Lookout CEO John Hering and CTO Kevin Mahaffey told a session titled App Attack: Surviving the Mobile Application Explosion that a popular Android wallpaper app from Jackeey Wallpaper sent users' data, including phone numbers and SIM card numbers, to a server in Shenzhen, China. The wallpapers included My Little Pony and Star Wars.

Free apps can be risky, they said, with about 29 percent of free Android apps and 33 percent of those for the iPhone able to determine a user's location. Apple's iOS does, however, require apps to alert users when location information is accessed. iPhone users can also use the settings to block apps from accessing personal data.

In addition, Hering and Mahaffey said, about eight percent of Android apps and 14 percent of iPhone apps can access user contacts. And 47 percent of Android apps and 23 percent of iPhone apps have third-party code, usually for mobile ads and analytics, but sometimes for other purposes.

They urged app developers to be aware of security practices, especially when third-party code is added. Mahaffey noted, "The lesson today is that developers don't always know what's inside their apps."

Hering added, "Standardized APIs are making it easier and easier to actually create practical attacks. Instead of having to do something complex in a desktop-like environment, I know I can just call the contact API, for example, and have a very simple programmatic way to grab that information."

The gallery lets Apple fans find extensions that add new features to the browser, such as toolbars that display live web feeds and sophisticated programs that filter web content. Safari 5.0.1 users can download and install extensions from the gallery or directly from a developer's web site.

"The Safari Extensions Gallery puts Safari right up there with Chrome or Firefox with its ability to add functionality to the browser," said Michael Gartenberg, a partner at Altimeter Group. "It looks like they've got a good collection of extensions already up in the gallery. What's interesting is that once again there is a Bing extension built in. Other than the extensions, this is a minor release."

Microsoft, Amazon and Twitter Agree ...

Apple is getting kudos from some of its heavy-hitting technology colleagues (and competitors), including Microsoft, Twitter and Amazon.com. Gianna Puerini, vice president of worldwide design and community at Amazon, pointed to how the browser helps its customers build wish lists.

"With Safari 5, we were able to quickly build the Add to Amazon Wish List extension that lets customers add items from any web site to their Amazon wish list with the click of a button," Puerini said.

Jeff Henshaw, general manager of Microsoft's Bing User Experience, said the software giant is excited about working closely with Apple to bring "visually compelling Bing experiences to Safari."

"The Bing Extension for Safari brings Bing search intelligence to everyday browsing with Safari," Henshaw said. "When a user selects text in Safari,...

Lookout Inc., a mobile-phone security firm, scanned nearly 300,000 free applications for Apple Inc.'s iPhone and phones built around Google Inc.'s Android software. It found that many of them secretly pull sensitive data off users' phones and ship them off to third parties without notification.

That's a major concern that has been bubbling up in privacy and security circles.

The data can include full details about users' contacts, their pictures, text messages and Internet and search histories. The third parties can include advertisers and companies that analyze data on users.

The information is used by companies to target ads and learn more about their users. The danger, though, is that the data become vulnerable to hacking and use in identity theft if the third party isn't careful about securing the information.

Lookout reported its findings this week in conjunction with the Black Hat computer security conference in Las Vegas.

Lookout found that nearly a quarter of the iPhone apps and almost half the Android apps contained software code that contained those capabilities.

The code had been written by the third parties and inserted into the applications by the developers, usually for a specific purpose, such as allowing the applications to run ads. But the code winds up forcing the application to collect more data on users than even the developers may realize, Lookout executives said.

"We found that not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating," said John Hering, CEO of the San Francisco-based Lookout.

Part of the problem is smart phones don't alert users to all the different types of data the applications running on them are collecting. IPhones only alert users when applications want to use their locations.

And...