Our smartphones have become a tool that most of us admit we could not live without. After only a few taps on our screen, we can monitor our inbox, our bank account, our social media networks and now, even our homes.
What we often don’t realize, however, is the amount of personal information our phones actually store and how easily accessible we make this data, not only for ourselves, but for others, too. A recent Android study proves many of us are likely not careful enough.
A group of researchers at Snoopwall—a technology solution that detects and blocks spyware and malware on a variety of platforms—found that the most widely used flashlight apps are furtively stealing personal information stored on users’ mobile devices.
According to the company’s Threat Assessment Report, the top 10 searched flashlight apps in the Google Play Store all perform functions that surpass the basic needs of what flashlight apps should be executing.
These seemingly harmless apps, which have accumulated half a billion downloads, have put the privacy and security of users at risk simply by requesting overzealous permissions that users unknowingly adhere to, including permission to:
- Modify or delete the contents of your USB storage
- Change system display settings
- Precise location (GPS and network-based)
- Write Home settings and shortcuts
- View all network connections
For Ken Westin, a security researcher at Tripwire, this is all too familiar: “There is little vetting of applications before they are deployed. When you install an Android app, it shows you what it has permissions to access, but most people ignore it and just click next to get the app installed. There are a lot of free apps that have permissions on devices they shouldn’t, even ‘security’ applications.”
Some users might have felt safe downloading the apps because they installed them using Google Play and not a third-party site but as Tripwire CTO Dwayne Melancon explains, that doesn’t make an app any more secure.
“Android is pretty ‘Wild Wild West’ because the apps are not well curated,” said Melancon. “People often misunderstand the warning not to download apps from unknown or trusted sources. They’ll say, ‘I got it off the Play store—I trust that source’ without realizing the unknown and untrusted author of the app is the actual source.”
For the short term, users are encouraged to uninstall any of the malicious flashlight apps listed here. If your app is able to modify your phone’s storage and/or write settings, it is recommended that you reset your phone. A factory reset and/or complete wipe might be necessary.
Going forward, users are recommended to follow a number of best practices that optimize both their privacy and security on their mobile devices, such as:
- Disabling GPS, except when traveling or in the event of an emergency
- Disabling Near Field Communications (or iBeacon for Apple devices) permanently
- Disabling Bluetooth, except when making a hands-free call while driving
- Covering the microphone and/or webcam with tape when neither is in use
Most importantly, however, users need to begin looking at the permissions their apps request of them more closely. We should all be using common sense to ask whether a particular app needs access to the information it wants. If it doesn’t, we’re better off doing some research online and looking for safer alternatives, like this privacy flashlight developed by Snoopwall.
Common sense goes a long way in protecting ourselves online and on our phones, and it’s up to us to accept that responsibility.
- How to Build Up Your Secure Development
- Are You Threatening Me? A Tutorial on Threat Modeling
- The Ever Expanding Trust Boundary: To Infinity and Beyond
- Threat Mitigation and the 20 Critical Security Controls
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image courtesy of ShutterStock