Are your smartphone apps selling you out?

Just because you're paranoid doesn't mean your mobile apps aren't out to get you

The president of the US says he's not "allowed" to own an iPhone, which is why he's sticking with his BlackBerry, according to The Wall Street Journal.

It's a politically sensitive subject because the iPhone is the big American brand, and the president is a self-proclaimed fan of the late Apple founder and CEO Steve Jobs. He'd love to pander to buy-America voters. (Obama is also probably not "allowed" to have an Android phone.)

Of course, neither the president nor the Secret Service is willing to say exactly how security could be compromised with an iPhone. But one security risk is the unpredictable nature of both iPhone and Android apps.

Sure, there's a lot of flat-out malware flying around online, most of which looks like regular, legitimate apps but in fact either is malware or compromises privacy or security in some way.

Users are wary of certain types of apps and may take precautions before downloading them. But other apps don't seem to have anything to do with user data, so they seem safe.

The Federal Trade Commission announced this week that it reached a settlement with Goldenshores Technologies, which makes a free Android app called "Brightest Flashlight." The FTC said the app harvested data on users' locations and device IDs and sold it to advertisers without telling the users, and even when users rejected the app's terms of service. The settlement forced the company to improve its privacy policy, user communication and data handling.

The FTC said the app had been installed on "tens of millions" of phones.

The whole "Brightest Flashlight" fiasco shines light on an uncomfortable set of facts about smartphone apps. For starters, some apps that have no apparent need to harvest personal data or compromise privacy or security go ahead and do so anyway.

But even those that don't move user data can leave users vulnerable through sheer incompetence.

Silicon Valley computing giant Hewlett-Packard recently conducted a study about the security of business apps for the iPhone and concluded that many of them give themselves permission to access phone features and user data that make no sense, given the stated purposes of the apps.

HP found that more than 90% of the business apps it studied had privacy or security flaws.

Many of the flaws involved unencrypted data or insecure protocols. Some 20% of the apps sent user data over unprotected HTTP. A similar percentage sent it over HTTPS, but didn't implement it correctly. And HP found other problems where an app could compromise user security and privacy not through malice, but through incompetence.
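To make the two HP findings concrete, here is an added example (not from the article or from HP's study) of what "sent over HTTPS but didn't do it right" usually means in client code: the connection is encrypted, but the client accepts any certificate and never checks the hostname, so anyone on the network path can stand in for the server. The endpoint list and hostnames are constructed for the example; the audit function flags plain-HTTP endpoints and TLS client settings that skip verification, and the weak context is shown beside the corrected one.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample of the endpoints a hypothetical app talks to.
SAMPLE_ENDPOINTS = [
    "http://api.example.test/v1/profile",        # user data travels in the clear
    "https://api.example.test/v1/login",
    "https://cdn.example.test/assets/logo.png",
]


def cleartext_endpoints(urls):
    """Return the URLs whose traffic would go over unprotected HTTP."""
    return [u for u in urls if urlsplit(u).scheme.lower() == "http"]


def audit_tls_context(ctx):
    """Return a list of findings for an ssl.SSLContext used by an HTTPS client.

    An empty list means the client verifies the server's certificate chain,
    checks that the certificate matches the hostname, and refuses TLS < 1.2.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are accepted")
    return findings


def weak_context():
    """The 'HTTPS, but done wrong' pattern: encrypted, yet any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be off before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accept self-signed and impostor certificates alike
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Doing it right: verify against the system trust store, check the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("cleartext endpoints:", cleartext_endpoints(SAMPLE_ENDPOINTS))
    print("weak client findings:", audit_tls_context(weak_context()))
    print("hardened client findings:", audit_tls_context(hardened_context()))
```

The same three checks apply to any platform's HTTP stack: a client that disables chain verification or hostname matching to "make the certificate error go away" has turned HTTPS into encryption with no authentication, which is the flaw class HP describes.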

HP isn't the only organization looking at app security and finding a gigantic problem.

A new report from Trend Micro found that there are now 1 million "malware and high-risk apps" in the wild.

"High-risk apps" are defined in the report as those that "aggressively serve ads that lead to dubious sites," and represent one quarter of the total.

An information security company called Trustwave said this month that file-sharing apps for iPhones and iPads can compromise user security -- even simple picture-sharing apps or apps that enable users to exchange documents.

The problem is that some of these apps open up an insecure file server on the device, which theoretically makes the shared files vulnerable to copying or could enable malicious crackers to upload files of their own. Some apps don't even require user authentication. The problems tend to be worse when apps run on older versions of iOS.
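As an added illustration of the two defects Trustwave describes (no authentication, and accepting uploads), here is a minimal on-device sharing server written the other way round: every request must carry a pairing secret the user reads off the device screen, only the files the user explicitly chose to share are served, and uploads are refused outright. This is example code, not any app's or Trustwave's; the shared file, its bytes and the pairing secret are constructed, and the server binds to the loopback address on an ephemeral port.

```python
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the files the user chose to share, and a pairing secret
# displayed on the device that the receiving client must present on every request.
SHARED_FILES = {"/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes"}
PAIRING_SECRET = "constructed-secret-4821"


def authorized(auth_header):
    """Constant-time check of an 'Authorization: Bearer <secret>' header."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], PAIRING_SECRET)


class ShareHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the example quiet
        pass

    def do_GET(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.end_headers()
            return
        body = SHARED_FILES.get(self.path)   # only explicitly shared files exist
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Read-only share: nobody pushes files onto the device, authenticated or not.
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.end_headers()

    do_POST = do_PUT


def start_share():
    """Start the share on 127.0.0.1 on an ephemeral port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), ShareHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, path, method="GET", token=None):
    """Issue one request against the share and return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    status = resp.status
    resp.read()
    conn.close()
    return status


if __name__ == "__main__":
    srv = start_share()
    port = srv.server_address[1]
    print("no token   ->", fetch(port, "/holiday.jpg"))                       # 401
    print("with token ->", fetch(port, "/holiday.jpg", token=PAIRING_SECRET)) # 200
    print("upload     ->", fetch(port, "/x.bin", "PUT", PAIRING_SECRET))       # 405
    srv.shutdown()
```

The per-session secret is what separates "anyone on the same Wi-Fi can browse the phone" from "only the person I handed the code to can", and rejecting PUT/POST removes the upload problem entirely rather than trying to police what is uploaded.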

Some of these reports come from companies that sell solutions to the smartphone apps' security and privacy problems, so their conclusions should be taken in that context. However, it's clear that the problem is real and widespread.

So what can users do about it? Do you have to become a security expert just to keep your personal data private?

The unfortunate answer is: Yes, kind of.

Education is the best defense. Certain types of smartphone security products, such as iPhone fingerprint readers or Android anti-malware apps, protect against some risks but not against most of the problems associated with apps.

In general, we all need to be more selective about the apps we download and not assume that an app is OK just because it's highly rated or popular.

We also need to think about which data we want to keep private, and which data we don't. For example, if you're concerned about protecting your location data, there are a set of steps you can take to reduce the risk of that information getting out.

If, on the other hand, you carry financial data around on your phone, well, there's an entirely different set of actions you need to take.

The take-away here for all users is that the Apple App Store and the Google Play Store and the other Android stores are jam-packed with apps that can compromise your security and privacy without you ever knowing anything bad happened.

So be careful about what you download, don't be lulled by security features that can't protect you against bad apps, and take deliberate action to protect the private information you most want to safeguard.

This article, Are your smartphone apps selling you out?, was originally published at

Mike Elgan writes about technology and tech culture. Contact and learn more about Mike at You can also see more articles by Mike Elgan on

Read more about mobile apps in Computerworld's Mobile Apps Topic Center.
