Free mobile applications put users’ privacy at risk more often than paid apps, and iOS applications are more likely to transmit private information than Android applications, according to a survey of the top-400 mobile applications conducted by application-analysis firm Appthority.
The survey, released the day before the Black Hat security conference in Las Vegas, found that 95 percent of the top-100 free apps for both iOS and Android exhibited at least one kind of privacy-compromising behavior, while 78 percent of paid apps leaked similar data. Risky behavior included sending data on the location of the device, identifying the user, leaking address book information, or using single sign-on (SSO), which allows a single company to track the user across multiple applications.
“While IT professionals are eying malware as, perhaps, a future problem, they are seeing data leakage and corporate risk and privacy risk as current problems,” Domingo Guerra, president and co-founder of Appthority, told eWEEK.
Although many security firms have focused on malware as the most serious threat to mobile users, in most countries infections by malicious software continues to be rare. Instead, mobile software developers in search of profits are adopting aggressive and questionable tactics—or advertising frameworks that use such tactics—to monetize their users.
With employees increasingly bringing their own devices into the workplaces, companies need to worry more about what information even personal applications are leaking. While such privacy issues have not always been seen as a significant threat, the potential of applications to grab corporate data as well as the user’s personal information is a problem, said Guerra.
“Sure, not everyone is going to freak out about location tracking, but if you couple location tracking without encryption or you combine location tracking when people are traveling, then maybe it’s a bigger issue,” he said.
Considering its reputation as a premium platform, the top iOS applications surprisingly included more privacy-threatening behaviors than Android applications. Overall, 91 percent of iOS applications communicated some user information to the application developer, compared with 80 percent of Android applications, the report stated. While paying money for an application generates revenue for the application developer, many still used ad networks to generate more income: According to the study, 39 percent of iOS applications and 16 percent of Android applications sent user information off to advertising networks.
“If a user’s social log-in is hacked, all of the apps that a user has logged in to using the same password might be compromised as well,” the report stated. “Furthermore, when using SSO, the user agrees to share data not only with the app developer—and by default the ad network associated with the app—but also with the social networking site as well.”
Games and social networking applications are the programs that most often send off information about their users in some manner. In addition, for companies that issue phones to their users, in-app purchases—another behavior flagged in the survey—can be an expensive issue.