Mobile apps on Android-powered smartphones and Apple's iPhone can disclose more personal data than most users realize, security vendor Lookout revealed Wednesday at the Black Hat USA 2010 conference in Las Vegas. Rather than being malicious, users often give the apps permission to access data when they are installed.

Lookout CEO John Hering and CTO Kevin Mahaffey told a session titled App Attack: Surviving the Mobile Application Explosion that a popular Android wallpaper app from Jackeey Wallpaper sent users' data, including phone numbers and SIM card numbers, to a server in Shenzhen, China. The wallpapers included My Little Pony and Star Wars.

Free apps can be risky, they said, with about 29 percent of free Android apps and 33 percent of those for the iPhone able to determine a user's location. Apple's iOS does, however, require apps to alert users when location information is accessed. iPhone users can also use the settings to block apps from accessing personal data.

In addition, Hering and Mahaffey said, about eight percent of Android apps and 14 percent of iPhone apps can access user contacts. And 47 percent of Android apps and 23 percent of iPhone apps have third-party code, usually for mobile ads and analytics, but sometimes for other purposes.

They urged app developers to be aware of security practices, especially when third-party code is added. Mahaffey noted, "The lesson today is that developers don't always know what's inside their apps."

Hering added, "Standardized APIs are making it easier and easier to actually create practical attacks. Instead of having to do something complex in a desktop-like environment, I know I can just call the contact API, for example, and have a very simple programmatic way to grab that information."