IT departments and people who use smartphones both for business and pleasure should pay attention to the security implications of downloading applications from online stores.
Internetnews.com reports on a couple of sessions at the Black Hat conference this week in Las Vegas that dealt with these issues. The story describes the App Genome Project, which analyzed almost 300,000 free Android and iPhone applications to see if user information could be accessed. The results were a bit disconcerting: 14 percent of the iPhone apps and 8 percent of the Android apps did, indeed, let personal information about the user escape.
Even more troubling is the finding that 47 percent of Android apps and 23 percent of iPhone apps use third-party code that may be interacting, and doing heaven knows what, with user information.
The implications of this are significant. The story doesn't say so, but third-party code may be more likely to actively seek user data for nefarious purposes. In any case, enterprises certainly need to be aware of this stealth component of software that could be trying to steal passwords or otherwise seeking to compromise servers, databases and other repositories.
The problems are real. Citigroup this week reported a flaw in its U.S. Citi Mobile iPhone app, according to The Wall Street Journal. The report says that about 117,600 people may have been affected since March 2009. The wayward code in the application can create a hidden file on the handset that saves data such as access codes, bill payments and account information. The surreptitiously saved info can also be downloaded onto a computer if it is synced with the iPhone. The story says Citigroup claims that no customer information was believed to have been lost. It is hard to see how the company can categorically say that, however. The flaw is alleviated when the application is updated, the story says.
Tech Republic offers a good overview of the security vulnerabilities inherent in smartphone apps and app stores. The overview paragraph sums it up:
...All the pieces are in place: immense traffic to the app-store web sites, a great software delivery system, and no simple way to tell if an application is malicious or not. On top of that, with the number of applications being written and submitted every day, how is it possible to check every line of code? Cybercriminals have to be smiling.
The piece offers Apple's and Android's overall positions on keeping applications safe, though the statements are general and a bit vague. The writer suggests paying attention to negative news, maintaining a sense of healthy skepticism and visiting websites that test applications, and includes a link to Smart Device Central.
The bottom line is extremely clear: Smartphone apps and the online stores that carry them are havens for serious vulnerabilities. This danger is particularly acute in an open source environment, where the provenance of the software is unclear.