Last week a clever, duplicitous fifteen-year-old got Apple to approve an iPhone flashlight app which contained a secret tethering utility. A few days later, Citi told users of its iPhone mobile banking app that it was storing personal information in a manner which might have left it vulnerable to misuse by other apps or hackers.
Neither incident represented a security disaster, but both provided sobering evidence that the iPhone’s level of security is less than airtight. The tethering app’s acceptance showed that it’s possible to sneak hidden code past Apple’s approval process, and the Citibank storage glitch was a useful reminder that iPhone apps aren’t completely isolated from each other.
Bottom line: If you use an iPhone or other smartphone, you can’t blithely assume that the apps on it can’t make trouble.
That provides interesting context for the App Genome Project, a new study from Lookout, which makes security software for Android, BlackBerry, and Windows Mobile phones. The company automatically scanned almost 300,000 apps in the iPhone App Store and Android Market, then downloaded almost 100,000 free ones for closer analysis.
A few of its conclusions:
- 33 percent of free iPhone apps and 29 percent of free Android ones can access the user’s location.
- 14 percent of free iPhone apps and 8 percent of free Android ones can get at the user’s contact data.
- 23 percent of free iPhone apps and 47 percent of free Android ones incorporate third-party code–usually for analytics and ad tracking–that may be able to interact with data on the phone in a way that’s unclear to both developers and users.
I don’t know about you, but when my iPhone and Droid ask me to grant permission for a new app to access my data, I cheerfully grant it without much thought–even though there’s absolutely no way for a user to know for sure what an app is doing with the information it can see.
The App Genome Project is an ongoing effort. Lookout’s founders are speaking at the Black Hat security conference in Las Vegas today. They say they’ll reveal information on a new class of smartphone vulnerability they’ve detected; here’s hoping it isn’t one that anyone has exploited just yet.