iOS Apps Just as Intrusive as Android Apps: Research

iOS apps are just as invasive and curious about user data as Android apps are, BitDefender researchers found after analyzing more than half a million mobile apps.

BitDefender analyzed more than 522,000 apps over the past year and focused on the "intrusive behaviors" the app developer may have included in the product, such as tracking location, reading contact lists, and leaking your email address or device ID, said Catalin Cosi, chief security strategist at BitDefender. The team also looked at activities which may be considered unnecessary or negligent.

One of the biggest issues about mobile security is the fact that users are frequently unaware what their apps on their devices are doing. Whether that's because they don't read the permissions or because the apps themselves are being sneaky, the end result is the same: users, and the organizations they work for, are less secure.

iOS Apps as Invasive as Android Apps

The Android platform has always been considered more risky than Apple's iOS. In fact, according to a report released in April by NQ Mobile, nearly 95 percent of all mobile malware discovered throughout 2012 targeted the Android operating system.

Despite fevered arguments that iOS is more secure than Android, or that Android offers developers more options than iOS, BitDefender found that both platforms are equally invasive and curious when it comes to collecting user data, which was "contrary to popular media and consumer beliefs," Cosi said.

Location tracking is a major concern for both Android and iOS, BitDefender found. About 45 percent of iOS apps have location tracking capabilities, even if they don't explicitly use them, as opposed to only 35 percent of Android apps. However, a little over 1 percent of Android apps could track location in the background, even after the app has been closed, and almost 10 percent of the analyzed Android apps may transfer the data to third-party servers. Advertiser networks are frequent recipients of such data.

While there are legitimate reasons for accessing location, sending that information over the Web to remote servers is frequently unnecessary for some apps, Cosi said. For users, it may put their data at risk if the organization collecting the information ever experiences a data breach, he added.

Apps that are known to send your location over the Internet are doing other potentially harmful things, such as spamming the notification bar and planting icons on the home screen, BitDefender said. Other apps that send location information also leak the phone number and the user's e-mail address to ad vendors.

When it comes to the contact list, iOS apps are "much more interested" than Android apps in reading the list, Cosi said. Only a little under 8 percent of Android apps request user permission to access the list, compared to 19 percent of iOS apps that have the ability to snoop. Some of the iOS apps, such as 3D Badminton II and OLJ, read and send names and email addresses to remote servers, Cosi said.

"iOS applications appear to be more focused on harvesting private data than the ones designed for Android," Cosi wrote.

While all these behaviors can be legitimate functionality, there are significant threats to the user and the organization when these technologies are implemented improperly, Cosi said. Leaking unencrypted device IDs, or sending plain-text passwords during the authentication process is "highly dangerous" for a mobile device that frequently connects to public Wi-Fi access points.

Cosi acknowledged that permissions work differently on the two mobile platforms. Android apps state all the permissions needed at installation time and there is no way to change the settings afterwards. iOS permissions, on the other hand, are requested at run-time, as the specific resource is used. Users are able to allow or deny on a case-by-case basis, such as current location. This may make iOS a little bit more secure in practice. iOS developers are restricted by the developer agreement from collecting phone numbers, and if their apps are found to collect that information anyway, the offending apps will be rejected from the App Store.
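Because Android declares every permission up front in the app's manifest, the combinations the article singles out (location, contacts, or device identifiers alongside network access, plus the ability to start in the background) can be triaged before installation. The script below is an added example written for this page; it is not BitDefender's tooling and the two manifests in it are constructed for illustration. It parses `<uses-permission>` entries and reports risky pairings. A declared permission shows capability, not proof that data leaves the device, which is the same caveat the article makes about legitimate uses.

```python
"""Triage an AndroidManifest.xml for data-collection permissions paired with
network access. Added example for this article, not BitDefender's code."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Attribute namespace used by android:name="..." in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the data they expose.
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
CONTACTS = {"android.permission.READ_CONTACTS"}
IDENTIFIERS = {"android.permission.READ_PHONE_STATE",  # device ID, phone number
               "android.permission.GET_ACCOUNTS"}      # account e-mail addresses
NETWORK = {"android.permission.INTERNET"}
BOOT = {"android.permission.RECEIVE_BOOT_COMPLETED"}   # may run without the user opening it

# Constructed sample: an app that declares everything the article worries about.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Sample"/>
</manifest>
"""

# Constructed sample: location only, no network path off the device.
OFFLINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.offlinemap">
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="OfflineMap"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> list[str]:
    """Return sorted finding codes for risky permission combinations.

    '<data>-to-network'  : the data can be read and the app can reach the Internet
    '<data>-local-only'  : the data can be read but no INTERNET permission is declared
    'background-location-possible' : location plus a boot receiver, so tracking can
                                     continue without the user opening the app
    """
    perms = declared_permissions(manifest_xml)
    online = bool(perms & NETWORK)
    findings = []
    for code, group in (("location", LOCATION),
                        ("contacts", CONTACTS),
                        ("identifiers", IDENTIFIERS)):
        if perms & group:
            findings.append(f"{code}-to-network" if online else f"{code}-local-only")
    if perms & BOOT and perms & LOCATION:
        findings.append("background-location-possible")
    return sorted(findings)


if __name__ == "__main__":
    for name, manifest in (("sampleapp", SAMPLE_MANIFEST),
                           ("offlinemap", OFFLINE_MANIFEST)):
        print(name, triage(manifest))
```

iOS has no equivalent manifest to inspect: as the article notes, access is negotiated at run time through per-resource prompts, so the comparable check there is reviewing which prompts an app has been granted rather than a static file.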

"The Android ecosystem is much more permissive when it comes to data collection and application distribution," Cosi said. The fact that it's possible to distribute apps outside of Google Play "defeats potential screening" and leaves it up to the user whether or not to take the chance with an app.

The full report from Bitdefender is available here.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.