Privacy Leaks Come Bundled In Free Apps For iPhones & Androids

Used to be "there's no such thing as a free lunch." Today "there's no such thing as a free app," as 100s of thousands free apps on the market today are security risks. According to the App Genome Project undertaken by the mobile security company Lookout, users' privacy is threatened with apps that collect and transmit their private data.

While developers who develop applications for iPhones and Android smartphones are required to disclose an app's functionality when they submit an app to either Apple or Google, many don't reveal an app's data-harvesting capabilities. According to a Technology Review report, "this may not be deliberate - developers often include third-party software components in their apps without vetting that component's behaviors."

Lookout reported a third of all free iPhone and 29 percent of Android apps attempted to access the user's geographic location data, while a smaller percentage seized a users' contact lists as well.

In this YouTube video it appears that the iPhones are actually considered better "snoops" than Android phones, where there is an extra level of security built into the Android platform.

"Mobile apps are doing a lot of things that people would not expect," says Lookout CEO John Hering. He adds that third-party software components often collect information without warning developers. "End users and developers have very little idea what is happening in the applications they are using and writing." He adds, "a lot of this leakage of information is not because the developer wanted it there, but because the application frameworks put it there," says Hering."

Lookout researchers say that third-party components can introduce software vulnerabilities that attackers could use to take control of a phone. "Apple and Google are doing a great job trying to keep these platforms secure, but that does not mean anything if the developers are introducing vulnerabilities using third-party development kits," Hering says.

"Some gaming apps collect location information in a way that can be used to track players as they move around a city or across the country," says Trevor Hawthorn, managing principal of the software assurance firm Stratum Security.

"We saw the same thing when the Internet took off, peer-to-peer file sharing, wireless, social networking, cloud, and now mobile," he says. "Only after the security community starts to poke at it do we start to figure out the security and privacy [implications] of technology," notes Hering.

Ironically enough, Lookout's free downloadable app claims to be the easiest means to protect your phone from these types of risks. Its Web site promo indicates that it can provide the Android, Blackberry and Windows Mobile platforms from threats of viruses, hackers, loss and theft (oddly, iPhones are not mentioned as one of the products they protect). Like McAfee or Norton for desktops, Lookout is designed exclusively for mobile phones and can isolate trojans, worms, and other malware capable of stealing a user's private data.

To date, I haven't been able to find any research that indicates the number of "paid" apps that also are security risks. It would be an interesting study to determine if more "free" apps than "paid" apps are prey to these kinds of threats. If you know of any, please provide us with some feedback below.