Phone applications giving away your private information

In a scan run by Lookout Inc., nearly 300,000 free applications for Apple's iPhone and phones built with Google's Android software were tested, and it was found that many of them had software that is secretly pulling private information out of your phone.

This private info includes full details about your contacts, your pictures, text messages, and Internet search histories. This is a huge concern for everyone who actively uses the free applications available on the services.

In general, companies use this info to tailor ads to the specific person. The danger is malicious hackers: if the company isn't careful about the security of the information, it can enable people to easily commit crime and identity theft.

Lookout released the info at this week's Black Hat computer security conference held in Las Vegas.

Lookout stated that nearly a quarter of Apple applications and almost half of Android-capable applications had this software hidden within them.

The code used has been written by 3rd parties, and is placed in the applications, primarily for the purposes of the adverts. But the code winds up forcing the application to collect more information than it actually requires. Developers may not even realize that this is happening on their applications. John Hering, CEO of the San Francisco-based Lookout had this to say:

"We found that not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating."

The problem arises when the smart phones don't inform the users of the data that they are accessing and sending to the company. iPhones only alert the user when the application is accessing their location, not when it is accessing other personal information. Android applications have a wider set of warnings, but most users would go straight through them without properly reading what is being said.

Neither Apple nor Google responded when questioned about this topic. It may be best to be more careful when downloading free applications from either service in future.

28 Comments

Isn't the same thing happening on the web? Analytics and targeted-advertising services are pulling almost all the personal data a browser can provide.

Why didn't Apple's quality control catch this when they tested all the Apps before making them available at App store? They are blocking or banning Apps which for Apple seem to be questionable content but when 1/4 of all Apps include spyware and are sending sensitive data home to the developer, Apple doesn't care... way to go Apple!

I am VERY surprised, not that this is actually happening but that nobody ever thought it might happen and bothered to check.

One of the first things that ever entered my mind about apps was the possibility of them taking data without your knowledge. Even with some safeguards and testing already in place, it was bound to happen.

Teebor said,
I am VERY surprised, not that this is actually happening but that nobody ever thought it might happen and bothered to check.

One of the first things that ever entered my mind about apps was the possibility of them taking data without your knowledge. Even with some safeguards and testing already in place, it was bound to happen.

Oh, it's been known for a while now. Some iPhone developer even published a proof of concept back in Dec 09: http://www.neowin.net/forum/to...phone-app-proof-of-concept/

NotSoBad said,
Are they going to release the list of apps, so we can delete the offending ones?

I have an idea - how about an app that gets a list of all your software, sends it back for analysis, then lets you know if you're running anything that collects data about your device and usage.

+1 Best idea yet.

Neb Okla said,

I have an idea - how about an app that gets a list of all your software, sends it back for analysis, then lets you know if you're running anything that collects data about your device and usage.

The title should read, "Millions of Android Users Affected by Malicious Data Theft App," because that's what it's really about. That Associated Press article used by Yahoo is rather incomplete and inaccurate.

An Android wallpaper app collected personal information (browsing history, text messages, SIM card number, subscriber identification, voicemail password), and sent the data to someone in China.

Also, Lookout only logged 100000 Android and iOS apps' data activity. And the percentages given (50% of Android-based apps, and 25% of iOS-based apps) are related to 3rd-party code used in the app, and are not malicious code. Of course, some of that 3rd-party code can be malicious. The AP article is misleading at best.

The article by VentureBeat is much better:
http://mobile.venturebeat.com/...was-downloaded-by-millions/

A questionable Android mobile wallpaper app that collects your personal data and sends it to a mysterious site in China, has been downloaded millions of times, according to data unearthed by mobile security firm Lookout.

That means that apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin MaHaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas today.

“Even good apps can be modified to turn bad after a lot of people download it,” MaHaffey said. “Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it.”

The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.

It collects your browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voicemail password. It sends the data to a web site, http://www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times. The exact number isn't known because the Android Market doesn't offer precise data. The search through the data showed that Jackeey Wallpaper and another developer known as iceskysl@1sters! (which could possibly be the same developer, as they use similar code) were collecting personal data. The wallpaper app asks for “phone info,” but that isn't necessarily a clear warning.

The Lookout executives found the questionable app as part of their App Genome Project. Lookout is a mobile security firm, and it logged data from more than 100,000 free Android and iPhone apps as part of the project to analyze how apps behave. It found that the apps access your personal data quite often. On Android, each user is asked if they give their permission to access an app, but on the iPhone, where Apple approves apps, no permission is needed.

Roughly 47 percent of Android apps access some kind of third-party code, while 23 percent of iPhone apps do. The executives also found that many apps use third-party software programs to do things such as feed ads into an app. Often, developers unquestioningly use the software development kits of those third parties in their apps, even if they don't know what they do. In many cases, there is a good reason for the use of personal information. Ads, for instance, can be better targeted if the app knows a user's location.

Hering said in a press conference afterward that he believes both Google and Apple are on top of policing their app stores, particularly when there are known malware problems with apps. But it's unclear what happens when apps behave as the wallpaper apps do, where it's not clear why they are doing what they are doing.

Ikshaar said,
Oh please, the report is from the company selling security software.... don't be so naive. And the report is mostly FALSE.

http://www.webpronews.com/topn...uses-android-security-scare

PS: next time post a link instead of stealing text from other website.

Lookout provides completely free security for the Android platform, in the form of an app that scans downloads and apps, and can back up your information online, as well as allowing you to remotely send a siren tone to your phone in the event that you misplaced it.

It's highly rated, heavily downloaded, and well respected in the community. Oh, and it's ad free (there is no paid version).

I have no idea if it exists for the iPhone.

http://www.appbrain.com/app/com.lookout

Phone manufacturers need to tighten up the permissions for applications or give us explicit control over what can be assimilated.

article said,
iPhones only alert the user when the application is accessing their location, not when it is accessing other personal information. Android applications have a wider set of warnings, but most users would go straight through them without properly reading what is being said.

So on Apple it's a development problem, and on Android it's a user-problem.
Security is always a user-problem, so...

LiquidSolstice said,

As opposed to your....what, exactly?

Probably his worker's paradise - where the Government forbids private cell phone use and ownership.

MindTrickz said,
****ing hell.. I now have to look through what applications are important to me and delete the rest.

How will that help? The article explained that the Devs don't even know what their software is doing. That's the kind of problem you can have when a bunch of novices start cranking out software. You get a ton of diversity in the app-space, but the guts aren't pretty. In the case of Apple you'd think they'd take the responsibility to check apps for this sort of data collection and at least put a little warning flag. Ultimately you should only use software you trust - and ensure (with the help of other users) that the trust is well placed.