App Genome Project eyes iPhone, Android security

Researchers at mobile security firm Lookout say many security issues with Android and iPhone apps result from innocent coding mistakes in third-party software.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
The Lookout App Genome Project is a real-time database of information about Android and iPhone apps and their security and privacy implications. (Credit: Lookout)

Mobile security firm Lookout has studied 300,000 Android and iPhone apps and fully analyzed nearly 100,000 that are free as part of a new App Genome project that's designed to help keep mobile users safe.

The real-time database can help Lookout detect problems before they reach a large number of Android and iPhone users, and can help educate developers about problems caused by platform issues or poor coding practices. The announcement comes on the cusp of the Black Hat security conference in Las Vegas.

Lookout's researchers have uncovered a number of issues with the software that millions of people rely on either in the operating systems used in the phones or in apps found on the Android and iPhone marketplaces.

For instance, the company said it found a new class of vulnerability it calls Mobile Data Leakage, which occurs when developers inadvertently write sensitive data to application logs in a way that makes that data readable by other apps, according to Lookout Chief Executive John Hering. In one instance, Android itself was exposing users' location information to other apps, and Lookout worked with Google to fix the issue, he said.

Lookout also discovered that an Android wallpaper app, called "Wallpaper, All Categories," was accessing personal identity and other sensitive information from phones and transmitting it to a server controlled by a Chinese developer, according to Hering.

He did not speculate on the motivation of the developer, but said many security issues arise because of developer oversight and are not necessarily malicious. For instance, Citibank said Monday that it had plugged a hole in its banking iPhone app that was inadvertently storing customer account data on the phone.

"We can find apps that leak information to logs and find if a malicious app is trying to read logs and slurp information from your phone," said Kevin Mahaffey, chief technology officer at Lookout.
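The leak described above, a sensitive value written to a log that other apps can read, can be checked for from the defender's side. The Python below is an added example, not Lookout's code or anything from the article: it scans constructed logcat-style lines for location, e-mail and account values and provides a redaction helper for use before the logging call; the log format, the patterns and the sample lines are all assumptions.

```python
import re

# Constructed sample log lines (not real captures) in the common
# "priority/tag( pid): message" logcat layout.
SAMPLE_LOGCAT = """\
D/LocationHelper( 1234): fix lat=37.4219983 lon=-122.084 acc=12.0
I/ActivityManager(  512): Start proc com.example.photos for activity
D/AccountSync( 2048): logged in as jane.doe@example.com
V/BankingApp( 3072): response account=12345678901234 balance=...
D/ThemeLoader( 1234): theme loaded
"""

# Kinds of data that should never reach a log another app can read.
# These patterns are illustrative assumptions, not an exhaustive set.
PATTERNS = {
    "location": re.compile(
        r"\b(?:lat|lon|latitude|longitude)\s*[=:]\s*-?\d{1,3}\.\d+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "account_number": re.compile(r"\baccount\s*[=:]\s*\d{8,}\b", re.I),
}

LINE_RE = re.compile(
    r"^(?P<prio>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$")


def parse_line(line):
    """Split one logcat line into priority, tag, pid and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_leaks(logcat_text):
    """Return (tag, category, matched_text) for each sensitive value logged."""
    findings = []
    for line in logcat_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for category, pat in PATTERNS.items():
            m = pat.search(rec["msg"])
            if m:
                findings.append((rec["tag"].strip(), category, m.group(0)))
    return findings


def redact(msg):
    """Mask sensitive substrings so the message is safe to log."""
    for pat in PATTERNS.values():
        msg = pat.sub("[REDACTED]", msg)
    return msg


if __name__ == "__main__":
    for tag, category, value in find_leaks(SAMPLE_LOGCAT):
        print(f"{tag}: leaks {category}: {value}")
```

Running it reports the three constructed leaks (location, e-mail, account number) by tag, and `redact()` shows the form of the message that the app should have logged instead.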

In its analysis of free apps on the Android and iPhone marketplaces, Lookout found that fewer Android apps than iPhone apps are able to access a person's contact list or retrieve location information; nearly twice as many iPhone apps can access contact data compared with Android apps.

Meanwhile, many apps contain third-party code that can interact with sensitive data in ways that mobile phone users and developers may not understand. This can happen when a developer cuts and pastes code designed for advertising or analytics, a situation found in 47 percent of free Android apps and only 23 percent of iPhone apps, Mahaffey said.

He could not say which of the two platforms--the "curated" iPhone model or the open Android model--had fewer malicious apps or was more secure.

"There is a big gray area," he said. "A number of apps that are leaking personal information onto some server may not be malicious but they certainly have an impact on your privacy."