Smartphones

Lookout provides security and anti-virus for your Android phone

Smartphones are vulnerable, so it's time to consider using a security app. Michael Kassner examines Lookout Mobile Security for your Android device.

I was never an iPhone fan boy. Rather, I was an iPhone Kindle-app fan boy. Now, however, I'm an Android Kindle-app fan boy, because "Apple giveth and Apple taketh away."

Regarding the Kindle-app issue, I plead temporary insanity. Normally, I'd spend considerable time researching which phone, operating system, and apps best fit my needs. But, Apple's decision, along with the allure of a new phone and operating system, were too much. I caved, taking less than a day to decide.

Security is priority one

Two things:

  • After 35 years in IT, I have a well-developed "belt and suspenders" attitude toward device and data security -- whatever the operating system.
  • At the moment, I'm agnostic as to whether iOS or Android is natively more secure.

During my four plus years of iPhone use, I did not see a security app in the App Store. Otherwise, it would have been on my phone. Ironically, a few are finally showing up.

Now that I own a phone using Android, I'm checking out the Android Market. Lo and behold, there are all sorts of security apps. What's a person to do?

Which security app should you use?

I knew about Lookout before my conversion, from reading their Mobile Threat Reports. Remembering the report and the popularity of Lookout convinced me to visit the Lookout web site after my switch to Android. Interesting stuff, particularly this slide:

It points out something I had not given much thought to. Smartphones are touted as computers, just smaller. That may very well be. But, when it comes to security, they are different. For example, not too many people worry about their computer making international calls.

That insight, the 2011 Mobile Threat Report, and my knowledge of John Hering -- I wrote about his BlueSniper project -- were enough to persuade me to cough up the $30 for a year's subscription to Lookout Premium.

Lookout's innards

Lookout Mobile Security (free version) consists of:

  • Security: Checks installed software and data using real-time and scheduled scans
  • Backup: Backs up contact information
  • Missing Device: Has the ability to locate your phone remotely and activate an alarm, even if the phone is silenced
  • Management: Includes web-based management, which allows you to remotely control multiple phones via the Internet

The following slide shows what's different between the free and premium versions:

With Lookout on board, I'm once again a happy Kindle-app user. I did have a few questions that were not answered on the web site, so I contacted the company. Alicia diVittorio was kind enough to respond to my questions.

Kassner: The Premium version offers Locate, Scream, Remote Wipe, and Remote Lock via the web site.

I get what each does, but:

  1. Do these only work if the phone is on at the time the command is given, or will the command be queued and sent when the phone connects to a network?
  2. Can the commands be sent over both cell and Wi-Fi?
  3. What happens if the GPS is disabled?

diVittorio: I'll answer the questions in order:

  1. When a user selects Locate, Lookout will attempt to locate the missing device immediately. If the phone is turned off or not connected to a network, Lookout will wait until the phone is available and send a map of the location.
  2. Yes, Lookout uses both Wi-Fi and a user's carrier connection to locate a mobile device's position.
  3. If GPS is turned off, Lookout can turn it on remotely so a device can be located.

Kassner: Lookout has been awarded the Privacy Seal from TRUSTe. That says a lot. However, the following quote from the Lookout Privacy Policy is troubling:

"If you delete location data, it is anonymized on our production systems and there is no longer a link between your account and any saved location information. If you delete backup data, that data will become inaccessible through your account. If you delete your account, all information saved on your account becomes inaccessible.

The data that becomes inaccessible through your account may remain on our production servers for a period of time to enable you to recover your account or your data if you have accidentally deleted it. If you have accidentally deleted information from your account, you may contact support@mylookout.com as soon as possible to recover it. Aggregate and anonymous information incorporating or derived from your data may remain on our servers indefinitely."

Troubling indeed. I've written articles about the inability to totally anonymized user data. What is your definition of anonymized (Note: Answered by Kevin Mahaffey, CTO for Lookout)?

