Apps on your phone could be stealing your data

How many apps do you have? On average, on any given smartphone or tablet you are sure to find at least six to seven apps, and it wouldn’t be a surprise to find more than twenty. Whether it’s a smartphone you are using or a tablet, your experience would be quite limited without apps. There are apps as diverse and varied as you could possibly think of. Whether it’s information you are seeking or you are simply looking to kill some time, there is an app that will help you do just that.

But it’s not all hunky-dory, as there is a price you pay. For every app you download, you allow it access to your private information – right from your address book to messages, calendar, photo gallery and much more. Thanks to these apps, much of the data on your device is being saved on servers belonging to the app developer, advertisers, app stores and, quite likely, data harvesters or even hackers. An innocent-looking app that promises you one good joke a day may actually be a tool to just gather data. Simply put, your privacy and security are at stake. Since we use our smartphones for more than just communicating – from social networking and e-commerce to even banking – the device holds sensitive data, which miscreants can use to cause irrevocable damage.

2012 Cisco Connected World Technology Report highlighted the increasing prominence of apps


Elaborating on the threats that users face, David Hall, Regional Consumer Product Marketing Manager, Asia Pacific, Norton by Symantec, says, “Smartphone and tablet sales are set to soar, and more users than ever will have their virtual lives and sensitive data with them at all times. Threats arising out of apps would become a serious concern, as a user’s rising dependence on the functionality of personal or professional apps would leave them vulnerable to a myriad range of online threats. Lack of proper protection against such threats is equivalent to serving crucial data like contacts, confidential mails, passwords and other personal information on a platter and letting the cyber vultures feast on them. With more and more features being added to applications to enhance the functionality of the apps, one of Norton’s predictions for 2013 is the rise in mobile adware, commonly also called ‘madware’.”

He states further, “Madware disrupts the user experience and can potentially expose location details, contact information, and device identifiers to cybercriminals. Madware—which sneaks onto a user device when they download an app—often sends pop-up alerts to the notification bar, adds icons, changes browser settings, and gathers personal information. Because location and device information can be legitimately collected by advertising networks—as it helps them target users with appropriate advertising—we expect increased use in madware as more companies seek to drive revenue growth through mobile ads. This includes a more aggressive and potentially malicious approach towards the monetization of 'free' mobile apps.”

The big data
Every app that you download requires access to certain data to function, and the permission for the same will be sought. Unfortunately, when we grant apps the permission to access our data by agreeing to the end-user agreement, none of us takes the pain to go through what information the app is accessing. Hence, many of the apps get away with access to information that they do not require to function. On the other hand, there are also several apps that clandestinely access information without seeking prior permission from the user.

Over the years, several instances have come to light of apps accessing user information without permission. Apart from your contact book, apps can also access or send messages, read your location, initiate calls, use the camera and even transfer keystroke information back to the developers. One incident that caused quite a furore was the discovery that a private social networking app, Path, was not only accessing users' contact book information, but was also sending it to Path’s servers. While the Android version of the app had an option wherein users could opt in for this, no such permission was sought from iOS users. For a social networking app, wanting to access the said data wasn’t uncalled for; what backfired was that it did so without seeking permission from the users. The users were aghast to learn that the contents of their phonebook had been accessed and stored without their consent. This was seen as a heinous breach of privacy and a security threat. The latest app to come under the scanner is WhatsApp, which is amongst the top five instant messaging apps. Canadian and Dutch data protection authorities recently rebuked the app after discovering that it forced users to part with their entire address book instead of limiting access to the contacts who use the app, and thus violates privacy laws.

There is an app for everything (Image Credit: Getty Images)


However, Siddhartha Banerjee, who started with developing apps for the Apple platform, and more recently for the Windows 8 platform, presents an interesting viewpoint. He points to the fact that collecting user data is common practice, and what we need to focus on instead is what is being done with the data. He says, “More than whether there is a security threat, for me the more relevant question is whether collecting data is ethical or not. In my opinion as long as it doesn’t violate the user's privacy then it’s fine. If you look then in today's world almost everybody is collecting data, right from Facebook to any kind of website, some way or the other people are collecting data. And to be very honest, it’s not that the user doesn’t know about it. When as a developer we upload an app on say the Apple platform or the Windows platform, there is a standard End User License Agreement which a developer needs to tick mark to go with their app. Most of the time what happens is that the users don’t actually read all those terms and conditions where it’s stated what kind of information will the app be accessing. And when the users give their consent without reading those, it means that the user is giving the permission to the app to collect the data.”


He explains that many a time apps collect certain information because they need it to provide better features. He says, “There are certain apps, like even our app collects certain analytic data, it is a third-party analytic site and we embed the code for it inside our app. It is purely from the technical point of view. For instance, because we collect certain data, we will know say that your favorite coffee shop is ten minutes away. Or you follow certain people on Twitter because you are like-minded, so we will provide recommendation of people to follow. So those to me are enhancing user experience. However, having said that if there is a wallpaper app asking for contact information, now unless the app is designed in such a way that after collecting the contact details, it will on their birthday automatically send a postcard or a greeting card on your behalf, then it is a different story. But the app should mention the same in their description. However, unnecessarily collecting data is absolutely unethical.”

Are OSes to be blamed?
In the battle for supremacy amongst OSes, what gives a platform its edge is the presence of apps. Amidst growing concerns over privacy and security amongst users, the platforms came under fire to get their act together. Android happens to be the most popular OS around the world, but unfortunately, it is also the most vulnerable. A study conducted by Juniper Networks Mobile Threat Center (MTC) analysed over 1.7 million apps on the Google Play Store from March 2011 to September 2012 and found that free apps in particular were more likely to track location and access the user's address book. Several other reports and studies present the same damning information. One of them, the Mobile Threat Report Q1 2012 by security firm F-Secure, revealed that malware targeting Android users has quadrupled. In fact, according to the latest report from Trend Micro, the volume of malicious and high-risk Android apps will hit one million in 2013.

Android is the most abused platform


Speaking about the threats on the Android platform, Sharda Tickoo, PMM, Trend Micro, says, “We have been in this space gathering information about mobile malware for a long time and have actually identified widespread presence of malware on Android. Android is the most abused of these app stores and perhaps the reason is that because it’s a very open platform that makes it more vulnerable than others. Anyone can pay a small amount and create a developer login and upload an app. We found that it has many types of malware like data feeders that send specific information about the users to the cyber criminals. We now have a dedicated team of security researchers who crawl through all the apps and check for vulnerabilities. We also do a sandboxing of these apps, run them in our data center and check their behavior like does it really need contact details, will it root device, etc. and provide reputation points to apps based on these checks. The tests are also carried out each time the app is updated. We feel that the threat to Android will continue to grow and there is going to be a race between an Android attacker and a security provider like us in the coming year.”

Getting an app published on the platform is relatively easy, and so it’s hardly surprising that the Android platform boasts the largest number of apps. After receiving flak over the presence of malicious apps on the platform, Google did swing into action and weeded out thousands of apps that posed a threat. It relies on "Bouncer", a server-level security tool, to check apps already present in the Play store. This is a departure from the industry approach, as other platforms have systems in place to check apps before they are published on the respective platform. Google’s approach means that when a malicious app gets published in the Play store, it may be downloaded by thousands before it gets detected and suspended by Bouncer. In fact, this seems to be the case, as was showcased by two researchers from computer security company Trustwave.

The researchers first added a harmless app to the Play store and then went on upgrading it with malicious content. What they discovered was that it was a while before the app was detected and suspended by Bouncer. How far could they go? Their app could glean address book information, steal text messages, steal photos, steal call records and even attempt a DDoS. Surprisingly, the app went undetected. It was only when the researchers uploaded a version that continuously sent the data without pausing that the app got suspended. This incident clearly exposed the blind spot in the system, which Google needs to address.

Apple is considered to be one of the safest platforms


Compared to Google, other platforms like Apple, BlackBerry and even Windows have a more hands-on approach and have stringent measures in place before allowing apps to be published on their platform. Microsoft with Windows 8 and BlackBerry with BB10 have on one hand launched a slew of initiatives to woo developers to their platforms, while on the other they have strict selection criteria in place. An app has to undergo a series of tests, which ensure that the app isn’t compromising users' privacy or security and at the same time is optimising the features of the OS. They are taking pains to review every app and send feedback to the developer in case something is amiss, and the app is allowed to be published only after it meets the standards.

This clearly reflects that the platforms are taking it upon themselves to ensure that the users have a safe experience on their platform. Explaining their approach, Annie Mathew, Head of Alliances, Research In Motion (RIM), India, says, “These things will matter, because it’s not about quantity, it’s a serious game now. The whole hoopla surrounding apps will settle down and to a good place I hope. Apps are here to stay as they do make the phone smart. However, security will become a big thing as malware has become so rampant and most of the people aren’t even aware that their information is being used. BlackBerry’s focus has not been on quantity, we may not have so many apps, but the ones that we do have are safe, secure, useful and reliable.” With BB10, BlackBerry introduced the Built-for-BlackBerry certification, which will look at all aspects like security, battery usage etc. and even what APIs are being used. If the apps clear the test, then they get the Built-for-BlackBerry stamp, which developers can use to market their apps.   

BlackBerry with BB10 has announced the Built-for-BlackBerry certificate


While the OSes are doing their bit to ensure that their platforms are safe, Siddhartha believes that it won’t really affect consumers' choice when choosing an OS. But he does hope that we will see more meaningful apps. He says, “People in India are not willing to pay for an app, so that's the reason you will find let’s say five different versions of Angry Birds. If the developer is not ethically right, then to some extent they can take advantage of the system, so the certification process is extremely important. And while there is an increasing awareness amongst the people about the apparent threats, it won’t cause them to change the platform. What will happen is that they will stop downloading apps meaninglessly. They will be looking for authenticated apps, and with Google Wallet opening up, I see that there is a lot of potential, because once you have paid for an app, hopefully it won’t be bad. On the other hand while the platforms are changing their norms, having certain checks, the developers also need to understand why and what they are developing apps for and not just go about developing apps for any platform.”

Should you stop downloading apps?
There is no denying the fact that you need apps. However, before launching on a downloading spree, you will save yourself a great deal of trouble if you take a moment to analyse the permissions that the app is requesting, whether they are actually necessary for the app to function and, most importantly, whether you are comfortable sharing that data. David has a word of advice for consumers. He says, “Before you download an app, consider what you know about who created it and what it does. The app stores may include information about the company that developed the app, if the developer provides it. If the developer doesn’t provide contact information – like a website or an email address – the app may be less than trustworthy. If you’re using an Android operating system, you will have an opportunity to read the 'permissions' just before you install an app. It’s useful information that tells you what information the app will access on your device. If any of your already downloaded applications, all of a sudden start to act strangely, then one should be on high alert (realise phone calls and messages are made without your knowledge).”

Online tools like Lookout provide valuable information about apps


Additionally, you can make use of the online tools that are available, which will check the apps and highlight any areas of concern. It’s a good idea to have robust security software installed on your device. Today, leading security suites like Norton, McAfee, Trend Micro, Kaspersky and Lookout, amongst others, provide protection against malicious apps. While the Google Play Store now lists the permissions an app is seeking, an understanding of what those permissions imply is still lacking. At such times you can scan the app using any of the security suites mentioned above and it will provide you with an explanation of how your data can be used. It will also flag the ones that are potentially threatening. Besides security, you will also be able to view other crucial details like the battery consumed, memory hogged etc. Additionally, you can go through reviews of the apps online to see what people are saying about their performance and actual features. All said and done, the safety of your device – and most importantly, your privacy – is something that is in your own hands.
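The permission check recommended above, sketched as an added example (it is not from the original article or from any of the security suites named): it reads the `uses-permission` entries of an Android manifest, translates the sensitive ones into plain language and flags those the app's category does not plausibly need, such as a wallpaper app asking for contacts. The category names, the `EXPECTED` mapping and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What each sensitive Android permission lets an app do, in plain language.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "place calls without the dialer",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.CAMERA": "use the camera",
}

# Assumption: sensitive permissions each (hypothetical) category needs to function.
EXPECTED = {
    "wallpaper": set(),
    "messaging": {"android.permission.READ_CONTACTS",
                  "android.permission.READ_SMS",
                  "android.permission.SEND_SMS"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
}

def requested_permissions(manifest_xml):
    """Return the sorted permission names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(names - {None})

def audit(manifest_xml, category):
    """List (permission, meaning) pairs the category does not justify.
    An unknown category justifies nothing, so every sensitive permission is flagged."""
    allowed = EXPECTED.get(category, set())
    return [(p, SENSITIVE[p]) for p in requested_permissions(manifest_xml)
            if p in SENSITIVE and p not in allowed]

# Constructed sample: a wallpaper app that also asks for contacts and location.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for perm, meaning in audit(SAMPLE_MANIFEST, "wallpaper"):
        print(f"unexpected for a wallpaper app: {perm} (can {meaning})")
```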


So think twice before downloading an app.


Cover image: Getty Images

Published Date: Jan 31, 2013 09:45 AM | Updated Date: Jan 31, 2013 09:45 AM