More iPhone than Android apps can access sensitive user information

Posted on July 29, 2010


Privacy becoming a significant concern with mobile apps

Mobile Marketer Daily - Applications developed for iPhone are more likely than those on the Android platform to access sensitive information on mobile devices, according to mobile security company Lookout.

Lookout found that 14 percent of free iPhone applications have the ability to access users’ contact lists, as compared to 8 percent of free Android applications. The company’s research notes that most applications contain third-party code, often used for advertising or analytics, which can access permissions that users and application developers might not intend.

“The big point is that users should pay more attention to the permissions that apps are accessing,” said Kevin Mahaffey, cofounder and chief technology officer at Lookout, San Francisco. “Developers should also pay careful attention to what data they are accessing and how they are storing and protecting user data.”

Lookout is a mobile security company that produces applications designed to protect a variety of smartphones. It is investigating security threats in applications as a part of its App Genome Project.

The App Genome Project has scanned almost 300,000 applications and fully mapped close to 100,000 in order to understand how applications are interacting with personal data on phones and identify prominent security threats.

So far, findings suggest that Android applications tap into sensitive data, such as contact lists, less often than comparable applications for the iPhone.

For example, 33 percent of free applications on the iPhone can access a user’s location, compared to 28 percent of free Android applications.

Third-party code is common in applications for both iPhone and Android devices, creating cross-platform vulnerabilities.

While more free Android applications (47 percent) include third-party code than comparable iPhone applications (23 percent), Lookout says that the permission model of the iPhone platform makes it easier for such code to cause applications to access sensitive data.

For example, some iPhone applications interact with a user’s address book simply based on the presence of third-party code.

The same activity would be more difficult on the Android platform.

The application developer would both need to integrate the third-party code and request a permission from the operating system to access the contact list.

As such, developers on the Android platform have more control to choose which permissions applications access.

Lookout says that developers need to be vigilant in protecting the privacy of their applications’ users.

Mr. Mahaffey made a number of suggestions he says application developers need to keep in mind, including:
• Only ask for the necessary permissions, because once a developer has accessed sensitive user data, it has a responsibility to protect it
• Be diligent in protecting user data
• When implementing third-party code for purposes such as advertising and analytics, make sure to understand what permissions that code is accessing

Privacy a growing concern
Significant attention has been directed towards privacy concerns attached to mobile devices, owing to the uniquely personal nature of handhelds.

For example, Congress has requested information from Apple pertaining to its data collection practices for a variety of services.

Similarly, mobile advertisers face a litany of privacy complaints related to push advertisements that users had not opted in to.

Because applications are newer pieces of the mobile space, it remains to be seen just how big a privacy threat third-party code might prove, and what privacy concerns will look like on different platforms in the long run.

“The app markets are still young and the rate at which new apps are being introduced to the markets is increasing,” Mr. Mahaffey said. “We are still very early in our findings with the App Genome project, but we hope to continue to provide analysis to help consumers better understand what the mobile apps on their phone are doing.”