Juniper Networks Study Finds Free Mobile Apps a Privacy Minefield

A Juniper Networks study of 1.7 million Android apps finds that free apps are far more likely to track users' locations and access their address books.

Free apps are far more likely to track users' locations and access their address books, behavior that companies should take into account when crafting policies to handle employees who bring their own devices into work, Juniper Networks stated in a report released Oct. 31.

For the report, the company scanned Google Play and other popular app stores to check the permissions required by 1.7 million applications. Free apps were four times as likely to track the user's location as paid apps and three times as likely to access the user's address book, the company found.

While users need to worry about how these applications affect their privacy, companies should be concerned of the impact on their security, said Dan Hoffman, chief mobile security evangelist at Juniper.

"Companies need to understand if they are making security policy and decisions based on BYOD scenarios," he said. "I think there is a tactical security concern that they need to have, if the users are bringing these apps into the company and, for example, there are applications that have use of the camera or a microphone."

Juniper's report is the latest study to show that many Android apps, and especially free apps, request questionable permissions that do not match the stated functionality of the application. Many apps, including the popular Pandora Internet radio app, send users' information to advertisers. A survey performed by the security group ISACA found that more than half of users have had their location information collected by an app, but only a quarter had privacy or safety concerns.

While most users assume that information is collected for advertising purposes, Juniper's study found that far more applications collect data for nonadvertising purposes. Nearly a quarter of all free apps track location and almost 7 percent access the address book, but only about one in 10 apps use known advertising networks, the company said. Paid apps are far more privacy-sensitive: Only 6 percent track location, and 2 percent access the address book.

Many free applications ask for other privacy-compromising permissions as well: nearly 3 percent asked for permission to send Short Message Service (SMS) texts in the background, 6 percent requested approval to silently make calls and almost 6 percent sought access to the camera.

Security researchers have increasingly worried about mobile devices being compromised by attackers and used as a sensor suite. One group of researchers from the University of Indiana and the Naval Surface Warfare Center (NSWC) created a program called PlaceRaider that could surreptitiously take pictures and construct a 3D virtual representation of the space.

Many of the applications are undoubtedly not malicious, but may just be developers including advertising modules without fully understanding what permissions they require, says Juniper's Hoffman.

"In many cases, these are not software companies making the apps," he said. "It is people doing it in their part time and they may not know or respect privacy laws."

Certain classes of applications accounted for a large portion of the privacy-compromising programs. Almost all card-and-casino apps, which recreate gambling games, asked for permission to make outbound calls, and more than 80 percent also asked for permission to use the camera and send SMS texts. In addition, racing games had a similar track record: 99 percent of paid apps and 92 percent of free apps asked for permission to send SMS texts, while 95 percent of free apps sought approval to initiate outgoing calls and half requested the ability to use the camera.

While Juniper noted suspicious requests for permissions, the company could not specifically investigate every instance.

"The manner in which permissions are currently presented does not provide a means for users to differentiate between" spyware and legitimate apps, the report stated. "More needs to be done to provide developers with differentiated permissions."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...