April 23, 2014

Shining a Flashlight on Mobile Application Permissions

The Federal Trade Commission (FTC) recently completed and announced the terms of a settlement with GoldenShore Technologies, a one-man development shop based out of Idaho and creator of the popular “Brightest Flashlight” application for Android. Back in December the FTC, in response to a number of complaints, began investigating the app, which was doing a lot more than turning on your phone’s camera LED flash. Prior to installation, the app requested permission to reach the internet, to access contacts, and even to track real-time geolocation via GPS or IP address. So why does a basic flashlight app need all those permissions? To sell the private data of its 50 to 100 million users to less-than-scrupulous third parties, of course.

Consumers often don’t read the EULA, which lets developers slip in all kinds of pernicious language. And lest you think this is just an Android problem, it occurs in Apple mobile applications as well. Because apps like this don’t behave the way traditional malware behaves, they often get through both Android’s and Apple’s vetting processes. It becomes incredibly easy for a developer to collect private information on a massive scale and then sell that data to a disreputable party.

These privacy issues are only amplified in enterprises with weak or no MDM policies. Think about the types of data your employees could be unknowingly transmitting just by clicking “OK” on a set of permissions they didn’t read for some mobile app they thought was innocuous. Pretty scary, huh?

But the FTC just doled out some punishment, right? Well, yes, but it amounts to a slap on the wrist with a wet noodle. GoldenShore Technologies is ordered to delete all existing geolocation and device-specific data the app has collected. Going forward, the app must make clear to consumers that it is collecting their data and what will happen to it. There are a few other restrictions, but most importantly, there is no financial penalty. The developer won’t even have to remit the profits he made from selling user data. Without a significant monetary penalty it’s unlikely that this type of behavior will be curbed in any way. Developers will continue to profit from exposing consumer and enterprise data, to the detriment of us all.

So the question is, what can enterprises do to mitigate the risks inherent in mobile applications? Our static and dynamic behavioral analysis can pick up on the types of things that Android and even Apple gatekeepers miss. Our dynamic testing simulates the way an end user would run an app and then reports exactly what is happening: the internal mechanisms, the network connections made, and the data that is compiled and sent out across those connections. Our partnerships with MDM and MAM vendors help enterprises use the information provided by our APIs to enforce BYOD policies, setting up rules that use risk ratings to allow or block apps on the mobile device. That way you can protect your enterprise from applications dangerous to your privacy, your network, and your information, because it’s unlikely that the GoldenShore Technologies settlement will encourage widespread development of less risky mobile apps.
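As an added example (not code from the original post, from Veracode, or from the app's developer), here is the kind of permission audit a practitioner can run over an app's AndroidManifest.xml before the app is allowed onto a managed device. The manifest is constructed to mirror the permission set described above for a flashlight app; the flashlight baseline, the concern grouping, and the "data source plus network egress" heuristic are assumptions of the example, not part of the original page.

```python
"""Audit an AndroidManifest.xml for permissions beyond an app's stated purpose.

Added example for this article, not Veracode's or GoldenShore's code. The
manifest below is constructed to mirror the permission set the article
describes for a flashlight app; the allowlist and the risk grouping are this
example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the real app's manifest).
FLASHLIGHT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# What a torch app plausibly needs. Assumed baseline; tune it per app category.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# Permissions that read private data or identifiers, or move data off the
# device, grouped by the concern each raises. The grouping is this example's own.
SENSITIVE = {
    "android.permission.INTERNET": "network egress",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}
DATA_SOURCES = {"contacts", "geolocation", "device identifiers"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in Clark notation
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def audit(manifest_xml, baseline):
    """Compare requested permissions against a baseline for the app's purpose.

    Returns the permissions beyond the baseline, those permissions grouped by
    concern, and whether the combination fits a data-collection pattern:
    at least one private data source plus a way to send it off the device.
    """
    excess = requested_permissions(manifest_xml) - baseline
    concerns = {}
    for perm in sorted(excess):
        concerns.setdefault(SENSITIVE.get(perm, "other"), []).append(perm)
    collection_pattern = (
        "network egress" in concerns and not DATA_SOURCES.isdisjoint(concerns)
    )
    return {
        "excess": excess,
        "concerns": concerns,
        "collection_pattern": collection_pattern,
    }


if __name__ == "__main__":
    report = audit(FLASHLIGHT_MANIFEST, FLASHLIGHT_BASELINE)
    for concern, perms in report["concerns"].items():
        print("%-18s %s" % (concern, ", ".join(perms)))
    print("data-collection pattern:", report["collection_pattern"])
```

The manifest only tells you what the app is allowed to do, not what it actually does, which is why a static check like this is a triage step rather than a verdict; an app that declares a private data source alongside INTERNET is the one worth sending through dynamic analysis to see which connections it opens and what it ships over them. Note also that the install-time prompt described in the article predates Android's runtime permission model; on current releases the manifest still declares these permissions, but dangerous ones are granted by the user after installation, so the audit remains valid while the moment of consent has moved.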

Ryan Scotka is a Principal Engineer on the MARS team at Veracode. He has responsibilities encompassing all aspects of mobile security. His other areas of interest include Graph Theory, Automata and Web Frameworks.
