Sunday, 19 June 2011
Lookout opens unwanted data connections all by itself and punches holes in DroidWall
If you switch off mobile data in the Android settings menu or with widgets like Dazzle or Extended Controls you'd expect your data connection to stay quiet, even after a reboot. You definitely don't want apps to switch it on behind your back.
But when I reboot my phone I always see network traffic in the status bar, and my Dazzle data indicator turns green. After a few seconds the rogue data connection switches itself off again. If you don't keep looking at your screen you'll probably never notice that something phones home upon boot.
Of course I wanted to know how the data connection got switched on, which apps used it, and how to put an end to this. Testing conditions: Motorola Defy running Froyo, installed apps include DroidWall (with a long list of blocked apps), AdFree, and Lookout (not set as device administrator, which didn't make any difference). Mobile data was switched off before rebooting with either Dazzle, Extended Controls, Quick Settings, or Widgetsoid. I didn't use the APN rename method, just the plain data switch.
Even though mobile data was supposed to be off I always found traffic by mobile virus scanner Lookout. Other apps went online too, even though DroidWall should have blocked most of them. This is possible because DroidWall doesn't block anything until it has written its iptables. Blocked apps can go online in between booting your phone and DroidWall doing its thing if there is an open data connection.
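The boot-time gap described above, as an added example that is not part of the original post: a short Python check that replays a boot timeline and reports which apps sent traffic after the data connection came up but before the firewall rules were in place. The event names and timestamps are constructed for illustration; the app names come from the post, and the blocklist contents are an assumption.

```python
# Constructed boot timeline: (seconds since boot, event, app).
# Event names ("data_up", "firewall_ready", "tx", "data_down") are hypothetical.
EVENTS = [
    (21.0, "data_up", None),            # data connection switched on during boot
    (21.4, "tx", "Lookout"),
    (22.1, "tx", "GO SMS Pro"),
    (23.0, "tx", "YouTube"),
    (24.5, "firewall_ready", None),     # firewall has written its iptables rules
    (25.0, "tx", "Make Your Own Clock Widget"),  # started late: rules already apply
    (27.0, "data_down", None),
]
# Assumed firewall blocklist for this example.
BLOCKED = {"GO SMS Pro", "Make Your Own Clock Widget"}


def boot_window_leaks(events, blocked):
    """Return (exposed_seconds, {app: verdict}) for the unfiltered boot window.

    The window is open only while data is up AND the firewall is not ready.
    """
    data_up = firewall_ready = False
    opened_at = None   # start of the currently open unfiltered window
    exposed = 0.0
    leaks = {}
    for ts, kind, app in sorted(events, key=lambda e: e[0]):
        if kind == "data_up":
            data_up = True
            if not firewall_ready:
                opened_at = ts
        elif kind in ("data_down", "firewall_ready"):
            if opened_at is not None:   # either event closes the window
                exposed += ts - opened_at
                opened_at = None
            if kind == "data_down":
                data_up = False
            else:
                firewall_ready = True
        elif kind == "tx" and data_up and not firewall_ready:
            leaks[app] = ("bypassed firewall" if app in blocked
                          else "not on blocklist")
    return round(exposed, 3), leaks


if __name__ == "__main__":
    seconds, leaks = boot_window_leaks(EVENTS, BLOCKED)
    print(f"unfiltered window: {seconds}s")
    for app, verdict in leaks.items():
        print(f"  {app}: {verdict}")
```

If the firewall is ready before the data connection comes up, the window never opens and the function reports zero exposure and no leaks.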
The apps that hitched a ride were GO SMS Pro and Make Your Own Clock Widget (both bypassing DroidWall), YouTube, and Google Services Framework. The latter includes the calendar and contacts sync adapters. Of course I had syncing switched off but Google doesn't care about that. Other apps may also sneak unwanted traffic through if they manage to squeeze in between booting the system and DroidWall getting out of bed.
GO SMS Pro, Make Your Own Clock Widget, YouTube, and the Google Services Framework didn't go online at every restart, but often enough to notice. I guess they sometimes woke up in time to hitch a ride, and sometimes started late and found a closed connection. But Lookout always managed to go online in the few seconds that the rogue data connection was live. Maybe it activated the connection by itself?
To verify that Lookout was the guilty one I rebooted my phone a few times with Lookout uninstalled or frozen with Titanium. Without Lookout my data connection never activated by itself, and I didn't detect any stowaway data traffic from the other apps. With Lookout defrosted or reinstalled the unwanted traffic came back. Not only from Lookout, but also from the apps that hitched a ride.
Lookout may have good reasons to switch data on by itself, such as phoning home if your phone gets stolen so you can lock it or wipe it remotely. But Lookout has no reason for not including an off switch. If you only use the virus scanner part of the program there's no need for Lookout to snoop online on startup.
It's ironic that an antivirus program causes blocked apps to leak data. An internet connection that starts up by itself before apps like DroidWall or LBE Privacy Guard wake up is a major security problem. It can also lead to unpleasant surprises on your phone bill if you're traveling abroad and pay a fortune for international data roaming.
You can prevent unwanted data connections with apps like APNdroid, the APN renaming switches in Quick Settings and Widgetsoid, or by any other method that renames your access points into something unusable. But this defeats the purpose of Android's built-in off switch that doesn't rely on the clumsy workaround of renaming your access points.
I'll try some alternatives to Lookout to see if there's a good security app out there that doesn't open the doors when it shouldn't. Stay tuned!
Update: I ditched Lookout for avast.