
Android Apps Fail Risk Assessment Check

Study finds 26% of Android apps available via official Google Play app store pose a potential risk to enterprise security.

One-quarter of Android apps available via the official Google Play app store put users at risk by having permission to access sensitive, personal information, including emails and contact information. That finding comes from an analysis conducted by security firm Bit9 of 412,212 of the roughly 600,000 apps available via Google Play.

Overall, according to the related report released by Bit9, 72% of the apps studied have at least one potentially risky permission. The leading culprits in risky permissions are access to GPS data (42% of apps), phone calls or numbers (31%), contacts and email or other personal data (26%), and permissions that can lead to fraudulent phone charges (9%).

For the study, Bit9 researchers compared the specific permissions used by each app with the app type, users' ratings, and the number of times the app had been downloaded, as well as the reputation of the app publisher. The researchers then used this information to qualify, on a per-app basis, which permissions were questionable or suspicious. For example, numerous wallpaper applications -- as well as games and utilities -- include as one of their allowed permissions the ability to access a user's GPS location.
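As an added illustration of the per-app comparison described above (example code written for this page, not Bit9's analysis tooling), the script below sorts an app's requested permissions into the four risk buckets the report names and flags the ones that a given app type has no evident need for. The Android permission constants are real; the app-type allowlist and the sample wallpaper app are constructed assumptions.

```python
# Added example (not Bit9's tool): classify an Android app's requested permissions
# into the four risk buckets the study reports, and flag those that a given app
# type has no evident need for. Permission names are real Android constants;
# the per-type allowlist and the sample app are constructed for illustration.
from typing import Dict, List, Set

RISK_BUCKETS: Dict[str, Set[str]] = {
    "gps": {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"},
    "phone": {"android.permission.READ_PHONE_STATE",
              "android.permission.READ_CALL_LOG"},
    "contacts_email": {"android.permission.READ_CONTACTS",
                       "android.permission.GET_ACCOUNTS"},
    "fraudulent_charges": {"android.permission.SEND_SMS",
                           "android.permission.CALL_PHONE"},
}

# Buckets an app type can plausibly justify (assumption: a wallpaper app or a
# simple game justifies none of them, a navigation app justifies location).
EXPECTED_BY_TYPE: Dict[str, Set[str]] = {
    "wallpaper": set(),
    "game": set(),
    "navigation": {"gps"},
    "dialer": {"phone", "fraudulent_charges", "contacts_email"},
}

def bucket_permissions(perms: List[str]) -> Dict[str, List[str]]:
    """Group requested permissions by risk bucket; non-risky ones are dropped."""
    hit: Dict[str, List[str]] = {}
    for bucket, members in RISK_BUCKETS.items():
        found = sorted(p for p in perms if p in members)
        if found:
            hit[bucket] = found
    return hit

def questionable(app_type: str, perms: List[str]) -> Dict[str, List[str]]:
    """Risky permissions the app type does not justify (unknown types justify none)."""
    expected = EXPECTED_BY_TYPE.get(app_type, set())
    return {b: p for b, p in bucket_permissions(perms).items() if b not in expected}

if __name__ == "__main__":
    # Constructed sample: a wallpaper app asking for fine location and contacts,
    # the kind of mismatch the study calls out.
    sample = ["android.permission.INTERNET",
              "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.READ_CONTACTS"]
    for bucket, found in questionable("wallpaper", sample).items():
        print(f"questionable ({bucket}): {', '.join(found)}")
```

In practice the permission list would come from the app's AndroidManifest.xml (for example via `aapt dump permissions`), and the allowlist would be tuned per organisation rather than hard-coded.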


As that suggests, risk doesn't necessarily correlate with outright maliciousness. In the old days, of course, the chief concerns were "viruses and Trojans and apps that are out to do intentional harm, but in the BYOD and mobile space, there's a new concern, which is privacy," said Harry Sverdlove, CTO for Bit9, speaking by phone. By privacy, he's referring not just to consumer privacy, but also the privacy of corporate data, because 71% of businesses allow their employees to connect their personal smartphones to corporate networks, according to a survey of 139 "IT security decision makers" recently conducted by Bit9. Furthermore, 78% of surveyed information security personnel think smartphone vendors don't build sufficient security controls into their devices, and 68% said their principal concern with smartphones is information security.

Even so, only 37% of businesses have deployed anti-malware software on employee-owned devices, and only 24% of businesses can see what's running on those devices via smartphone monitoring or management tools. In other words, in most businesses, "IT has no control," said Sverdlove. "You might as well just put your company's email and sensitive documents out on a coffee table in a cafe somewhere, and hope nobody's looking."

Sverdlove said the gold standard in curtailing excessive app permissions currently is Apple iOS 6, because it allows users to install apps, and then decide -- whenever the OS alerts the user that an app is making a request -- whether to grant that app access to such things as the device location, photos, contacts, or other potentially sensitive information.

"Google is making great strides, but in Android, that's not currently possible," said Sverdlove. Instead, if you install an Android app, you're agreeing to give it every permission that it asks for. One caveat is that some third-party utilities will curtail app access, but such utilities can only be run on rooted phones. "It's an all-or-nothing game, unless you root your Android phone, and that gets really messy," said Sverdlove.

Why do Android apps request so many permissions? One possibility is developer laziness: it's easier to request every permission that might be required, rather than to eliminate every permission that isn't required. Regardless of the cause, however, excessive permissions can have pernicious results because many apps don't operate alone.

"The majority of apps are free, and the way developers support themselves is they bundle in third-party advertising, and that's code that developers don't have access to, they're just bundling it in," said Sverdlove. But that gives the advertising code access to everything that the core app can access. "So you're letting your friend in the door, and your friend has all of the permissions that you have now," he said.

On a related note, California's attorney general this week announced a crackdown on mobile apps that lack conspicuous privacy policies that clearly state what personal information the app collects, as well as what will be done with that information. But might developers including third-party advertising code in their apps run afoul of California privacy laws, because the apps are hooking into advertiser-run tracking networks in ways that developers won't know?

"I do think there will be some questions raised, but more likely than not it will be from a legal standpoint, and third-party advertisers held culpable, because that's legal logistics: you go after the organization with the deep pockets," said Sverdlove.

A spokesman for the California attorney general's office wasn't immediately available to detail how the state plans to enforce the privacy law when it comes to developers bundling third-party advertiser code into their apps.

What can businesses do to better secure Android smartphones? The Bit9 report suggests that businesses educate employees about what app permission requests really mean, and tell them to stay away from third-party app markets -- where the majority of malicious Android apps lurk. They also should monitor the apps on employee-owned devices, to try to block known bad pieces of software. In addition, Bit9 recommends blocking rooted or jailbroken devices from accessing corporate networks, because rooting a device can disable built-in security protections. Finally, it recommends whole-device encryption for Android; enabling screen locking, which means a password is required to access a device; and using remote wiping, in the event that a device containing corporate data goes missing.


12/3/2012 | 4:35:19 PM
re: Android Apps Fail Risk Assessment Check
I'm not too surprised, because Android apps being an open market makes it higher in risk. I like their apps, but open market and the security apps have to come up some. This is probably why so many parents monitor their kids with Mobile Spy or Phone Sheriff. It's like you have to.
11/1/2012 | 7:08:23 PM
re: Android Apps Fail Risk Assessment Check
For excessive permissions check I'm using Anti Spy Mobile Free and aSpotCat from Google Play. They are really useful for app downloading aficionados and regular users that care for privacy!