We would also like to remind those reading our work that while we have identified the set of applications on which we tested TaintDroid, we have not identified which are using information in ways that users may deem inappropriate and which are not. There is no reason to believe that an application we have tested is any more or less likely to misuse data than any other Android application that requests access to the same data. Rather, the applications we identified were presented in our research paper so as to make clear how we sampled the pool of possible applications to test and to allow other researchers to reproduce our results.
We hope that the technology in TaintDroid will soon be more widely available so that users can learn how different applications use their data. To sign up for future testing, send email to taintdroid@appanalysis.org. For now, we ask that users not assume that applications are guilty simply because they were among those we tested.
The following is the email sent to Sean and the ZXing team on September 30, 2010.
Hi Sean and the ZXing team,

First off, please accept my apology for incorrectly listing the permissions that the Barcode Scanner application requests in our paper. There was a bug in my script that parses permission lists given an app name. It turns out that my script incorrectly parsed the permission list of com.froogloid.kring.google.zxing.client.android.apk.

We fixed Table 2 in the OSDI paper and uploaded the fixed version to our web site (appanalysis.org) as well as sent it to USENIX. I hope that this makes it clear to the users of BS that the application accesses neither phone information nor location, thus having nothing to do with the applications reported in Table 3.

Once again, I am sorry about the mistake and thank you for notifying us.

Jaeyeon