

Android Apps Fail Risk Assessment Check

Study finds 26% of Android apps available via official Google Play app store pose a potential risk to enterprise security.

One-quarter of Android apps available via the official Google Play app store put users at risk by having permission to access sensitive, personal information, including emails and contact information. That finding comes from an analysis conducted by security firm Bit9 of 412,212 of the roughly 600,000 apps available via Google Play.

Overall, according to the related report released by Bit9, 72% of the apps studied have at least one potentially risky permission. The leading culprits in risky permissions are access to GPS data (42% of apps), phone calls or numbers (31%), contacts and email or other personal data (26%), and permissions that can lead to fraudulent phone charges (9%).

For the study, Bit9 researchers compared the specific permissions used by each app with the app type, users' ratings, and the number of times the app had been downloaded, as well as the reputation of the app publisher. The researchers then used this information to qualify, on a per-app basis, which permissions were questionable or suspicious. For example, numerous wallpaper applications -- as well as games and utilities -- include as one of their allowed permissions the ability to access a user's GPS location.
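A small per-app check in the spirit of the method just described, comparing each app's declared permissions against what its category plausibly needs and then reporting the share of apps with at least one questionable permission. This is an added illustration, not Bit9's tooling; the category allow-list and the sample app records are constructed assumptions, while the permission names are real Android identifiers.

```python
"""Flag Android permission requests that an app's category does not justify."""
from collections import Counter

# Real Android permission names, grouped into the risk buckets the study reports.
RISK_GROUPS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone": {"android.permission.READ_PHONE_STATE",
              "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "personal_data": {"android.permission.READ_CONTACTS",
                      "android.permission.GET_ACCOUNTS"},
    "billing": {"android.permission.SEND_SMS"},  # can incur premium-SMS charges
}

# Assumption: a simple allow-list of risk groups each category has a plausible need for.
EXPECTED_BY_CATEGORY = {
    "navigation": {"location"},
    "dialer": {"phone", "personal_data"},
    "messaging": {"personal_data", "billing"},
    "wallpaper": set(),
    "game": set(),
}

def questionable_permissions(app):
    """Return {risk_group: [permissions]} for requests the app's category does not justify."""
    allowed = EXPECTED_BY_CATEGORY.get(app["category"], set())
    flagged = {}
    for group, perms in RISK_GROUPS.items():
        hits = sorted(set(app["permissions"]) & perms)
        if hits and group not in allowed:
            flagged[group] = hits
    return flagged

def summarize(apps):
    """Percent of apps with any questionable permission, plus per-group percentages."""
    per_group, any_risky = Counter(), 0
    for app in apps:
        flagged = questionable_permissions(app)
        any_risky += bool(flagged)
        per_group.update(flagged.keys())
    n = len(apps)
    return {"any": round(100 * any_risky / n),
            **{g: round(100 * c / n) for g, c in per_group.items()}}

SAMPLE_APPS = [  # constructed sample data, not real Google Play listings
    {"name": "sunset-wallpaper", "category": "wallpaper",
     "permissions": ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"]},
    {"name": "maps-lite", "category": "navigation",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"]},
    {"name": "puzzle-game", "category": "game",
     "permissions": ["android.permission.READ_CONTACTS", "android.permission.SEND_SMS"]},
    {"name": "flashlight", "category": "utility",
     "permissions": ["android.permission.CAMERA"]},
]
```

Running `summarize(SAMPLE_APPS)` on this data reports that half the sample apps carry a questionable permission, with the wallpaper app flagged for location and the game for contacts and SMS.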


As that suggests, risk doesn't necessarily correlate with outright maliciousness. In the old days, of course, the chief concerns were "viruses and Trojans and apps that are out to do intentional harm, but in the BYOD and mobile space, there's a new concern, which is privacy," said Harry Sverdlove, CTO for Bit9, speaking by phone. By privacy, he's referring not just to consumer privacy, but also to the privacy of corporate data, because 71% of businesses allow their employees to connect their personal smartphones to corporate networks, according to a survey of 139 "IT security decision makers" recently conducted by Bit9. Furthermore, 78% of surveyed information security personnel think smartphone vendors don't build sufficient security controls into their devices, and 68% said their principal concern with smartphones is information security.

Even so, only 37% of businesses have deployed anti-malware software on employee-owned devices, and only 24% of businesses can see what's running on those devices via smartphone monitoring or management tools. In other words, in most businesses, "IT has no control," said Sverdlove. "You might as well just put your company's email and sensitive documents out on a coffee table in a cafe somewhere, and hope nobody's looking."

Sverdlove said the gold standard in curtailing excessive app permissions currently is Apple iOS 6, because it allows users to install apps, and then decide -- whenever the OS alerts the user that an app is making a request -- whether to grant that app access to such things as the device location, photos, contacts, or other potentially sensitive information.

"Google is making great strides, but in Android, that's not currently possible," said Sverdlove. Instead, if you install an Android app, you're agreeing to give it every permission that it asks for. One caveat is that some third-party utilities will curtail app access, but such utilities can only be run on rooted phones. "It's an all-or-nothing game, unless you root your Android phone, and that gets really messy," said Sverdlove.

Why do Android apps request so many permissions? One possibility is developer laziness: it's easier to request every permission that might be required, rather than to eliminate every permission that isn't required. Regardless of the cause, however, excessive permissions can have pernicious results because many apps don't operate alone.

"The majority of apps are free, and the way developers support themselves is they bundle in third-party advertising, and that's code that developers don't have access to, they're just bundling it in," said Sverdlove. But that gives the advertising code access to everything that the core app can access. "So you're letting your friend in the door, and your friend has all of the permissions that you have now," he said.

On a related note, California's attorney general this week announced a crackdown on mobile apps that lack conspicuous privacy policies that clearly state what personal information the app collects, as well as what will be done with that information. But might developers including third-party advertising code in their apps run afoul of California privacy laws, because the apps are hooking into advertiser-run tracking networks in ways that developers won't know?

"I do think there will be some questions raised, but more likely than not it will be from a legal standpoint, and third-party advertisers held culpable, because that's legal logistics: you go after the organization with the deep pockets," said Sverdlove.

A spokesman for the California attorney general's office wasn't immediately available to detail how the state plans to enforce the privacy law when it comes to developers bundling third-party advertiser code into their apps.

What can businesses do to better secure Android smartphones? The Bit9 report suggests that businesses educate employees about what app permission requests really mean, and tell them to stay away from third-party app markets -- where the majority of malicious Android apps lurk. They also should monitor the apps on employee-owned devices, to try to block known bad pieces of software. In addition, Bit9 recommends blocking rooted or jailbroken devices from accessing corporate networks, because rooting a device can disable built-in security protections. Finally, it recommends whole-device encryption for Android; enabling screen locking, which means a password is required to access a device; and using remote wiping, in the event that a device containing corporate data goes missing.

User Rank: Apprentice
12/3/2012 | 4:35:19 PM
re: Android Apps Fail Risk Assessment Check
I'm not too surprised, because Android apps being an open market makes it higher in risk. I like their apps, but open market and the security apps have to come up some. This is probably why so many parents monitor their kids with Mobile Spy or Phone Sheriff. It's like you have to.
User Rank: Apprentice
11/1/2012 | 7:08:23 PM
re: Android Apps Fail Risk Assessment Check
For excessive permissions checks I'm using Anti Spy Mobile Free and aSpotCat from Google Play. They are really useful for app downloading aficionados and regular users that care for privacy!