Last week, we gave previews of some of our findings from an analysis of 10,000 Android apps to a few reporters, including Tim Wilson at DarkReading, Rob Westervelt at SearchSecurity, and Sean Kerner at InternetNews.com. Since then, we've been glad to see a high level of interest in our findings from other reporters as well! We'll be releasing our full set of findings at the BlackHat security conference on August 4 in Las Vegas, but until then, here is a preview of some of the findings that we thought would be of interest to the community:
* 842 of the 10,000 apps that we analyzed from Google's Android marketplace were leaking private information. The developers of these apps had them transmit IMEI numbers to remote servers, which may not have a high level of security. While users can give an Android application permission to read their IMEI number, and can also give an application access to the Internet, users may be surprised when these permissions are used in combination to send the IMEI number to a remote server on the Internet. The Security Curve blog post referencing our study discussed some of the key issues here.
* 11 out of the 10,000 apps that we analyzed sent potentially unwanted SMS messages. The developers of these apps had them send potentially spammy messages back to the user's own phone that would, for instance, encourage the user to share the application with others. While the Android OS does have a "coarse-grained" permissions model where users can approve or deny an application the right to use SMS, once they approve, an application could send one SMS or one hundred SMSes without giving the user any further "finer-grained" control.
* We prototyped a mobile drive-by attack for Android. While drive-bys on desktop PCs on the web are very common, mobile drive-by attacks are fairly new.
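
To make the permission-combination point concrete, here is an added example (not code from our analysis tooling) that flags a decoded, plain-text `AndroidManifest.xml` requesting the combinations described above. It assumes the standard Android permissions `READ_PHONE_STATE` (IMEI access), `INTERNET` and `SEND_SMS` are the relevant ones; the rule labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by android:name in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the findings above to Android permission names.
# A rule fires only when *every* permission in its set is requested.
RISKY_COMBOS = {
    "device-id-plus-internet": {
        "android.permission.READ_PHONE_STATE",  # lets the app read the IMEI
        "android.permission.INTERNET",          # lets the app send it off-device
    },
    "sms-send": {"android.permission.SEND_SMS"},  # one approval, unlimited sends
}

def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def flag_manifest(manifest_xml: str) -> list[str]:
    """Return the sorted labels of every risky combination the app requests."""
    perms = requested_permissions(manifest_xml)
    return sorted(label for label, combo in RISKY_COMBOS.items() if combo <= perms)

def _manifest(*perms: str) -> str:
    """Build a constructed sample manifest requesting the given permissions."""
    lines = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{lines}<application/></manifest>')

# Constructed samples: not taken from any of the 10,000 analyzed apps.
SAMPLE_ID_AND_NET = _manifest("android.permission.READ_PHONE_STATE",
                              "android.permission.INTERNET")
SAMPLE_ID_ONLY = _manifest("android.permission.READ_PHONE_STATE")
SAMPLE_ALL = _manifest("android.permission.SEND_SMS",
                       "android.permission.INTERNET",
                       "android.permission.READ_PHONE_STATE")

if __name__ == "__main__":
    for name, xml in [("id+net", SAMPLE_ID_AND_NET), ("id only", SAMPLE_ID_ONLY),
                      ("all three", SAMPLE_ALL)]:
        print(f"{name}: {flag_manifest(xml) or 'no risky combination'}")
```

A flag here only shows that an app holds the capability; confirming that the IMEI is actually transmitted, or that SMS messages are actually sent, requires analyzing the app's behavior.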
We look forward to sharing more information about our findings in the coming weeks, including a full report in the form of a white paper at the time of our BlackHat talk on Aug 4.