Security vendor Bit9 classified more than 100,000 applications on Google Play as “questionable” or “suspicious” in a new report that the company said underscores the sometimes overlooked risks posed by permission-hungry applications.
Bit9’s criteria for defining an application as “questionable” or “suspicious” included permissions requested by the application, categorization of the application, user rating, number of downloads and the reputation of the application’s publisher.
In its examination of more than 400,000 Android apps, Bit9 found 72 percent use at least one high-risk permission. In addition, 42 percent of the apps access GPS location data, including wallpapers, games and utilities; 31 percent access phone calls or phone numbers; 26 percent access personal data, such as contacts and email; and 9 percent use permissions that can cost the user money.
“Our research shows that 26 percent of apps in Google Play have access to personal information such as contacts and email, and in our survey, 96 percent of employers, who permit personal devices to access their networks, allow employees to connect to company email and contacts,” according to the company’s report. “So as more companies allow their employees to access their organizational data from personal devices, employers must recognize the threats to their intellectual property posed by unmonitored devices.”
Most users do not pay close attention to the permissions applications are requesting, Harry Sverdlove, CTO of Bit9, told eWEEK. In addition, the problem is compounded by the fact that allowing permissions is an all-or-nothing proposition if a user wants a particular app, he said.
“Most consumers are willing to click “allow” for mobile apps in situations they probably would never have allowed on a Windows computer,” he said. “This is because people do not yet consider their smartphones as vulnerable or as sensitive as they do their desktops and laptops; even those smartphones are essentially just smaller computers, and debatably store even more personal information than the average laptop.”
“Another problem is that there are dozens of different permissions on an Android device,” he added. “The disclosure dialog box cannot list or properly explain them all. Even if it could, some are simply too esoteric or technical for an ordinary consumer to understand. If the warning described the possibly risks, not just the permission requested, that might help, but then you would be talking about a dialog box as large as a license agreement—how many people actually read license agreements in full?”
Even if an app has not been compromised by hackers, permissions still matter, Sverdlove said. For one, there will always be cases where a malicious app is not recognized or has not yet been exploited, so knowing what that app is capable of doing is important in understanding risk. Secondly, user privacy can be compromised by developers building with functionality, rather than security, in mind, he said.
“If they are transmitting or storing your personal data in an insecure manner, some other app or malicious actor might be able to steal it,” he said. “So again, knowing what an app can access is important in deciding how much trust you should have on the app or the publisher before using that app.”
In a survey of 139 IT security decision makers included in the report, Bit9 uncovered that although 78 percent feel phone makers do not focus enough on security, almost an identical number (71 percent) allow employees to bring their own smartphones to the workplace. In addition, though 68 percent rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work, only 24 percent of companies employ any sort of application control or monitoring to know what applications are running on employees’ mobile devices, and only 37 percent have deployed any form of malware protection on employee-owned devices.
“We have entered a world where employees will bring their own devices to work, and organizations have started to capitulate,” said Sverdlove. “But it does not have to be one way. An organization can and should set guidelines and standards for BYOD to reduce their risk and protect their intellectual property.”
He urged organizations to assess themselves in terms of risk and consider requiring a monitoring or application reputation service on all personal devices before giving them access to the corporate network or sensitive data.
“Organizations should [also] consider requiring employees to agree to certain terms of use before using their personal devices,” he added. “For example, giving the company the right to remotely wipe the device if it is lost or compromised [or remotely wipe portions of it]. This can be a tricky area and I’m not a legal expert, but the point is that if a company is going to give up some primary control over their data, they should be able to ask for some insurance in return.”