Appolicious powers Verizon Educational Tools

Mobile apps can create security issues

by Phil Hornshaw

A few months ago, Citibank (C) notified users of its iPhone mobile app of a potentially huge boo-boo it had made.

The app was saving personal user identification info in a hidden file on the iPhone. The file was completely unprotected, and would sync to the phone owner’s computer when the iPhone was plugged in. Basically, if you knew where to look, you could get all the information you needed to access someone’s bank account, care of the bank itself.

This isn’t exactly a controlled incident for mobile security breaches, but it was a big one. Citibank has since corrected the issue with its app. And according to an article from Technology Review, it’s not an Apple-only problem.

There are security issues when it comes to iPhone apps, specifically because apps all have access to the data of other apps. Occasionally the user has to give an app permission to do certain things, but this is usually very limited. Apple is supposed to screen all the apps that go into the App Store to prevent shady apps from getting on your phone and stealing your data.

For Android users, things are a little safer – but not by much. Apps on the Google (GOOG) operating system don’t automatically get to access each other’s information, and they are required to ask permission from the user before they access the Internet, write to the phone’s SIM card, or access GPS data. But just because an app asks you permission, it doesn’t mean it has to tell you why it’s asking permission.

Researchers at Pennsylvania University, Duke University and Intel Labs are working on an app security solution for Android, after they investigated 30 of the system’s available apps. They write in the paper about their discoveries that several apps ask for information – like the phone’s GPS location, for example – as part of advertising functions. The trouble is, this information is never divulged to the user in the app’s license agreement. You’re never told you’re signing on to give up information about yourself so an app can advertise to you.

The researchers found some more glaring privacy violations during the course of their work as well. In response, they plan to announce a program called TaintDroid at Wednesday’s Usenix Symposium on Operating Systems Design and Implementation in Vancouver, Canada. It vets Android apps to monitor where they’re sending your information.

On the Apple side of things, iPhones aren’t necessarily more secure than Android-based phones, even though Apple checks each app before it comes to market. The company might be screening its iPhone apps, but it isn’t dissecting them – Apple checks their functionality in some pretty basic ways, and if they pass muster, pushes them on to the store. Consider the fact that hundreds of new apps hit the App Store every day, and that they’re only delayed by the approval process an average of around six days; there just can’t be that much intense checking going on.

So iPhone users may or may not be more secure when it comes to apps, and sleeper agents meant to steal personal information might populate the App Store even now. And while there are some security apps available on the App Store, there’s nothing that’s the official work of Apple – and if there’s one company to trust in this scenario, it’s the company that has the most to lose.

For now, both iPhone and Android users should take a common-sense approach to app security: if it seems fishy, don’t trust it. That goes for awkward, non-working or low-cost apps. You know: apps that seem like they barely function correctly or not at all. Delete those. They might not work, or only barely work, because their true purpose is to do something else.

Android users: Pay attention to the question an app asks you, and decide for yourself if you think you want to give an app that kind of access. Try to use programs from companies you know of and trust.

If you still have doubts, consider putting off doing your banking or other sensitive activities from your mobile device unless you have to. A little bit of patience and prevention can be the best medicine for avoiding identity theft.