Most Top Free and Paid Mobile Apps Pose Threat to Enterprises: Report

Mobile app risk management solutions provider Appthority has analyzed 400 of the most popular free and paid applications for Android and iOS devices and presented the results in a report released on Monday.

The risky behaviors identified by the company are related to the type of data that’s collected, and where the data is going, not outright malware risks. According to Appthority’s App Reputation Report for the summer of 2014, most apps collect information on the user’s location, they access the address book and the calendar, they identify the user based on the device’s IMEI or UDID, and they’re capable of performing in-app purchases. The collected data can go to ad networks, social networks, third-party analytic frameworks, third-party crash reporting SDKs, and public cloud file storage providers.

According to the study, 99% of the most popular free Android and iOS apps exhibit at least one type of behavior that poses a security or privacy threat to organizations. When it comes to paid software, a lower percentage of apps have at least one of the top ten risky behaviors identified by Appthority, but the difference is small (78% for Android and 87% for iOS), with location tracking named the biggest disparity between free and paid applications.

Chart: Top PAID Apps with Risky Behaviors: iOS and Android

iOS has been considered by many to be a more secure mobile operating system compared to Android, especially when it comes to malware. In fact, according to F-Secure’s Q1 2014 Mobile Threat Report, more than 99 percent of new mobile threats discovered by the security firm in the first quarter of 2014 targeted Android users.

However, Appthority’s study, in which 100 apps of each category (iOS paid/free and Android paid/free) were tested, shows that 93% of free and paid iOS applications exhibit at least one risky behavior, whereas only 89% of Android apps pose such a threat to enterprises. 

By conducting static, dynamic, and behavioral analysis of the top free apps, Appthority determined that 82% of Android and 50% of iOS applications allow location tracking. When it comes to sharing data with ad networks, 71% of free Android apps do it, which represents a 13% increase compared to earlier this year.

In-app purchases can be problematic. In fact, the European Commission recently insisted that Apple and Google stop labeling applications that include this feature as “free apps.” Currently, 58% of the top free Android apps and 55% of the top free iOS apps enable in-app purchases.

Another challenge for enterprises is that the applications used by their employees come from a large number of developers. In the past, before the bring-your-own-device (BYOD) and bring-your-own-apps (BYOA) trends changed the landscape, organizations only had to deal with a handful of developers, which enabled easy whitelisting.

“As enterprises navigate how best to leverage the power of ‘mobile’ they have to confront the fact that user data and corporate data live side-by-side on mobile devices. Many mobile apps collect and share sensitive personal and corporate data without the user even being aware,” commented Domingo Guerra, president and co-founder of Appthority. “The first step toward mitigating this risk is to have full visibility into what risky behaviors are hidden in mobile apps, so that you can design acceptable use policies that protect your organization.”

Last summer, researchers from Bitdefender unveiled research that also found iOS apps to be just as invasive and curious about user data as Android apps are. In its study, Bitdefender analyzed more than 522,000 apps and focused on the “intrusive behaviors” the app developer may have included in the product, such as tracking location, reading contact lists, and leaking your email address or device ID.

The complete 2014 App Reputation Report from Appthority is available for download in PDF format.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
