Lookout's App Genome Project warns about sketchy apps you may have already downloaded
If you're an iPhone user, the only privacy notice you'll see from an app regards your current location -- as much a warning about the associated battery hit from the GPS pinging as anything. If you're an Android user, however, things are different, with a tap-through dialog showing you exactly what each app will access on your phone. But, do you read them? You should, with Lookout running a sort of survey across 300,000 apps on those two platforms, finding that many access personal information even though they seemingly don't need to. One particularly scary instance, an app called Jackeey Wallpaper on Android, aggregates your browsing history, text messages, could get your voicemail password, and even your SIM ID and beams it all to a server in China. That this app has been downloaded thousands of times is a little disconcerting, but it's not just Android users that have to fear, as even more iPhone than Android apps take a look through your contact info. What to do? Well, be careful what you download to start, on Android read those privacy warnings... and we're sure Lookout wouldn't mind if you took this opportunity to download its security app.
Update: We received a note from Jussi Nieminen, who indicated the data fields being retrieved, as reported by VentureBeat, are incorrect. Texting and browser history are apparently not retrieved, but your phone number, phone ID, and voicemail fields are. And, since it's not unheard of for voicemail entries to include a password when set up on a phone, it's possible they could wind up with that too. Also, the popularity of the app was apparently misstated, with actual downloads somewhere south of 250,000.
Update 2: Kevin, one of the Black Hat speakers from Lookout, wrote us to let us know that the full details on the wallpaper apps have been posted here, if you'd like to read. Meanwhile, estimations of just how many people have downloaded this particular wallpaper app are all over the place, ranging from as low as 50,000 to over four million.

Think of your smartphone as a computer (it is); apply the following to stay safe:
1. Use a firewall app for your smartphone or any other smart device with internet access.
2. Encrypt and hide your private and important data.
3. Backup.
@Ahmed Alzayani This warning can't be said enough.
@Ahmed Alzayani
Well Microsoft may want to disagree with you on the smart phone = computer thing...
I’m really flattered, fpad77.
Still, Apple is nowhere near the search giant that Google is. Apple is getting their money from phones and hardware. Google is getting their money from… ad revenue and hence personal (pseudo-anonymous) data collection.
People aren't mature enough to administer their smartphones.
Apple does it for them, but they never do their job properly.
Android forewarn them but dumb people are dumb.
End of story.
@tatose
Compromise your personal info & send it to servers in China?
Droid does!
@Joao Cagao
Upload who-knows-what in 75mb chunks to Apple every night without you even knowing it?
iOS does!
rule of thumb, avoid anime art on any smart phone app.
All digital information is subject to hacking and being stolen. If it's digital it isn't completely safe, regardless of the platform.
It's human nature not to read the fine print. Everyone is way too "busy" to stop and read.
you gotta wonder why would anyone make a wallpaper that needs access to the contacts (as an example)
one app that would be nice to have is something like what the iTunes store had.(that was removed)
an App that allows Hotspot Wifi Tethering without paying 30 bux lol and all you have to do is turn the color flashlight app to Purple and tap the upper right hand part of the purple screen to do it. heh!
@DoomLight good thing there are multiple wifi tethering apps on android. In the market and otherwise.
@Danrarbc Don't some of the carriers (say Verizon) forbid it and thus those phones aren't allowed to get "free" tethering apps from the market? There are multiple tethering apps for the (jailbroken) iPhone as well.
Has anyone actually tried the Lookout app? Does it work? How good are the data backup/recovery features? Does it slow the system down much? I'm primarily interested in the Android version but would like to hear comments on any platform.
@jeffreytz
Installed from day one. Works awesome. Only slowdown is the additional scan an app gets when it's downloaded.
Man, 80% of the comments are garbage. Too many fandroids. Defend your Android OS boys keep on trashing Apple because you love it. With all seriousness grow some balls and be fair but none of you guys have it because all of you are juvenile.
On Blackberries, the security was always very tight and allowed you to allow or deny access to each protected feature (protected APIs) for an app. Actually quite annoying that it used to force the user through a series of these dialogs - now you can allow deny all when installing. At least that was the case - haven't tried the most recent versions of the OS.
