Sunday 1 August 2010

ispyPhone ... Is your smartphone watching you? Graphic: Liam Phillips

Australian security experts, consumer advocates and privacy campaigners have sounded the alarm over the hundreds of thousands of free smartphone applications that spy on their users.

Lookout (https://www.mylookout.com/), a smartphone security firm based in San Francisco, scanned nearly 300,000 free applications for Apple's iPhone and phones built around Google's Android software. It found that many of them secretly pull sensitive data off users' phones and ship it off to third parties without notification.

http://blog.mylookout.com/

That's a major concern that has been bubbling up in privacy and security circles.

Apple fans display the iPhone 4 in June, 2010 in New York. Photo: AFP

The data can include full details about users' contacts, their pictures, text messages and internet and search histories. The third parties can include advertisers and companies that analyse data on users.

The information is used by companies to target ads and learn more about their users. The danger, though, is that the data can become vulnerable to hacking and be used in identity theft if the third party isn't careful about securing the information.

Lookout found that nearly a quarter of the iPhone apps and almost half the Android apps contained software code with those capabilities.

The code had been written by the third parties and inserted into the applications by the developers, usually for a specific purpose, such as allowing the applications to run ads. But the code winds up forcing the application to collect more data on users than even the developers may realise, Lookout executives said.

"We found that, not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating," said John Hering, chief executive of Lookout.

Part of the problem is that smartphones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations.

And, while Android phones offer robust warnings when applications are first installed, many people breeze through the warnings for the gratification of using the apps quickly.

Australian online users' lobby group Electronic Frontiers Australia spokesman Colin Jacobs said the issue of applications spying on their users "was something that everybody needs to be aware of".

Jacobs said that many did not think of their phone as a computer.

"Mobiles contain as much personal information as people’s everyday computers do," he said.

"Ironically, Apple's model of a very locked down app store which has caused a lot of controversy may provide more protection to users because each application is so carefully reviewed, but it has its downsides as well."

Intelligent Business Research Services analyst Joe Sweeney said that many users had installed firewalls on their PCs, but weren't doing so on their mobiles.

In many cases this is because they can't. Apple, for example, doesn't offer a firewall product on its iPhone.

"If the numbers in this report are correct, then obviously this is an issue," Sweeney said.

"We may need to see firewall-type software on phones."

However, he said that education of users had to come first.

"There are other ways of addressing this issue that don't require a firewall."

Sweeney said network providers, such as Telstra and Optus, could help out. Apple could as well, he said.

Choice spokesman Christopher Zinn questioned whether some of the apps using the code broke Australian privacy laws.

"One would ask whether it is a possible breach of some of our privacy laws," Zinn said.

He said that, although Apple and some of the apps might stipulate in their contracts that they collect data and send it to third parties, "How many of us actually read the contracts and the small print that come with them?

"We know that people don't read them. You just press OK," he said.

"We know that, especially with Apple contracts - they're so long - nobody reads them; you probably need a law degree to understand them."

Zinn said that if something as significant as some of the data that was revealed in the report was being sent to a third party, it "shouldn’t be in small print".

It should be something that a user has to consent to and be in "big print", Zinn said.

Apple and Google did not respond to requests from the Associated Press for comment on Lookout's research.

- with AP

July 1, 2010 4:00 AM PDT

Experts: Android, iPhone security different but matched

http://news.cnet.com/8301-27080_3-20009362-245.html

GADGETS & GAMES JULY 27, 2010 http://online.wsj.com/article/SB10001424052748703700904575391273536355324.html?KEYWORDS=SPENCER+E+ANTE

Citi Discloses Security Flaw in Its iPhone App

Citigroup Inc. said its free U.S. mobile-banking application for Apple Inc.'s iPhone contained a security flaw and advised its customers to upgrade to a newer version that corrects the problem.

In an incident that highlights the growing security challenges around wireless apps, Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones. The information may also have been saved to a user's computer if it had been synched with an iPhone.

