Risk
5/1/2012
11:26 AM
50%
50%

Android Apps Slurp Excessive Data

Nearly half of leading Android apps access more types of data than they require, finds a new security study.

10 Ways To Get More From Your Android Device
10 Ways To Get More From Your Android Device
(click image for larger view and for slideshow)
More than one-third of Android apps request "excessive permissions," giving them access to more data than they require.

That finding comes from a study conducted by South Korean antivirus vendor AhnLab, which scanned 178 "best rated" Android applications using its cloud-based Android security scanning service.

All told, of the apps scanned, AhnLab found that 43% requested excessive device information, 39% requested unusual levels of location information, 33% requested excessive access to personal information, and 8% wanted excessive information about service plans.

[ Google's StreetView put data collection above people's security. See Google Wardriving: How Engineering Trumped Privacy. ]

According to HoWoong Lee, director of the AhnLab Security E-Response Center, mobile applications that access excessive amounts of data are a concern because they may have access to banking data and personal emails, or be able to retrieve information that would allow attackers to clone smartphones or sign up mobile subscribers for premium services. Some apps, meanwhile, not only access but also store this sensitive information, oftentimes in unencrypted form. Furthermore, users may not notice any malware that targets sensitive stored information running in the background, surreptitiously siphoning away stored data.

But having legitimate applications access more data than they require would appear to be quite common. That goes not just for legitimate Android apps, as well as malware, but also for iOS apps.

Many social networking applications, including Path and Hipster, were called out earlier this year over revelations that they sent unencrypted copies of iOS users' address books back to their servers. While the developers behind Path defended the practice as a way of helping them connect users who already knew each other, the resulting outcry led the app developer to make the address book sharing "opt in."

Apple likewise weighed in, saying that slurping people's contact information without their permissions would be against its development guidelines. Apple apparently hadn't been testing iOS apps for such behavior as part of its App Store review process.

Not long after, Twitter, Yelp, and Foursquare also came clean, saying that they likewise transmitted users' contact information whenever people selected features with labels such as "find friends." But such information was often stored in unencrypted format, again creating an information security risk.

Apps running on Android or iOS that request, store, or share excessive amounts of information add to already pervasive business concerns over the security of mobile handsets. So, what can be done to address the problem?

One solution for businesses is application whitelisting, which means ensuring that any Android device that wants to connect to the corporate network runs only approved apps. While the practice is controversial, many security experts see it as the best solution for keeping malware and untrusted apps--such as those requesting excessive data access rights--off of Android handsets.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!