The App Genome Project
Lookout unveiled the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.
Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms. Stats include:
- 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
- Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
- 47% of free Android apps include third party code, while that number is 23% on iPhone*
* Examples of third party code includes code that enables mobile ads to be served and analytic tracking for developers.
New Security Vulnerabilities
Lookout will also be announcing new security vulnerabilities including Mobile Data Leakage, which occurs when developers inadvertently expose sensitive data in application logs in a way that makes it accessible to malicious applications. In one instance of this vulnerability, Android was releasing user location data into logs in a way that made it accessible to other applications. That vulnerability has been addressed by Google and is fixed in all versions of Android, v.2.2 and beyond. This vulnerability and others point to the need for developers to be more aware of best practices for accessing, transmitting and storing users’ personal data. In addition, consumers need to be aware of the permissions that mobile applications request and how that personal data is being used in the application.