Mobile apps phone home
According to security experts from US firm Lookout, numerous applications for Android smartphones and Apple's iPhone send more sensitive data to third parties than users probably realize. Announced at the Black Hat security conference in Las Vegas, the findings are based on an analysis of more than 100,000 apps. In the App Genome Project, John Hering and Kevin Mahaffey, the founders of Lookout, plan to study thousands of small applications to see what they actually do once installed on a smartphone.
The firm says it has already taken a look at nearly 300,000 apps, more than 100,000 of them thoroughly. The initial findings revealed that a third of the applications studied on the two platforms have access to geo-data. While 14% of iPhone apps can access contact data, only 8% of the Android programs can do so.
Almost half of the Android applications investigated were found to contain code from third parties used, say, for advertising or to analyse user behaviour; the figure for iPhone apps was just below one quarter. A lot of users – and, indeed, some app developers themselves – apparently do not know what this code actually does.
It's not clear whether such access is legitimate or merely serves to secretly spy on users, but spying cannot be ruled out. For instance, a popular app called "Jackeey Wallpaper", which has been downloaded from the Android market millions of times, sends personal data to an unknown third party. The Wallpaper app, which looks harmless, reportedly sends the user's SIM number, information about the cell phone user, and the password for voice mail to a server registered in China.
Of course, app stores are trying to stop the spread of such apps. But while Apple reviews apps to see whether they comply with the rules, the company has been tricked a number of times – most recently by a 15-year-old who smuggled a tethering app past Apple's reviewers. While access to Google's Android market is open, checks are performed there as well. For instance, Google recently took thousands of spam apps off the market. In cases of doubt, Google can also remotely delete offending apps.
- Google uses remote delete to remove Android apps from smartphones, a report from The H.