The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn't believe any personal data was exposed by the flaw.

"We have no reason to believe that our customers' personal information has been accessed or used inappropriately by anyone," Citi said. Apple acknowledged the issue and encouraged users to download the updated app.

Mobile banking is a popular and fast-growing activity on smartphones, as cellphones become more sophisticated and consumers use them to organize their lives. The Citi Mobile app, currently the 11th most-popular offering in the finance category of Apple's App Store, allows customers to check balances, transfer funds and pay bills.

An estimated 18 million adults, or 7% of the adult population, are "active users" of mobile banking, meaning they use it at least once every three months—a small but growing fraction of the 196 million adults, or 84% of the population, who use any kind of banking services, said Red Gillen, a mobile-banking analyst at Celent, a financial-services research firm.

Citibank, with an estimated 800,000 mobile customers, ranks No. 5 in mobile banking, Celent said, behind Bank of America Corp. at No. 1 with an estimated 5 million users. In between are J.P. Morgan Chase & Co. at No. 2 with 2 million, United Services Automobile Association at No. 3 with 1.5 million, and Wells Fargo & Co. with 1.4 million, according to Celent estimates.

Citigroup advised customers to upgrade to a new mobile-banking app for the iPhone to fix a security problem.

Experts worry that security isn't keeping up with the app boom. Among their concerns is the prospect of "leakage" any time a wireless app logs confidential data. The risk of flaws like Citi's, says John Hering, CEO of mobile security provider Lookout, is that a hacker could devise a malicious app to retrieve sensitive information stored on an iPhone.

Citi said its mobile-banking app is the only application authorized to access the hidden data. The upgraded application, released July 19, doesn't store the information and deletes any account data that may have been saved to a user's iPhone or computer.

Citi said the problem was discovered in a routine security review. The bank told customers of the problem in a letter dated July 20. Other Citi mobile apps such as the app for credit-card customers weren't affected, Citi said in a statement.

Citi developed the application with mobile financial-services provider mFoundry. Drew Sievers, CEO of mFoundry, a private company based in Larkspur, Calif., said his company custom-wrote the mobile-banking part of the application and handed it over to Citibank, which then combined it with custom code of its own.

Citi is responsible for distributing and managing the app, Mr. Sievers said. MFoundry, which provides mobile-banking software to 150 banks and credit unions besides Citi, said none of its other customers were affected by the problem.

Citi said it performed security tests before and after releasing the application, but failed to detect the problem. The bank said it is looking into why it didn't find the vulnerability earlier.

Mr. Hering, the CEO of Lookout, said his company is discovering more apps that could inadvertently expose or leak personal data, such as location information and phone numbers. "Most consumers and app developers don't know what is happening in their apps, because it is moving so fast," Mr. Hering said. "Apps are proliferating so quickly. We will see more and more of this."

—Ben Worthen and Randall Smith contributed to this article.

Lookout Identifies Which iPhone And Android Apps Want Your Sensitive Data
by Leena Rao on Jul 27, 2010
http://techcrunch.com/2010/07/27/lookout-app-genome-project/
Lookout, a company that offers security data backup services for smartphones, is announcing the results of its App Genome Project, a continued effort to map and study mobile applications to identify security threats in the wild, and determine how apps are using users’ personal data.

The App Genome Project has already scanned nearly 300,000 free applications, and fully mapped nearly 100,000 applications available in both Android Market and the App Store.

Early findings show differences in the sensitive data that is typically accessed by Android and iPhone applications and a proliferation of third party code in applications across both platforms.

For example, results found that Android applications are generally less likely than iPhone apps to be capable of accessing a person’s contact list or retrieving their location, with 29% of free applications for Android having the ability to access a user’s location, compared to 33% of free applications on iPhone. Of course, this isn’t a huge difference, but again, this is early data.

