Study finds 14% of free iPhone apps can snoop contacts

Posted:
in iPhone edited January 2014
A survey of 300,000 applications for both the iPhone and Android devices found that 14 percent of free App Store software has the ability to access a user's contacts on their iPhone.



This week at the Black Hat conference in Las Vegas, Nev., security research firm Lookout revealed that it analyzed more than 300,000 free applications available on both the iPhone App Store and Android Market.



As noted earlier, the mobile security firm revealed a wallpaper application for Google's Android mobile operating system that allegedly captures a handset's SIM card number, subscriber identification and voicemail password, and reportedly sends it to the website www.imnet.us, owned by someone in Shenzhen, China.



In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.



Additionally, 33 percent of free applications on the App Store have the ability to access a user's location. The difference is, Apple's iOS mobile operating system requires third-party software to inform users when the application is accessing their location. Such rules do not, however, exist for contacts. For comparison, 29 percent of free Android software has the ability to access a user's location.



Finally, Lookout also found that 47 percent of free Android applications include third-party code, such as mobile ads and analytics tracking. That number is 23 percent on the iPhone. The survey found that 28 percent of software on the App Store is free, compared with 64 percent on the Android Market.







Lookout's findings were also publicized this week by the Associated Press, which reported that nearly a quarter of tested iPhone applications contained software code with the ability to access either pictures, text messages, or Internet and search histories, in addition to contacts. Reporter Jordan Robertson reached out to both Apple and Google for comment on the survey, but neither company responded.



"Part of the problem is smart phones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations," the report said. "And while Android phones offer robust warnings when applications are first installed, many people breeze through them for the gratification of using the apps quickly."
«134

Comments

  • Reply 1 of 62
    solipsismsolipsism Posts: 25,726member
    Quote:
    Originally Posted by AppleInsider View Post


    In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.



    Have the ability without the user?s knowledge or consent? If so, that is pretty shitty.
  • Reply 2 of 62
    So where is the list of iPhone apps that can access contacts?
  • Reply 3 of 62
    zeasarzeasar Posts: 91member
    They are using the term "capability", isn't ANY app is "capable" of accessing your contacts if the coder wishes so? And wouldn't that translates to 100% of apps are "capable" of accessing the sensitive information on the phones?
  • Reply 4 of 62
    freddychfreddych Posts: 266member
    Quote:
    Originally Posted by spoonyfork View Post


    So where is the list of iPhone apps that can access contacts?



    Exactly, this is probably some bullcrap Android made up to try to scare us and "respond" to the security allegations that came out earlier today.



    Apple wouldn't allow this to happen.
  • Reply 5 of 62
    mstonemstone Posts: 11,510member
    And what percentage of the paid apps do as well?
  • Reply 6 of 62
    Why does the article title assume the app is "snooping" contacts. The apps that do this are most likely doing it for a feature. Most IM apps probably access the list of contacts. The whole article has a tone that this is somehow bad.
  • Reply 7 of 62
    benicebenice Posts: 382member
    Maybe Apple needs to think about ringfencing certain parts of the phone so you enter an password if you allow an app to access certain parts of the phone.



    For now I'm thinking is that I'm going to only want to use apps from companies that I trust and who have privacy policies or just that 'big company' accountability that you wont get from a no-name app.



    Another thing I was thinking is that maybe iAds ... if Apple are the only recipient of some parts of your information is now possibly going to look like the only free ad sponsored app that can be trusted as long as Apple does the right thing by users.



    The next part of the story I want to know about this is which ad companies are the current ones that are pulling out lots of information and what does iAd do in comparison.
  • Reply 8 of 62
    doroteadorotea Posts: 323member
    Quote:
    Originally Posted by solipsism View Post


    Have the ability without the user?s knowledge or consent? If so, that is pretty shitty.



    Does this mean that the code is actually executed or that a hacker could access the unused code?
  • Reply 9 of 62
    eideardeideard Posts: 391member
    Whoop-de-doo!



    I can exceed every speed limit in the state with my old pickup truck. Does that mean it's unsafe?



    Apple runs like a rabbit to keep up with checking on the apps approved. Android sits around beating their breast about open source freedom. I'll stick with the former spec, thank you.
  • Reply 10 of 62
    wvmb99wvmb99 Posts: 23member
    Seems that the real issue here is that the internet grew faster than people could figure out how to regulate it. You can't record a phone conversation, you can't track people with cameras, or even follow them around (at least usually), yet you can do this. And you can do it on any computerized device. The only solution will be when rules are drawn up that make it illegal to track people. Put it under the laws designed to protect privacy. Never happen mind you, as there is now far too much money involved.



    Notice how you can do a google search, then for days afterwards specific ads for that product appear everywhere? And, searches at work follow me home, I don't know what I did to allow Google to track me like that, but they are looking far too hard at what I do for comfort.