Mahaffey: When we use the term anonymous, we mean that the data is completely unidentifiable -- there is no way for anyone to tie the data to an individual user (e.g. nor user-specific identifiers attached to the data, PII or otherwise).

We pay extra-special attention to avoid situations where supposedly "anonymous" data can actually be trivially associated with a particular user (e.g. the infamous AoL search dataset). You could say we're paranoid.

Still some concern

I must confess, in my rush to install, I did not pay much attention to what control I gave Lookout. After reading the privacy policy, I wanted to find out how much permission we have to give the app.

The following slides show the asked-for permissions and the reasons why (provided by Lookout):

Final thoughts

I thought it was important to point out the relationship between permissions and features. Until I read their explanations, I was just guessing at why they needed so many.

I am still perplexed as to why my information is saved in any form when I delete it or terminate my account. Particularly, if I paid for the service.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

26 comments
n2iph
n2iph

Wondering if Lookout has expanded to include tablets yet or if it is in the works. Haven't read or seen anything on the web about it. Mike, did you put the question to them as you mentioned in your post on 8-20-11 and if so did they have an answer for you?

jminifie
jminifie

Thanks Michael for sharing this info with us. I recently bought my first smartphone and was concerned about all the talk of malware. I found my way to the Lookout website and decided to give the paid version a try as it seemed to have all the protective features I wanted. Now, based on some of the previous comments, I'm wondering if Lookout really scans for viruses. So far, my phone hasn't done anything funny.

ShaunComan
ShaunComan

I have used and tested Lookout and its Antivirus protection has been useless! I would recommend Bluepoint Security over it. Bluepoint serves strictly as antivirus but tested and works well. It can scan realtime and actually will find intrusions. Also recognizes windows based viruses, great and important!

n2iph
n2iph

Lookout will not install on tablets (at least not on my XOOM). Tablets need protection too. I have Lookout on my phone and its great. I'd like to have the same protection for my tablet but its presently not available...why???

tutor4pc
tutor4pc

Lookout (free) is my security app of choice. That is because I am paranoid about security. On the other hand, what problems exist besides phishing? I do not do any real work on my phone - it s first and foremost a phone. Please enlighten me as to what threats may endanger a plain user doing some applications that query data bases and navigate.

seanferd
seanferd

Even if Lookout turns out not to be the best solution in the long run, at least someone is innovating in this space. Competition will surely follow.

Kyle.Miller
Kyle.Miller

... is not possible programmatically in Android. The ability to do so was removed in Android 1.5. So that comment about being able to "remotely turn on GPS" is BS

Neon Samurai
Neon Samurai

" This conflict of interest between vulnerability disclosure and the ability for people to fully control their own device poses a great security issue. Once a vulnerability being used to root or jailbreak devices becomes public knowledge it may also be used by malicious attackers, like DroidDream. Until all mobile devices allow users to gain full control without resorting to exploits, this conflict of interest between control and safety is likely to continue. " I really like this part. They identify the conflict of interest then point out that it is altimately up to the device manufacturers to fix it; stop locking device owners out of there own personal property! An opt-in easter-egg to unlock the device would allow users to choose to remain under wing while enabling users who choose make more complete use of the hardware.

Michael Kassner
Michael Kassner

I have continued my research and it seems that there is an advantage to using a product like Lookout, even if it's just "peace of mind". I still have it on my phones.

Michael Kassner
Michael Kassner

Interested in learning what made you think that about Lookout. Did it miss some malware?

Michael Kassner
Michael Kassner

And maintain a data base, albeit anonymized about you after you remove your membership. I am working on a new article that will go into details about the permissions aspect. Just thought I would mention that I use Lookout as well.

authorwjf
authorwjf

Even if you wrote a driver an app could not install it dynamically without the phone being rooted. However...there are apps in the market that exploit a bug in the power widget that ships on Android phones. My understanding is that it has only been fixed in the most recent versions (2.3 and possibly 2.2). Up until that point, on some phones it was possible to turn on the GPS remotely via an intent to the power widget itself rather than accessing the location service. If you note the phrasing on Lookout's website the claim is they will enable the GPS remotely "if possible". Interesting!

