Here’s an interesting story that has recently emerged. It’s great to see some useful research into privacy issues and mobile phone applications. By “tainting” private data researchers were able to see exactly what happened to data once it left the confines of a user’s mobile phone. Unsurprisingly two thirds of the applications studied used private data suspiciously—be it the SIM card serial number, phone number or device ID.
When users install these apps they are informed that their personal information may be accessed, but I wonder how many realise the wealth of information an application can get hold off? Due to the personal nature of mobile phones, which most of us carry all day and every day, unscrupulous applications are capable of getting to some of our most private data. This data is far richer than most as it contains important contextual data such as user location, a real valuable commodity to advertisers wanting to target their wares.
My real concern is for the bad guys. The blanket permissions a user gives on installing an app can give carte blanche to malware and spyware providers to collect as much private data as they want, under the protective nicety of a simplistic warning from the operating system.
The obvious advice would be to warn users to be very careful which applications they download, but we can’t expect users to reverse engineer each application looking for security and privacy issues before they download it. A better solution would be for app store providers to “rinse” each application through an automatic code security test (such as the one provided by the folks at Veracode) to seek out problems before the software is published, thereby giving users a better degree of reassurance that apps they download are safer.
At least then we could believe an app store provider when they say they are trying to protect users.