    Anyone with legal experience know where this issue stands? I hear something of it every now and again, but its mostly quiet. I know that by using servers (like google), there is some justification that they are using that goes something like this: in trade for the free service, we keep and use the data you transmit. However, taking contacts, that should be outright theft, should it not, if that is in fact what is happening?
  • Reply 11 of 62
    nagrommenagromme Posts: 2,834member
    Nice scary infographic about “mobile threats.” With “3rd Party Code” and “Accessing Your Location” called out in scary boxes Why are these bad things? Because... they’re in scary boxes! See how scary?



    As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually )



    The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?



    I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable



    I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.
  • Reply 12 of 62
    daharderdaharder Posts: 1,580member
    Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...
  • Reply 13 of 62
    ....what kind of BS FUD reporting is this? Garbage. On the heals of discovering an app on Android that steals a lot of info without notice or permission, accessing contacts as a stated function in an iPhone app, with full knowledge and permission, gets even mentioned in the same breath in a security article. Absolute garbage.



    Accessing the contacts and pinpointing your GPS location, is the whole point to the app. These functions are the reason users downloaded them in the first place. Obviously Lookout, and Apple Insider are only interested in creating controversy and FUD because that is their business model.
  • Reply 14 of 62
    mac voyermac voyer Posts: 1,283member
    At least 14% of the free apps I download had better access my contacts as that is why I downloaded them. Messaging apps, voice dictation apps, mapping apps, and many other types work best when they can access your contacts. Throw in social location apps and you have a bunch more that can access both your contacts and location. What is the point of this article? Oh, wait, this is supposed to show that the iOS platform is just as vulnerable to attack as Android, thus mitigating the embarrassing article this morning. I get it now. Good luck with that.
  • Reply 15 of 62
    tribalogicaltribalogical Posts: 1,181member
    There's a distinction missing in all these articles.



    Apps that CAN access certain data -vs- those that simply DO.



    Of course I want to know if an app is taking it upon itself, "secretly" in the background, to snoop and transfer my personal data (such as my contact list) offsite to a server somewhere. That is quite simply "malicious" data theft.



    However, I know of a number of apps that have the ability to access my contacts. Mail for example, and quite a few others. But they don't do so unless I implicitly tell them to, for example, "Send to a friend" functions, which when evoked pop up and access my contact list to choose the recipient.



    That's innocuous functionality. And to present such an app's functions as something sinister isn't right. Now, if that same app uses that function to "scrape" my contact list and send it off to someone? That's a different story altogether.



    Right now, the entire body of reporting feels a bit alarmist to me. Not all apps having that ability are bad... let's find and ID the bad ones that are actually stealing data, and isolate them from the many that offer a "feature" as a harmless convenience.
  • Reply 16 of 62
    Quote:
    Originally Posted by nagromme View Post


    Nice scary infographic about “mobile threats.” With “3rd Party Code” and “Accessing Your Location” called out in scary boxes Why are these bad things? Because... they’re in scary boxes! See how scary?



    As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually )



    The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?



    I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable



    I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.



    Totally agree. This is just more FUD from the Android camp for the most part. Security researchers are known for their binary personalities and extremist positions also, so there's that grain of salt to take into account also.



    I find it especially interesting that they even *talk* about location sharing as if it was a threat. Location sharing is the thing the average user is *most* frightened of, but also the thing that is least likely to be a security threat the way Apple has implemented it.



    They don't mention the warning that the user gets when it's used, and they don't mention the fact that Apple added that icon to the status bar that tells you explicitly when an app is accessing your location data.



    How much more biased can they get?
  • Reply 17 of 62
    povilaspovilas Posts: 473member
    Quote:
    Originally Posted by Prof. Peabody View Post


    How much more biased can they get?



    It's only a start. More coming.
  • Reply 18 of 62
    tribalogicaltribalogical Posts: 1,181member
    iOS vs Android. It's rather like the Mac vs PC wars all over again... beginning with creating unnecessary perceptions of vulnerability and hazard... tons o' FUD.



    And, once again, one is very prone, while the other, not so much...



    I'm glad I don't own an Android phone. That "open market" of apps is a security nightmare waiting to happen. Or, more accurately, not waiting to happen...
  • Reply 19 of 62
    cubertcubert Posts: 728member
    "Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data."



    BUT, the big difference is that the app can't (if Apple is doing their job, that is) do anything malicious with the info. Besides, the only bad thing that could result is spam emails and solicitation phone calls. Much better than having passwords stolen.
  • Reply 20 of 62
    gqbgqb Posts: 1,934member
    Quote:
    Originally Posted by DaHarder View Post


    Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...



    Um, the Android breach of personal info to China yesterday makes that defense unnecessary.

    Hope you and your new Chinese friends enjoy your Android.
Sign In or Register to comment.