Mobile operating system wars: Android vs. iOS
by Catalin Cosoi - Chief Security Strategist, Bitdefender - Tuesday, 16 July 2013.
About 14.58% of the Android applications may leak your Device ID and 5.73% of the total number of apps may leak your e-mail. Again, iOS applications appear to be more focused on harvesting private data than those designed for Android. Following the security incidents in 2012, when the Blue Toad advertising agency leaked one million UDIDs, Apple decided to deprecate the UDID API.

Android applications that leak the e-mail address:
  • Logo Quiz Car Choices (v. 1.8.2.9) – car.logo.quiz.game.free – between 100,000 and 500,000 installations
  • Blowing sexy girl’s skirt (v. 1.6.0) – yong.app.blowskirt – between 100,000 and 500,000 installations.
Some Android applications that leak the device ID:
  • Football Games - Soccer Juggle (v. 1.4.2) – com.madelephantstudios.BallTapp – between 100,000 and 500,000 installations
  • Logo Quiz NFL NHL MLB NBA MLS (v. 1.0.2.8) – com.fesdra.logoquiz.ussport – between 100,000 and 500,000 installations.
iOS applications that leak the device ID:
  • Ringtone Maker (v. 1.7) – sends device id to "adfonic.net"
  • Paradise Island: Exotic (v. 1.3.14) - sends device id to third-party websites (to "offer.17bullets.com", "islandexotic.17bullets.com", "ma.mkhoj.com", "1.trace.multiclick.ru", "a.jumptap.com", "soma.smaato.com").
4. Leaks your phone number

Phone numbers are the link between a user’s physical identity and virtual persona. They allow an aggregating party to correlate information about the user’s behavior in applications (what content they are interested in, what applications they have installed and so on) and possibly link this information to an existing person, represented by a name and surname. 8.82% of the applications analyzed by Clueful for Android might leak the device’s phone number to third-party advertisers. Applications integrating the AirPush and (in some circumstances) LeadBolt frameworks allow the developer to collect, encrypt and send the device’s phone number. In some countries, carriers block this behavior to safeguard the user’s data.

Android applications that try to leak phone numbers:
  • Football Games - Soccer Juggle (v. 1.4.2) – com.madelephantstudios.BallTapp – between 100,000 and 500,000 installations
  • Button Football (Soccer) (v. 1.10.3) – com.sicecommentr.buttonfootball – between 1,000,000 and 5,000,000 installations.
One major difference in Android is that it lets consumers choose where they install their applications from. Not only can users install applications from third-party markets, but they can also download APK files directly from the developer’s website, which means those applications never pass through the security mechanism Google implements in the Play Store (Google Bouncer). In the absence of supervision from Google, these applications could collect much more data than they actually need to function properly.

While accessing location services can be used legitimately by applications, sending location information over the web is not necessary for some apps and may pose risks for users in case of a data breach at the company harvesting the information. This is a typical case of grey-area use, when something obviously unnecessary for the application’s functionality gets retrieved just to complement the amount of user data already aggregated.

About 10% of the analyzed Android applications may be doing this with or without the user’s prior knowledge, depending on the way the advertising SDK is configured and the way it is set up at the initial boot. Other applications that send location information also leak the phone number and the user’s e-mail address to ad vendors.

While tracking location, reading contacts or interacting with social media sites can be part of functionality, significant threats come from improper implementations of technologies, such as protocols for sending data from the user’s device to the cloud. For instance, leaking unencrypted device IDs or sending plain-text passwords during the authentication process is highly dangerous for a mobile device that is often connected to public, potentially monitored Wi-Fi access points.
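As an added illustration (not code from the report or from Bitdefender's Clueful), this is the kind of check a dynamic-analysis harness can run to produce the findings listed above: given the test device's own identifiers and a request log, flag every request field that carries one of them, whether it went to a host outside the app's own backend, and whether it travelled over plain HTTP. All packages, hosts and identifier values are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qsl

# Identifiers of the constructed test device; the harness knows these
# and looks for them in outbound traffic.
DEVICE_PROFILE = {
    "device_id": "359881234567890",   # constructed IMEI-style value
    "email": "tester@example.com",
    "phone": "+40712345678",
}

# Constructed traffic log, one request per line: "<package> <METHOD> <url> [body]".
SAMPLE_LOG = """\
com.example.quiz GET http://ads.adnet.example/track?udid=359881234567890&v=1.8
com.example.quiz POST https://api.quiz.example/score email=tester%40example.com&score=12
com.example.ball GET https://ads.other.example/i?phone=%2B40712345678&id=359881234567890
com.example.ball GET https://api.ball.example/levels
"""

# Hosts each app legitimately talks to (constructed); anything else is third party.
FIRST_PARTY = {
    "com.example.quiz": {"api.quiz.example"},
    "com.example.ball": {"api.ball.example"},
}

@dataclass(frozen=True)
class Leak:
    package: str
    host: str
    field: str        # query/body parameter that carried the value
    kind: str         # which profile identifier was seen
    plaintext: bool   # sent over http rather than https
    third_party: bool # host not in the app's first-party set

def find_leaks(log, profile=DEVICE_PROFILE, first_party=FIRST_PARTY):
    """Return one Leak per request parameter whose value equals a device identifier."""
    leaks = []
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        package, url = parts[0], parts[2]
        body = parts[3] if len(parts) == 4 else ""
        parsed = urlparse(url)
        pairs = parse_qsl(parsed.query, keep_blank_values=True)
        pairs += parse_qsl(body, keep_blank_values=True)   # parse_qsl URL-decodes %40 and %2B
        for field, value in pairs:
            for kind, secret in profile.items():
                if value == secret:
                    leaks.append(Leak(package, parsed.hostname, field, kind,
                                      parsed.scheme == "http",
                                      parsed.hostname not in first_party.get(package, set())))
    return leaks

def summarize(leaks):
    """Per-app set of identifier kinds sent to third parties, as the report tabulates them."""
    out = {}
    for leak in leaks:
        if leak.third_party:
            out.setdefault(leak.package, set()).add(leak.kind)
    return out
```

Matching on exact values catches the raw identifier only; an SDK that hashes or encrypts the value before sending it (as the AirPush/LeadBolt behaviour described above does) needs the harness to also hook the SDK's API calls on the device.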

Copyright 1998-2014 by Help Net Security.