Yesterday I blogged about a security company that found a high percentage of apps for the iPhone and for the Android were stealing user information. I call it stealing because the user is not aware of what personal data is leaving their phone.


At the Blackhat Security Conference in Las Vegas the same company, Lookout Inc. reported that as many as 4 million Android users downloaded a malicious app that claimed to let them change the wall paper on their mobile phones, but it also sent things like text messages and voice mail passwords back to the malicious developers.

What does this have to do with math? When you decide to download something, whether it is to your phone or your computer, you need to do a quick little cost/benefit analysis. This is a simple math ration of the potential cost of the application and the potential benefit. If the benefit is higher than the cost then there is a better chance that it is a good idea.

Cost is not measured by money alone. Let’s take a look at the app that “Jackeey Wallpaper” made available for Android users to download. First we’ll look at the benefit. You have a device you use for talking to people, chatting with people, searching the web for information, perhaps using for maps and social networking. Maybe you use the calendar features, the alarm, and a few other nice functions. Now there is this app that lets you make the background look cool, mostly when the phone is in your pocket. That seems like a really, really low benefit to me.

Now we will look at the potential cost. First we’ll start with money. Let’s assume the app is free. At this point the meager benefit of a pretty picture that mostly is displayed when nobody is looking at it is still more significant than the cost, but don’t stop with the money. Risk is part of potential cost. The risk includes the fact that the app may crash your phone if it is not properly written. So far to me it looks like the ratio of cost to benefit is getting closer to equal. There is also the risk that the application will steal your text messages. To me it looks like the potential risk has just wiped out all benefit of a pretty picture you rarely see anyway. The app might steal your contact details and text them, making it look like your texted them. The app might steal your contact details and spam your friends. The app might steal your voicemail password. There are many things an app can do. The math is simple here, the potential cost, which includes is far greater than the potential benefit. The silly thing is that it really is easy to download a picture or copy a picture of your choosing onto an Android phone and change the wall paper yourself. You eliminate virtually all risk that way. Take a picture with your camera and use that for a wall paper. There is no rational cost benefit equation for downloading a wallpaper app from an unknown developer.

There are other apps that have greater benefit. The benefit might be simple amusement. The benefit might be productivity. In order to bring the potential cost down you need to know the reputation of the person or company that developed the application. Time can be a great mitigator. Wait until the app has been around for at least a couple of months so that there is time for people with far lesser math skills to be the guinea pigs.

There are also other ways to mitigate risk. Although the iPhone is not immune to malicious applications, the model that Apple uses significantly decreases risk. The problem is that by doing so Apple significantly decreases choice. There is another cost/benefit ratio. If you are willing to give up some choice for better security then the iPhone is probably a much safer choice for you. If you want an Android anyway, then using AT&T as a provider reduces some risk as they only allow you to download apps that they have approved.

Windows Mobile phones and Blackberry phones appear to be far less attacked than the iPhone or the Android but there are not as many frivolous apps for these devices either.

I have no doubt that the Android will emerge as the most attacked smart phone of all time. With little cost and the ease of distributing applications for the Android coupled with curious people who can’t do simple math, the platform is very, very attractive to the criminal element. I’m not faulting Google for allowing choice, but you need to do the math when you decide what you will install on any smart phone, or computer for that matter.

Randy Abrams
Director of Technical Education
ESET LLC