Security Holes: Is this the cost of an open source Mobile OS?

Is your data safe? With so many people using smart phones now, it’s only a matter of time before evil deeds begin to unravel. We trust our smart phones with so much private, sensitive info about our lives. We have all our friends’ and families’ contact data in there, many have their credit cards and passwords stuffed into notes and applications, and banking apps legitimately transmit your financial data. It’s really scary how much we stand to share with the wrong folks if a malicious app mines our data. It might not be anything too serious right now, but an article on arstechnica paints a scary picture.

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user.

This is quite shocking and scary to say the least. It brings back memories of an app earlier this year that was sending users’ cell numbers to a server in China. That might have been a big misunderstanding, but I’d be willing to bet that a ton of developers would love to mine data from smartphones for their gain. The MMO gaming industry is full of scams trying to get into your game accounts to sell off your in-game goods. Imagine what the marketing data from thousands of teens’ and young adults’ phones would fetch in the right market. This type of thing, harmless or not, is what makes Apple’s and, soon enough, Microsoft’s closed OS more attractive. We complain about how Apple evaluates and scrutinizes each app submitted, but preventing something like this makes me feel better about the process. Would Apple’s reviewers actually catch something like this? I would hope so, but I suppose that some could make it through. With Android becoming more popular each day, thanks in part to Motorola and Verizon’s brilliant marketing, it becomes more of a target for hackers and viruses.

So, according to arstechnica, these researchers developed an app called TaintDroid and proceeded to test 30 popular free Android apps. They found that half of the apps were sending private data to ad servers. This info included GPS data and phone numbers. They also reported that some of them were reporting as frequently as every 30 seconds. Imagine what that does to your phone’s battery.

How can you protect yourself from these types of applications? Well, it’s not as simple as saying yes or no. I guess Google requires the developers to let the user know during installation that the app wants to use your location data, etc. The problem is, sometimes this request doesn’t seem out of line for the type of app you are installing. I’ve never seen an app pop up a confirmation box that says, “AppX wants to share your phone number and GPS location with advertisers. Is this ok?” I guess the best advice to protect yourself is to be careful.

  • Don’t install apps from companies you do not trust.
  • If an app that you know has zero reason to use your location info asks for permission to use it, run away.
  • If you suddenly start experiencing less than average battery performance, evaluate the recent app additions and do some homework online. Maybe something you installed is sending data.

I am sure more on this will come out soon since arstechnica says that these results are being presented next week at the USENIX OSDI conference.

Update: Looks like Engadget has some new info regarding this report, including the list of apps and a corporate mumbo jumbo response from Google on the matter.