ARN

Are your smartphone apps selling you out?

Just because you're paranoid doesn't mean your mobile apps aren't out to get you
  • Mike Elgan (Computerworld (US))
  • 07 December, 2013 12:04

The president of the US says he's not "allowed" to own an iPhone, which is why he's sticking with his BlackBerry, according to The Wall Street Journal.

It's a politically sensitive subject because the iPhone is the big American brand, and the president is a self-proclaimed fan of the late Apple founder and CEO Steve Jobs. He'd love to pander to buy-America voters. (Obama is also probably not "allowed" to have an Android phone.)

Of course, neither the president nor the Secret Service is willing to say exactly how security could be compromised with an iPhone. But one security risk is the unpredictable nature of both iPhone and Android apps.

Sure, there's a lot of flat-out malware flying around online, most of which looks like regular, legitimate apps but in fact are either malware or they compromise privacy or security in some way.

There are certain types of apps that users are wary about and may take precautions about downloading. But others don't seem to have anything to do with user data, so they seem safe.

The Federal Trade Commission announced this week that it reached a settlement with Goldenshores Technologies, which makes a free Android app called "Brightest Flashlight." The FTC said the app harvested data on users' locations and device IDs and sold it to advertisers without telling the users, and even when users rejected the app's terms of service. The settlement forced the company to improve its privacy policy, user communication and data handling.

The FTC said the app had been installed on "tens of millions" of phones.

The whole "Brightest Flashlight" fiasco shines light on an uncomfortable set of facts about smartphone apps. For starters, some apps that have no apparent need to harvest personal data or compromise privacy or security go ahead and do so anyway.

But even those that don't move user data can leave users vulnerable through sheer incompetence.

Silicon Valley computing giant Hewlett-Packard recently conducted a study about the security of business apps for the iPhone and concluded that many of them give themselves permission to access phone features and user data that make no sense, given the stated purposes of the apps.

HP found that more than 90% of the business apps it studied had privacy or security flaws.

Many of the flaws involved unencrypted data or insecure protocols. Some 20% of the apps send user data via unprotected HTTP. A similar percentage sent via HTTPS, but didn't do it right. And HP found other problems where an app could compromise user security and privacy not through malice, but through incompetence.

HP isn't the only organization looking at app security and finding a gigantic problem.

A new report from Trend Micro found that there are now 1 million "malware and high-risk apps" in the wild.

"High-risk apps" are defined in the report as those that "aggressively serve ads that lead to dubious sites," and represent one quarter of the total.

An information security company called Trustwave said this month that file-sharing apps for iPhones and iPads can compromise user security -- even simple picture-sharing apps or apps that enable users to exchange documents.

The problem is that some of these apps open up an insecure file server on the device, which theoretically makes the file vulnerable to copying or could enable malicious crackers to upload files of their own. Some apps don't even require user authentication. The problems tend to be worse when apps run on older versions of iOS.

Some of these reports come from companies that sell solutions to the smartphone apps' security and privacy problems, so their conclusions should be taken in that context. However, it's clear that the problem is real and widespread.

So what can users do about it? Do you have to become a security expert just to keep your personal data private?

The unfortunate answer is: Yes, kind of.

Education is the best defense. Certain types of smartphone security products, such as iPhone fingerprint readers or Android anti-malware apps, protect against some risk but not most of the problems associated with apps.

In general, we all need to be more selective about the apps we download and not assume that just because it's highly rated or popular that it's OK.

We also need to think about which data we want to keep private, and which data we don't. For example, if you're concerned about protecting your location data, there are a set of steps you can take to reduce the risk of that information getting out.

If, on the other hand, you carry financial data around on your phone, well, there's an entirely different set of actions you need to take.

The take-away here for all users is that the Apple App Store and the Google Play Store and the other Android stores are jam-packed with apps that can compromise your security and privacy without you ever knowing anything bad happened.

So be careful about what you download, don't be lulled by security features that can't protect you against bad apps, and take deliberate action to protect the private information you most want to safeguard.

This article, Are your smartphone apps selling you out?, was originally published at Computerworld.com.

Mike Elgan writes about technology and tech culture. Contact and learn more about Mike at http://Google.me/+MikeElgan. You can also see more articles by Mike Elgan on Computerworld.com.

Read more about mobile apps in Computerworld's Mobile Apps Topic Center.