I was never an iPhone fan boy. Rather, I was an iPhone Kindle-app fan boy. Now, however, I’m an Android Kindle-app fan boy, because “Apple giveth and Apple taketh away.”

Regarding the Kindle-app issue, I plead temporary insanity. Normally, I’d spend considerable time researching which phone, operating system, and apps best fit my needs. But Apple’s decision, along with the allure of a new phone and operating system, was too much. I caved, taking less than a day to decide.

Security is priority one

Two things:

  • After 35 years in IT, I have a well-developed “belt and suspenders” attitude toward device and data security — whatever the operating system.
  • At the moment, I’m agnostic as to whether iOS or Android is natively more secure.

During my four-plus years of iPhone use, I did not see a security app in the App Store. Otherwise, it would have been on my phone. Ironically, a few are finally showing up.

Now that I own a phone using Android, I’m checking out the Android Market. Lo and behold, there are all sorts of security apps. What’s a person to do?

Which security app should you use?

I knew about Lookout before my conversion, from reading their Mobile Threat Reports. Remembering the report and the popularity of Lookout convinced me to visit the Lookout web site after my switch to Android. Interesting stuff, particularly this slide:

It points out something I had not given much thought to. Smartphones are touted as computers, just smaller. That may very well be. But, when it comes to security, they are different. For example, not too many people worry about their computer making international calls.

That insight, the 2011 Mobile Threat Report, and my knowledge of John Hering — I wrote about his BlueSniper project — were enough to persuade me to cough up the $30 for a year’s subscription to Lookout Premium.

Lookout’s innards

Lookout Mobile Security (free version) consists of:

  • Security: Checks installed software and data using real-time and scheduled scans
  • Backup: Backs up contact information
  • Missing Device: Has the ability to locate your phone remotely and activate an alarm, even if the phone is silenced
  • Management: Includes web-based management, which allows you to remotely control multiple phones via the Internet

The following slide shows what’s different between the free and premium versions:

With Lookout on board, I’m once again a happy Kindle-app user. I did have a few questions that were not answered on the web site, so I contacted the company. Alicia diVittorio was kind enough to respond to my questions.

Kassner: The Premium version offers Locate, Scream, Remote Wipe, and Remote Lock via the web site.

I get what each does, but:

  1. Do these only work if the phone is on at the time the command is given, or will the command be queued and sent when the phone connects to a network?
  2. Can the commands be sent over both cell and Wi-Fi?
  3. What happens if the GPS is disabled?

diVittorio: I’ll answer the questions in order:

  1. When a user selects Locate, Lookout will attempt to locate the missing device immediately. If the phone is turned off or not connected to a network, Lookout will wait until the phone is available and send a map of the location.
  2. Yes, Lookout uses both Wi-Fi and a user’s carrier connection to locate a mobile device’s position.
  3. If GPS is turned off, Lookout can turn it on remotely so a device can be located.

Kassner: Lookout has been awarded the Privacy Seal from TRUSTe. That says a lot. However, the following quote from the Lookout Privacy Policy is troubling:

“If you delete location data, it is anonymized on our production systems and there is no longer a link between your account and any saved location information. If you delete backup data, that data will become inaccessible through your account. If you delete your account, all information saved on your account becomes inaccessible.

The data that becomes inaccessible through your account may remain on our production servers for a period of time to enable you to recover your account or your data if you have accidentally deleted it. If you have accidentally deleted information from your account, you may contact support@mylookout.com as soon as possible to recover it. Aggregate and anonymous information incorporating or derived from your data may remain on our servers indefinitely.”

Troubling indeed. I’ve written articles about the inability to totally anonymize user data. What is your definition of anonymized? (Note: Answered by Kevin Mahaffey, CTO for Lookout.)

Mahaffey: When we use the term anonymous, we mean that the data is completely unidentifiable — there is no way for anyone to tie the data to an individual user (e.g. no user-specific identifiers attached to the data, PII or otherwise).

We pay extra-special attention to avoid situations where supposedly “anonymous” data can actually be trivially associated with a particular user (e.g. the infamous AOL search dataset). You could say we’re paranoid.

Still some concern

I must confess, in my rush to install, I did not pay much attention to what control I gave Lookout. After reading the privacy policy, I wanted to find out how much permission we have to give the app.

The following slides show the asked-for permissions and the reasons why (provided by Lookout):

Final thoughts

I thought it was important to point out the relationship between permissions and features. Until I read their explanations, I was just guessing at why they needed so many.

I am still perplexed as to why my information is saved in any form when I delete it or terminate my account, particularly if I paid for the service.