Overall, according to the related report released by Bit9, 72% of the apps studied have at least one potentially risky permission. The leading culprits in risky permissions are access to GPS data (42% of apps), phone calls or numbers (31%), contacts and email or other personal data (26%), and permissions that can lead to fraudulent phone charges (9%).
For the study, Bit9 researchers compared the specific permissions used by each app with the app type, users' ratings, and the number of times the app had been downloaded, as well as the reputation of the app publisher. The researchers then used this information to qualify, on a per-app basis, which permissions were questionable or suspicious. For example, numerous wallpaper applications -- as well as games and utilities -- include as one of their allowed permissions the ability to access a user's GPS location.
As that suggests, risk doesn't necessarily correlate with outright maliciousness. In the old days, of course, the chief concerns were "viruses and Trojans and apps that are out to do intentional harm, but in the BYOD and mobile space, there's a new concern, which is privacy," said Harry Sverdlove, CTO for Bit9, speaking by phone. By privacy, he's referring not just to consumer privacy, but also the privacy of corporate data, because 71% of businesses allow their employees to connect their personal smartphones to corporate networks, according to a survey of 139 "IT security decision makers" recently conducted by Bit9. Furthermore, 78% of surveyed information security personnel think smartphone vendors don't build in sufficient security controls to their devices, and 68% said their principle concern with smartphones is information security.
Even so, only 37% of businesses have deployed anti-malware software on employee-owned devices, and only 24% of businesses can see what's running on those devices via smartphone monitoring or management tools. In other words, in most businesses, "IT has no control," said Sverdlove. "You might as well just put your company's email and sensitive documents out on a coffee table in a cafe somewhere, and hope nobody's looking."
Sverdlove said the gold standard in curtailing excessive app permissions currently is Apple iOS 6, because it allows users to install apps, and then decide -- whenever the OS alerts the user that an app is making a request -- whether to grant that app access to such things as the device location, photos, contacts, or other potentially sensitive information.
"Google is making great strides, but in Android, that's not currently possible," said Sverdlove. Instead, if you install an Android app, you're agreeing to give it every permission that it asks for. One caveat is that some third-party utilities will curtail app access, but such utilities can only be run on rooted phones. "It's an all-or-nothing game, unless you root your Android phone, and that gets really messy," said Sverdlove.
Why do Android apps request so many permissions? One possibility is developer laziness: it's easier to request every permission that might be required, rather than to eliminate every permission that isn't required. Regardless of the cause, however, excessive permissions can have pernicious results because many apps don't operate alone.
"The majority of apps are free, and the way developers support themselves is they bundle in third-party advertising, and that's code that developers don't have access to, they're just bundling it in," said Sverdlove. But that gives the advertising code access to everything that the core app can access. "So you're letting your friend in the door, and your friend has all of the permissions that you have now," he said.
On a related note, California's attorney general this week announced a crackdown on mobile apps that lack conspicuous privacy policies that clearly state what personal information the app collects, as well as what will be done with that information. But might developers including third-party advertising code in their apps run afoul of California privacy laws, because the apps are hooking into advertiser-run tracking networks in ways that developers won't know?
"I do think there will be some questions raised, but more likely than not it will be from a legal standpoint, and third-party advertisers held culpable, because that's legal logistics: you go after the organization with the deep pockets," said Sverdlove.
A spokesman for the California attorney general's office wasn't immediately available to detail how the state plans to enforce the privacy law when it comes to developers bundling third-party advertiser code into their apps.
What can businesses do to better secure Android smartphones? The Bit9 report suggests that businesses educate employees about what app permission requests really mean, and tell them to stay away from third-party app markets -- where the majority of malicious Android apps lurk. They also should monitor the apps on employee-owned devices, to try to block known bad pieces of software. In addition, Bit9 recommends blocking rooted or jailbroken devices from access corporate networks, because rooting a device can disable built-in security protections. Finally, it recommends whole-device encryption for Android; enabling screen locking, which means a password is required to access a device; and using remote wiping, in the event that a device containing corporate data goes missing.
Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)