Mobile Phone App Privacy Concerns Raised

Published November 16, 2010

Research showing mobile phone applications reveal a startling amount about their users is raising concerns among privacy advocates and Web security professionals. By downloading and using the apps, mobile phone users unwittingly disclose to companies behind the applications information about themselves they would not normally reveal willingly even to an employer or close friends. But that doesn’t mean government intervention is required, a tech scholar notes.

Researchers from Duke and Pennsylvania State universities and Intel, Inc. showed applications for Android smartphones collect GPS and other data to pass to the app developer, in a white paper written for the 2010 USENIX: The Advanced Computing Systems Professional and Technical Association annual conference.

The computer scientists developed and used a tool called TaintDroid to detect and analyze how private information was used by 30 different Android-based applications. TaintDroid consists of an extension to the Android operating system along with some software modifications to the phone itself.

According to Will Enck, one author of the TaintDroid paper: “We built TaintDroid to watch how applications are using information. TaintDroid tracks information from when it is accessed to the point at which it leaves the phone. Just because sensitive information leaves the phone does not mean there is a privacy violation. However, knowing when that information leaves the phone is a necessary step in identifying problems.”

Confusing for Most
Dr. Susan Hinrichs, an instructor at the University of Illinois Information Trust Institute, recalls her experience with applications as a security researcher. “As you install apps, it gives you an itemized list of the features the app requires, [such as] network access or access to your GPS location. After the first couple apps, truthfully I wasn’t paying much attention to the list anymore. Someone who is not technically aware is just going to be confused by the list anyway.”

Hinrichs and John Bambenek, a security analyst with CIBER, Inc., both say there is typically little or no testing done by the owners of the standard marketplaces for the mobile platforms, a fact of which consumers are probably unaware. “They’re not doing any vetting of the code per se,” Bambenek says. He notes apps often are allowed into the platform store based on developer reputation.

“The study demonstrated that applications do not always behave as we might expect,” said Enck. “When you install an application from the Android Market, you are shown a list of permissions indicating the information and resources that the application will have access to. However, that list does not describe how that information will be used.”

Bambenek says companies develop these apps with the intent to monetize them, “but some of this might [simply] be remnants of development code. Development, especially in the mobile world, is a tight loop and sloppy. No one’s really thinking about security. So some of these people may not even know they’re getting this information.”

Vulnerable to Malicious Developers
“Google is taking the stance,” says Hinrichs, “that the marketplace will quickly sort out the malicious developers through bad reviews, and this should certainly work for egregious errors. However, a very clever app-developer could develop a seemingly innocuous app that is a Trojan for information harvesting.”

Hinrichs continued: “Mixing mail apps and bank apps that will store sensitive account information with free diversions will provide great opportunities to the clever, malicious developer who wants to harvest information about thousands or tens of thousands of phone users.”

Although vendors rely on user ratings to show other users the fitness of an app, that system may be vulnerable to manipulation. Apart from the initial difficulty of getting people to download and rate an unrated app, “people can doctor those all day long,” says Bambenek. A developer with a little dishonest creativity could achieve very high ratings whether people actually use the application or not, he notes.

Enck advises: “Users should be vigilant when installing applications. Look carefully at the list of permissions and assume the worst. If you don’t understand why an application has a permission, you can email the developer for an explanation. Just like visiting a random Web site, it’s better to be safe than sorry.”

The market can be expected to provide solutions without government interference, Hinrichs notes. “I’m not sure what the answer is. Probably suites of ‘security’ software will be developed for smart phones as they have been developed for home computers. These software suites could build on the technology in the USENIX paper to identify and stop unexpected or anomalous information flows,” she said.

Loren Heal writes from Neoga, Illinois.

On the Internet:

“TaintDroid: An Information-Flow Tracking System for Real-Time Monitoring of Privacy on Smartphones,” Duke University, Pennsylvania State University, and Intel, Inc. White Paper: