New cybersecurity threat: smartphone apps that do more than what they say they do

Published 29 July 2010

A large proportion of applications contain third-party code with the capability to interact with sensitive data in a way that may not be apparent to users or developers; Apple reviews its applications before accepting them into its App Store, but even that is not foolproof when it comes to detecting erroneous or malicious components within apps, which might end up collecting or storing information that has nothing to do with the intended usage case of the app.

Like on PCs, the danger of trojan apps grows // Source: pc1news.com

Citigroup’s revelation that its iPhone banking app came with a security glitch may have been bad news for the bank’s customers, but it was good news for a group whose mission is to educate consumers and developers about the vulnerabilities in smartphone apps.

Citigroup informed its customers that its iPhone app was saving customer account information in hidden files on users’ smartphones and computers and told them to upgrade to a new version of the app that deletes any information that might have been saved to iPhones or PCs.

Monica Alleven writes in Wireless Week that this week, executives at mobile security firm Lookout are at the Black Hat conference in Las Vegas to share what they found — a similar vulnerability that affects Android. Lookout’s chief technology officer and one of its founders, Kevin Mahaffey, says Citigroup did a good job of being proactive and catching the iPhone app glitch before it wreaked havoc.

Apple reviews its applications before accepting them into its App Store, but even that is not foolproof when it comes to detecting erroneous or malicious components within apps, which might end up collecting or storing information that has nothing to do with the intended usage case of the app. Mahaffey refers to an example of a 15-year-old developer who was able to put a tethering app inside a flashlight app unbeknownst to Apple or AT&T, which charges more for tethering.

“If there’s anything we’ve learned is vulnerabilities happen,” he says. “It’s great that Citibank was ahead of the problem. Finding out from them and using it as a learning experience is a success.”

Alleven notes that Lookout has started what it calls its App Genome Project, whereby it has scanned 300,000 free apps and done a deep analysis on 100,000 of them to gain insight into what apps are doing once they are on devices and to understand if “bad things are happening in the wild,” Mahaffey says. The company is developing automated tools to make the process easier.

The project has found that apps on Android are generally less likely than applications on iPhone to be capable of accessing a person’s contact list or retrieving their location, with 29 percent of free applications on Android having the ability to access a user’s location, compared with 33 percent of free applications on iPhone. Additionally, nearly twice as many free applications have the capability to access people’s contact data on iPhone (14 percent) as compared to Android (8 percent).

The App Genome Project also found that a large proportion of applications contain third-party code with the capability to interact with sensitive data in a way that may not be apparent to users or developers. The third-party code is generally for advertising or analytics. The project found that 47 percent of free Android apps included this third-party code, while that number is just 23 percent on iPhone. Lookout says third-party code is difficult to globally update and creates potential for a cross platform vulnerability.
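The kind of capability census described in the two preceding paragraphs can be illustrated with a small static scan of Android manifests. The following Python is an added example, not code from Lookout or the App Genome Project: it reads each app's declared permissions to decide whether the app can reach location or contact data, flags components that live in third-party (ad or analytics) packages, and reports the share of the sample with each capability. The manifests and the SDK package prefixes it recognises are constructed for the example; only the `android.permission.*` identifiers are real.

```python
"""Toy capability census over constructed Android manifests.

Added example, not the App Genome Project's code. Each app is profiled by
the permissions it declares and by whether it embeds third-party
(ad/analytics) components; the census then reports what fraction of the
sample can reach location or contact data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Real Android permission identifiers gating the two data types discussed.
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}

# Assumption: package prefixes treated as embedded third-party SDK code.
# These are constructed placeholders, not real vendors.
THIRD_PARTY_PREFIXES = ("com.example.adsdk.", "com.example.analytics.")

# Constructed sample manifests (not real apps).
SAMPLE_MANIFESTS = [
    # Flashlight app that also declares location and ships an ad service.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.flashlight">
      <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
      <application>
        <activity android:name="com.example.flashlight.MainActivity"/>
        <service android:name="com.example.adsdk.AdService"/>
      </application>
    </manifest>""",
    # Notes app with no sensitive permissions and no third-party code.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.notes">
      <application>
        <activity android:name="com.example.notes.EditorActivity"/>
      </application>
    </manifest>""",
    # Contact-sync app embedding an analytics receiver.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.sync">
      <uses-permission android:name="android.permission.READ_CONTACTS"/>
      <application>
        <service android:name="com.example.sync.SyncService"/>
        <receiver android:name="com.example.analytics.EventReceiver"/>
      </application>
    </manifest>""",
    # Weather app using coarse location only, first-party code only.
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.weather">
      <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
      <application>
        <activity android:name="com.example.weather.ForecastActivity"/>
      </application>
    </manifest>""",
]


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the capability profile of one app from its manifest text."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}
    # Components whose class sits in a third-party package reveal embedded
    # SDK code that runs with the host app's permissions.
    components = [
        el.get(NAME_ATTR, "")
        for tag in ("activity", "service", "receiver")
        for el in root.iter(tag)
    ]
    third_party = sorted(c for c in components if c.startswith(THIRD_PARTY_PREFIXES))
    return {
        "package": root.get("package"),
        "location": bool(perms & LOCATION_PERMS),
        "contacts": bool(perms & CONTACT_PERMS),
        "third_party_code": third_party,
    }


def census(manifests: list[str]) -> dict:
    """Aggregate capability percentages over a sample of manifests."""
    profiles = [analyze_manifest(m) for m in manifests]
    n = len(profiles)

    def pct(key: str) -> int:
        return round(100 * sum(1 for p in profiles if p[key]) / n)

    return {
        "apps": n,
        "location_pct": pct("location"),
        "contacts_pct": pct("contacts"),
        "third_party_pct": pct("third_party_code"),
    }


if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        print(analyze_manifest(m))
    print(census(SAMPLE_MANIFESTS))
```

On the constructed sample, half the apps can read location, a quarter can read contacts, and half embed third-party components; the third-party ones inherit every permission the host app declared, which is the cross-platform update problem the article raises.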

Mahaffey says the Genome Project is separate from what Lookout offers in terms of products, which include an app that an end-user can download and use to determine whether an app is a “good” app or one subject to security vulnerabilities that shouldn’t be used. The company has not released an iPhone version of the product yet but is expected to do so.

Lookout was founded in 2007 by John Hering, James Burgess and Mahaffey. The San Francisco-based company has about thirty employees and recently announced it has more than one million registered users for its smartphone security app.