Mobile app risk management solutions provider Appthority has analyzed 400 of the most popular free and paid applications for Android and iOS devices and presented the results in a report released on Monday.
The risky behaviors identified by the company are related to the type of data that’s collected and where the data is going, not outright malware risks. According to Appthority’s App Reputation Report for the summer of 2014, most apps collect information on the user’s location, access the address book and the calendar, identify the user based on the device’s IMEI or UDID, and are capable of performing in-app purchases. The collected data can go to ad networks, social networks, third-party analytic frameworks, third-party crash reporting SDKs, and public cloud file storage providers.
According to the study, 99% of the most popular free Android and iOS apps exhibit at least one type of behavior that poses a security or privacy threat to organizations. When it comes to paid software, a lower percentage of apps have at least one of the top ten risky behaviors identified by Appthority, but the difference is small (78% for Android and 87% for iOS), with location tracking named the biggest disparity between free and paid applications.
iOS has been considered by many to be a more secure mobile operating system compared to Android, especially when it comes to malware. In fact, according to F-Secure’s Q1 2014 Mobile Threat Report, more than 99 percent of new mobile threats discovered by the security firm in the first quarter of 2014 targeted Android users.
However, Appthority’s study, in which 100 apps of each category (iOS paid/free and Android paid/free) were tested, shows that 93% of free and paid iOS applications exhibit at least one risky behavior, whereas only 89% of Android apps pose such a threat to enterprises.
By conducting static, dynamic, and behavioral analysis of the top free apps, Appthority determined that 82% of Android and 50% of iOS applications allow location tracking. When it comes to sharing data with ad networks, 71% of free Android apps do it, which represents a 13% increase compared to earlier this year.
In-app purchases can be problematic. In fact, the European Commission recently insisted that Apple and Google stop labeling applications that include this feature as “free apps.” Currently, 58% of the top free Android apps and 55% of the top free iOS apps enable in-app purchases.
Another challenge for enterprises is that the applications used by their employees come from a large number of developers. In the past, before the bring-your-own-device (BYOD) and bring-your-own-apps (BYOA) trends changed the landscape, organizations only had to deal with a handful of developers, which enabled easy whitelisting.
“As enterprises navigate how best to leverage the power of ‘mobile’ they have to confront the fact that user data and corporate data live side-by-side on mobile devices. Many mobile apps collect and share sensitive personal and corporate data without the user even being aware,” commented Domingo Guerra, president and co-founder of Appthority. “The first step toward mitigating this risk is to have full visibility into what risky behaviors are hidden in mobile apps, so that you can design acceptable use policies that protect your organization.”
Last summer, researchers from Bitdefender unveiled research that also found iOS apps to be just as invasive and curious about user data as Android apps are. In its study, Bitdefender analyzed more than 522,000 apps and focused on the “intrusive behaviors” the app developer may have included in the product, such as tracking location, reading contact lists, and leaking your email address or device ID.
The complete 2014 App Reputation Report from Appthority is available for download in PDF format.