Feeds

Lookout mulls flagging privacy-invading phone apps as adware

Free virus detector considers crackdown on freebies

Combat fraud and increase customer satisfaction

Lookout Mobile Security has taken steps towards classifying privacy-eroding phone apps as malign and ripe for removal from devices by its antivirus software.

Many free mobile applications generate revenue by using advertising networks and exchanges to show in-app ads, and in most cases everything is ethical and above board.

However Lookout researchers discovered some of these advertising suppliers quietly access personal information on the phones - including handset owners' email addresses, numbers and names.

"Many of these ad providers also use aggressive mobile ad delivery techniques that can confuse users, like changing bookmark settings or delivering ads outside the context of an individual app," Lookout explains.

19,000 of the 380,000 free apps (5 per cent) analysed by Lookout used questionable or aggressive tactics. On Google Play, apps in the personalisation category (for example, wallpaper apps) have the highest percentage of aggressive ad networks (at 17 per cent), closely followed by comics (13 per cent), arcade & action (10 per cent) and entertainment (8 per cent).

Lookout warns that privacy-invading apps are more prevalent than malware. The security firm has drawn up a list of guidelines on acceptable behaviour for mobile apps, as explained in this blog post.

The firm may later use these guidelines as a benchmark for deciding whether to flag up particular apps as a privacy or security risk to customers of its mobile security software. Lookout, which provides virus detection and elimination software for Apple iOS and Google Android phones, has yet to start classifying any mobile apps as adware.

The US-based biz is in discussion with advertising networks and app developers about the issue in order to thrash out a code of practice.

The draft guidelines cover best practices in the following areas: transparency and clarity of data collection; control over information collected; ad delivery and display behaviour; collection and retention of personal or device-specific data; and secure transport of sensitive data.

"This is a living document that will change as the industry evolves, but ad providers that do not follow the basic requirements could be flagged as adware," Lookout stated (our emphasis).

The company's researchers have drawn attention to an important issue, and their figures are a worthwhile contribution to the debate, but users looking to use its mobile security application as a way to ward off invasive apps will be disappointed, at least for now.

From desktop plagues to mobile menaces

The Ad Network Detector app from Lookout shows what types of ads can be displayed and what personal information is collected by a network. This functionality is there for information purposes only, and it doesn't provide automatic warnings.

Advertising-spewing adware was, of course, a big problem on desktop machines several years ago. Security firms, most notably Kaspersky Lab, successfully fought lawsuits against firms angered that their ad-slinging tech was classified as malign or unwanted. A similar reaction could happen in the mobile arena, hence Lookout's understandable caution.

Lookout said it wanted to equip mobile advertisers and developers with clear privacy and user-experience guidelines so as to "enable growth and innovation in mobile advertising, while protecting user privacy and increasing the trustworthiness of ads".

As well as talking to developers and ad networks, mobile security firms such as Lookout ought to get mobile carriers, regulators and privacy activists involved in tackling the issue. One privacy campaign group is already on board.

Jules Polonetsky, director and co-chair of the Future of Privacy Forum, commented: “For many years, desktop users were plagued with programs that triggered pop-ups, added unwanted toolbars, and changed [web browser] home pages. These guidelines make it clear, while mobile marketing business models and practices are still developing, some practices are out-of-bounds. That’s good news for both consumers and responsible businesses.”

Lookout Mobile Security provides free and paid-for security utilities for phones. The premium version includes a phishing and malicious website blocker, privacy adviser, backup manager, and remote wipe functionality missing from its freebie sibling, which focusses on provides warnings about mobile malware. Lookout boasts 20 million users, the vast majority of whom are assumed to be running freebie versions of its software.

We suspect that the mobile adware warning functionality - as and when it appears - will be sold as a premium service. ®

3 Big data security analytics techniques

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.