iOS Apps Just as Intrusive as Android Apps: Research

iOS apps are just as invasive and curious about user data as Android apps are, BitDefender researchers found after analyzing more than half a million mobile apps.

BitDefender analyzed more than 522,000 apps over the past year and focused on the “intrusive behaviors” the app developer may have included in the product, such as tracking location, reading contact lists, and leaking your email address or device ID, said Catalin Cosi, chief security strategist at BitDefender. The team also looked at activities which may be considered unnecessary or negligent.

One of the biggest issues in mobile security is that users are frequently unaware of what the apps on their devices are doing. Whether that’s because they don’t read the permissions or because the apps themselves are being sneaky, the end result is the same: users, and the organizations they work for, are less secure.

The Android platform has always been considered more risky than Apple’s iOS. In fact, according to a report released in April by NQ Mobile, nearly 95 percent of all mobile malware discovered throughout 2012 targeted the Android operating system.

Despite fevered arguments that iOS is more secure than Android, or that Android offers developers more options than iOS, BitDefender found that both platforms are equally invasive and curious when it comes to collecting user data, which was “contrary to popular media and consumer beliefs,” Cosi said.

Location tracking is a major concern for both Android and iOS, BitDefender found. About 45 percent of iOS apps have location tracking capabilities, even if they don’t explicitly do that, as opposed to only 35 percent of Android apps. However, a little over 1 percent of Android apps could track location in the background, even after the app has been closed, and almost 10 percent of the analyzed Android apps may transfer the data to third-party servers. Advertiser networks are frequent recipients of such data.

While there are legitimate reasons for accessing location, sending that information over the Web to remote servers is frequently not necessary for some apps, Cosi said. For users, it may put their data at risk if the organization collecting the information ever experiences a data breach, he added.

Apps that are known to send your location over the Internet are doing other potentially harmful things, such as spamming the notification bar and planting icons on the home screen, BitDefender said. Other apps that send location information also leak the phone number and the user’s e-mail address to ad vendors.

When it comes to the contact list, iOS apps are “much more interested” than Android apps in reading the list, Cosi said. Only a little under 8 percent of Android apps request user permission to access the list, compared to 19 percent of iOS apps that have the ability to snoop. Some of the iOS apps, such as 3D Badminton II and OLJ, read and send names and email addresses to remote servers, Cosi said.

“iOS applications appear to be more focused on harvesting private data than the ones designed for Android,” Cosi wrote.

While all these behaviors can be legitimate functionality, there are significant threats to the user and the organization when these technologies are implemented improperly, Cosi said. Leaking unencrypted device IDs, or sending plain-text passwords during the authentication process is “highly dangerous” for a mobile device that frequently connects to public Wi-Fi access points.

Cosi acknowledged that permissions work differently on the two mobile platforms. Android apps state all the permissions needed at installation time and there is no way to change the settings afterwards. iOS permissions, on the other hand, are requested at run-time, as the specific resource is used. Users are able to allow or deny on a case-by-case basis, such as current location. This may make iOS a little bit more secure in practice. iOS developers are restricted by the developer agreement from collecting phone numbers, and if their apps are found to be collecting that information anyway, the offending apps will be rejected from the App Store.

“The Android ecosystem is much more permissive when it comes to data collection and application distribution,” Cosi said. The fact that it’s possible to distribute apps outside of Google Play “defeats potential screening” and leaves it up to the user whether or not to take the chance with an app.

The full report from Bitdefender is available here.
