July 29, 2010

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010

This week at Blackhat, we released the first findings from the App Genome Project.  Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading.  Mobile applications on all platforms–iPhone, BlackBerry, Android, and Symbian–can potentially gather sensitive data from users and we think it’s important that both developers and users act responsibly.  The Android permission model, for example, takes steps to inform users of the capabilities of apps, including what personal data the app could be accessing, thus empowering users to evaluate the apps they download and make good decisions.

During our research, we found series of wallpaper applications in the Android Market are gathering seemingly unnecessary data.  The wallpaper applications that we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection.  The data included the device’s phone number, subscriber identifier (e.g. IMSI), and the currently entered voicemail number on the phone (see below for technical details).  While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior.  There have been cases in the past on other mobile platforms where well-intentioned developers are simply over-zealous in their data gathering, without having malicious intent.

The wallpaper apps that we analyzed came from two developers “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”.  According to androlib, applications from “jackeey,wallpaper” are estimated to have been download 1-4 million times.

Category:   Uncategorized
July 27, 2010

Introducing the App Genome Project

Lookout_App_Genome_Project_Infographic_072610_smaller

Click to enlarge infographic

The App Genome Project

This week at the Black Hat Security Conference, Lookout will unveil the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.

Early Findings

Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms.  Stats include:

  • 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
  • Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
  • 47% of free Android apps include third party code, while that number is 23% on iPhone*

* Examples of third party code includes code that enables mobile ads to be served and analytic tracking for developers.

New Security Vulnerabilities

Lookout will also be announcing new security vulnerabilities including Mobile Data Leakage,which occurs when developers inadvertently expose sensitive data in application logs in a way that makes it accessible to malicious applications. In one instance of this vulnerability, Android was releasing user location data into logs in a way that made it accessible to other applications. That vulnerability has been addressed by Google and is fixed in all versions of Android, v.2.2 and beyond.

This vulnerability and others point to the need for developers to be more aware of best practices for accessing, transmitting and storing users’ personal data. In addition, consumers need to be aware of the permissions that mobile applications request and how that personal data is being used in the application.

More detailed information on the App Genome project and more detail on vulnerabilities will be discussed in their two dedicated sessions at Black Hat this week. They will also be providing recommendations for OEM’s, carriers and developers on how to improve security across the mobile ecosystem.

Category:   Uncategorized
July 26, 2010

Citigroup Discloses Security Flaw in Mobile Banking App

Citigroup recently notified it’s U.S. customers that there was a security flaw in their iPhone mobile banking application that may have stored customer information including account numbers, bill payments and security access codes. The customer data was being saved in a hidden file on the users’ iPhone. If the user synced their iPhone with a PC, their banking information could have also been saved to that computer as well. Citigroup said it did not believe its customers’ personal information was accessed or used inappropriately and that this only affected iPhone users in the U.S. We commend Citigroup for staying on top of the problem, getting a fix out and appropriately notifying users. The Wall Street Journal first reported the news in an article today on Citigroup’s mobile banking iPhone app.

Citi_Mobile_for_iPhoneIf you are a Citibank customer and have used the iPhone app, you should:

  1. Upgrade to the new version of their iPhone software
  2. Change your banking password
  3. Double check your bank account for any unusual behavior

This is only the beginning of a trend we’ve started to see with developers inadvertently exposing sensitive data. Mobile apps can expose more information than people realize.

Today’s news is very timely, as Lookout security researchers get ready to discuss security flaws of mobile apps at the Black Hat conference this week. More news to come, so stay tuned. You can also read our rundown addressing common mobile banking security concerns.



Category:   Uncategorized
July 25, 2010

Lookout Speaking at Black Hat Conference

Our team is gearing up to speak at the annual Black Hat Technical Security Conference next week in Las Vegas. As a regular at this conference, the one big thing we’ve noticed is that new for this year, mobile is big. With over six dedicated talks on mobile security, this is more than any previous conference. We are excited to be giving two talks on mobile security here.

We’ve got new and interesting data to reveal that we haven’t yet announced, so stay tuned for more details.

These Aren’t the Permissions You’re Looking For

When: Wednesday, July 28 1:45 – 3:00 pm
Speakers: Anthony Lineberry, David Luke Richardson, Timothy Wyatt

App Attack: Surviving the Mobile Application Explosion

When: Wednesday, July 28 4:45 – 6:00 pm
Speakers: John Hering, Kevin Mahaffey

Hope to see you at the show!

Category:   Uncategorized
July 16, 2010

Lookout Super User Story: Sara Dellabella

Introducing the Lookout Super User Story of the Month

We have received an overwhelming number of stories from our users telling us how Lookout has protected their smartphone. To honor you, our best users, we have developed a new program for our blog to highlight one Lookout “Super User” a month. If you’ve got a great story to share with us, please email us at superusers-at-lookout.com. So without further ado, we are proud to present our first  “Lookout Super User of the Month,” Sara Dellabella.


