know it unfortunately the malware devs don't they have not figured it out at all and because of this it's kind of ridiculous to watch exactly how bad it is when you start actually installing malware you can actually like it takes all of about five minutes to write a piece of malicious code that you don't have your thing ready to write a piece of malicious code that actually can (a) beat the Google Play store and get into the app stores and (b) beat all the AV out there and it's ridiculously easy um to the point that we're going to do it live like it's literally about 15 lines
of code to steal whatever piece of data we want and if we were to write an app that actually had a decent useful purpose it would be trivial to get Google to accept it because all Google cares about and and any of the app stores I'm not intentionally picking on Google they're just the biggest all these guys care about is does the app do what it says it does so if it makes fart noises effectively it meets the terms of service no matter what other data it steals and and this is where it gets ridiculous I mean we are literally back to that time where companies are hiding behind their terms of service instead of
actually looking to protect and I don't know about you but I talk to people I mean I talk to users a lot are you ready yes I talk to users a lot and these guys I I mean you guys can tell me when I get an Apple app I know that Apple's done some decent job of protecting you know of at least looking to see that the software is doing the appropriate thing Google's not doing the same but people are expecting Google to do the same and that's the frustrating thing is that we expect Google to be successful and they're not being successful and they're not being helpful in making sure that our software is actually
protected so down okay I give a quick demo so yeah the this week we report like a 560 malware to Google app store you know I just show you where you know how to yeah get WR bypass detection or you can just uh yeah that's a lot of memor you know do things like that so uh this demo is really really uh really easy okay uh you can see there's a couple like 10 lines of code you know maybe less than 10 lines you know um I use a really simple data you know uh a demo app steal your phone number now it could be your picture your contact your um your uh SMS messages your accounting
information you know this is just a your private data you the phone use your phone number you know you you don't want to leave your phone number away you know so so uh there's a couple demos the first demo you know we use you know we grab the uh with this app pretty easy when you open it you grab your cell phone number and send it to the ex website so steal it away that's the first one so the second one is a little bit hard actually we try to chunk the cell phone number to several section such as we steal the area code the first time next time we steal the the rest you part then the
third demo code the demo is you know I will steal one digit at a time such as I steal if you have San Francisco B the phone number I steal your four 415 is your area code I steal one number then the the rest time I steal I kick another TCP session do another one so the fourth uh demo is um pretty hard you know if you still can't detect the the the one digit I encrypt it I encrypt your cell phone uh your cell phone number using AES encryption algorithm so yeah if you still can detect you know the last one the fifth demo code I encrypt it multiple times so this time I just grab your cell phone
number use AES encrypt one time and get the SC encrypt again now the two layer encryption to say uh we can bypass your detection or not so yeah metion uh um Mur already already mentioned you know if I grab your phone number than act server it pretty much bypass every antivirus vendors you know so also it can bypass Google Google store so you make a make application directly steal the cell phone number no one can detect yeah you will get it get get P all the testing know and then your user will download it so yeah so this is the code you know so generally what I I do enable first test case I make a APK file I just uh disable
enable second one and make the second APK file so I got a file APK files here let see should be on the so yeah I got a file I got file test cases know is here so here the the the cloud service I used to do analysis you know you grab all the APK files you just U upload that's not on screen oh ready yeah okay let me
just let's do that so this the just look now we P you know you grab it you click it you select all them see I select all them I do I do upload so in five in 5 minutes you know maybe in 2 minutes you know it will show you you know so it got a binary it do a deep analysis of each application you know to see what kind of behavior it could be can bring the harmful things you know causing the security leak now steal your private data your pictures your SMS you know this one is just your cell phone number you know so let's go back you know I don't know let's go back to
the still uploading upload it process okay how how so let's see okay uh where's the first one I cannot see it yeah this the first one okay this the report you know just look gener see what happened you know got a binary it do a de the report it told you this is pretty risky application called highest risky you know so if you see this is the where where that come from from United States you know course you know so this a general description I by because there a lot of information included you know so I only go through the the part this talk you know so in the risk behavior you see it do analysis
