Risk
11/1/2012
11:38 AM

Android Apps Fail Risk Assessment Check

Study finds 26% of Android apps available via official Google Play app store pose a potential risk to enterprise security.

One-quarter of Android apps available via the official Google Play app store put users at risk by having permission to access sensitive, personal information, including emails and contact information. That finding comes from an analysis conducted by security firm Bit9 of 412,212 of the roughly 600,000 apps available via Google Play.

Overall, according to the related report released by Bit9, 72% of the apps studied have at least one potentially risky permission. The leading culprits in risky permissions are access to GPS data (42% of apps), phone calls or numbers (31%), contacts and email or other personal data (26%), and permissions that can lead to fraudulent phone charges (9%).

For the study, Bit9 researchers compared the specific permissions used by each app with the app type, users' ratings, and the number of times the app had been downloaded, as well as the reputation of the app publisher. The researchers then used this information to qualify, on a per-app basis, which permissions were questionable or suspicious. For example, numerous wallpaper applications -- as well as games and utilities -- include as one of their allowed permissions the ability to access a user's GPS location.
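The per-app triage described above, as an added example that is not part of the article and not Bit9's own tooling: a small auditor that reads the `<uses-permission>` declarations from an AndroidManifest.xml, buckets them into the four risk categories the report names, and flags the categories an app of a given type has no obvious reason to request (the article's wallpaper-app-with-GPS case). The assignment of concrete permission names to each category, the expected-permissions table per app type, and the sample manifest are all constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The four risk categories are the ones the Bit9 analysis describes
# (GPS, phone calls/numbers, contacts/email, fraudulent charges). Which
# concrete Android permission names fall into each is an assumption made
# for this example, not Bit9's classification.
RISK_CATEGORIES = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "phone": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_CALL_LOG",
        "android.permission.CALL_PHONE",
    },
    "personal_data": {
        "android.permission.READ_CONTACTS",
        "android.permission.GET_ACCOUNTS",
        "android.permission.READ_CALENDAR",
    },
    "premium_charges": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
}

# Which risk categories an app of a given type plausibly needs. Anything it
# requests outside this set is flagged, mirroring the article's example of
# wallpaper apps and games asking for GPS access. Constructed for this example.
EXPECTED_BY_APP_TYPE = {
    "wallpaper": set(),
    "game": set(),
    "navigation": {"location"},
    "dialer": {"phone"},
    "messaging": {"phone", "personal_data", "premium_charges"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def classify(permissions):
    """Map declared permissions onto risk categories: {category: sorted names}."""
    hits = {}
    for category, risky in RISK_CATEGORIES.items():
        matched = sorted(permissions & risky)
        if matched:
            hits[category] = matched
    return hits


def questionable_categories(app_type, categorized):
    """Risk categories requested that the app type gives no obvious reason for."""
    expected = EXPECTED_BY_APP_TYPE.get(app_type, set())
    return set(categorized) - expected


def audit(manifest_xml, app_type):
    """Return (declared permissions, risky ones by category, questionable categories)."""
    perms = declared_permissions(manifest_xml)
    categorized = classify(perms)
    return perms, categorized, questionable_categories(app_type, categorized)


# Constructed sample manifest: a wallpaper app that also asks for location,
# contacts and SMS sending, the kind of mismatch the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="Sample Wallpaper" />
</manifest>
"""

if __name__ == "__main__":
    perms, categorized, flagged = audit(SAMPLE_MANIFEST, "wallpaper")
    print("declared:", sorted(perms))
    for category, names in sorted(categorized.items()):
        print("%-16s %s" % (category, ", ".join(names)))
    print("questionable for a wallpaper app:", sorted(flagged))
```

Because permissions are granted to the whole process at install time, any bundled advertising or analytics SDK runs with exactly the set this auditor reports, so the flagged categories describe what third-party code inside the app can reach, not only what the developer's own code uses.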

As that suggests, risk doesn't necessarily correlate with outright maliciousness. In the old days, of course, the chief concerns were "viruses and Trojans and apps that are out to do intentional harm, but in the BYOD and mobile space, there's a new concern, which is privacy," said Harry Sverdlove, CTO for Bit9, speaking by phone. By privacy, he's referring not just to consumer privacy, but also the privacy of corporate data, because 71% of businesses allow their employees to connect their personal smartphones to corporate networks, according to a survey of 139 "IT security decision makers" recently conducted by Bit9. Furthermore, 78% of surveyed information security personnel think smartphone vendors don't build sufficient security controls into their devices, and 68% said their principal concern with smartphones is information security.

Even so, only 37% of businesses have deployed anti-malware software on employee-owned devices, and only 24% of businesses can see what's running on those devices via smartphone monitoring or management tools. In other words, in most businesses, "IT has no control," said Sverdlove. "You might as well just put your company's email and sensitive documents out on a coffee table in a cafe somewhere, and hope nobody's looking."

Sverdlove said the gold standard in curtailing excessive app permissions currently is Apple iOS 6, because it allows users to install apps, and then decide -- whenever the OS alerts the user that an app is making a request -- whether to grant that app access to such things as the device location, photos, contacts, or other potentially sensitive information.

"Google is making great strides, but in Android, that's not currently possible," said Sverdlove. Instead, if you install an Android app, you're agreeing to give it every permission that it asks for. One caveat is that some third-party utilities will curtail app access, but such utilities can only be run on rooted phones. "It's an all-or-nothing game, unless you root your Android phone, and that gets really messy," said Sverdlove.

Why do Android apps request so many permissions? One possibility is developer laziness: it's easier to request every permission that might be required, rather than to eliminate every permission that isn't required. Regardless of the cause, however, excessive permissions can have pernicious results because many apps don't operate alone.

"The majority of apps are free, and the way developers support themselves is they bundle in third-party advertising, and that's code that developers don't have access to, they're just bundling it in," said Sverdlove. But that gives the advertising code access to everything that the core app can access. "So you're letting your friend in the door, and your friend has all of the permissions that you have now," he said.

On a related note, California's attorney general this week announced a crackdown on mobile apps that lack conspicuous privacy policies that clearly state what personal information the app collects, as well as what will be done with that information. But might developers including third-party advertising code in their apps run afoul of California privacy laws, because the apps are hooking into advertiser-run tracking networks in ways that developers won't know?

"I do think there will be some questions raised, but more likely than not it will be from a legal standpoint, and third-party advertisers held culpable, because that's legal logistics: you go after the organization with the deep pockets," said Sverdlove.

A spokesman for the California attorney general's office wasn't immediately available to detail how the state plans to enforce the privacy law when it comes to developers bundling third-party advertiser code into their apps.

What can businesses do to better secure Android smartphones? The Bit9 report suggests that businesses educate employees about what app permission requests really mean, and tell them to stay away from third-party app markets -- where the majority of malicious Android apps lurk. They also should monitor the apps on employee-owned devices, to try to block known bad pieces of software. In addition, Bit9 recommends blocking rooted or jailbroken devices from accessing corporate networks, because rooting a device can disable built-in security protections. Finally, it recommends whole-device encryption for Android; enabling screen locking, which means a password is required to access a device; and using remote wiping, in the event that a device containing corporate data goes missing.


Comments
ry1414, User Rank: Apprentice
12/3/2012 | 4:35:19 PM
re: Android Apps Fail Risk Assessment Check
I'm not too surprised, because Android apps being an open market makes it higher in risk. I like their apps, but open market and the security apps have to come up some. This is probably why so many parents monitor their kids with Mobile Spy or Phone Sheriff. It's like you have to.
PetPorter, User Rank: Apprentice
11/1/2012 | 7:08:23 PM
re: Android Apps Fail Risk Assessment Check
For excessive permissions checks I'm using Anti Spy Mobile Free and aSpotCat from Google Play. They are really useful for app downloading aficionados and regular users that care about privacy!