Risk
5/1/2012
11:26 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Android Apps Slurp Excessive Data

Nearly half of leading Android apps access more types of data than they require, finds a new security study.

10 Ways To Get More From Your Android Device
10 Ways To Get More From Your Android Device
(click image for larger view and for slideshow)
More than one-third of Android apps request "excessive permissions," giving them access to more data than they require.

That finding comes from a study conducted by South Korean antivirus vendor AhnLab, which scanned 178 "best rated" Android applications using its cloud-based Android security scanning service.

All told, of the apps scanned, AhnLab found that 43% requested excessive device information, 39% requested unusual levels of location information, 33% requested excessive access to personal information, and 8% wanted excessive information about service plans.

[ Google's StreetView put data collection above people's security. See Google Wardriving: How Engineering Trumped Privacy. ]

According to HoWoong Lee, director of the AhnLab Security E-Response Center, mobile applications that access excessive amounts of data are a concern because they may have access to banking data and personal emails, or be able to retrieve information that would allow attackers to clone smartphones or sign up mobile subscribers for premium services. Some apps, meanwhile, not only access but also store this sensitive information, oftentimes in unencrypted form. Furthermore, users may not notice any malware that targets sensitive stored information running in the background, surreptitiously siphoning away stored data.

But having legitimate applications access more data than they require would appear to be quite common. That goes not just for legitimate Android apps, as well as malware, but also for iOS apps.

Many social networking applications, including Path and Hipster, were called out earlier this year over revelations that they sent unencrypted copies of iOS users' address books back to their servers. While the developers behind Path defended the practice as a way of helping them connect users who already knew each other, the resulting outcry led the app developer to make the address book sharing "opt in."

Apple likewise weighed in, saying that slurping people's contact information without their permissions would be against its development guidelines. Apple apparently hadn't been testing iOS apps for such behavior as part of its App Store review process.

Not long after, Twitter, Yelp, and Foursquare also came clean, saying that they likewise transmitted users' contact information whenever people selected features with labels such as "find friends." But such information was often stored in unencrypted format, again creating an information security risk.

Apps running on Android or iOS that request, store, or share excessive amounts of information add to already pervasive business concerns over the security of mobile handsets. So, what can be done to address the problem?

One solution for businesses is application whitelisting, which means ensuring that any Android device that wants to connect to the corporate network runs only approved apps. While the practice is controversial, many security experts see it as the best solution for keeping malware and untrusted apps--such as those requesting excessive data access rights--off of Android handsets.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web