show you steal your phone number and using HTTP send it out it's steal your phone number and send off the device to ex servers you know so if you go to the detail you know it will show you here I think this one is get your phone number and and uh okay here it send the HTTP request there the include a data small portion of the data here and uh from the description you see this is not a Hello World message if there's a Hello World message there's is no risk so this one totally is a user private data steal you know so you see steal your phone number and send it using HTTP out send it out you
know so uh I just gave you two phones um that apps installed it should be on the front page uh I think Jack I gave you one with Lookout yeah no pull down the top I think lookout's installed and I gave you the one with Mac installed yes detect it everything is okay everything is okay and you can run a scan you'll find some some sketchy apps on there because I have a lot of sketchy apps on that phone but you won't find this one yeah even though we're stealing your information the current products are not fine like this is this is a state inspection of firewall one all over again this is you know us going back to
1999 and all these products they don't do anything they they are signature based a yeah exactly those are the sketchy apps that are also on there but not this one um they're not doing anything they're not detecting we're stealing important P I mean I'm sorry to me or P your phone number stolen from your phone that's pii and nobody noticed you this could be a picture well your really proy pictures you know I get a p of the picture and send it out so yeah it's if you steal the picture it's hard to detect if you steal part of the picture it's really hard to detect you know so yeah here there there b information icap you know I give you
another one that's just you know um some the code you know where where yeah I also just the portal reverse all the all the other the codes you know and found the yeah here here the the Java code you know and grab your cell phone number and send it out you know so yeah when it got a binary it just tried to do a reverse engineering and they try to get give you the Java code proof you know there's something still happen Okay so yeah I just skip this one this this pretty easy but this already bypass all the antivirus vendors you know they cannot detect this also bypass Google and Amazon detection if you make an application upload to the
App Store you bypass them you can collect you know you can use any promotion tool to push it to 10,000 users collect all their information you know by the way um so when we were looking those apps um there were a few of those 500 apps that had more than 10 million users that I don't know that scares you guys that scares the crap of me I mean you know I I promise you I does not have 10 million users if I remember right it had between 10 and 50,000 users and it uploads the last known location to some random server somewhere in China somewhere we don't know we don't know anything about them I I mean there was a
big deal a few months ago when Mandiant found that a whole bunch of a was going back to one company in China um really we don't care about this let me go through uh okay there's there's okay this one let Meer so I don't of maybe this is the which one test one test two stud progress let's generate this one test three
yeah it it takes like a minute or something to generate the full report so the reverse code you have question talking about reverse code how are you getting Java are using ex framework you the uh tools you know so the tricky part you know such as a big application Facebook it's really large you know it of reverse it load to the page takes forever you know so the the thing I I have done is I only nail down the thing that could cause security issues you know such as you know you grab a data when you send it out it may break security um protection you know so I nail down that part give you the
reverse code I didn't reverse everything you know so that's that's a logical you know and also for the normal application maybe not legal you know so the only for for know for the SEC is more than that we show you the the code so
yes we got the T one is a test of five the other still test of five is even more creepy you know you get a your private data encrypt encrypt using a for one layer then after you got the B encrypt the second layer you know so that's almost the part everything so see almost no one can detect when you grab a DAT picture a encrypt it then again do it again maybe you do it 10 layers you know no one can detect you can do anything so this one yeah it's pretty much slow you actually it's a pretty risky behavior besides that a bunch of stuff you know AES encryption algorithm used you know I
will show you later so here you grab your cell phone number through AES encryption this the case down the key out this the data then finally it will it will doing the encryption the encryption of the data now finally it out when it out there there the message you know there the message here you can see this is not a garbage data you know this your real cell phone number yeah maybe transl many times encrypted two layers or three layers you know and uh which CH into the every data you know it used and when the center of the device we we showed you this is steal the data this is normal this is not a normal Hello World it's a
your private data your pictures maybe your SMS message and your credit card information okay yeah that's pretty much my demo you know all the in M you steal one digit you know we can do all the rest we can do that every code one digit and encrypt one time encrypt multiple times so the funny thing about this I mean I don't know if any where any of you guys earlier Android presentation I actually missed it um and I was but I was talking to those guys in the speaker room earlier and it was funny because they were they were actually see do I have slides again oh look at that wow that's good um we were talking about it and and
