Risk
5/1/2012
11:26 AM
50%
50%

Android Apps Slurp Excessive Data

Nearly half of leading Android apps access more types of data than they require, finds a new security study.

10 Ways To Get More From Your Android Device
10 Ways To Get More From Your Android Device
(click image for larger view and for slideshow)
More than one-third of Android apps request "excessive permissions," giving them access to more data than they require.

That finding comes from a study conducted by South Korean antivirus vendor AhnLab, which scanned 178 "best rated" Android applications using its cloud-based Android security scanning service.

All told, of the apps scanned, AhnLab found that 43% requested excessive device information, 39% requested unusual levels of location information, 33% requested excessive access to personal information, and 8% wanted excessive information about service plans.

[ Google's StreetView put data collection above people's security. See Google Wardriving: How Engineering Trumped Privacy. ]

According to HoWoong Lee, director of the AhnLab Security E-Response Center, mobile applications that access excessive amounts of data are a concern because they may have access to banking data and personal emails, or be able to retrieve information that would allow attackers to clone smartphones or sign up mobile subscribers for premium services. Some apps, meanwhile, not only access but also store this sensitive information, oftentimes in unencrypted form. Furthermore, users may not notice any malware that targets sensitive stored information running in the background, surreptitiously siphoning away stored data.

But having legitimate applications access more data than they require would appear to be quite common. That goes not just for legitimate Android apps, as well as malware, but also for iOS apps.

Many social networking applications, including Path and Hipster, were called out earlier this year over revelations that they sent unencrypted copies of iOS users' address books back to their servers. While the developers behind Path defended the practice as a way of helping them connect users who already knew each other, the resulting outcry led the app developer to make the address book sharing "opt in."

Apple likewise weighed in, saying that slurping people's contact information without their permissions would be against its development guidelines. Apple apparently hadn't been testing iOS apps for such behavior as part of its App Store review process.

Not long after, Twitter, Yelp, and Foursquare also came clean, saying that they likewise transmitted users' contact information whenever people selected features with labels such as "find friends." But such information was often stored in unencrypted format, again creating an information security risk.

Apps running on Android or iOS that request, store, or share excessive amounts of information add to already pervasive business concerns over the security of mobile handsets. So, what can be done to address the problem?

One solution for businesses is application whitelisting, which means ensuring that any Android device that wants to connect to the corporate network runs only approved apps. While the practice is controversial, many security experts see it as the best solution for keeping malware and untrusted apps--such as those requesting excessive data access rights--off of Android handsets.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?