Smart Phone Privacy?

The media is in a minor uproar over (the lack of) phone privacy:

http://www.zdnet.com/blog/google/apps-on-your-phone-putting-your-privacy-at-risk/2332?tag=nl.e550

The essence of the story is that (1) you don't really know or control what all those applications you are loading onto your "smart" phone really do, and (2) they do far more spying on your phone data than you realize.

If you think such hidden spyware in phone apps is uncommon, let me tell you about a presentation at last week's Black Hat conference in Las Vegas. Kevin Mahaffey and John Hering reported in their session "Application Attack: Surviving Explosive Growth in Phone Applications" on an automated methodology called "Genome" in which they have downloaded and analyzed just about all the world's free applications for both the iPhone and Android phones.

Among their many interesting results, they found an abundance of "wallpaper" applications, all from the same author, that sent back to a server in China your phone's sim serial #, your subscriber ID, your phone line # and your voice mail #. Whoops, so much for phone privacy and application security. This news is now getting general media coverage:

http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app.

These researchers also found that while it appeared that about 30% of smart phone applications "steal" your phone location information, in fact the bulk of that usage is by 3rd party adware software in those applications, which want to vend to you location targeted ads. So it's not necessarily as nefarious as it may seem, though just as with Google mail giving you targeted ads based on the content of your email, all kinds of interesting questions of appropriate bounds of privacy arise.

Before we run, scream and shout about the lack of smart phone privacy, let's acknowledge that there is nothing new here under the sun. The exact same issue presents itself on our PC's. We can and do download all kinds of apps, and they can (and do) gather and lift info.

One critical difference is that on our PC's, we don't have the same privilege management systems that at least give us the chance to know of and approve of the rights the app is requesting. So one could argue Android is superior to PC's in this regard. And on the iPhone, there is at least a minimal amount of vetting, again, an improvement vs. the PC.

A key difference here is that people have more sense of "privacy" related to a phone than to a PC. We've been inured to PC virus issues so we just assume that nothing's really safe or personal on a PC. Phone calls and phone specifics are viewed as private, so all the PC issues coming to roost on smart phones creates a media uproar.

What we need to understand and accept is that the "smart phone" device you have in your pocket (or are reading this blog post with) is not a phone! It's an extraordinarily powerful internet connected computer, with all the security issues such computers come with. All of them.

Downloading an application to a computer is a fundamentally dangerous proposition, just as wheeling in a large wooden horse into their city was a bit risky for the Greeks. The situation is worsened by the fact that the application arena for smart phones is a cottage industry. We are comfortable and reasonably safe when we load a PC application from a known business entity; when we load a wallpaper application written by "jackeey wallpaper", do we have any idea what we are really getting? Clearly not.

There is a business opportunity here, and that is to provide a technology/service that vets phone applications through internal code analysis (just as the Greeks should have first taken a look inside that wooden horse!). A "Good Housekeeping Seal of Approval", perhaps structured as a separate app store front or just as an informational service.

There is a corollary problem of how do I, as a "good guy" or "good company" publishing application software, protect my application from being trojanized and republished? If you've read any of my earlier blogs you'll find plenty of material on how to effectively deal with that.

So the next time you are about to casually download that nifty new game or whizzy app that makes your phone sing and dance...think about how much you really know about the software you will be unleashing on your "private" hand held computer, and the range of possible objectives of the person who wrote and published that software.

And beware Trojan's bearing application gifts.