Secretly behind the scenes, data from mobile devices has become a goldmine. Google is investigating allegations from mobile security data company Lookout that dozens of Android applications, together adding up to millions of downloads, scrape personal information such as voicemail phone numbers, the handset's phone number, the subscriber identification code, and the SIM card's serial number.
Lookout scanned nearly 300,000 free applications for Apple's iPhone and phones built around Google's Android software. The project, whose goal is to make people aware of what's actually happening in the background as the applications do their thing on the phone, found that many secretly pull sensitive data off users' handsets and ship it off to third parties without notification. The company released the findings from the App Genome Project at the Black Hat USA 2010 conference in Las Vegas.
Aside from iPhone and Android, mobile applications on all platforms, including BlackBerry and Symbian, can potentially gather sensitive data. Up to four million consumers of Android phones have downloaded wallpaper apps that take personal data from the phone and transmit it to a Chinese-owned server. A pair of developers created more than 80 wallpaper apps, including "callmejack" and "IceskYsl@1sters!", that have accessed personal data. One application sent data to a Web site in Shenzhen, China.
Although not part of the research, the findings demonstrate the possibility of targeting and serving up ads by analyzing millions of bits and bytes of information from data collected on handsets. Advertisers and marketers must become aware of what happens in applications, according to John Hering, founder and chief executive officer at Lookout. "Not all apps are malicious," he says.
Hering points to Google as creating "great" functionality that allows users to understand the permission behind the app before they download it -- and developers should take a cue from AdMob, which has done a good job of protecting user privacy.
Lookout also examined Apple apps. Hering says Apple doesn't notify you about what's happening in your application aside from location and push notification, so Apple makes a decision for you on your behalf that the application is safe. "We do see instances of third-party code being used -- typically advertising or analytics SDKs in iPhone, but much more in Android," he says. "Being able to serve more targeted advertising is a good thing for advertisers and consumers. Advertisers, just like developers, need to take security into consideration."
Hering says the findings should help the advertising industry drive questions that provide solutions around privacy issues, and that every company and developer should do their part to keep users' data private and secure. At the end of the day, developers build technology for consumers and it's important to keep them safe, he says. Expect to see more companies collect mobile data.