Lookout Super User Story: Sara Dellabella

Sara_DellabellaPhoto sent from Sara’s Motorola Droid

Name: Sara Dellabella

Location: Cuba City, Wisconsin

Lookout User Since: January 2010

Device Type: Motorola Droid

Favorite Lookout Feature: Antivirus & Data Backup

What do you use your phone for? Everything! Videos, pictures and web browsing for both professional and personal use.

What are some other apps that you can’t live without?

Pandora, eBay

How Sara Found Lookout

Sara originally came across the Lookout application when she was browsing apps in the Android Market. She read through the reviews and saw that we had a Five-Star rating, so she decided to download Lookout and give it a try.

What Sara Loves About Lookout

Initially the data backup feature was what intrigued Sara about Lookout because she stores everything on her phone from to-do lists, photos and contacts, to passwords and banking information. The other feature that she liked was the Antivirus. Sara’s 8-year-old son, Dylan, loves to download and play games on her Motorola Droid. Because she’s not always sure what Dylan is downloading, it gives her peace of mind to know that Lookout scanning every application that he gets a hold of.

How Lookout Saved the Day

Previously Sara didn’t have Lookout running on her Droid and within a week of getting the new phone, her son Dylan had downloaded a bad game, crashing her phone and causing her to lose all of her data – pictures, contacts, passwords and more! Based on that experience she was quick to download Lookout onto her new phone.  So far, Lookout has quarantined six bad apps, saving her from the headache of getting a new phone or losing her valuable data.

Moral of the Story

“Always have Lookout on your phone, it is the best app I have seen in the Android Market.  It’s one simple thing to keep you protected!”

– Sara Dellabella


Do you have a story to share?

Big thanks to Sara for sharing her awesome story with us. Do you have a super story to share about Lookout? Has Lookout helped you find your lost phone in a trash can, catch a thief or protected you from downloading a bad app? If so, we would love to hear from you! Send your mobile memoir to superusers-at-lookout.com. If we select your story, you will receive an exclusive Lookout Super User t-shirt and get featured on our blog. Start sending those stories in!

Category:   Uncategorized
July 14, 2010

Lookout Mobile Security wins Best Android App Award

We are very excited and honored to be recognized as the Best Android Application award at the Gettie Awards ceremony last night. Gettie_AwardHosted by Getjar, the first ever Gettie Awards recognized the best in mobile applications across all platforms. Over 7,000 apps were nominated, and we feel very lucky to be in such great company of amazing mobile apps.

Every day users tell us how Lookout has saved their most important data, helped them feel safe as they download apps, and find their lost phone quickly. We never get tired of hearing these great user stories, and now with over 1 million users, protecting our users is more important to us than ever.

Thanks for supporting Lookout and keep the great feedback coming!

Gettie_awardsJHcrop

Lookout CEO, John Hering, making his acceptance speech after winning Best Android App.

Category:   Uncategorized
July 2, 2010

50 Arrested in Romania for Using Smartphone Spy Application

Today the Register released an article detailing how 50 people were arrested in Romania for using an application called FlexiSPY to spy, for political or economic purposes, on other Romanian citizens. While these kinds of spying tools are not new, smartphones give these tools a new platform to collect information that is much more personal than what they have been able to collect before. Personal location, calls, sms messages, even live conversations can all be tracked by this kind of “surveillance-ware” application. We have seen an increasing number of these applications in market and often our users don’t know how these applications were placed on their phones.

In order to install this kind of application, someone needs to have access to your phone. So in terms of preventative measures, keep an eye on your phone, use a password and install some protection to catch such applications if they do make it on to your phone.

Category:   Uncategorized
July 1, 2010

Celebrating 1 Million Lookout Users

It’s amazing to think that not long ago we had around 10,000 dedicated users testing Lookout and today I am proud to announce that Lookout is now over 1 million users strong and growing faster every day. This is a truly exciting time to be a mobile user. Devices are more powerful than ever, innovation of mobile applications is rapidly evolving, and we are on the dawn of 4G network proliferation – the dream of the internet everywhere is truly becoming a reality.

While this is an important milestone, we a’re even more excited to see how our users are protected by Lookout. Everyday we are blocking mobile malware, restoring lost data and finding lost and stolen phones.  In fact, just over the past 6 months, Lookout has:

  • Found more than 130,000 lost or stolen phones
  • Backed-up over 87 million photos
  • Backed-up over 300 million contacts
  • Saved users over 85,000 hours by restoring millions of contacts and photos to new or replacement phones

We’’re proud to have reached this achievement and we very much owe our success to to our users. It is you, our users, who have downloaded our application and provided us with ongoing feedback to improve our product and service.  Please keep all of the great feedback coming. We look forward to continuing to build the best products imaginable to keep you safe while using your mobile phone.

It is amazing to think how quickly the next million Lookout users will come and how excited we are preparing for the next hundred million. To all our amazing users: Thank you. We fight for you.

John Hering

Founder / CEO

Category:   Uncategorized