Android & iOS Apps Pose a Threat to User Privacy


Have you ever tried to revoke your Android applications' access to your Gmail account? If you have succeeded, let us know how you did it.

Cryptographer and security specialist Bruce Schneier said, “You cannot trust any company that makes any claims of the security of their products. Not one cloud provider, not one software provider, not one hardware manufacturer.” As paranoid as it sounds, the more news is revealed, the closer to the truth it seems.

When you install new applications on your smartphone or tablet, do you ever wonder why a seemingly harmless application needs access to your contacts, text messages, location and Gmail account? It seems as though application developers choose to have access to all your private data just because they can, not because an application needs it to function. The worst part is that revoking that access token is a mission impossible.

The unpredictable nature of applications for both iPhone and Android devices poses a security risk you may not have suspected. Leaving the obvious malware aside, legitimate applications can turn out to be compromising your privacy and security in one way or another.

Certain kinds of applications urge users to be cautious about them; however, there is plenty of legitimate software available on the market that seems safe.

Take a look at the Brightest Flashlight case. The Federal Trade Commission reached a settlement with Goldenshores Technologies last week. It turns out that the Brightest Flashlight application aggregated user data concerning user locations, device IDs and other private information, and sold it to advertisers without the users’ prior consent. The application harvested user data even when users rejected the application’s terms of service. The FTC forced the company to revamp its privacy policy, data handling and user communication. The Federal Trade Commission stated that the application had been installed on tens of millions of smartphones.

The disgraceful case shed some light on an inconvenient state of things in the smartphone application industry. Clearly, some applications claim access to personal data when they have no apparent need to do so, which can potentially lead to compromising user privacy and security. There is no apparent regulation or regulatory body on the Internet that would prevent applications from harvesting personal information.
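To make the over-permissioning point concrete, here is an added example (not from the article or from any vendor) that audits a decoded AndroidManifest.xml against the permissions an app's stated function actually needs. The manifest is constructed for a hypothetical flashlight app, and the script assumes the APK's binary manifest has already been decoded to text, for instance with apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions guarding the data categories the article names
# (contacts, text messages, location, accounts, device IDs).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}

# Constructed manifest for a hypothetical flashlight app (not a real APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, needed):
    """List sensitive permissions requested beyond the 'needed' set."""
    excess = requested_permissions(manifest_xml) - set(needed)
    return sorted((p, SENSITIVE[p]) for p in excess if p in SENSITIVE)

if __name__ == "__main__":
    needed = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
    for perm, data in audit(SAMPLE_MANIFEST, needed):
        print(f"not justified by function: {perm} ({data})")
```

The `needed` set is a reviewer's judgment about what the app's function requires; anything sensitive outside it is a question to put to the developer before installing or approving the app.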

Hewlett-Packard revealed the details of its recent survey about the security of some business applications for iPhone. The conclusion was very disturbing: many of these applications grant themselves access to phone features, IDs and user data that are absolutely unnecessary for the applications to function normally. Hewlett-Packard discovered that more than 90% of the business applications it reviewed had flaws or serious breaches in security and privacy areas.

Unencrypted data and insecure protocols were some of the widespread security holes, while unprotected HTTP was used in more than 20% of the applications. Another 20% used HTTPS in the wrong manner, compromising privacy and security. Hewlett-Packard also found a large percentage of applications that could potentially compromise user privacy and security through sheer incompetence. Apparently, Hewlett-Packard is not the only organization that finds a major problem with applications’ security. Trend Micro published a report claiming there are over 1 million high-risk and malware applications for Android devices on the Internet. One quarter of that million is represented by high-risk applications; the report defines them as applications that “aggressively serve ads that lead to dubious sites.”

Trustwave, an information security company, says that file sharing applications for iPhones and iPads can seriously compromise user privacy and security. File sharing applications open an insecure file server on the device, which gives malicious intruders a chance to copy the files, or even upload a malicious file of their own. Amazingly, some applications do not even require user authentication. On older versions of iOS, the problem is even more serious.

What does it all mean for the end user? It means that the next time you download and install a new application, consider if it’s worth the risk. Educate yourself about privacy and security online. We recommend a selective approach to installing the applications. The fact that the application is on Google Play or iTunes does not mean that Google or Apple can guarantee its safety. Tech and Internet giants are eager to embrace the profits, but reluctant to face the responsibility the power and omnipotence impose on them.

Numerous complaints and reports of blatant privacy violations by leading tech and mobile app vendors urged US lawmakers to introduce a new bill that would oblige developers to disclose what kind of data they harvest and how they treat it. The Application Privacy, Protection And Security Act would enable the FTC to impose certain privacy rules on mobile application developers. How the rest of the world is going to handle the problem is yet to be seen. Currently, each user has to think for himself.