Introducing the App Genome Project
July 27
This week at the Black Hat Security Conference, Lookout will unveil the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.
Early Findings
Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms. Stats include:
- 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
- Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
- 47% of free Android apps include third party code, while that number is 23% on iPhone*
* Examples of third party code include code that enables mobile ads to be served and analytic tracking for developers.
New Security Vulnerabilities
Lookout will also be announcing new security vulnerabilities, including Mobile Data Leakage, which occurs when developers inadvertently expose sensitive data in application logs in a way that makes it accessible to malicious applications. In one instance of this vulnerability, Android was releasing user location data into logs in a way that made it accessible to other applications. That vulnerability has been addressed by Google and is fixed in all versions of Android, v.2.2 and beyond.
This vulnerability and others point to the need for developers to be more aware of best practices for accessing, transmitting and storing users’ personal data. In addition, consumers need to be aware of the permissions that mobile applications request and how that personal data is being used in the application.
More detail on the App Genome Project and on these vulnerabilities will be discussed in their two dedicated sessions at Black Hat this week. They will also be providing recommendations for OEMs, carriers and developers on how to improve security across the mobile ecosystem.
TheReviewer 27 Jul 10
crazy how apps make or break the Apple OS and Apple treats their developers like crap
The App Genome Project 28 Jul 10
[...] The App Genome Project is collaboration with Lookout and is featured on their blog here. [...]
Just How (In)secure are Smartphones? 28 Jul 10
[...] provides interesting context for the App Genome Project, a new study from Lookout, which makes security software for Android, BlackBerry, and Windows [...]
Project Scary: Apps Stealing Personal Info « art + ed + mobi + pop 28 Jul 10
[...] (and frequently disgruntled) iPhone user considering switching to an Android, this news about the App Genome project chilled my bones. It reminds us of how we add a little vulnerability to our lives with every new [...]
App Genome Project a Gold Mine for Testers | Mobile App Testing 28 Jul 10
[...] is how we learned about The App Genome Project. Set to be unveiled by mobile security firm Lookout at this week’s Black Hat Security [...]
So how much do all those mobile apps care about your security? Some not so much. 28 Jul 10
[...] In a post yesterday Lookout provided some early findings Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms. Stats include: [...]
Mobile App Stats From The App Genome Project [Infographic] - techtime's posterous 28 Jul 10
[...] insight into how applications are accessing personal data, as well as other phone resources. Source: http://blog.mylookout.com/2010/07/introducing-the-app-genome-project/ [...]
'Many free applications forward sensitive data' 29 Jul 10
[...] [...]
RB 29 Jul 10
This is technically impossible on an iPhone… The way iOS is built prevents this.
Lookout’s App Genome Project warns about sketchy apps you may have already downloaded | Da Gadget 29 Jul 10
[...] Yahoo! News | Lookout Blog | Email this | Comments Engadget Bookmark [...]
Arguments for strict entry control: Android app collects private data from over a million Android users | ifun.de/iPhone :: Alles zum iPhone 29 Jul 10
[...] Update: On its company blog, Lookout reports on the research results from the App Genome Project. [...]
App Genome Project Uncovers Wallpaper App That Steals Your Data | AndroidGuys 29 Jul 10
[...] Lookout have been looking at hundreds of thousands of Android and iPhone apps as part of their new App Genome project. This new initiative was created explicitly to keep mobile users safe from malicious apps. Have [...]
John 29 Jul 10
I’m very interested to know how secure Blackberry apps are. Our company uses these devices because they’re supposed to be ‘safe’, but how sure can you be when users are allowed to install 3rd party apps??
Mobile Apps Could Be Exposing Your Personal Data | Da Gadget 29 Jul 10
[...] Dubbed the App Genome Project, it looked at a large cross-section of mobile apps and found that an unsettling number of them were accessing your personal information, and sometimes without alerting you. According to Lookout, 33-percent of iPhone and 29-percent of [...]
Telefoonkostenomlaag » Blog Archive » 'Many free iPhone & Android applications forward sensitive data' 29 Jul 10
[...] according to research by Lookout, on which various American media [...]
Be careful with apps on iPhone and Android - Digiex 29 Jul 10
[...] (8%) 47% of free Android apps include third party code, while that number is 23% on iPhone Introducing the App Genome Project | The Official Lookout Blog Gorge Attached Thumbnails [...]
A quarter of free iPhone apps store user data | iPhone4 - De Leuke Dingen 29 Jul 10
[...] here, here, here more can be found about Lookout's research. (advertisement) Otherwise you just take [...]
Android and iOS: free applications that are a little too curious | News Jeux video – SFA 29 Jul 10
[...] is currently conducting a study called the App Genome Project, which aims to map and analyze 300,000 mobile applications running on [...]
Ben 29 Jul 10
So out of all those apps, how many of those send your personal information to China?
Feroz Yacoob 29 Jul 10
I hope Lookout will incorporate this vital information into their existing app available on Android.
(News report) era is the era of smart phones lack of privacy?? | blacklink-tech 29 Jul 10
[...] http://blog.mylookout.com/2010/07/ in … enome-project / [...]
Alarming: Wallpaper app steals your data | emóvilPRO | Anuncios 29 Jul 10
[...] has been digging through hundreds of thousands of Android and iPhone applications as part of its App Genome project. The purpose is to keep mobile phone users safe from applications [...]
aNONyMoosE 29 Jul 10
WebOS isn’t included in this… what does that mean?
Android Spyware: Millions Downloaded Thievish Wallpaper App | ECtimes.com 29 Jul 10
[...] disclose that the information would be sent to a third-party. Lookout found the app as part of its App Genome Project, an ambitious project to track the behavior of 300,000 [...]
Is privacy still possible? « praeivio dienoraštis 29 Jul 10
[...] at the Black Hat conference taking place in Vegas. There the not very well-known firm Lookout presented its talk on the trustworthiness of the programs that can be downloaded to Android and iPhone smartphones. [...]
Ben 29 Jul 10
WebOS is not included because it’s too minor.
They only include iOS to sugar coat Android’s Jackeey Wallpaper app that sends user’s personal information to China.
Free mobile apps can cost users their privacy | Greatson Media Blog 29 Jul 10
[...] security firm Lookout analyzed some 300,000 applications for the iPhone and Android and discovered a relatively small — though not negligible — [...]
‘Many iPhone applications forward sensitive data’ - iPhone 4 - Lees iPhoned.nl 29 Jul 10
[...] ‘Lookout‘ recently completed a study of iPhone applications. The research firm investigated the unsolicited sending of sensitive data by iPhone applications. The results are shocking, because it appears that roughly half of the free applications send sensitive data to third parties without being asked. [...]
William Woody 29 Jul 10
“Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)”
How do you determine that an iPhone “has the capability to access user’s contact data”? Unlike Android, there is no explicit permission bit that is set that the user is warned about–any iPhone app can access the Address Book Database without requiring a specific permission bit to be set. So, in theory 100% of all iPhone apps can access the user’s contact data.
So how do you determine this 14% number? In other words, what additional criteria are you using to say if an iPhone app may versus won’t access the data? Are you somehow scanning the code to find instructions which invoke the Address Book Database UI? Or are you using some other criteria?
I also find the metrics for Android a little sketchy. Just because you ask for a permission bit doesn’t mean you’re using the full capabilities flagged by that permission bit, right? I mean, isn’t this the equivalent of saying that because knives kill people, and half the country owns a knife, half the country could be murderers?
Rogue Android Apps Secretly Grab User Data (PC World) PhoneSpot.Org | PhoneSpot.Org 29 Jul 10
[...] discovery is part of the company’s recently announced App Genome Project that aims to “map and study mobile applications.” The company posted some early [...]
The Black Sheep: Free iPhone Apps Snoop Contacts | iCodeBlog 29 Jul 10
[...] there is quite a bit of information coming out of Las Vegas that relates to the iPhone. Lookout revealed some results from its App Genome project, which analyzed about 300,000 apps that are available for [...]
kevin 29 Jul 10
@William
We use similar, but slightly different techniques to analyze Android and iPhone applications due to their different respective application frameworks. We presented our full methodology at the Blackhat security conference (the full slides will be public soon), but I’ll give a brief summary.
On Android, we used a combination of permissions and static analysis (using custom-built tools that examine Android executables) to determine what capabilities each application has. On iPhone, we determined application capabilities by analyzing the Mach-O load commands and symbol tables in application binaries. We specifically looked at which APIs each application references, what classes/methods/instance-variables each application implements, and which frameworks each application references.
It’s important to remember that the data that we’re releasing shows the aggregate usage of particular sensitive capabilities. Simply because an application accesses sensitive capabilities, doesn’t mean it’s bad. Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading.
Hope this helps clarify.
-Kevin
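The following added example, which is not Lookout's tooling and not part of the comment above, reads the LC_LOAD_DYLIB load commands of a thin Mach-O image and maps the linked frameworks to coarse capabilities. The framework-to-capability table, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin little-endian Mach-O; fat files not handled
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0xC, 0x80000018
# Assumed framework -> capability table (illustrative, not Lookout's list).
SENSITIVE = {"AddressBook": "contacts", "AddressBookUI": "contacts", "CoreLocation": "location"}

def linked_dylibs(data: bytes) -> list[str]:
    """Return the install names referenced by (weak) dylib load commands."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data)
    off = 32 if magic == MH_MAGIC_64 else 28    # 64-bit header has an extra reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    names = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, name offset, timestamp, two versions = 24 bytes
            name_off = struct.unpack_from("<I", data, off + 8)[0] if cmdsize >= 24 else 0
            if not 24 <= name_off < cmdsize:
                raise ValueError("bad dylib name offset")
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names

def capabilities(data: bytes) -> set[str]:
    """Capabilities implied by linked frameworks, matched on the last path component."""
    leaves = {n.rsplit("/", 1)[-1] for n in linked_dylibs(data)}
    return {SENSITIVE[x] for x in leaves if x in SENSITIVE}

def _dylib_cmd(path: str) -> bytes:             # helper that builds the constructed input
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 4)     # pad the command to 4-byte alignment
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def sample_macho() -> bytes:
    """Constructed 32-bit ARM header plus three dylib commands; not a real app binary."""
    paths = ("/System/Library/Frameworks/UIKit.framework/UIKit",
             "/System/Library/Frameworks/CoreLocation.framework/CoreLocation",
             "/System/Library/Frameworks/AddressBook.framework/AddressBook")
    cmds = b"".join(_dylib_cmd(p) for p in paths)
    return struct.pack("<7I", MH_MAGIC, 12, 0, 2, len(paths), len(cmds), 0) + cmds
```

A linked framework shows only that an app can reach an API, not that it does; the symbol-table and class analysis the comment also mentions is outside this example.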
uli 29 Jul 10
So that number (47% of Android apps include 3rd-party code, vs 23% iPhone apps) doesn’t tell us anything since those libs could just as well be compression libraries, crypto, image analysis, whatever.
Do you have a more detailed break-down in the BH talk?
http://www.winenbel.nl » Blog Archive » Study: ‘Almost a quarter of iPhone apps forward info’ 29 Jul 10
[...] a study by Lookout shows that free applications often forward users’ sensitive data. The company [...]
Mobile Loose Ends 30/07/10 | Business Mobile 30 Jul 10
[...] Read more on their blog http://blog.mylookout.com/2010/07/introducing-the-app-genome-project/ [...]