Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

The App Genome Project found that about 47 percent of Android apps and 23 percent of free iPhone apps include some third-party code. These “application frameworks” make it easier to build an app, but can make a finished app do things the developer didn’t intend. “A lot of this leakage of information is not because the developer wanted it there, but because the application frameworks put it there,” says Hering.

Trevor Hawthorn, managing principal of the software assurance firm Stratum Security, says many app developers don’t know how to check whether third-party code is malicious or not. For example, Hawthorn has found that some gaming apps collect location information in a way that can be used to track players as they move around a city or across the country. This is possible, says Hawthorn, simply because most developers know the concepts of software security without knowing the specifics. “When they integrate third-party software into their app,” Hawthorn says, “very rarely do they perform an application security assessment or code review. Attackers know this.”

Lookout researchers say that third-party components can introduce software vulnerabilities that attackers could use to take control of a phone. “Apple and Google are doing a great job trying to keep these platforms secure, but that does not mean anything if the developers are introducing vulnerabilities using third-party development kits,” Hering says.

It’s difficult for update third-party software, so vulnerabilities may persist for longer, says Hawthorn. “We saw the same thing when the Internet took off, peer-to-peer file sharing, wireless, social networking, cloud, and now mobile,” he says. “Only after the security community starts to poke at it do we start to figure out the security and privacy [implications] of technology.”

3 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, security, software, iPhone, privacy, Android, mobile phones, hackers, app store

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me