Rather worth mentioning in this article I think as Blackberry is a large chunk of smartphone sales still and security is and always has been one of their core selling points. As archaic as some aspects of the OS are, I know that I have greater trust there.
Yesterday I downloaded my first Android app ever (on a sweet brand new Samsung Galaxy S Vibrant that my company got for software development testing). It was a game - a clone of 1942. It prompted me that it needed intent access. At one point without prompting it opened the browser and took me to a page to buy something, with lots of Visa and Mastercard logos and prompts for my credit card info. Not that creepy but still kind of freaked me out - I expect that sort of thing on the desktop but on my phone I'd rather not have a game go to the internet on its own for any reason other than multi-play or posting high-scores.
@SHoe
To expand on the Blackberry comparison: I haven't spent enough time with Android yet so I don't know, but does Android allow you to install an app but allow/deny to any of these features? If so, why the hell not?
I am a fan of the Android OS. Given the track record of the Android UI which is not the greatest, I agree that a lot of improvements could still be made to the Android market and the UI to better secure personal information by users. Maybe training users on what the security features mean and how to use them could be included as part of a tutorial although many users skip that portion so they can start playing with the phone immediately.
I can only say that there's an amazing trend in these comments of people doing the math of 1 + 1 and coming up with the answer "koala"...
The research provided is certainly interesting but I don't see anything here that is actually useful, yet. The Music Genome Project at least delivered Pandora, although damned licensing restrictions yanked away that particular cookie.
I don't particularly care whether an app looks at my contacts. But sending my browsing history, SIM info, texts etc to some foreign server? No thanks. I guess "Droid Does" data hijacking. But who knows? Maybe this server's gathering of data is completely accidental. Nah, no one with a clue would believe such a thing. I mean, if Google street view cars gathered personal. . .oops.
@Perspective
Read the update.
Giving warnings is one thing, but if you give users too many "maybe useful" warnings, then users won't even care reading them. This is the problem with Android. I mean even the simple apps/widgets will have warnings that it will require things like net access and access to info on your phone, without being specific enough on what info they sent/access. This gives lay users no benefit, as they only see these warnings as another step/button to click (how many people downloaded IE toolbars?).
In a way, maybe there's a benefit of Symbian, where it asks every time an app wants to access the net. It's a trade-off, just like UAC in Windows.
@pika2000
That's not a trade off. As a long time S60 user it was the most annoying aspect of using the phones. Surely I would like Opera Mini to access the internet!? Asking me every time I started the app was beyond frustrating. It also didn't leave any scope for auto starting useful apps as they would still need you to grant permission at runtime.
The reality is we have these smart phones to do near enough mobile computing. They would be useless if they were locked out of the hardware we purchased. What is the point of 3G/4G data, GPS, loads of storage, cameras and speakers if the apps we buy are locked out of using them?
I just did a test and installed Skype from the App Store into my iPod Touch. At no point does it tell me it will need access to the internet, although that's a given. It doesn't tell me it will read my address book, but it does. It will also need access to the hardware for the speaker and mic. No warning of this is shown. I know on my Nokia I would have been warned about each of those things. Informative, yes, but annoying to have to agree each time, which some apps chose to do.
It's a balance. Apps are going to do this either way. Some people prefer not to be told at all and some prefer to be told every time. It depends on which extreme you flow towards.
For me Apple and Nokia's S60 are at either end of the extremes and Android is somewhere in the middle...it tells you what will be accessed once during install (you can always check in the Application Manager menu, which I'm shocked you can't do with iOS).
It comes down to, how much do you trust each manufacturer and the developers of your apps? Google and Apple have both let code that wasn't what it says it was into their markets, but at least Google warns you what you're giving up first.
@Tes funny, Skype on my iPhone only accesses my contacts when I ask it to.
@Tes
"What is the point of 3G/4G data, GPS, loads of storage, cameras and speakers if the apps we buy are locked out of using them?"
Locked out? Asking for permission != being locked out.
