On January 7, Apple announced that customers have downloaded over 40 billion apps, with nearly 20 billion in 2012 alone. The App Store has over 500 million active accounts and had a record-breaking December with over two billion downloads during the month. Apple’s developer community has created over 775,000 apps for iPhone, iPad and iPod touch. The Android app market is no slouch, either. At the end of October, there were about 700,000 apps for Android, and surely that number has increased in the past two months. More than 25 billion downloads of these apps had been recorded by the end of September 2012.
Of those 65 billion downloads, I will take credit for about 20 of them. That’s right, in the three years that I have had my smart phone, I’ve downloaded at most 20 applications. Call me overly cautious (or even paranoid), but I have an inherent distrust of applications that could easily be running roughshod over my phone without my knowledge or permission.
As app happy consumers, we love the thought that “there’s an app for that,” no matter what “that” is. “That” could be losing weight, getting directions, creating silly photos, reading the news, buying coffee—or 775,000 other things. But the cynic in me asks: how can we possibly know what these applications really do behind the scene, and what they do in terms of supporting privacy and data security?
I’m sure that many mobile apps are created by professional developers who follow industry best practices for application development and data security, but I’m willing to bet the vast majority of apps are put out into the marketplace by less conscientious developers who are hoping to strike it rich by creating the next Angry Birds. In fact, I was in utter amazement the other day when I saw this Living Social deal:
For a mere $99 investment, you can learn how to create apps and release them to the public quickly. As of this writing, 109 people already plan to take this course. How much time do you think these people are going to spend learning the proper way to secure data and keep it private on mobile devices? Not much, I’m sure.
Andrew Hoog is the Chief Investigative Officer of the security consulting firm viaForensics. His company uses forensics to study how well mobile apps secure the data on the devices. Hoog told me that in the course of performing investigations for clients, viaForensics often finds enormous amounts of sensitive data on smart phones that would place consumers or businesses at risk. He says the data typically gets on the devices through poorly designed apps, and the only people who benefit from it being there are “the bad guys.”
“Many of the apps written for iOS and Android are written by novices with no prior development experience,” Hoog told me. “Even applications written by big companies sometimes have security issues. As more and more applications come onto the market, things are not heading in a direction that’s going to be good for the user,” he concluded.
Mobile platforms have special security issues that aren’t found on other platforms. Thus, if a developer tries to treat a smart phone like, say, a PC platform or a web browser, he’ll overlook important things. For example, mobile devices have a special kind of memory to preserve the life of the device. As a result, smart phones hold on to information as long as they possibly can because the memory has a limited read/write capability. If a developer designs an application that writes information to the phone, either intentionally or as a by-product of some action, the information is almost always recoverable. “A developer has to have a different way of thinking about where data gets written, and how to get rid of it and completely clear it out,” says Hoog.
Insecure data is just one problem with poorly written applications. In some cases, applications may intentionally harvest data from the smart phone without the device owner’s knowledge or permission. For example, the security firm Appthority has discovered mobile applications that willfully collect all of the contact names and data on the phone, or that take note of the geolocation of the device, even if it’s not necessary to support the application. More malicious mobile apps place a rootkit on the device to make it susceptible to takeover, such as for a botnet.
It’s impossible to know what an application will do by reading the brief description and reviews in an app store. The license agreement doesn’t always state what data the app collects, and for what purpose. Even apps from reputable sources may have security shortcomings. viaForensics has identified numerous apps from “brand name companies” that fail the test of properly securing data.
Call me cynical. Call me paranoid. Call me a digital dinosaur. I’m not app happy about loading up my smart phone with applications that might be doing more harm than good.