Android App Data Theft: Advantage Apple?

Mobile security firm Lookout embarrassed Android by revealing that a popular wallpaper app was sending sensitive user data to a mysterious Website in China.

The discovery, on its face, looks like an argument for Apple’s restrictive iPhone App Store. Certainly, the store’s approval process has an extra layer of security that the Android Market does not, even if it means that some desirable apps aren’t allowed because Apple says so. Still, the advantage for Apple is not so clear-cut.

First, a little background: The Android wallpaper app comes from Jackeey Wallpaper, includes popular brands such as My Little Pony and Star Wars, and was downloaded between 1.1 million and 4.6 million times, VentureBeat reports. Jackeey Wallpaper apps collected SIM card numbers, subscriber information and voicemail passwords if they are programmed automatically into the phone, and sent the data to www.imnet.us , a domain registered in Shenzhen, China.

Ostensibly, an iPhone App Store reviewer would see this kind of activity in an app and disapprove, but it doesn’t always work that way. Last December, Nicholas Seriot, a Swiss iPhone developer, described a proof-of-concept app that could mine contact information, GPS locations, web searches and everything you type except for passwords. Apple would normally reject an app like that, but a malicious developer could try fooling reviewers with changes at runtime, or other delayed trickery. (Click on image to enlarge)

Android has a different way of protecting users. When you download an Android app, it tells you what kinds of information will be accessed, so if a video game announces it will read your text messages, users can see that and determine something shady is going on. Apple, by comparison, guards the apps themselves more closely, but doesn’t tell users what kind of data is accessed.

But Android’s system isn’t perfect either, as shown by Lookout. Jackeey Wallpaper apps, when downloaded, only say they’re collecting “phone info,” which doesn’t really mean anything.

Both the iPhone and Android also face issues with third-party software, Lookout explained. Third-party code is generally used for advertising or analytics, but can access data in ways that users or even developers who implement the code don’t know about. Apple recently banned the collection of iPhone data by third-parties for analytics or advertising, but that was intended more to stop groups like Flurry from spilling the beans on new Apple products.

Lookout did commend both Android and the iPhone for keeping blatant malware out of their stores. Their message in the end was a word of caution to developers and users about the software they use. So I don’t think there’s a huge cause for alarm, nor do I think Apple’s app security approach is indisputably safer than Android’s, or vice versa.