Just How (In)secure are Smartphones?

Wednesday, July 28, 2010 at 8:24 am

Last week a clever, duplicitous fifteen-year-old got Apple to approve an iPhone flashlight app which contained a secret tethering utility. A few days later, Citi told users of its iPhone mobile banking app that it was storing personal information in a manner which might have left it vulnerable to misuse by other apps or hackers.

Neither incident represented a security disaster, but both provided sobering evidence that the iPhone’s level of security is less than airtight. The tethering app’s acceptance showed that it’s possible to sneak hidden code past Apple’s approval process, and the Citibank storage glitch was a useful reminder that iPhone apps aren’t completely isolated from each other.

Bottom line: If you use an iPhone or other smartphone, you can’t blithely assume that the apps on it can’t make trouble.

That provides interesting context for the App Genome Project, a new study from Lookout, which makes security software for Android, BlackBerry, and Windows Mobile phones. The company automatically scanned almost 300,000 apps in the iPhone App Store and Android Market, then downloaded and analyzed almost 100,000 free ones to check them out.

A few of its conclusions:

  • 33 percent of free iPhone apps and 29 percent of free Android ones can access the user’s location.
  • 14 percent of free iPhone apps and 8 percent of free Android ones can get at the user’s contact data.
  • 23 percent of free iPhone apps and 47 percent of free Android ones incorporate third-party code–usually for analytics and ad tracking–that may be able to interact with data on the phone in a way that’s unclear to both developers and users.

I don’t know about you, but when my iPhone and Droid ask me to grant permission for a new app to access my data, I cheerfully grant it without much thought–even though there’s absolutely no way for a user to know for sure what an app is doing with the information it can see.

The App Genome Project is an ongoing effort. Lookout’s founders are speaking at the Black Hat security conference in Las Vegas today. They say they’ll reveal information on a new class of smartphone vulnerability they’ve detected; here’s hoping it isn’t one that anyone has exploited just yet.



6 Comments For This Post

  1. @willyd357 Says:

    Great article Harry, very informative. I'm looking forward to seeing how this develops. For example, a searchable db that can be quickly referenced before installing an app would be extremely handy.

  2. davezatz Says:

    Another data point… the i.TV television guide and scheduling app stores TiVo.com credentials in the clear. I assume there are many similar gaffes out there. In the real world, I wonder what the real risk is for most of them.

  3. Hamranhansenhansen Says:

    iPhone is more secure than any PC, including the Mac.

  4. Dennis Says:

    Don’t trust this app. I stored my pics on lookout server and it appears in Lookout space!

  5. Michael Says:

    Lookout? in a word… Useless!

  6. pellin10 Says:

    Thanks for making this sort of cool post which is genuinely very well composed. Will be referring many friends regarding this