
The Lookout Blog

July 27, 2010

Introducing the App Genome Project

[Infographic: App Genome Project]

The App Genome Project

This week at the Black Hat Security Conference, Lookout will unveil the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.

Early Findings

Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms. Stats include:

  • 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
  • Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
  • 47% of free Android apps include third party code, while that number is 23% on iPhone*

* Examples of third party code include code that enables mobile ads to be served and analytics tracking for developers.

New Security Vulnerabilities

Lookout will also be announcing new security vulnerabilities, including Mobile Data Leakage, which occurs when developers inadvertently expose sensitive data in application logs in a way that makes it accessible to malicious applications. In one instance of this vulnerability, Android was releasing user location data into logs in a way that made it accessible to other applications. That vulnerability has been addressed by Google and is fixed in all versions of Android, v2.2 and beyond.

This vulnerability and others point to the need for developers to be more aware of best practices for accessing, transmitting and storing users’ personal data. In addition, consumers need to be aware of the permissions that mobile applications request and how that personal data is being used in the application.
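The log-leakage problem above is easiest to reason about from the defender's side: whatever an app writes to the shared system log is readable by anything else that can read that log, so the first check is simply whether sensitive values ever reach it. The following is an added example, not code from Lookout or from this post, that scans logcat-style lines (constructed samples embedded in the block) for coordinate pairs and e-mail addresses, reports which process and tag wrote them, and provides a redaction helper a developer could put in front of logging calls. The line format, the regexes and the sample entries are assumptions made for the example.

```python
"""Added example: detect sensitive data written to a shared application log.
Sample log lines are constructed; the regexes are heuristics, not Lookout's tooling."""
import re

# Assumed logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(r"^\S+ \S+\s+(\d+)\s+(\d+) ([VDIWEF]) ([^:]+?)\s*: (.*)$")

# Heuristic: a latitude-looking decimal followed by a longitude-looking decimal,
# either "37.7749,-122.4194" or "lat=37.7749, lon=-122.4194". Four or more
# fractional digits keeps ordinary measurements such as "21.5" from matching.
COORD_RE = re.compile(r"-?\d{1,2}\.\d{4,}[ ,]+(?:lon[g]?[:=]\s*)?-?\d{1,3}\.\d{4,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample output; pids and tags are invented.
SAMPLE_LOGCAT = """\
07-27 10:15:01.123  1432  1432 D MyWeatherApp: fetching forecast
07-27 10:15:01.456  1432  1450 I MyWeatherApp: location fix lat=37.7749, lon=-122.4194
07-27 10:15:02.001   910   910 D SystemServer: onLocationChanged 37.7749,-122.4194
07-27 10:15:03.777  1501  1501 I ContactsSync: syncing user jane.doe@example.com
07-27 10:15:04.000  1432  1432 D MyWeatherApp: temperature 21.5 C
""".splitlines()


def classify_message(msg: str) -> list:
    """Return the kinds of sensitive data found in one log message."""
    kinds = []
    if COORD_RE.search(msg):
        kinds.append("coordinates")
    if EMAIL_RE.search(msg):
        kinds.append("email")
    return kinds


def find_leaks(lines) -> list:
    """Parse logcat lines and return one finding per line that carries sensitive data.

    Each finding records the writing process (pid) and tag so the leak can be
    traced back to the component that logged it."""
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        pid, _tid, _level, tag, msg = m.groups()
        kinds = classify_message(msg)
        if kinds:
            findings.append({"pid": int(pid), "tag": tag, "kinds": kinds, "message": msg})
    return findings


def leaks_by_pid(findings) -> dict:
    """Aggregate findings so each process is reported once with all leak kinds seen."""
    summary = {}
    for f in findings:
        summary.setdefault(f["pid"], set()).update(f["kinds"])
    return summary


def redact_sensitive(msg: str) -> str:
    """Mitigation side: strip coordinates and e-mail addresses before a message is logged."""
    msg = COORD_RE.sub("<coordinates redacted>", msg)
    return EMAIL_RE.sub("<email redacted>", msg)


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOGCAT):
        print(f"pid {f['pid']} tag {f['tag']}: {', '.join(f['kinds'])}")
        print("  would log instead:", redact_sensitive(f["message"]))
    print("per process:", {pid: sorted(k) for pid, k in leaks_by_pid(find_leaks(SAMPLE_LOGCAT)).items()})
```

Run against a real `adb logcat -v threadtime` capture, the scanner tells a developer which of their own components are writing location or identity data into the log; the redaction helper is the cheap fix, and the better one is to not log the value at all.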

More detailed information on the App Genome project and more detail on the vulnerabilities will be discussed in Lookout's two dedicated sessions at Black Hat this week. Lookout will also be providing recommendations for OEMs, carriers and developers on how to improve security across the mobile ecosystem.


58 comments

  1. TheReviewer says:

    crazy how apps make or break the Apple OS and Apple treats their developers like crap

  2. [...] The App Genome Project is collaboration with Lookout and is featured on their blog here. [...]

  3. [...] provides interesting context for the App Genome Project, a new study from Lookout, which makes security software for Android, BlackBerry, and Windows [...]

  4. [...] (and frequently disgruntled) iPhone user considering switching to an Android, this news about the App Genome project chilled my bones. It reminds us of how we add a little vulnerability to our lives with every new [...]

  5. [...] is how we learned about The App Genome Project. Set to be unveiled by mobile security firm Lookout at this week’s Black Hat Security [...]

  6. [...] In a post yesterday Lookout provided some early findings Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms.  Stats include: [...]

  7. [...] insight into how applications are accessing personal data, as well as other phone resources. Source: http://blog.mylookout.com/2010/07/introducing-the-app-genome-project/ [...]

  8. [...] In a post yesterday Lookout provided some early findings Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms.  Stats include: [...]

  9. RB says:

    This is technically impossible on an iPhone… The way iOS is built prevents this.

  10. [...] Yahoo! News  |  Lookout Blog  | Email this | Comments Engadget Bookmark [...]

  11. [...] Update: In its company blog, Lookout reports on the research results from the App Genome Project. [...]

  12. [...] Lookout have been looking at hundreds of thousands of Android and iPhone apps as part of their new App Genome project.  This new initiative was created explicitly to keep mobile users safe from malicious apps.  Have [...]

  13. [...] Yahoo! News  |  Lookout Blog  | Email this | Comments Leave a comment Related PostsNo Related Post [...]

  14. [...] Yahoo! News  |  Lookout Blog  | Email this | Comments Related Posts:LG’s Application Store launches in [...]

  15. John says:

    I’m very interested to know how secure Blackberry apps are. Our company uses these devices because they’re supposed to be ‘safe’, but how sure can you be when users are allowed to install 3rd party apps??

  16. [...] Dubbed the App Genome Project, it looked at a large cross-section of mobile apps and found that an unsettling number of them were accessing your personal information, and sometimes without alerting you. According to Lookout, 33-percent of iPhone and 29-percent of [...]

  17. [...] as shown by research from Lookout, which various American media [...]

  18. [...] Dubbed the App Genome Project, it looked at a large cross-section of mobile apps and found that an unsettling number of them were accessing your personal information, and sometimes without alerting you. According to Lookout, 33-percent of iPhone and 29-percent of [...]

  19. [...] (8%) 47% of free Android apps include third party code, while that number is 23% on iPhone Introducing the App Genome Project | The Official Lookout Blog Gorge Attached Thumbnails   [...]

  20. [...] here, here, here you can find more about the Lookout research. (advertisement) Otherwise you just take [...]

  21. [...] is currently conducting a study called the App Genome Project, which aims to map and analyze 300,000 mobile applications running on [...]

  22. Ben says:

    So out of all those apps, how many of those send your personal information to China?

  23. Feroz Yacoob says:

    I hope Lookout will incorporate this vital information into their existing app available on Android.

  24. [...] has been digging through hundreds of thousands of Android and iPhone applications as part of its App Genome project. The purpose is to keep mobile phone users safe from applications [...]

  25. aNONyMoosE says:

    WebOS isn’t included in this… what does that mean?

  26. [...] Yahoo! News  |  Lookout Blog  | Email this | Comments Share Tech How to Turn Your Android [...]

  27. [...] Yahoo! News  |  Lookout Blog  | Email this | Comments Related Posts:Lookout’s App Genome Project warns [...]

  28. [...] disclose that the information would be sent to a third-party. Lookout found the app as part of its App Genome Project, an ambitious project to track the behavior of 300,000 [...]

  29. [...] disclose that the information would be sent to a third-party. Lookout found the app as part of its App Genome Project, an ambitious project to track the behavior of 300,000 [...]

  30. [...] at the Black Hat conference taking place in Vegas. There the not very well known firm Lookout presented its talk on the trustworthiness of programs that can be downloaded to Android and iPhone smartphones. [...]

  31. [...] disclose that the information would be sent to a third-party. Lookout found the app as part of its App Genome Project, an ambitious project to track the behavior of 300,000 [...]

  32. Ben says:

    WebOS is not included because it’s too minor.

    They only include iOS to sugar coat Android’s Jackeey Wallpaper app that sends users’ personal information to China.

  33. [...] security firm Lookout analyzed some 300,000 applications for the iPhone and Android and discovered a relatively small — though not negligible — [...]

  34. [...] ‘Lookout’ recently completed a study on iPhone applications. The research firm investigated the unsolicited sending of sensitive data by iPhone applications. The results are shocking, because it appears that about half of the free applications send sensitive data to third parties without asking. [...]

  35. “Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)”

    How do you determine that an iPhone “has the capability to access user’s contact data”? Unlike Android, there is no explicit permission bit that is set that the user is warned about–any iPhone app can access the Address Book Database without requiring a specific permission bit to be set. So, in theory 100% of all iPhone apps can access the user’s contact data.

    So how do you determine this 14% number? In other words, what additional criteria are you using to say if an iPhone app may versus won’t access the data? Are you somehow scanning the code to find instructions which invoke the Address Book Database UI? Or are you using some other criteria?

    I also find the metrics for Android a little sketchy. Just because you ask for a permission bit doesn’t mean you’re using the full capabilities flagged by that permission bit, right? I mean, isn’t this the equivalent of saying that because knives kill people, and half the country owns a knife, half the country could be murderers?

  36. [...] discovery is part of the company’s recently announced App Genome Project that aims to “map and study mobile applications.” The company posted some early [...]

  37. [...] there is quite a bit of information coming out of Las Vegas that relates to the iPhone. Lookout revealed some results from its App Genome project, which analyzed about 300,000 apps that are available for [...]

  38. kevin says:

    @William

    We use similar, but slightly different techniques to analyze Android and iPhone applications due to their different respective application frameworks. We presented our full methodology at the Blackhat security conference (the full slides will be public soon), but I’ll give a brief summary.

    On Android, we used a combination of permissions and static analysis (using custom-built tools that examine Android executables) to determine what capabilities each application has. On iPhone, we determined application capabilities by analyzing the Mach-O load commands and symbol tables in application binaries. We specifically looked at which APIs each application references, what classes/methods/instance-variables each application implements, and which frameworks each application references.

    It’s important to remember that the data that we’re releasing shows the aggregate usage of particular sensitive capabilities. Simply because an application accesses sensitive capabilities, doesn’t mean it’s bad. Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading.

    Hope this helps clarify.

    -Kevin
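As an added illustration of the two analysis approaches described in the comment above (not Lookout's tooling, and not part of the original post or of any comment), the Python below walks the load commands of a 64-bit Mach-O binary to collect the frameworks it links against, reads the `uses-permission` entries from an Android manifest, and maps both onto coarse capability labels so the two platforms can be compared the way the early findings do. The Mach-O image and the manifest are synthetic fixtures built inside the block; the framework-to-capability and permission-to-capability tables are assumptions made for the example, and a real analyzer would also have to handle fat (multi-architecture) files, 32-bit headers and the symbol table, which this one leaves out.

```python
"""Added example: infer coarse sensitive-data capabilities of an iOS binary from
its LC_LOAD_DYLIB load commands and of an Android app from its manifest permissions.
Fixtures are synthetic; capability tables are assumptions, not Lookout's."""
import struct
import xml.etree.ElementTree as ET

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian mach_header_64 magic
LC_LOAD_DYLIB = 0x0C       # load command: link against a dynamic library
DYLIB_CMD_HEADER = 24      # cmd, cmdsize, name offset, timestamp, current_version, compat_version

# Assumed mapping from linked framework (leaf name of the install path) to capability.
FRAMEWORK_CAPS = {"CoreLocation": "location", "AddressBook": "contacts"}
# Assumed mapping from requested Android permission to the same capability labels.
ANDROID_PERM_CAPS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def parse_load_dylibs(data: bytes) -> list:
    """Walk the load commands of a mach_header_64 image and return the install
    name of every LC_LOAD_DYLIB command, with bounds checks on each command."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (fat/32-bit not handled here)")
    names, off, end = [], 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header runs past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if name_off < DYLIB_CMD_HEADER or name_off >= cmdsize:
                raise ValueError("dylib name offset outside its command")
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def ios_capabilities(data: bytes) -> set:
    """Capabilities implied by the frameworks an iOS binary links against."""
    caps = set()
    for name in parse_load_dylibs(data):
        leaf = name.rsplit("/", 1)[-1]   # .../CoreLocation.framework/CoreLocation -> CoreLocation
        if leaf in FRAMEWORK_CAPS:
            caps.add(FRAMEWORK_CAPS[leaf])
    return caps


def android_capabilities(manifest_xml: str) -> set:
    """Capabilities implied by the permissions an Android manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {ANDROID_PERM_CAPS[el.get(ANDROID_NS + "name", "")]
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name", "") in ANDROID_PERM_CAPS}


def build_macho(dylibs: list) -> bytes:
    """Constructed fixture: a mach_header_64 followed by one LC_LOAD_DYLIB per name."""
    cmds = b""
    for name in dylibs:
        s = name.encode() + b"\0"
        pad = (-(DYLIB_CMD_HEADER + len(s))) % 8   # 64-bit load commands are 8-byte aligned
        cmdsize = DYLIB_CMD_HEADER + len(s) + pad
        cmds += struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, DYLIB_CMD_HEADER, 0, 0x10000, 0x10000)
        cmds += s + b"\0" * pad
    # cputype 0x0100000C = CPU_TYPE_ARM | CPU_ARCH_ABI64, filetype 2 = MH_EXECUTE
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0) + cmds


# Constructed manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    blob = build_macho(["/usr/lib/libSystem.B.dylib",
                        "/System/Library/Frameworks/UIKit.framework/UIKit",
                        "/System/Library/Frameworks/AddressBook.framework/AddressBook"])
    print("iOS links:", parse_load_dylibs(blob))
    print("iOS capabilities:", sorted(ios_capabilities(blob)))
    print("Android capabilities:", sorted(android_capabilities(SAMPLE_MANIFEST)))
```

Both sides produce the same caveat the comment makes: linking a framework or requesting a permission shows that an app can reach the data, not that it does, which is why a real pipeline follows this with symbol-level or bytecode-level analysis of what is actually called.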

  39. uli says:

    * Examples of third party code includes code that enables mobile ads to be served and analytic tracking for developers.

    So that number (47% of Android apps include 3rd-party code, vs 23% iPhone apps) doesn’t tell us anything since those libs could just as well be compression libraries, crypto, image analysis, whatever.

    Do you have a more detailed break-down in the BH talk?

  40. [...] research by Lookout shows that free applications often forward users’ sensitive data. The company [...]

  41. [...] there is quite a bit of information coming out of Las Vegas that relates to the iPhone. Lookout revealed some results from its App Genome project, which analyzed about 300,000 apps that are available for [...]

  42. So nice I just became the fan of your site and noted on my bookmarks, thanks.

  43. [...] on our recent research and feedback from our users, we know that Android permissions can sometimes be confusing. Often it [...]

  44. [...] Genome Project that Android applications are more secure than iPhone apps are because they’re less likely to be capable of accessing a user’s contact list or retrieving their location. It also found [...]

  45. [...] Genome Project that Android applications are more secure than iPhone apps are because they’re less likely to be capable of accessing a user’s contact list or retrieving their location. It also found [...]

  46. [...] Genome Project that Android applications are more secure than iPhone apps are because they’re less likely to be capable of accessing a user’s contact list or retrieving their location. It also found [...]

  47. [...] Genome Project that Android applications are more secure than iPhone apps are because they’re less likely to be capable of accessing a user’s contact list or retrieving their location. It also found [...]

  48. [...] mobile apps across different device platforms and app markets.   The App Genome Project is an ongoing effort to provide visibility into mobile market dynamics, gain insight into how mobile apps access [...]

  49. [...] Black Hat conference in Las Vegas, Nev., security research firm Lookout revealed that it analyzed more than 300,000 free applications available on both the iPhone App Store and Android [...]

  50. [...] Genome Project, The blog.mylookout.com [...]

  51. Stan says:

    That is exactly what I have heard too. The apps that are supposed to make working and browsing easier apparently have the plague, because numerous apps spy on the user and not only transmit data about browsing behavior but also open up other opportunities for hackers.

  52. [...] risk here is something mentioned previously, mobile applications. In an article on Lookout, Introducing the App Genome Project, the founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what [...]


About this blog

This is the official blog of Lookout, a mobile security company in San Francisco. Find out more about us or our product.