With the proliferation of the data we hold on our mobile devices, it’s no wonder Neil Daswani, CTO of Dasient, says around 8% of the apps they tested have been leaking data. In a similar vein, he states, “The number of malware samples on mobile devices has doubled in the past two years.” Google tends to mop up apps containing malware as quickly as it can, but what about apps that share your data with third parties when you’d rather they didn’t?
Mr. Daswani says that they have studied around 10,000 Android apps and found some of them doing just that. He found some apps apparently sending out SMS messages as well, unannounced. I recently installed an app on my Android and found the app “needed” some fairly far-reaching privileges that may allow similar “features” to complete the install. Apparently, my app is not alone.
The goldmine of personal information, especially your contacts, is a very common object of affection for social media players and advertisers alike. While they used to lust after your laptop e-mail client contact list, now a handy little app can reap a similar windfall. With the proliferation of tasty apps that do all sorts of things, it can be difficult to track which ones may be the culprits, especially given the number of apps a typical user may have installed, which may eclipse the number of programs installed on their personal laptop these days.
Some have argued Google needs to tighten the process of allowing apps into the marketplace. The open architecture seems to be one of the major traction points that allowed Android to flourish in an intensely competitive marketplace. Could this type of tighter control have a cooling effect on the bustling developer community? Privacy fans would argue that some kind of vetting/control mechanism would be best. We’ll see if the community will pressure Google to act accordingly.
The exact methodology used by Mr. Daswani will be forthcoming at the Black Hat conference in early August, so it will be interesting to see how he has come to his conclusions. Either way, an extra couple of minutes investigating what you install on your Android might be in order. As with physical security, a little due diligence may go a long way toward keeping you safe online, even on your mobile device.
Author Cameron Camp, ESET