What Your iPhone or Android Is Telling ID Thieves

With the rapid emergence of web-based financial technology like online banking and trading, the security of users’ personal information has become a top concern for both consumers and financial institutions. Computers, however, are quickly becoming the second-place option for surfing the web, while the use of smartphones is exploding. Unfortunately, with this shift comes a similar one in ID theft and the ability for identity thieves and hackers to see your private data via your phone.

The Door to Smart Phone Identity Theft: Apps

The idea that a smartphone with internet access could be hacked may not seem too far-fetched, but the method by which it happens could surprise you.

One of the major features these phones have to offer–which makes owning them so appealing in the first place–is also what makes your private information more accessible: Applications.

That’s not to say all of your apps are currently putting you at risk for identity theft, but the ease with which smartphone users hit the “download” button without fully investigating exactly what it is they’re putting onto their phones should be cause for alarm.

Applications, whether it’s the Chase mobile banking app or Zombieville USA, have the potential to communicate data you’d never want to share, including personal financial data.

How Applications Make iPhone ID Theft Possible

App developers decide what types of information these programs store and how, with the ability to encrypt personal data beyond what the phone itself does. One of the major problems with applications available today is that many store sensitive information without encrypting it at all.

viaForensics, a digital forensics and security firm, recently reviewed the security behind 100 of the most popular apps to find out how well they protect users’ data.

Alarmingly, the firm’s appWatchdog service found that 5 of these apps transmitted personal information like age or gender, 76 percent of apps stored usernames on the devices without encryption, and 10 percent actually stored unencrypted passwords, including Netflix and LinkedIn. See the full appWatchdog findings here.

Fortunately, among the most secure were bank apps, but keep in mind that owning just one unsecured application can compromise all the data available through your mobile device–and that applies to tablet PCs as well.

Tips for Smartphone ID Theft Protection

When it comes to the world of identity theft and hacking, it’s pretty much impossible to be immune from attack–that’s just the trade-off we make for the convenience. Despite this truth, there are several steps you can take to protect yourself, or at least catch instances of fraud before too much time elapses to reverse the effects.

  • Use Different Usernames and Passwords: Many people use the same username and password for a variety of online accounts, usually just out of laziness. Think about it, though: If a hacker gets a hold of your Facebook login information, and it’s the same as your bank and credit card account, well, you see the problem. Set unique login information for all of your accounts and profiles to easily prevent this problem.
  • Monitor Your Credit: Keeping an eye on your credit activity and report is incredibly important. Not only will you be aware of how your daily actions affect your financial health, but you will be alerted to suspicious or fraudulent activity right away.

  • Stick to Paid Apps: There are fewer incidents of private data being shared with third parties when it comes to paid apps. After all, free apps have to make money somehow, and it’s often with your personal information.

Identity theft through mobile devices isn’t occurring at the same rate it does through computers, but the thousands of new apps every day are making it much easier.

Anyone can create an app available for download through the iTunes app store or Google’s android market, which usually don’t go through a thorough review. That means it’s up to you to remain cautious about what you download and investigate the safety and credibility of an app before you add it onto your phone.

  • J. Scott Anderson

    Mr. Bond, your mixing of environments between Android and the iPhone is very misleading. Take the following statement in your closing:

    “Anyone can create an app available for download through the iTunes app store or Google’s android market, which usually don’t go through a thorough review.”

    The problem with this is that iPhone applications – the ones that go through the iTunes Store – are all reviewed. In fact, it is a common complaint of the Open Source advocates that they cannot upload anything they so desire for others to download. That privilege/weakness is a trait of the Google site for Android applications (the Android Market).

    And, if you are worried that even legitimate applications might be gathering more of your personal information than you want them to, you should clearly warn your readers to completely avoid any and all Android powered systems. Google gives Android to hardware makers for free. They do this because they make their money by selling…wait for it…YOU. That’s right. Google is an advertising company. They make their money by selling all the personal, private information they can gather about their users to sell to their customers, people that buy advertising.

    In an Android world, even if every application was vetted the way that Apple does iOS device applications, you would still be sharing private, personal information with strangers because the very operating system (Android and thus Google) is collecting it, for the sole purpose of selling it.

    Google is not a charity – nor should they be. There is nothing wrong with that nor is there anything wrong with someone using Android. They just need to know and approve of the fact that they are the product being sold – that is their privacy being sold. If they are okay with that, then there is no problem.

    Hopefully, Mr. Bond, you will revisit your article with an eye to clearing up the information you attempted to provide. It is an important issue and I am glad that you have an interest in it.

    • caseyb

      It’s Ms. Bond, thank you.

      I appreciate your comment, though please note that I stated these apps don’t go through a thorough review. Google has flat-out said they do not review each app made available for Android, while Apple claims they do.

      However, the fact is that it’s impossible for Apple to fully review each and every application in the app store and ensure no questionable information-gathering is taking place, otherwise, instances such as those below, as reported by Forbes, would not occur:

      “In September of last year iPhone users told French blog Mac4Ever that a traffic-monitoring application called MogoRoad surreptitiously grabbed their phone numbers and called the user to try and persuade them to upgrade the free software to a paid version. Just two months later, iPhone users filed a class-action lawsuit against game developer Storm8, whose software was collecting their phone numbers.” You can read more here: http://www.forbes.com/2010/03/03/blackberry-iphone-android-technology-security10-privacy.html

      Additionally, the above-mentioned appWatchdog study found both Android and iPhone apps to be guilty of storing sensitive personal information, including passwords, in plain text.

      Just because a store has a security guard doesn’t mean it can’t be robbed. Applications, regardless of platform, have the capability of storing and making available private data.

      My intention in this article is to make readers aware of this fact and practice caution when downloading apps, not tell them what mobile device they should be using or explain Google/Apple’s business model.

  • J. Scott Anderson

    Ms. Bond,

    First, grabbing allowed information, such as a phone number, is not bad nor does it violate any policies. What happened in France is the misuse of allowed data. That is very different. When I go to a store and they ask me for my e-mail, phone, and zip (information that is used together to identify exactly who I am – and is done by marketing companies all the time). This is not illegal. However, if they start spamming me with marketing phone calls, that is a problem, if not illegal.

    Yes, storing private information in plain text is a problem. But it is not the problem you are making it out to be. First, the thief has to acquire your phone – steal it from you. Then they have to have the interest, knowledge, tools, and motivation to actually go digging through your phone for your information. All while making sure that you do not issue a remote Wipe command before they can do that.

    If your intention is to make your readers aware of private data issues, then you may want to consider being more clear and away from statements that insert FUD like “Apple claims” to review apps. I am in the security business and I use both operating systems. The facts are, there has been no app-related malware on the iOS devices. While on the Android OS, there are many documented to date and more active right now. It is a common practice to hijack an Android application, modify its code with malware, insert in place of the non-modified app on any of the Android app stores (even Google’s). Then unsuspecting people download bad apps that have knowledgeable motivated people that want the information stolen for misuse. Make your readers aware of the real and current threat. Not the FUD of a bogey man in the bushes.