The downside to mobile apps

Users often ignore software authorization, giving access to personal information.

Chris Mattison uses his iPhone for more than just talk and text. He’s a fan of its applications and has downloaded more than 60 games, music, social media and fitness applications.

The Norcross man knows he’s giving away some information in exchange for the downloaded app, but said he doesn’t typically review the permissions.

“For the most part, I don’t think any of the apps are very intrusive,” he said in an e-mail via his iPhone. “But I could very much be wrong.”

Mattison and millions of other unwitting smartphone users could be inviting a security risk, experts say.

Smartphones are becoming the norm among mobile phone users, allowing Americans to download all manner of handy, entertaining or useful applications with them, many of them free.

But application creators get something in return — access. And that could make mobile phone users who breeze through those pesky permissions or ignore application ratings vulnerable to scammers, experts say.

“Sometimes it is easy to tell what is good and what is bad — particularly permissions that access personal information and charge you money,” said Kevin Mahaffey, co-founder and chief technology officer of free mobile security application provider Mylookout.com. “But if it’s a poker game that needs to access all kinds of information, that is obviously sketchy. But a lot of times bad guys are extremely clever.”

To be clear, many mobile security folks say the risk is still somewhat low compared to threats on one’s at-home computer, solely because the bad guys of the smartphone world haven’t figured out a way to make enough money to be worth their while. As Internet security firm Symantec found in a recently released report: “Currently the mobile technology landscape provides some malicious monetization opportunities, but none at the revenue scale achievable in Windows.”

But with smartphone users expected to jump from 90.1 million users this year to nearly 149 million by 2015, according to data from eMarketer, it could one day be bigger business for hackers.

“They haven’t quite cracked the revenue nut yet. But in my opinion, as the bad guys are more successful in making money, we’ll see attacks accelerate,” Mahaffey said.

For the non-smartphone users out there, here’s how it works. Using an Android phone or Apple’s iPhone, users can download software to their phone that allows them to use such things as calorie counters, music players, mobile banking and so on. And each application comes with its own set of requests for information that the user must grant.

The most common permissions include allowing the application to prevent the phone from sleeping, reading who users call and which states they’re from, or allowing access to the phone’s Internet connection, a favorite among advertisers, experts interviewed for this story said.

But some of the stranger permissions include allowing one’s phone to make phone calls or send text messages, which has been used by scammers as a way to rack up expensive charges. Other off-putting requests include permission to capture pictures or video, something that depending on the application, could be reasonable or bizarre, said application developer Stephen Fluin, chief strategy and innovation officer at Mentormate, an application developer. (Because for some applications, it’s unclear whether granting permission to use “hardware controls” means taking photos through the application, or whether the application can operate the camera independent of the user.)

“It is possible it is doing nothing. It’s also possible when you launch the app it takes pictures,” Fluin said. “But I don’t see a value in picture taking — I don’t see a way to derive revenue from that.”

Mobile security experts said there are a couple of things users can do to protect themselves. Patrick Cousins, an application developer and blogger, said the most important thing is to vet the applications, read the reviews and check out user comments, he said.

“It’s all about context. It’s OK to give Internet access to some applications if you can see a valid use for it,” Cousins said. “If I download a game of checkers and it wants access to all my contacts, that wouldn’t make a whole lot of sense in context. It doesn’t need to read contacts for me to play checkers.”

Mahaffey adds that mobile phone users should set pass codes on their phone and allow the phone to update applications which can correct “bugs” in the system.

Jennifer Chen, also of Norcross, said she typically reads the reviews and permissions before downloading anything to her phone for one simple reason: “I don’t trust most things unless I research them first ... call me old.”