The odds are pretty good that if you’re a big consumer of mobile apps, the private information on your phone has been collected and sent somewhere without your knowledge.
That’s the finding of the App Genome Project, a mammoth study by Lookout, a mobile security company that has scrutinized more than 300,000 apps on both the iPhone and Android mobile phone platforms.
San Francisco-based Lookout provides security such as anti-malware for mobile phones. It decided to decipher exactly what mobile apps do when they run, and it found that apps are tapping into personal data and accessing other phone resources without telling users. The company is unveiling the survey at the Black Hat security conference this week in Las Vegas (where I will do live reporting). At the conference, mobile security will be a hot topic.
About 29 percent of the free apps on Android access a user’s location data, while 33 percent of the tens of thousands of free apps on the iPhone access location data. About 14 percent of iPhone apps access personal contact data, while 8 percent of Android apps do so. The difference is largely due to the different security measures used by the two platforms, said John Hering, chief executive of Lookout. Google, for instance, relies on crowdsourced community policing for its security, while Apple handles security on its own.
Some of the findings are alarming. Hering said that an Android wallpaper app transmitted the user’s phone number to a Chinese developer, for no apparent reason. That app was downloaded by 50,000 people. Another seemingly legit app made phone calls to Somalia, resulting in huge user bills.
The study also found that a large proportion of apps contain third-party code with the capability to interact with sensitive data in a way that may not be apparent to users or the developers of the apps themselves. The third-party code is generally used for advertising or analytics. The project found that 47 percent of free Android apps included this third-party code, while 23 percent of free iPhone apps use it. Third-party code represents a security risk because it is difficult to update (and patch a vulnerability) on a global basis. Apple changed its terms of service for the iPhone recently because of its concerns about what third-party analytics and other companies were doing with private data.
“The App Genome Project is an important step in securing our mobile phones against threats. With a real-time database, we can quickly identify threats in the wild and swiftly move to protect consumers,” said Hering. “Early results show that platform companies can influence how developers access a user’s location and contact information, and point to the need for developers to be more aggressive about protecting consumers’ personal information.”
Lookout will release the full findings of the App Genome project this week and demonstrate some of the vulnerabilities caused by inadvertent developer practices and problems with the platforms themselves. Third-party ad companies typically gather a person’s location data to deliver targeted mobile ads, but users may not be aware that their location is being shared with a third party. That means the third parties are going to have to act responsibly, said Kevin Mahaffey, chief technology officer at Lookout.
Lookout’s software protects a million users on 400 mobile networks in 170 countries. The company has raised $17 million to date from Khosla Ventures, Trilogy Equity Partners and Accel Partners. It has 25 employees and was founded in 2007 by Hering, Mahaffey and James Burgess — three security researchers who met at the University of Southern California. They drew national attention when they showed how easy it would be to expose the private data on the cell phones of celebrities at the 2005 Academy Awards. Rivals include Symantec and McAfee.