The mobile application landscape is exploding. Currently, the average smartphone user has 22 apps installed and by 2012 some estimate that 50 billion apps will be downloaded each year, according to mobile security company Lookout, citing statistics from Nielsen and Chetan Sharma Consulting. This growing landscape has many questioning the privacy and security risks of mobile apps.
“We are starting to see greater interest from malicious parties in the mobile platform and one of the biggest [threat] vectors is mobile apps,” said John Hering, CEO of Lookout.
A number of apps have been discovered to either purposely or accidentally harvest user data. Most recently, Citigroup discovered its iPhone mobile banking application, unbeknownst to users, saved confidential account information in a hidden file on their devices.
“In a world where mobile app development is exploding so quickly, even apps you think you can trust may be leaking sensitive information,” Hering said.
According to Lookout data, 14 percent of free apps for Apple's iPhone have the ability to access a user's contact data as can eight percent of free apps for Google's Android. Additionally, 33 percent of free iPhone apps can access a user's location, while 29 percent on Android can.
While all apps that access contact data or location are not necessarily malicious, some enterprises might not want this information broadcast, Hering said.
For enterprises and developers, awareness of the problem is important, says Hering. Developers have a responsibility to ensure their app is providing the appropriate level of privacy and security. Enterprises need to educate end-users to pay attention to app ratings and what apps have access to. A simple game probably does not need to access a user's phone book, for example.
Meanwhile, not everyone believes mobile apps pose a significant threat right now.“The jury is out in terms of how bad this could be for enterprises,” said Andrew Jaquith Forrester senior analyst. “At the moment, I don't perceive a lot of risk. The kinds of things [rogue apps] can do include rooting through your address book and looking through your music collection. This is, frankly, not that big of a deal. We are going to have to see some demonstration of real harm before enterprises will really have to get worked up about this.”
According to Jaquith, any organization supporting the iPhone should follow a few best practices, such as requiring email session encryption, wiping devices if they are lost or stolen, protecting devices with a passcode lock, and auto locking devices after periods of inactivity.