they were the earlier Android presentation was like at 11:00 they were talking about the need to go past signature and to really get to the point where they're not where we're not doing signature-based analytics anymore and I mean obviously that's what we're talking about here the idea of doing signature-based AV against a modern advanced persistent threat is stupid you know there's a reason that we have moved past signatures across the rest of all of our controls but if we're on Android for some reason signature-based AV seems like the idea and those guys were like yeah we should have some heuristics and I actually showed them some of these reports and I was like hey guys you should see this
though they're like oh wow that's kind of exactly what we were talking about um and you know we're just tired of seeing everybody else do crappy work I mean really that's what it comes down to I've been and I Allan and I have been in this industry too long I we worked together first 10 years ago and we've been around forever and we're tired of watching a an entire industry make exactly the same mistakes over and over and over again um the bad guys are way past signature-based AV I mean obviously there's hundreds or thousands of apps in these app stores that are stealing info that are doing really sketchy things and nobody seems to care Mar
should be 300,000 three person 300 I need to drink more if there 300,000 malicious apps in the App Store yeah because there's there's what a um that's Google that's Google it's a million apps now and and we found and 3% of them are malicious that's the sa the afterland yeah and that's the best that it gets you imagine how do you know how many apps are in the are in the Chinese one I think um maybe half million off every day and 20% of them are malicious 19.7 sorry are you kidding me you imagine if one in five PC apps you downloaded were malware I mean it's crazy talk but that's that's the world that we're
living in with these phones it's insane and no one cares and I I mean honestly we didn't expect to get up here I I honestly did not expect to get up here and do this talk and be like no one cares I I feel really depressed having giving that message but when Google goes oh hey it's a logged file that's cool what are we doing oh they the one cares inprise yeah yeah you're right 7 the Enterprise cares 70% the Enterprise you I'll right the Enterprise cares and that's why everyone that I know goes oh hell no we'll use iPad but we won't use Android and and so I I mean that that's the that's our talk like that was what
we came here to talk about holy it's bad out there I'm really depressed I need to go drink more at the bar and um yeah it's when you start actually reversing these apps and you start actually figuring out what's happening it is horribly horribly uncomfortable to know what crap is on your mobile device questions go what oh question what what do you propose as like an alternative you want to go in the iOS route you like to do the
sign up for his beta program I I don't I don't work for trust by the way I I I have my own company I I'm just Allan and I have been friends forever his stuff the stuff that he was just showing you it's the only thing I've seen that's any good and I feel like a sales guy saying that I I you know I hate coming to a conference and having like a pitch because I'm not that guy but what the hell else do you do it it all sucks you're saying upload your own app to best I got and it's still but best thing about that it's still in beta it's not even out yet so
sorry sign up for the beta good luck man I I honestly I I've been so depressed about my own phone lately what were we gonna say yeah do you think the the Android kernel soon will allow users to like check with the access rights the users allow the app all right let's be honest how long you been in this industry how stupid are users users are going to say yes to whatever you ask right that's the problem the problem and yes it already does right when you install an app it goes this app needs access to your phone number and your and sends text messages and whatever it already does but it's like check boxes
that you can choose what the app gets get maybe someday I mean what do you think now is you know Google only displays the first seven or eight permissions that we used and normally all the developers they make things easier they develop everything they want to read your application features they want to monitor your Mount amount five system they want doing all the SMS sending and receiving SMS they want to hook your start a service when your phone is Bo they want everything you know so it's we need a system can make sure what kind I broad you cannot read my contact right but no no I does not no no not now but this was about the future
the when you're looking at the discussions on XDA Developers and stuff they really wants to have some kind of yeah Google have a really beautiful framework for the Android I think it's better than iOS but is everyone build the permission system you know so now it's every every try to get 20 or 30 you will see some of the security vendors they reserve like more than 40 permissions you know and they want list everything there even Yahoo and and a big of window yeah I cannot mention their name you know they doing the same thing the is a lady they don't want to make a API call API call reject they want reserve the permission even they don't want to use
