Mobile phones changed the way we work and live. They are now not just our phones, but also our calendars, email clients, contact databases, browsers, cameras, shopping lists and much more. Mobiles also took over the functions of even more traditional tools, like our flashlight. I cannot remember the last time I used my AA-battery-powered flashlight, and to be honest I have no idea where it is. But why would I need it when I can use my mobile as a flashlight and it is always with me?
Flashlight apps are very simple, and there are dozens of them to choose from on Google Play. Using one is not complicated: just turn it on and there is light. Fancier ones can blink, adjust the brightness, or switch off automatically to save the battery, but that is all a flashlight application needs to do.
I was curious to see how secure flashlight apps actually are, so we used App-Ray to scan the 8 most popular free flashlight apps on Google Play. I did not have high hopes, but even so, the results were shocking.
No free lunch
Free apps always raise the same question: how do developers make a living from something they give away? Who pays for lunch? In most cases we, the users, pay, although often in an indirect fashion. Of course there are truly free apps created for fun rather than profit, but not in the flashlight universe!
All of the inspected flashlight apps included ad libraries, and half of them actually bundled more than one. None of this is advertised with the apps, but it should not surprise us: developers are not charities.
Most people would be OK with this, but unfortunately, the analyzed flashlight apps do contain other surprises. Let’s see how deep the rabbit hole goes!
Location, location, location
Location is important for real estate, but it is equally important when tracking users. Would you expect your flashlight app to track your physical location? No, you would not. Still, 2 out of 8 apps do track your movements: they access your coarse location and Wi-Fi state, and your GPS location when it is enabled.
I cannot see any legitimate flashlight function that would require the physical location of its users; the only plausible reason is selling personal information to make in-app advertisements more effective. Whatever the justification, it is a major breach of personal privacy.
People are actually afraid that their mobile phones can be used to spy on them. Telco operators can listen to what they say, track them and hand that data over to third parties. Well, here is even more bad news: a simple flashlight app can do that, too!
One scanned app surprisingly requested permission to record audio from the microphone of the mobile device. Why, you might ask? I do not know for sure, but I have some ideas: you install a simple app to use your phone as a flashlight, and the developers can listen to what you and others are saying near your phone. A nice hidden gem, right?
To make matters worse, this is not some random malware installed on a handful of devices; according to Google Play it has been installed on between 10 and 50 million devices. A modern form of mass surveillance!
Unfortunately, that’s not the end of it. 3 out of 8 apps write to the SD card, again something you would not expect from a flashlight. Also, 3 out of 8 apps include in-app payment functionality, which could trick users into spending real money. Buy some extra light? Hard to imagine…
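The findings above all come down to one thing: permissions a torch has no business asking for. Here is an added example of how to triage them yourself from an app's manifest (editor's illustration, not App-Ray's checker and not code from any scanned app). The manifest is constructed to mirror the article's findings; on a real APK you would feed it the output of `aapt dump xmltree app.apk AndroidManifest.xml` or apktool. The "expected" and "sensitive" lists are this example's own baseline for a flashlight, not a Google or App-Ray classification.

```python
"""Triage the permissions an Android app declares against what a flashlight needs.

Editor's example, not App-Ray code. The manifest is constructed to resemble the
article's findings: location, microphone, SD-card write and billing permissions
declared by a 'flashlight'.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
    <uses-feature android:name="android.hardware.camera.flash"/>
</manifest>
"""

# Baseline assumed by this example: the LED is driven through the camera HAL on
# older Android releases, so CAMERA is legitimate; FLASHLIGHT and WAKE_LOCK are
# harmless extras. Anything else needs a justification.
EXPECTED_FOR_FLASHLIGHT = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.WAKE_LOCK",
}

# Permissions that let the app observe the user rather than light a room,
# with the concern a reviewer should raise for each.
PRIVACY_SENSITIVE = {
    "android.permission.ACCESS_COARSE_LOCATION": "tracks approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "tracks GPS location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi scan data can geolocate the device",
    "android.permission.RECORD_AUDIO": "can record audio from the microphone",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_PHONE_STATE": "reads IMEI / phone number identifiers",
    "android.permission.WRITE_EXTERNAL_STORAGE": "writes to shared storage / SD card",
    "com.android.vending.BILLING": "in-app purchases",
}

LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage(manifest_xml: str) -> dict:
    """Split declared permissions into expected / privacy-sensitive / unexplained."""
    perms = declared_permissions(manifest_xml)
    return {
        "expected": sorted(p for p in perms if p in EXPECTED_FOR_FLASHLIGHT),
        "sensitive": {p: PRIVACY_SENSITIVE[p] for p in perms if p in PRIVACY_SENSITIVE},
        "unexplained": sorted(
            p for p in perms if p not in EXPECTED_FOR_FLASHLIGHT and p not in PRIVACY_SENSITIVE
        ),
    }


def can_track_location(manifest_xml: str) -> bool:
    """True if the app declares any location permission (the article's tracking criterion)."""
    return bool(set(declared_permissions(manifest_xml)) & LOCATION_PERMISSIONS)


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("needed by a torch:", ", ".join(report["expected"]))
    for perm, why in report["sensitive"].items():
        print(f"SUSPICIOUS {perm}: {why}")
    print("no obvious justification:", ", ".join(report["unexplained"]))
    print("location tracking possible:", can_track_location(SAMPLE_MANIFEST))
```

INTERNET lands in the "unexplained" bucket on purpose: it is not privacy-sensitive by itself, but combined with an ad library it is the channel through which everything else leaves the phone.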
Last, but not least, let’s talk about simple errors in the apps that could be exploited by 3rd parties.
As we have seen, many of the flashlight apps leak personal information about the user. To make the situation even worse, 3 out of 8 apps do not implement encrypted communication correctly. They not only leak your data, they do not even bother to protect the channel they transmit it over, so a malicious third party on the network path can eavesdrop and steal that data as well. Good job!
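"Not implementing encrypted communication correctly" usually means one of a handful of well-known mistakes in the app's code: plain http:// endpoints, a hostname verifier that always returns true, or an X509TrustManager whose checkServerTrusted method is empty. As an added example (editor's illustration, not App-Ray's analysis and not code from any scanned app), here is a pattern scanner for those mistakes run over a constructed, decompiled-looking Java snippet. On a real app you would point it at the output of a decompiler such as jadx; the rules are heuristics, so a hit is a lead for manual review, not a verdict.

```python
"""Flag the usual ways an Android app defeats its own TLS, by pattern-matching decompiled Java.

Editor's example, not App-Ray's checker. SAMPLE_SOURCE is constructed to exhibit the
patterns; real input would be a decompiler's output for the app under review.
"""
import re

# Constructed decompiled source, not from any real flashlight app.
SAMPLE_SOURCE = r'''
package com.example.torch.net;

public class AdClient {
    private static final String AD_URL = "http://ads.example.invalid/v1/track";

    static {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    }

    static TrustManager[] trustAll() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }};
    }
}
'''

# A constructed snippet that does things properly, to show the scanner stays quiet.
CLEAN_SOURCE = 'private static final String AD_URL = "https://ads.example.invalid/v1/track";'

# Each rule: (name, compiled regex, what the hit means). DOTALL lets the
# empty-method rules span the line break inside the braces.
RULES = [
    ("cleartext-http",
     re.compile(r'"http://[^"]+"'),
     "data is sent without any encryption at all"),
    ("trust-all-verifier",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;", re.DOTALL),
     "hostname verification accepts any certificate name"),
    ("empty-checkServerTrusted",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}", re.DOTALL),
     "server certificate chain is never validated"),
    ("allow-all-hostname-verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "Apache HttpClient configured to skip hostname checks"),
]


def scan_source(java_source: str) -> dict[str, list[int]]:
    """Map each triggered rule name to the 1-based line numbers where it matched."""
    findings: dict[str, list[int]] = {}
    for name, pattern, _ in RULES:
        lines = [java_source.count("\n", 0, m.start()) + 1 for m in pattern.finditer(java_source)]
        if lines:
            findings[name] = lines
    return findings


def report(java_source: str) -> list[str]:
    """Human-readable one-liners, one per finding, in rule order."""
    found = scan_source(java_source)
    return [f"{name} at line(s) {found[name]}: {why}" for name, _, why in RULES if name in found]


if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE) or ["no transport-security findings"]:
        print(line)
    print("clean snippet:", report(CLEAN_SOURCE) or "no findings")
```

The empty-trust-manager pattern is the one to prioritise: with it in place the app will happily talk TLS to anyone who presents any certificate, so an attacker on the same Wi-Fi gets the same view of the traffic as with plain HTTP.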
A less severe but still serious problem: half of the apps contained potential SQL injection vulnerabilities. This is a well-known risk in web applications, but it applies to mobile apps too, since most of them carry their own local SQLite database. And it is entirely avoidable: binding parameters in prepared statements, instead of concatenating strings into the query, closes the hole.
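To make the injection risk concrete, here is an added example (editor's illustration, not code from any scanned app) of the vulnerable and the safe query side by side, run against a constructed in-memory SQLite table standing in for an app's purchase store. Python's sqlite3 is used so the example runs anywhere; Android's `SQLiteDatabase.rawQuery(sql, selectionArgs)` takes exactly the same `?` placeholders, so the safe form carries over unchanged.

```python
"""String-built SQL in a local SQLite store is injectable; bound parameters are the fix.

Editor's example, not code from any scanned app. The table and rows are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an app's in-app-purchase records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases (user TEXT, sku TEXT, unlocked INTEGER)")
    conn.executemany(
        "INSERT INTO purchases VALUES (?, ?, ?)",
        [("alice", "pro_strobe", 1), ("bob", "pro_strobe", 0), ("carol", "colour_pack", 1)],
    )
    return conn


def unlocked_vulnerable(conn: sqlite3.Connection, user: str) -> list[str]:
    """The pattern a scanner flags: a user-controlled value is concatenated into SQL.
    Equivalent to db.rawQuery("SELECT ... WHERE user='" + user + "' ...", null) on Android."""
    sql = "SELECT sku FROM purchases WHERE user = '" + user + "' AND unlocked = 1"
    return [row[0] for row in conn.execute(sql)]


def unlocked_safe(conn: sqlite3.Connection, user: str) -> list[str]:
    """Parameterised form: the value is bound as data and never parsed as SQL.
    Equivalent to db.rawQuery("SELECT ... WHERE user = ? ...", new String[]{user})."""
    sql = "SELECT sku FROM purchases WHERE user = ? AND unlocked = 1"
    return [row[0] for row in conn.execute(sql, (user,))]


# Constructed attacker input, e.g. arriving via an exported Activity's Intent extra:
# closes the quote, makes the WHERE clause always true, and comments out the rest.
PAYLOAD = "bob' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("bob, safe query       :", unlocked_safe(db, "bob"))          # nothing unlocked
    print("payload, vulnerable   :", unlocked_vulnerable(db, PAYLOAD))  # every sku in the table
    print("payload, safe query   :", unlocked_safe(db, PAYLOAD))       # no such user, nothing
```

The vulnerable query lets the payload "unlock" content that was never paid for and dumps other users' rows; the bound-parameter query treats the whole payload as a (non-existent) user name and returns nothing.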
Not counting in-app advertisements (which all inspected apps had), 6 out of 8 apps seriously breached users’ privacy and contained other serious security flaws. According to Google Play, these 6 apps have been installed on 400-500 MILLION devices.
So, almost half a billion devices have serious privacy and security issues just because their users installed one or another of the most popular flashlight applications.
My advice is to be very cautious about which apps you install on your device. A high installation count does not automatically mean an app is safe or secure to use!
Check what permissions your apps request, and refuse to grant permissions to suspicious apps, or whenever there seems to be no good reason for the request.
Interested in more details on Android application security checking? Go to app-ray.co for more information!