Privacy on mobile devices is rapidly disappearing as mobile applications (apps) increasingly request more and more permissions, even if their feature set does not seem to require it, according to a pair of recent research reports.
Mobile applications are essential to the whole mobile device experience, and they are getting smarter, more robust, and yes, more privacy-intrusive, security firm Bit9 found in its latest survey of Android mobile apps on Google Play. Researchers crawled the Google Play marketplace and analyzed 412,212 Android apps, and flagged more than a quarter of them as being “high-risk” to users because of excessive permissions, Bit9 said in its report released Thursday.
Bit9 collected detailed information for each app, including publisher, popularity, user rating, category, number of downloads, requested permissions, and price. Based on the reputation score calculated using these values, apps were categorized as “questionable” or “suspicious” if they requested access to personal information on the mobile device such as GPS data, phone call logs, and phone numbers. Apps were classified as green, for highly trusted, yellow, for less trusted, or red, for suspicious or potentially unsafe, Bit9 said in the report.
“A significant percentage of Google Play Store apps have access to potentially sensitive and confidential information,” said Harry Sverdlove, chief technology officer for Waltham, Massachusett-based Bit9.
Of the apps analyzed in Bit9’s report, more than 290,000 accessed at least one high-risk permission, 86,000 accessed five or more, and 8,000 apps accessed 10 or more permissions. The researchers defined the risk level according to the degree the app intruded on privacy and the feature set.
For example, a “seemingly basic app” such as a wallpaper requesting access to the device’s GPS raised red flags, Sverdlove said.
Of the apps identified as questionable or suspicious in the report, 42 percent accessed GPS location data, 31 percent wanted access to phone calls and phone numbers, and 26 percent wanted personal data such as contacts and email. There was a small segment, about 9 percent, of apps that requested permissions which if granted would wind up costing the user money.
Angry Birds is a popular game from Rovio Mobile. Bit9 identified 115 variant apps containing the words “Angry” and “Birds,” with only four published by Rovio. Many of the others, including “Angry Birds Wallpaper,” requested fine-grained GPS location services that were not essential to the apps’ functionality, the researchers wrote in the report.
Bit9 was careful to note the apps aren’t in malware territory exactly, but they had access to resources or personal information that was “uncommon or considered high-risk for most users.” Considering Google Play has about 700,000 official apps (about 600,000 at the time Bit9 conducted its research), the report’s findings encompasses a significant portion of available apps.
The Bit9 findings concur with recent research from Juniper Networks’ Mobile Threat Center which examined the level of permissions requested by apps. While there have been recent cases of specific apps being called out for collecting “irrelevant information” from users, “less is known about the state of privacy across the entire application ecosystem,” Dan Hoffman, chief mobile security evangelist at Juniper Networks, wrote in a blog post on Wednesday.
Not only did a “significant number” of apps “contain permissions and capabilities that could expose sensitive data or access device functionality that they might not need,” they also had permission to access the Internet, which meant the exposed data could easily be transmitted to external servers, Hoffman said. Juniper also found that free applications were 401 percent more likely to track user location and 314 percent more likely to access user address books than the paid versions.
Of the apps analyzed, Juniper found that 24 percent of free apps have permission to track user location, compared to only 6 percent of paid apps. While 6.7 percent of free apps could access address books, only 2 percent of paid apps could do so. About 5.5 percent of free apps have permission to access the device camera, but only 2 percent of paid apps had this access. The discrepancy goes on for apps with permission to clandestinely initiate calls in the background (6.39 percent for free, 1.88 percent for paid) and silently send text messages (2.64 percent free, 1.45 percent paid), Hoffman said.
There is a “common industry assumption” that free apps collect a lot of user data in order to serve ads, but the actual numbers don’t bear out that assumption, Hoffman said. The percentage of apps with the top five ad networks (AdMob, AirPush, Millennial Media, AdWhirl, Leadbolt) was about 9 percent, which is “much less” than the 24 percent of apps tracking location, Juniper found.
The ability to clandestinely initiate outgoing calls, send SMS messages and use a device camera are worrisome, as they can be used to spy on users without their knowing they are being monitored. The ability to send SMS messages can also result in a hefty bill if the apps are sending premium text messages.
Bit9’s research identified games as one of the categories in which apps were asking for unnecessary permissions, and Juniper concurred, calling out “cards and casino games” in particular. Nearly 94 percent of free cards and casino games that have permission to make outbound calls, 84 percent of free apps that have permission to use the camera, and 84 percent that can send text messages, do not explain why they need these capabilities.
Another sub-category of games that Juniper was concerned about questionable practices was racing games. Both paid (99 percent) and free apps (94 percent) requested permission to send text messages but did not explain why they needed the capability. Another 94 percent of free racing game apps could initiate outgoing calls and 50 percent had access to the camera, again with no justification for why the permissions were necessary.
The racing games sub-category “contained the highest number of applications that the MTC would consider to be newly discovered malware,” Hoffman said.
While users still have to say “yes” and grant the application permission to access and collect the data in order to get it to run, users are not aware of exactly how much data is being slurped or why it is being requested in the first place.
The industry needs to adopt some changes. Permissions need to be correlated to actual app functionality so users know exactly what is happening under the hood. The permissions also need to take into context how the app is using it, as a spying app making background calls to eavesdrop on conversations is using the capability in a very different way than an app that allows you to call the local branch of a bank. Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call doesn’t provide the necessary context of why this functionality is necessary for a specific app, Hoffman said.
“Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions,” Hoffman said.
Bit9 conducted a parallel survey of 139 IT security decision makers collectively responsible for more than 400,000 employees and found that despite being aware of the risks, most organizations are still following a mobile policy “largely driven by convenience,” the report found. Despite the fact that 71 percent of the surveyed decision-makers said their organizations allowed employees to access company networks with personal devices, only 24 percent had deployed any kind of app monitoring or control.
“Many of these employers have little—or no—insight into what apps are running on their employees’ devices, with no way to identify potentially malicious apps or activity,” Bit9 said.
Considering that the average smartphone user has 65 apps installed on their device, and Bit9 research showing that 25 percent of its sample size “are at least suspicious or questionable,” means about 16 apps in each employee’s personal app inventory potentially has some level of suspicious activity, Bit9 wrote in the report.
Considering that over 80 percent of the survey respondents that allow personal devices also allow employees to access company email or to the company calendar, and the number of apps requesting access to such data, suggest that organizations should be doing more to have visibility over what is running on employee devices.
“This does not suggest that mobile devices are currently ground zero for intellectual property theft, but they could be very shortly,” the researchers wrote.
The full report from Bit9 can be found here in PDF format.
Related: Free 14 Day Trial – Eliminate Mobile Device Risks with Mobilisafe From Rapid7