"but at least Google warns you what you're giving up first. "
Is it better to give people a vague warning? Yeah, this app will need access to the internet. For what? That's too vague. And some apps have like more than five of these warnings being listed, without actually telling the user the exact info being accessed or why the app needs to access it. This is what's happening in Android. The lay users will see this list of vague warnings as just another step to download the app, and wouldn't bother looking at them anymore as these warnings don't tell them much. It's like reading a EULA or the fine print, nobody does.
22 apps average? i have 150! :-X
Wonder when Engadget will update this story, since much of the information was redacted in the original article. None of the following information was collected: "aggregates your browsing history, voicemail password, text messages,"
Funny thing about all this: it doesn't look like this story has even played itself out yet.
WHY DO PEOPLE CARE SO MUCH IF SOMEONE CAN FIND YOUR LOCATION.
Woah they know I'm sitting here at my house, are they going to come and fucking kill me? no.
Woah they know I'm in the McDonalds drive-thru, are they going to fucking kill me? no.
God people are annoying.
@thrash1256
Well if they know your home address and know that you are not home, then they can break into your house and steal your leftover chicken McNuggets.
@chilipalm
Brilliant! lol
To the layman, this might appear that Apple has weaker device security, and a larger number of apps that could abuse your data.
Major differences:
1) access to other app data in iOS is exclusively through approved API. On Android, it's possible to access the file system directly to get this data in some cases. Such attempts in iOS are easily spotted by inspection of the app and Apple's built in API diagnostics and (now) fairly advanced app testing tools. (they used to not exist, or been weak, but they're much improved over 2 years of experience)
2) Apple screens the use of this data for all apps. Google does not. Apps that both access this data and make use of internet services are much more strictly monitored, and what is done with data must be explicitly explained to Apple and of necessity for the apps basic operation.
3) Apps in Apple can not send an e-mail on their own, they must open a message in the mail app with pre-filled in fields. It is not possible to e-mail out accessed data. Apps in Android can access their own SMTP services outside of the local mail app, leading to easy breach of data trust, and Google does not prevent this.
4) Anyone putting an app on Apple goes through a sort of background check, must be grounded in the country they're submitting apps for distribution for, and must have traceable accounts. Those found stealing data could be not only quickly blocked (by remote uninstalling offending apps, and auto-notifying all Apple accounts that downloaded the app), but they have a lot of valid info to supply to the FBI as well, Google offers limited protection there due to alternate approved markets. Those who jailbreak Apple devices do so at their own risk to access unapproved apps, but on Android that is native and requires little knowledge to do (thus more likely security faults in user behavior).
5) # of apps combined with # of possible access points leads you to believe the issue is potentially larger on apple's front, but in reality, large numbers of trojans and ID stealing apps are in various marketplaces (still in distribution in many cases even though we know what the apps do), yet the worst offender on Apple's platform merely collected e-mail addresses from saved contacts, and never actually used that data illegally or against consumer trust (yet they still got thrown out).
@zelannii actually, to access the file system the way you say apps could on android requires superuser access.
There are various other errors in your comparison, but I thought I'd at least give you the heads-up on that one.
The nice thing about android is they warn you before you download each app what the app will have access to. Some require your contact data when there's no reason they would need that information so I don't download. Others make sense.. gps apps are of course going to need to know your gps location. It's a scary subject, imo. It's sort of like the patriot act.. giving up some of your privacy for a bit more of something else.
Who would have thought we'd get to the point where we'd have to worry about micro sized applications downloaded directly through your phone stealing all your information?
The smartphone has proposed a challenge, to each of the houses: "The House that gathers the most information will control the marketplace. There are no set territories, and no rules of engagement." Vast armies have arrived. Now, three Houses fight for control of Dune; The Noble Apple, The Insidious Google, The Evil Microsoft.
Guess who ends up as the tyrant.
lol I love the usual Engadget update: we spread total FUD, but we "corrected it" in an update that nobody who read the article in the first place will ever read so we do not need to apologize.
Hint Engadget: usually it's better to verify information BEFORE posting it.