Dec 18, 2013

So much for app security!

I've always been extremely wary of smartphone apps, regarding all of  them, without exception, as potential threats to security and privacy.  Far too many of them ask for permission to access and/or modify your location information, device settings, etc., when all you want them to do is one or two simple tasks.  I routinely reject upgrades when I discover them asking for more rights than the app already has, and I'm in the process of deleting most of the pre-loaded apps that came with my phone (a Samsung Galaxy Note II Android phablet).

My suspicions have been confirmed by two recent articles in the Telegraph.  In the first, published last week, we learn that "Four in five top Android and iOS apps 'have been hacked'."

78 percent of the top 100 paid Android and iOS apps have been hacked, with 100 per cent of the top paid Android apps and 56 per cent of the top 100 paid iOS apps found to be compromised.

. . .

Hackers also continue to target free apps, with 73 per cent of free Android apps and 53 per cent of free iOS apps found to be hacked in 2013.

. . .

The widespread use of 'cracked' apps represents a real danger for both individuals and companies, given the explosion of smartphone and tablet use in the workplace and home, according to Arxan.

Cracked mobile apps create the potential for massive revenue loss, unauthorised access to critical data, intellectual property theft, fraud, altered user experience and brand damage.

. . .

Mobile financial apps were found to be particularly at risk, because users trust them with essential data such as bank account numbers and passwords. Arxan discovered that 53 percent of the Android financial apps it reviewed had been cracked while 23 percent of the iOS financial apps were hacked variants.

There's more at the link.

To add to my discomfort, today another article claimed that an Android botnet is secretly forwarding SMS to China and North Korea.

The software, which is being called MisoSMS, infects Android devices by pretending to be a settings app called “Google Vx”. Once it is in place it then asks for administrative rights and, if granted, steals the contents of SMS and sends them to a third party.

In a post on its blog, security firm FireEye ... claims that many of the email addresses which receive the SMS are being accessed from mainland China and Korea. The company has worked with law enforcement agencies to get the email accounts shut down and says there is no evidence yet of new accounts springing up in their place.

Again, more at the link.

Oddly, if one looks for so-called 'app killer' or 'task killer' software, one often encounters advice not to use it.  I presume that on the surface, this is because one might shut down an app that's important to the functioning of one's smartphone:  but I can't help wondering whether such messages aren't also propagated by app developers, who want to continue harvesting information from users without interruption.  Personally, I'm going to be killing and deleting every app I don't use on a regular basis - and even the latter will be scanned with a jaundiced eye if they ask for permissions they don't need.  For example, why would a book-reading app want the right to send back to its servers information about my physical location?  It's none of the app's business!

Would any computer security experts among my readers like to comment on the advisability (or otherwise) of shutting down and deleting any app one isn't using regularly, or that appears overly intrusive in asking for access to information?  Also, why (do you think) doesn't Google give Android users the right to refuse specific permissions to an app, rather than have to accept or reject all its requests in one fell swoop?  The former seems like a worthwhile security upgrade to me.

Peter