Your Apps Could Be Leaking Private Info

Many apps collect and share sensitive data, and the developers may not even realize it.

A study of iPhone and Android apps has revealed that many of these programs secretly collect and transmit users’ personal information.

The App Genome Project, launched by the mobile security company Lookout, analyzed every app available through Apple’s App Store and Google’s Android Market. Developers must disclose an app’s functionality when they submit an app to either store. Apple performs its own review before making an app downloadable.

Lookout researchers scanned more than 300,000 mobile applications and performed a deeper analysis of about a third of them. The project revealed that many developers do not disclose an app’s data-harvesting behavior in their descriptions. But this may not be deliberate: developers often include third-party software components in their apps without vetting those components’ behavior, the researchers say.

A significant number of the applications studied were found to do something that the developer hadn’t disclosed. For example, a third of all free iPhone apps attempted to access the user’s geographic location. For the Android platform, about 29 percent of free apps tried to access location data. At least 8 percent of all free Android apps and 14 percent of all free iPhone apps tried to access a user’s list of contacts as well. Both the iPhone OS and Android issue warnings to users when an application wants to access sensitive information. But the warning doesn’t tell the phone’s owner what data the app wants to collect, or where it might send it.

The researchers found that one Android app that lets users change the background on their phone also sends the device’s phone number and other user-specific information to a server in China.

“Mobile apps are doing a lot of things that people would not expect,” says Lookout CEO John Hering. He adds that third-party software components often collect information without warning developers. “End users and developers have very little idea what is happening in the applications they are using and writing.”

The App Genome Project found that about 47 percent of Android apps and 23 percent of free iPhone apps include some third-party code. These “application frameworks” make it easier to build an app, but can make a finished app do things the developer didn’t intend. “A lot of this leakage of information is not because the developer wanted it there, but because the application frameworks put it there,” says Hering.

Trevor Hawthorn, managing principal of the software assurance firm Stratum Security, says many app developers don’t know how to check whether third-party code is malicious or not. For example, Hawthorn has found that some gaming apps collect location information in a way that can be used to track players as they move around a city or across the country. This is possible, says Hawthorn, simply because most developers know the concepts of software security without knowing the specifics. “When they integrate third-party software into their app,” Hawthorn says, “very rarely do they perform an application security assessment or code review. Attackers know this.”

Lookout researchers say that third-party components can introduce software vulnerabilities that attackers could use to take control of a phone. “Apple and Google are doing a great job trying to keep these platforms secure, but that does not mean anything if the developers are introducing vulnerabilities using third-party development kits,” Hering says.

It’s difficult to update third-party software, so vulnerabilities may persist for longer, says Hawthorn. “We saw the same thing when the Internet took off, peer-to-peer file sharing, wireless, social networking, cloud, and now mobile,” he says. “Only after the security community starts to poke at it do we start to figure out the security and privacy [implications] of technology.”