Additionally, Lookout says that nearly twice as many free applications have the capability to access people’s contact data on iPhone (14%) as compared to Android (8%). The App Genome Project also found that a large proportion of applications contain third-party code, which is used generally for advertising or analytics. The project found that 47% of free Android apps included third-party code, while that number is just 23% on iPhone.

Lookout’s web-based, cloud-connected application identifies and blocks threats on a consumer’s phone. Users simply download the software to a device, and it will act as a virus protector much like security software downloaded to a computer. Lookout, which just raised $11 million from Accel, Khosla and others, says the growth in smartphone adoption, mobile app downloads and increased consumer awareness of mobile security threats have helped make the offering a popular and necessary option for users.

For now Lookout, which is on more than 400 mobile networks in 170 countries and recently topped one million users, is only available for BlackBerry, Android and Windows Mobile devices. Lookout has over 80% of its users on Android and BlackBerry with the remaining users on Windows Mobile. And 70% of users are in the US.

https://www.mylookout.com/features

Who is Lookout?

Lookout is a mobile security company dedicated to making the mobile experience safe for everyone. Today, with users across 400 mobile networks in 170 countries, Lookout is a world leader in smartphone protection.

The Lookout Story

Lookout (formerly Flexilis) was founded in 2007 by John Hering, James Burgess and Kevin Mahaffey, three mobile security researchers who met at the University of Southern California. The trio's early security research led them to conclude that threats to mobile users are growing rapidly and that, in order to protect users, a new approach to security would be required. Intent on raising awareness, the team attracted national attention when they demonstrated how easy it would be to expose private data on the cell phones of celebrities at the 2005 Academy Awards. Based on their research, the three founders formed a new kind of company focused on smartphone protection.

The Evolving Mobile Threat

Your smartphone is a vital part of your daily life — at work, at play, wherever you go. You rely on it for so much — email, texting, social networking, cool apps, banking, shopping and much more. Your phone holds a lot of personal information, connects to various mobile networks and can even do financial transactions. As the use of your phone increases, so does your vulnerability. That's why it's important to protect your phone from threats of any kind, including mobile viruses, Trojans, worms, attempts to steal your private data and the loss or theft of the phone itself. Every month, Lookout blocks thousands of malicious applications, finds countless lost phones and restores important information that our users thought they'd never see again.

Protecting Your Mobile Experience

Lookout gives you peace of mind. So you never have to worry when you download an application that it will infect your phone with malware, crash the OS or drain the battery. If you lose your phone you can find it quickly and easily, no matter where it is. And it's good to know that the most important data on your phone is securely backed up and easily accessible.

Lookout products are uniquely designed from the ground up to provide advanced protection for smartphones while allowing them to remain lightweight and efficient. Our cross-platform, cloud-connected applications immediately identify and block threats before they can compromise your phone. Lookout products are available on the Android, Windows Mobile and BlackBerry platforms.

Protect your phone.

The mobile device has become the most personal computer. Over one billion mobile devices will ship this year alone, five times as many as PCs. Mobile devices contain personal information, access sensitive networks, and are now utilized for financial transactions. Mobile applications and full featured web browsing are commonplace, driving more advanced mobile technology, and now more advanced threats. Lookout keeps your device and data safe and secure from the threats facing mobile devices in a constantly evolving mobile world.

Mobile security made simple

Lookout combines enterprise grade security with end user simplicity, protecting your device and data from a variety of threats facing mobile devices including: loss, theft, viruses, malware, and hackers.

Anti-Virus + Firewall/IPS

Stop viruses and hackers.

Data Backup

Backup and restore your data.

Missing Device

Remote locate and wipe.

Management

Complete control, over the air.

Cross platform and over the air

Lookout is designed to be cross platform—the core architecture enables the software to run seamlessly on major mobile operating systems and is unified by a centralized server application which enables over the air management and control with the click of a mouse. Whether you are a mobile professional with multiple phones, a family of five, a small business, or enterprise with thousands of heterogeneous devices, Lookout enables you to secure and manage your mobile devices with ease.