it they want to reserve it first yeah so uh so obviously this is really like a social engineering thing where users always download if they want to but for people who are really conscious security there isine and L and C do have options where you can manually go in and check do not give this information so you can install it but when it's actually requesting information it won't return the values so it's more of like a function man in the middle won't return the private information but I mean this is this is an issue where you either have to Google us go boom we're not allowing this app otherwise there's nothing you really can do because most people aren't going to
care and most people AR going to go and my but you you actually brought up a really good point and and even in this community let you know hands up for a second how many of you guys are actually using CyanogenMod what like six of you in this room like this is the most security aware community I would bet on the planet right you self-selected to come to a talk about this you're as good as it gets but dude we're not talking about sketchy app some of these have 50 Alan was telling me earlier what what was that app in China be app 91 no no no we was it WeChat yeah so how many millions
of users what it is but realize so Alan was telling me and I mean Allan is was born in China and and understands that market better than this one necessarily and check this out this app has replaced text messaging and it does all of this I mean you you know we're not talking about necessarily just like ifar and it's it's a silly choice of apps right it it it's the point but I mean realize lots of apps are doing this and it's not just the sketchy ones and that's the that's the hard part right there's lots of apps that are stealing this kind of data I was talking to a friend of mine in the security
Community the other day and I was explaining that our talk to him I was like dude this is crazy and he went well it's not really crazy if I wrote an app I'd steal all that stuff too and I'd sell it I went you're an and he yeah right but I mean the thing is it's not just the sketchy apps that are doing it and that's where it gets weird right it's all kinds of apps that are stealing this kind of data you you had a question earlier um just wanted to point out that uh just this past week Google 4 uh with 4.3 as then exp built into the um the device as well as no rout so they're
obviously trying to make improvements the the OS team is definitely making improvements and you know you have better insight into this than me the OS team is definitely getting it but the OS team and the store team are different yeah right the store team is is their their goal is more apps let's sell more stuff which reminds me of Microsoft in 2000 so uh I also found you know AA more than thousand applications that you on R right they run you in your phone when you open the application yeah the why want try to find all the ways to get root you know when you open up they get root when they get root all the security
framework you know Android have defined it bypass they can do anything installs hide in the hiding mode install applications know stop other service you know I install applications they don't you never see them so really large security vendors they do that they think that's the only way we can defeat the root virus you know yeah they have really good excuse to do that but that's totally a hack you get you get around you bypass all the Android framework the design in the past yeah 10 years I mean you guys you guys have been around how many times do you really need to run su - to run your app come on and
that's what, that's what these are doing. I mean, you know, this is UNIX. We're all, I mean, enough of us are old Unix admins. You don't need to run su - to run everything unless you really want to be sketchy about something. Do you want to talk about why anir will
never. Sure, and also C, I mean, yeah, I mean, you, you CPU issues all the time and how crappy like ma is. Yeah, you see, if you grab the security Windows, you will see they running more than 30 service in, in your phone. Actually, they have 150 activities, you know, in the application, you know. Yeah, the only thing they do, you install, your battery will be sucked, you know, really quick. So if you see any application have more than 30 the, don't install it. I, I'll be honest, they hook everything, you know: your phone, your message, you're receiving a message, you send out a message, they want to look into everything. Even you mount SD card, I'm want SD card, they want
to get it, you know. You want to download the app, you install app, they want all the behaviors, you know, and they told you, I want to make you secure. I think, you know, that's the, that's their. Send your phone number back as well, some of them. Actually, there, there's a blog entry we, that, that he hasn't published yet, that he, he passed by me, about a big antivirus vendor that's really, that acts more like, remember those, like a couple years ago there was that whole scareware thing, like fake antivirus? It acts more like that than it does a real AV. It's kind of sketchy. Um, to your point, I'm gonna sound like a sales guy again, sorry, his stuff's
actually kind of cool, because what it really does is just do, you know, crypto, like hash of the app, and check the app up in the cloud, and the cloud does all that stuff, 'cause, because if you put that on the client you're, you're, you can't that on CL it's, this thing is basically like a, you know, 2001 Pentium 4, right? It's not going to be able to do really significant analysis has pretty much. So put the analysis in the cloud where it belongs and be done with it, and, and, you know, do something intelligent. Yes, there's, there's some difficulties with that, but if you do it right you can solve that. I mean, the
