ispyPhone ... Is your smartphone watching you? Graphic: Liam Phillips
Australian security experts, consumer advocates and privacy campaigners have sounded the alarm over the hundreds of thousands of free smartphone applications that spy on their users.
Lookout, a smartphone security firm based in San Francisco, scanned nearly 300,000 free applications for Apple's iPhone and phones built around Google's Android software. It found that many of them secretly pull sensitive data off users' phones and ship them off to third parties without notification.
That's a major concern that has been bubbling up in privacy and security circles.
The data can include full details about users' contacts, their pictures, text messages and internet and search histories. The third parties can include advertisers and companies that analyse data on users.
The information is used by companies to target ads and learn more about their users. The danger, though, is that the data can become vulnerable to hacking and used in identity theft if the third party isn't careful about securing the information.
Lookout found that nearly a quarter of the iPhone apps and almost half the Android apps contained software code that contained those capabilities.
The code had been written by the third parties and inserted into the applications by the developers, usually for a specific purpose, such as allowing the applications to run ads. But the code winds up forcing the application to collect more data on users than even the developers may realise, Lookout executives said.
"We found that, not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating," said John Hering, chief executive of Lookout.
Part of the problem is that smartphones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations.
And, while Android phones offer robust warnings when applications are first installed, many people breeze through the warnings for the gratification of using the apps quickly.
Australian online users' lobby group Electronic Frontiers Australia spokesman Colin Jacobs said the issue of applications spying on their users "was something that everybody needs to be aware of".
Jacobs said that many did not think of their phone as a computer.
"Mobiles contain as much personal information as people’s everyday computers do," he said.
"Ironically, Apple's model of a very locked down app store which has caused a lot of controversy may provide more protection to users because each application is so carefully reviewed, but it has its downsides as well."
Intelligent Business Research Services analyst Joe Sweeney said that many users had installed firewalls on their PCs, but weren't doing so on their mobiles.
In many cases this is because they can't. Apple, for example, doesn't offer a firewall product on its iPhone.
"If the numbers in this report are correct, then obviously this is an issue," Sweeney said.
"We may need to see firewall-type software on phones."
However, he said that education of users had to come first.
"There are other ways of addressing this issue that doesn't require a firewall."
Sweeney said network providers, such as Telstra and Optus, could help out. Apple could as well, he said.
Choice spokesman Christopher Zinn questioned whether some of the apps using the code broke Australian privacy laws.
"One would ask whether it is a possible breach of some of our privacy laws," Zinn said.
He said that, although Apple and some of the apps might stipulate in their contracts that they collect data and send it to third parties, "How many of us actually read the contracts and the small print that come with them?
"We know that people don't read them. You just press OK," he said.
"We know that, especially with Apple contracts - they're so long - nobody reads them; you probably need a law degree to understand them."
Zinn said that if something as significant as some of the data that was revealed in the report was being sent to a third party, it "shouldn’t be in small print".
It should be something that a user has to consent to and be in "big print", Zinn said.
Apple and Google did not respond to requests from the Associated Press for comment on Lookout's research.
Click here to view articles source