Outsmarting Your Spying Smartphone
MICHEL MARTIN, HOST:
I'm Michel Martin and this is TELL ME MORE from NPR News. Coming up, move over guitar man. We are going to take a look at a new trend in traditional Mexican music where the tuba is taking center stage. That conversation is coming up.
But first, we want to tell you about an issue with all those apps for smartphones that you might not have heard about. And if you got one or bought one for yourself this holiday season, you are not alone.
One group called Flurry Analytics that measures how many apps get activated at any given time says that some 6.8 million Android and iOS devices were activated on Christmas day. That's an almost 140 percent increase over the number activated the prior year on the same day.
Now, of course, these phones are loaded with all types of new software for business and pleasure. But some security experts say there could be a danger, that they say these smartphones are collecting and transmitting private information about users, sometimes to third parties.
We wanted to talk more about this and what you can do to protect yourself, so we've called John Verdi. He is the senior counsel of the Electronic Privacy Information Center. He's here with us in our Washington, D.C. studio.
Welcome back. Thanks for joining us once again.
JOHN VERDI: It's a pleasure to be here.
MARTIN: Is there a distinction or do security experts like yourself draw a distinction between the apps that have been generated for iPhones and those that have been generated for Android phones?
VERDI: Well, there are definitely distinctions between apps for the two products. Apple exercises a great deal of control and oversight over which apps make it into the iPhone store. Google exercises virtually no oversight at all over the apps that make it into the Android market. So there's a real difference there and it has real implications for consumers.
MARTIN: People are saying that there's a real concern about malware. What is that and what is the concern?
VERDI: Well, malware, broadly speaking, is software that performs harmful functions, either on a PC or on a mobile device, without the user's knowledge or contrary to the user's understanding.
The basic idea with malware is that it often comes attached to pieces of software that purport to do one thing, like provide you with a news feed or a stock ticker or a flashlight on your phone. But it actually does something else entirely, like send phantom text messages to vote for American Idol or to pay sites and you end up getting a huge bill on your cell phone at the end of the month and you don't know why. Well, it turns out that you installed a piece of malware.
MARTIN: How would you know?
VERDI: Well, unfortunately, a lot of consumers find out when they get the bill and they get stuck with hundreds or thousands of dollars worth of charges that they never incurred.
MARTIN: So the advantage of the Android, which is produced by Google, is that it's open sourced, so pretty much anybody can provide anything for this device and so you have all these different choices. The bad news is it's not vetted by anybody. You're kind of putting yourself at the mercy of the goodwill of the community, as it were?
VERDI: That's absolutely true. A lot of what you're relying on in the Android application market is you're relying on your relationship with the application developer and that isn't necessarily a problem if the application developer is Microsoft or if the application developer is another well-known software company that you know and trust and have a great relationship with.
The question becomes, when you download an application from an unknown developer. The iPhone store has a much higher likelihood that that unknown developer has been held to some degree of security accountability, whereas the Android market - there's no accountability at all.
MARTIN: What are you most concerned about with these apps that have not been vetted by anybody?
VERDI: The biggest risk is that a user would download malware that enables the software company that wrote the app to totally take control of the user's phone. And we've seen examples of this. We've seen examples where malware will take advantage of certain security holes in either the Android app system or the iPhone app system and it will allow the malware and that software company to control the user's phone, to make the phone vibrate, to make the phone send text messages to pay numbers, to make the phone make calls, to transmit locational information to parties that you don't know and have no relationship with. Those are the real risks.
MARTIN: We're talking with John Verdi. He's the senior counsel of the Electronic Privacy Information Center and we're talking about the downside of all those apps for all those smartphones that so many people got for holiday gifts or bought for themselves.
But Android users aren't the only ones with something to think about. Last year, it was reported - it was discovered that iPhone, which is produced by Apple, tracked its owners' movements and stored that information on the device. And I remember that there was a really rich debate about this. I mean there are some people who had the perspective of that's fine, because if somebody were to steal the phone or steal me, you know, I'd like there to be some record of my movements. Other people were very alarmed by this. They thought that this was a gross intrusion into people's sort of personal, you know, privacy.
Can I just ask your opinion about that?
VERDI: Sure. I think there's two really critical points to make about that. First, the key privacy risk presented by that scenario was the lack of notice and control to users. Users were not notified of this sort of locational collection and they had no control over whether the locational collection occurred or not. And that's a massive privacy risk for folks.
MARTIN: The user knows best what's best for them. And if they're not notified of the data collection and they have no control over it, it's a massive problem.
Has that been fixed? Has that problem been addressed or the issue been addressed?
VERDI: It has been addressed and Apple has fixed that issue. They responded fairly quickly.
MARTIN: And so, finally, for people who have bought an Android device and love the idea of playing with all these apps but are concerned after hearing this conversation, what should they do?
VERDI: Well, I mean I think that the Android device is - and I own one and really enjoy it - I think the Android device has really placed the burden on the users, to make sure that they're comfortable with the, number one, the developer who is giving them the app or selling them the app, right? If individuals have a relationship with a software developer or with the company, go ahead and download the app, that's fine.
The second thing that I need to really highlight is that Android requires that every app that is downloaded or installed be very clear with users about exactly what permissions it's asking for. If that app wants to use locational data, if that app wants to have access to SMS messages, text messages, if that app wants access to your contacts on your phone, it has to say so. And if you download an app that is a game and all of a sudden you see that it wants locational data and access to your contacts and your Web history and everything else, that's a huge red flag.
And I do want to mention - I mean, you know, it isn't just Android users who need to be aware of this. There have been malware attacks in the iPhone Store that have gotten through Apple's vetting process. So all cell phone users who are using these smartphones need to be aware and take care.
MARTIN: John Verdi is the senior counsel of the Electronic Privacy Information Center. He was kind enough to join us here in our studios in Washington, D.C. John Verdi, thanks for joining us once again. And Happy New Year to you.
VERDI: Thanks for having me. Happy New Year, Michel.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.