beautiful thing about, about 2013 is we can put a ton stuck in the cloud. Holy crap, I mean, have you guys used Heroku? Oh my God, that stuff's cool. Say, I got two questions. Uh, the first one's actually more of a response to the comment about updating Android. Uh, you know, if you're an end user and you're updating Android, sometimes you've got to go through your actual, say for example, your mobile service, whoever they are, AT&T, Verizon. They don't ship updated hardware, not even close. The, the hardware you're getting could be two, three years old in some cases, so you're basically looking at stuff that's actually not going to be up to date, and users are not
buying up-to-date hardware. They're not going to be buying stuff that's going to be up to date for another 5 years at this rate. My second question is, do you guys have any speculation as to what's being done with all this data that's being harvested? Where is it being sold? Who's using it? We just, we have a lot of data, know, in the back end, you know, but we don't know how do we release it, you know. So we want to release our lawyer C you know now not that stage, you know, it's too big, you know, you don't want to just. So that's why you, you, we cannot disclose all the applications, you know. We want to through
the proper channel to do it, you know. So, so to your question, like even further, about what these people are doing with it: have no idea, man. I mean, honestly, do do who that company was that I show the other stuff involv not L many more than 10 million users in application, you know. They are a company, they are raise a lot of money, you know. If Google shut them down, it's, I don't know. We tried to through the proper channel to, to pursue them, actually let them fix the, the scen, you know. Yeah, but and, and to that point, I mean, some of these companies, some of these companies are like a friend they
steal this information and they use it for marketing. I mean, honestly, if, if I was writing an app, I would want to know the geographic position of everyone who used my app, because then I could target ads to places. I was going to say, that's, that's actually something, it's part of the Facebook API, if I recall correctly, right? Yeah, absolutely, and, and there's, I mean, there's all kinds of uses, but no, because you have no idea who's behind all this crap that, you know, there's millions of these apps. I mean, even the 500 we reported to Google, they're across the board. We have no idea what they're doing. Honestly, I'm more scared of that than I am of the NSA. At least the I
honestly Keith Alexander showed up, we could have talked to him this morning. I have no idea who these 500 people are, and, and they're doing crazy with all kinds of, of my info, and I have no idea what they're going to do with it. So you, you showed three antivirus vendors and how they performed. Yeah. Have you, was the only three you have checked? No, we just picked those three, we, we. So which one was the best of the ones that just sh? Norton. Norton was the best. We did them so against a bunch of those, we did them all on a bunch of these phones. Um, it, it got to the point where it's embarrassing
I mean, you know, it's embarrassing. Norton actually did better than anybody else that I saw. Do you, do you agree with that? Norton was the best I saw. You see anybody else? And for the priz stuff, you know, the thing I show you in the five test cases, no one can catch. Yeah, some of the not Max they, they have a, they have a maras they will detected cover all the example they had so they know only they know all the RS that they didn't know they affum good here they, they have the biggest database that we we we we pretty much R the time, you know. Last question, you know. Yeah, we're, we're getting, we're getting a t
back there. Yeah, last one, last question, go for it. What do you guys
does expect maybe uploading a photo as opposed to apps that Sak do this? We didn't, uh, the thing we show here, we didn't do any assumption, we didn't collect any user agreement. The thing we show you is, by default, you open the app, what will happen. So no interaction, no inaction. So this is, there's, we didn't show you our assumption, it's a fact. The score is show you the thing we already saw. Actually there's no false, the score is based on what we saw, the fact. And so, so, you know what, to be honest, there will be a, there will be a false positive to. I mean, let's be honest, this product's in beta, they're still working on it, it's
not perfect, which is one of the reasons, as he said, that the lawyers don't want us to be going like, hey, 500 apps, everybody run away from these, because it's not perfect. But guess what, if you start really looking at the, I, you know what, send him an email or send me an email, I'll make sure he does it. Send you, you pick an app out of that 500, I'll send you the report for it, and you tell me it's not doing sketchy crap. It, I looked at a ton of those and I went, I, there were only two that I remember that I went, ah, this might be a false positive. Most of them were
like, I'm sorry, why does the iFart app need my, my location? I, it does not need to know exactly where I was when I made a fart noise. I'm sorry, it doesn't. Like, and, and it was that kind of egregiousness, like, that's not a false positive, that's just BS. And you know, unfortunately it fits within the terms of service and it fits within what's okay for somebody else. It needs to stop, it needs to get fixed, and that, that, that's really, like, I'm sorry, I don't mean to be like so ranty about it, but I remember what it was like reporting stuff to Oracle in 2001 when they would be about it, and to see somebody do this in 2013
is complete would be my answer. Grantly, sorry. All right, I think we just got waved. Um, if you guys have questions, come talk to us here. Find this stuff is awesome.