Study finds 14% of free iPhone apps can snoop contacts
A survey of 300,000 applications for both the iPhone and Android devices found that 14 percent of free App Store software has the ability to access a user's contacts on their iPhone.
This week at the Black Hat conference in Las Vegas, Nev., security research firm Lookout revealed that it analyzed more than 300,000 free applications available on both the iPhone App Store and Android Market.
As noted earlier, the mobile security firm revealed a wallpaper application for Google's Android mobile operating system that allegedly captures a handset's SIM card number, subscriber identification and voicemail password, and reportedly sends it to the website www.imnet.us, owned by someone in Shenzhen, China.
In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.
Additionally, 33 percent of free applications on the App Store have the ability to access a user's location. The difference is, Apple's iOS mobile operating system requires third-party software to inform users when the application is accessing their location. Such rules do not, however, exist for contacts. For comparison, 29 percent of free Android software has the ability to access a user's location.
Finally, Lookout also found that 47 percent of free Android applications include third-party code, such as mobile ads and analytics tracking. That number is 23 percent on the iPhone. The survey found that 28 percent of software on the App Store is free, compared with 64 percent on the Android Market.
Lookout's findings were also publicized this week by the Associated Press, which reported that nearly a quarter of tested iPhone applications contained software code with the ability to access either pictures, text messages, or Internet and search histories, in addition to contacts. Reporter Jordan Robertson reached out to both Apple and Google for comment on the survey, but neither company responded.
"Part of the problem is smart phones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations," the report said. "And while Android phones offer robust warnings when applications are first installed, many people breeze through them for the gratification of using the apps quickly."
Comments
In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.
Have the ability without the user's knowledge or consent? If so, that is pretty shitty.
So where is the list of iPhone apps that can access contacts?
Exactly, this is probably some bullcrap Android made up to try to scare us and "respond" to the security allegations that came out earlier today.
Apple wouldn't allow this to happen.
For now I'm thinking is that I'm going to only want to use apps from companies that I trust and who have privacy policies or just that 'big company' accountability that you won't get from a no-name app.
Another thing I was thinking is that maybe iAds ... if Apple are the only recipient of some parts of your information is now possibly going to look like the only free ad sponsored app that can be trusted as long as Apple does the right thing by users.
The next part of the story I want to know about this is which ad companies are the current ones that are pulling out lots of information and what does iAd do in comparison.
Have the ability without the user's knowledge or consent? If so, that is pretty shitty.
Does this mean that the code is actually executed or that a hacker could access the unused code?
I can exceed every speed limit in the state with my old pickup truck. Does that mean it's unsafe?
Apple runs like a rabbit to keep up with checking on the apps approved. Android sits around beating their breast about open source freedom. I'll stick with the former spec, thank you.
Notice how you can do a google search, then for days afterwards specific ads for that product appear everywhere? And, searches at work follow me home, I don't know what I did to allow Google to track me like that, but they are looking far too hard at what I do for comfort.
Anyone with legal experience know where this issue stands? I hear something of it every now and again, but it's mostly quiet. I know that by using servers (like google), there is some justification that they are using that goes something like this: in trade for the free service, we keep and use the data you transmit. However, taking contacts, that should be outright theft, should it not, if that is in fact what is happening?
As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually.)
The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?
I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable
I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.
Accessing the contacts and pinpointing your GPS location, is the whole point to the app. These functions are the reason users downloaded them in the first place. Obviously Lookout, and Apple Insider are only interested in creating controversy and FUD because that is their business model.
Apps that CAN access certain data -vs- those that simply DO.
Of course I want to know if an app is taking it upon itself, "secretly" in the background, to snoop and transfer my personal data (such as my contact list) offsite to a server somewhere. That is quite simply "malicious" data theft.
However, I know of a number of apps that have the ability to access my contacts. Mail for example, and quite a few others. But they don't do so unless I implicitly tell them to, for example, "Send to a friend" functions, which when evoked pop up and access my contact list to choose the recipient.
That's innocuous functionality. And to present such an app's functions as something sinister isn't right. Now, if that same app uses that function to "scrape" my contact list and send it off to someone? That's a different story altogether.
Right now, the entire body of reporting feels a bit alarmist to me. Not all apps having that ability are bad... let's find and ID the bad ones that are actually stealing data, and isolate them from the many that offer a "feature" as a harmless convenience.
Nice scary infographic about “mobile threats.” With “3rd Party Code” and “Accessing Your Location” called out in scary boxes. Why are these bad things? Because... they’re in scary boxes! See how scary?
As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually.)
The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?
I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable
I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.
Totally agree. This is just more FUD from the Android camp for the most part. Security researchers are known for their binary personalities and extremist positions also, so there's that grain of salt to take into account also.
I find it especially interesting that they even *talk* about location sharing as if it was a threat. Location sharing is the thing the average user is *most* frightened of, but also the thing that is least likely to be a security threat the way Apple has implemented it.
They don't mention the warning that the user gets when it's used, and they don't mention the fact that Apple added that icon to the status bar that tells you explicitly when an app is accessing your location data.
How much more biased can they get?
How much more biased can they get?
It's only a start. More coming.
And, once again, one is very prone, while the other, not so much...
I'm glad I don't own an Android phone. That "open market" of apps is a security nightmare waiting to happen. Or, more accurately, not waiting to happen...
BUT, the big difference is that the app can't (if Apple is doing their job, that is) do anything malicious with the info. Besides, the only bad thing that could result is spam emails and solicitation phone calls. Much better than having passwords stolen.
Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...
Um, the Android breach of personal info to China yesterday makes that defense unnecessary.
Hope you and your new Chinese friends enjoy your Android.