Black Hat: Android, iPhone App Data Risks Overlooked

A survey of mobile app security for iPhone and Android reveals that information disclosure isn't always obvious.
At the Black Hat USA 2010 conference in Las Vegas on Wednesday, mobile security company Lookout revealed that smartphones present more of a risk of data leakage than most users realize.

CEO John Hering and CTO Kevin Mahaffey presented the "App Genome Project," a survey of how Android and iPhone apps handle security and sensitive data.

The issue for Lookout isn't so much that Android devices or the iPhone may have vulnerabilities. It's that developers fail to appreciate the risks presented by third-party code and device users fail to consider the implications of granting permission to an app to access their data.

In one particular case, a wallpaper app for Android devices that had been downloaded several million times was found to be sending user data -- phone number, subscriber identifier, and currently programmed voicemail phone number -- to a server in China.

This wasn't necessarily malicious -- the user agreed, perhaps without really thinking about it, to provide this information when the app was installed -- but it underscores the extent to which mobile devices present an information disclosure risk.

Approximately 29% of free Android applications and 33% of free iPhone applications have the ability to access user location data, according to Lookout.

Almost twice as many iPhone apps (14%) as Android apps (8%) can access user contact data.

And almost half (47%) of Android apps include third-party code -- typically related to ad serving and tracking -- compared with 23% of iPhone apps.

The risk of including third-party code was made clear last week when Citibank notified U.S. banking customers that its Citi Mobile app for the iPhone contained a programming flaw that left their bank account information stored insecurely.

The app was created using a combination of code from Citibank's developers and mobile banking software maker mFoundry. While the origin of the insecure code hasn't been disclosed, it's clear that integrating third-party code can be risky.

Even when mobile application code is developed by a single party, the full functionality of the app may not be apparent. Nick Lee's Handy Light app, for example, appeared to be an app that mimicked a flashlight by presenting a bright screen. But it also contained a hidden tethering feature, prompting Apple to remove the app from its iTunes Store.

Hering and Mahaffey stressed that developers need to follow good security practices.

"The lesson today is that developers don't always know what's inside their apps," said Mahaffey.

They reported finding an Android app that read parameterized session IDs from log files generated by other Android apps.

Exposing login credentials to unrelated apps in this way is not wise, and Hering urged developers not to allow sensitive information to be written to log files.
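One way a developer could act on that advice is to scrub session parameters from every message before it is handed to the logger. The Java sketch below is an added illustration, not code from Lookout or from any app named in this article; the parameter names and the sample log lines are constructed assumptions.

```java
import java.util.regex.Pattern;

public class LogRedactor {
    // Hypothetical list of sensitive parameter names; extend it for your own app.
    // Group 1 keeps the delimiter and "name=" so only the value is replaced.
    private static final Pattern SENSITIVE = Pattern.compile(
        "((?:^|[?&;\\s])(?:sessionid|session_id|jsessionid|phpsessid|sid|token|password)=)"
        + "[^&;#\\s\"']+",
        Pattern.CASE_INSENSITIVE);

    /** Returns the message with the value of every sensitive parameter masked. */
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        return SENSITIVE.matcher(message).replaceAll("$1[REDACTED]");
    }

    public static void main(String[] args) {
        // Constructed sample log lines, not taken from a real application.
        String[] samples = {
            // Session ID passed as a query parameter.
            "GET https://example.test/feed?user=42&sid=9f3c1a77e0b2 -> 200",
            // Session ID passed as a path (matrix) parameter, mixed case.
            "Redirect to /account;JSESSIONID=A1B2C3D4E5?tab=home",
            // Two sensitive values in one line, one at the start of the message.
            "token=eyJhbGciOi.payload.sig refreshed via /login?password=hunter2&lang=en",
            // Nothing sensitive: must pass through unchanged.
            "Loaded 12 wallpapers in 340 ms"
        };
        for (String line : samples) {
            System.out.println("raw:      " + line);
            System.out.println("redacted: " + redact(line));
        }
    }
}
```

Routing every log call through a single wrapper that applies `redact` keeps the rule in one place, so a third-party library or a forgotten debug statement is less likely to bypass it.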

Such attention to security might be less of an issue if it weren't for the "massive incentive to attack these devices," as Hering put it.

"Standardized APIs are making it easier and easier to actually create practical attacks," said Hering. "Instead of having to do something complex in a desktop-like environment, I know I can just call the contact API for example and have a very simple programmatic way to grab that information."