Saturday, December 7, 2013

Are your smartphone apps selling you out?

from computerworld.com


Just because you're paranoid doesn't mean your mobile apps aren't out to get you

By    December 7, 2013 07:01 AM ET




Computerworld - The president of the United States says he's not "allowed" to own an iPhone, which is why he's sticking with his BlackBerry, according toThe Wall Street Journal.
It's a politically sensitive subject because the iPhone is the big American brand, and the president is a self-proclaimed fan of the late Apple founder and CEO Steve Jobs. He'd love to pander to buy-America voters. (Obama is also probably not "allowed" to have an Android phone.)
Of course, neither the president nor the Secret Service is willing to say exactly how security could be compromised with an iPhone. But one security risk is the unpredictable nature of both iPhone and Android apps.
Sure, there's a lot of flat-out malware flying around online, most of which looks like regular, legitimate apps but in fact are either malware or they compromise privacy or security in some way.
There are certain types of apps that users are wary about and may take precautions about downloading. But others don't seem to have anything to do with user data, so they seem safe.
The Federal Trade Commission announced this week that it reached a settlement with Goldenshores Technologies, which makes a free Android app called "Brightest Flashlight." The FTC said the app harvested data on users' locations and device IDs and sold it to advertisers without telling the users, and even when users rejected the app's terms of service. The settlement forced the company to improve its privacy policy, user communication and data handling.
The FTC said the app had been installed on "tens of millions" of phones.
The whole "Brightest Flashlight" fiasco shines light on an uncomfortable set of facts about smartphone apps. For starters, some apps that have no apparent need to harvest personal data or compromise privacy or security go ahead and do so anyway.
But even those that don't move user data can leave users vulnerable through sheer incompetence.
Silicon Valley computing giant Hewlett-Packard recently conducted a studyabout the security of business apps for the iPhone and concluded that many of them give themselves permission to access phone features and user data that make no sense, given the stated purposes of the apps.
HP found that more than 90% of the business apps it studied had privacy or security flaws.
Many of the flaws involved unencrypted data or insecure protocols. Some 20% of the apps send user data via unprotected HTTP. A similar percentage sent via HTTPS, but didn't do it right. And HP found other problems where an app could compromise user security and privacy not through malice, but through incompetence.
HP isn't the only organization looking at app security and finding a gigantic problem.

No comments:

Post a Comment