Neon Samurai
Neon Samurai

I would think the ability to turn on/off would have to be disabled within hardware. If it's simply removed from the OS then someone with intent needs only to write there own driver call?

Michael Kassner
Michael Kassner

I thought the same. I turned it off and then proceeded to move my location several miles. Did not touch my phone. The website had my new location designated.

aiellenon
aiellenon

I have been using lookout since the very early beta, and have never had any issue with it, although it has never found anything either... I was a bit disappointed there was not a discount or year free when they launched the paid service, for beta users. I was a bit concerned after I decided to root my phone that there was not even a warning for any apps requiring or requesting root access, nor any warning that it detected the phone had been rooted.

Michael Kassner
Michael Kassner

I have an app called GPS Test (It cannot start GPS on its own). Tried test again. ..Made sure GPS was unchecked. ..Went to the website and started a locate. ..Minute later, the website located my phone correctly. ..GPS Test was green and showing several satellites it was receiving data from. ..Stopped the location process. ..GPS Test then determined GPS was now shut off.. It somehow is turning the GPS receiver on and off remotely.

aiellenon
aiellenon

I typed up a really nice response, but have no idea what I said... I'll just have to create something else... I installed the app, it found the vulnerability, was able to turn on my GPS, and lookout never once complained. But I do have to note, I have a 900KB redirecting hosts file and I am looking/hoping for the ability to add a PAC filter to Android. I do not understand why this is not an available option in the Operating System like it is in EVERY desktop and server OS. from what I understand Opera Mobile (not mini) supports a proxy (thus allowing a PAC filter), but this does not enable or require it for the OS. So all other connections still access the internet un-filtered. for more information on host files and PAC filters, including constantly updated files you can use on any desktop OS, go to http://www.securemecca.com (not directly affiliated with that site, but I do communicate directly with the "webmaster" on a weekly basis over the last 6-8 months and provide testing services)

authorwjf
authorwjf

You've hit the nail on the head.

AnsuGisalas
AnsuGisalas

Do we agree that a user can use an input device to manipulate the GUI? If so, then an app with the right permissions can also emulate user input in the GUI, say emulating a double-tap on a specific option in the GUI (GPS : On).

authorwjf
authorwjf

The way an OS protects / restricts access to its hardware has to do with operating in user vs kernel space. To say if its wired correctly it can also be called is not accurate. A way to think of it that makes it easier is to consider the entire Android OS as it is delivered by Google on a phone as one uber-application. The only parameters that can be added outside of what was delivered on your phone are the APKs, or apps. These don't run native on the OS but rather inside of the environment Google provided and thus can only exercise certain parts of the OS, just like WORD docs can only perform certain actions inside of MS WORD. Yes, people find ways to exploit holes in MS Office, and when they do, they are able to get some unintended behavior, but an app downloaded to a stock phone can no more call a driver directly than you can make a document for WORD call a driver on your Windows PC. In short, while I have no doubt that Lookout is turning on the GPS remotely, I am confident they don't accomplish this by calling the driver or poking the hardware address as APKs don't have a way to access kernel mode operations directly. The software must be exploiting a security flaw in one of the pre-compiled applications that shipped with the phone, such as the power widget I mentioned previously.

Michael Kassner
Michael Kassner

Except that having been around a good many years has taught me to never say no way.

AnsuGisalas
AnsuGisalas

...except by not instructing it to use them. Like neon said, if it's wired in correctly, then it can also be called. The GUI has a way to tell the OS to turn on the GPS (the check box in the GUI), so with enough permissions it's not conceivable that an OS could deny this power from everything else than the GUI. The GUI is not the OS.

Editor's Picks