Your iPhone May Be Spying on You

And you thought those iPhone 4 signal problems were bad -- at last week's Black Hat conference, a San Francisco firm called Lookout Mobile Security revealed that third-party smartphone apps are stealing user information and (literally) phoning home with it. And by "home," I mean China.

But unlike those bogus Droid X signal problems, this problem also affects Android handsets. Per Computerworld's Gregg Keizer:

Between one and four million users of Android phones have downloaded wallpaper apps that swipe personal data from the phone and transmit it to a Chinese-owned server, a mobile security firm said today.

According to San Francisco-based Lookout, a large number of free wallpaper apps in the Android Market scrape the phone number; the user-specific subscriber identifier, also known as the IMSI (International Mobile Subscriber Identity); the phone's SIM card's serial number; and the currently-entered voicemail number from the phone.

According to Lookout's App Genome Project, which analyzed more than 300,000 free apps for Android and iPhone handsets, about a third of all apps can access your phone's contact list and/or location information. Overall, iPhone apps are a slightly bigger risk than Android apps, especially the free ones. (That squinchy sound you're hearing is thousands of Apple fanboys simultaneously getting their knickers in a twist.)

Hey, there's a reason why "apps" rhymes with "saps." While you're busy papering your smartphone with anime pix, bad guys are busy scooping up your personal information with both hands and heaving it over the Great Firewall.

The good news? Whoever was collecting that data over in Guangdong Province hadn't done anything nasty with it -- yet. Per the Lookout company blog:

While the data this app is accessing is certainly suspicious coming from a wallpaper app, we want to be clear that there is no evidence of malicious behavior. There have been cases in the past where applications are simply a little overzealous in their data gathering practices, but not because of any ill intent.

The company also demo'd how it was able to hack the Android OS by exploiting a flaw in Linux. Busy little bees, those Lookout guys.

How bad can it get? Last week, Citigroup plugged a hole in its iPhone app that inadvertently stored personal bank account information on the phone. Imagine what a clever hacker could do with that. I'm thinking, vacation house in the Caymans.

Tom's Hardware offers simple instructions on how to check what kinds of info that free Android app is helping itself to. If it makes no sense -- like a wallpaper app that wants access to all your contacts -- delete that app with extreme prejudice.
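
The same sanity check can be scripted. The following is an added example, not code from this column, Lookout or Tom's Hardware: it parses the text printed by `aapt dump permissions <apk>` and reports every requested permission that falls outside a baseline for the app's category, along with the data that permission exposes. The EXPECTED baseline and the sample input are assumptions constructed for illustration.

```python
import re

# Android permissions mapped to the data they expose. READ_PHONE_STATE gates
# the TelephonyManager getters for the identifiers named in the article.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "phone number, IMSI, SIM serial number, voicemail number",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}

# Assumption: what a wallpaper app plausibly needs. Adjust per app category.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER",
                  "android.permission.INTERNET"},
}

# Matches both aapt output styles:
#   uses-permission: android.permission.X
#   uses-permission: name='android.permission.X'
PERM_RE = re.compile(r"^\s*uses-permission:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permissions requested in `aapt dump permissions` text."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return perms

def audit(aapt_output, category):
    """Return {permission: exposed data} for requests outside the baseline."""
    unexpected = parse_permissions(aapt_output) - EXPECTED[category]
    return {p: SENSITIVE.get(p, "not in the sensitive list; review manually")
            for p in sorted(unexpected)}

# Constructed sample input, not output from any real app.
SAMPLE = """package: com.example.wallpapers
uses-permission: android.permission.INTERNET
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: android.permission.SET_WALLPAPER
uses-permission: name='android.permission.READ_CONTACTS'
"""

if __name__ == "__main__":
    for perm, data in audit(SAMPLE, "wallpaper").items():
        print(f"{perm}: {data}")
```
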

The fact is, it's not just handsets. Security holes are everywhere, from the device in your pocket to Facebook apps and Google's iGadgets. As the Citigroup example proves, it's not just stupid apps from no-name vendors that are at risk. Citigroup caught the flaw before it did any damage; next time users might not be so lucky.

Next time you want to install some stupid app that wants the keys to your personal kingdom, think about it first. Is it really worth the risk? I think not.

Do you use free apps on your iPhone or Android handset? And if so, are you sure that's a good idea? E-mail me: cringe@infoworld.com.
