Most mobile geeks don’t think twice about downloading an app to their mobile device, but a new study suggests that smartphone users might want to exercise the same caution they do when downloading desktop apps from the web.
New findings from the security firm Lookout implore users to pay attention to what they’re downloading, because that “really great” app you found could be transmitting your sensitive data to unknown entities.
According to Lookout, a number of users recently downloaded a malicious app (Jackeey Wallpaper) from the Android market. It was meant to give users cool wallpapers; instead, it allegedly sent user information to China. The compromised information apparently included a litany of private data, such as SIM card numbers, voicemail passwords and subscriber identification, which was sent to a website located in China.
This all came to light as Lookout began to analyze over 300,000 iPhone and Android apps for their App Genome Project, an initiative created to determine precisely what mobile apps do when they’re running on your device.
Another interesting tidbit: third-party code that developers use to add ads and analytics may be accessing things it shouldn’t, or at the very least not making you aware that your information is being gathered.
Lookout will be sharing its research this week at the Black Hat Security Conference (July 28-29), so, to end on a positive note, they’re working hard to expose these vulnerabilities to the development community.
Lookout posted these early findings on their blog:
29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
47% of free Android apps include third party code, while that number is 23% on iPhone
* Examples of third party code include code that enables mobile ads to be served and analytic tracking for developers.
(via Venture Beat, Lookout Blog) (image source: Lookout)
I always check to see what resources an app requires. But does this article imply that if an app uses third code that they can hide the resources that the app will access? I would hope that the Android OS only allows resources that I deliberately allow. Would be nice to have a kit that lets me run an app in a sandbox and see what data is sent out.
Hi Ed,
From what I’ve read, yes it is possible it (3rd code) will do things you weren’t aware it was doing. I am not a dev so I can’t advise you exactly how it’s possible. If you check out the Lookout site you can find more info. As Tony had mentioned “Android does this for every app you download.. unfortunately just like desktop apps people are too used to clicking ‘OK’” something I didn’t catch.
“both the Android market place & app store may want to make people aware “if you download this app it will access your ____ “ that way the user can make the choice.”
Android does this for every app you download.. unfortunately just like desktop apps people are too used to clicking ‘OK’.
If a screen saver requested access to my address book for example I wouldn’t install it – and would probably post a review warning others. Lots of people just click blindly… user education is the key.
Tony, you’re right about us “click happy” people, I didn’t notice that happening with Android.
Sending some info is unavoidable for certain apps, like weather and what’s on? type apps.
As for my app downloads, I first identify a need then go look to see if there is an app for it, I don’t just look at “all free apps” and d/load the lot.
I don’t own an iPhone, but I do own an iPod Touch, and only from the Apple Store do I download applications for my device, and even then I use a modicum of caution when doing so: only the official ones for a trusted entity will I download to my iPod Touch.
Bruce R, I believe in a lot of cases the app itself is not malicious but what they’re doing with the information is. Yes, there are ‘controls’ in place but both the Android market place & app store may want to make people aware “if you download this app it will access your ____ “ that way the user can make the choice.
BTW- Jackeey (wallpaper app ) just changed their name to “Call Me Jack”.
I meant to include the mention of all the Android apps as well here, sorry!!!!!!!
What I don’t understand here is, who controls the content of what goes *to* the app stores before approval for distribution to the open market. Doesn’t Apple have some kind of restrictions in the first place? Also, I would think that the app *upload* sites would run anti-virus & malicious software scans prior to allowing the final product onto or into the app stores before even considering distribution. Any thoughts here???