What do your apps know about you?

January 2013

Each day, consumers download millions of applications to their smartphones, tablets and other mobile devices. Unbeknownst to them, along with games, news, utilities and other things, they also often download software that could put their privacy at risk, according to Harry Sverdlove, CTO of Bit9.

That problem is compounded when people use their personal mobile devices at work to connect to their employers' network, the same network that carries sensitive company data.

Bit9 analysed a statistically meaningful sample of more than 400,000 Android apps available from Google Play. We chose Android because it is the most widely used smartphone OS and Google Play is the default marketplace for downloading Android apps. We also conducted a survey of select IT decision makers who are responsible for the mobile device usage policy of more than 400,000 employees.

We looked at the permissions, categories, publishers, ratings and popularity to rate the overall trustworthiness of each mobile app. While perhaps not surprising, the results should be a wakeup call to IT professionals about the challenges of today’s BYOD culture.

Unlike traditional desktop and server software, the risks in mobile devices come not just from malicious programs; they also involve privacy and control of confidential or sensitive data.

We found that the majority of Android apps (72 per cent) use at least one permission that gives the app access to private data or control over the smartphone’s functionality. But it’s not just what permissions an app requests that matter; it’s whether those permissions make sense for the nature of the application.

For example, it is less suspicious for a social media app to have access to email contacts than it is for a wallpaper app to do the same.

We took into account information about the publisher, the number of high-risk permissions requested, and the category of the application, and grouped our results into three buckets: green (trustworthy), yellow (low trust, but not malicious) and red (no trust and suspicious). We found that 25 per cent, or more than 100,000 apps, fell into the red category.
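To make the category-versus-permission idea concrete, here is a small illustrative triage script (added here, not Bit9's scoring model): it pulls the declared permissions out of a constructed AndroidManifest.xml and buckets the app green, yellow or red depending on how many high-risk permissions its category does not explain and whether the publisher is known. The high-risk list, the category expectations and the thresholds are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Android XML namespace used for the android:name attribute.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions treated as high-risk here: each exposes private data or
# controls phone functionality. Illustrative selection, not Bit9's list.
HIGH_RISK = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# High-risk permissions that plausibly fit a category (assumed mapping).
EXPECTED_FOR_CATEGORY = {
    "social": {"android.permission.READ_CONTACTS"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
    "wallpaper": set(),
}

# Constructed manifest: a wallpaper app asking for location and contacts.
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(permissions, category, publisher_known=True):
    """Bucket an app: only high-risk permissions the category cannot explain
    count against it, and an unknown publisher removes the benefit of the doubt."""
    unexplained = (permissions & HIGH_RISK) - EXPECTED_FOR_CATEGORY.get(category, set())
    if not unexplained:
        return "green"
    if len(unexplained) == 1 and publisher_known:
        return "yellow"
    return "red"
```

Running `triage(manifest_permissions(WALLPAPER_MANIFEST), "wallpaper")` lands the constructed wallpaper app in the red bucket, while a social app requesting only contacts stays green.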

We’re not saying that 100,000 apps on Google Play are ‘malicious’. In fact, very few apps are actually evil, and Google does a pretty good job of catching and removing them from Google Play. But these ‘red’ apps do perform questionable tasks and have access to private information, which represent a risk to enterprises that allow BYOD.

Why do companies deploy security technologies? To stop bad guys from getting into their network and stealing intellectual property. When a company owns (or controls) all of the computers that manage its data, it can react to changing threats because the company can control what runs on those systems.

Imagine if a company allowed employees to bring their own personal laptops and desktops into work and use them for business with few, if any, restrictions on what other programs those personal systems might be running. It would be a security nightmare. Conceptually, this is not too different from having a BYOD smartphone policy, as 71 per cent of the companies we surveyed do.

Mobile devices are used to access corporate email, documents, contacts and more. And who knows what else they’re running? Less than a quarter of the IT decision makers we surveyed have visibility into what else is on these mobile miniature computers.

When a smartphone is used for business, the line between personal data and corporate IP gets blurry in a hurry. Personal and business contacts intertwine and email accounts merge. A social media app that an employee uses to interact with friends might now have access to email addresses and information about company executives or customers.

A game app with advertising banners might now have access to the internal internet addresses or at least the keywords used for business browsing activity.

In fact, the developers of most free apps that embed advertising to support their development do not know or control what information those third-party advertisers may collect (the advertising component automatically inherits the permissions of the app itself).

The risk for IT security departments is not just in losing primary control over data stored on (or transmitted from) a smartphone. Mobile data such as contacts and emails can easily be used to launch more sophisticated spear-phishing or other targeted attacks directly against traditional desktop and laptop systems.

So to put the research in context, we are not saying the sky is falling. We are not saying 25 per cent of all apps are malicious. What we are saying is a large percentage of mobile apps are accessing more information on their devices than people realise, and when those devices are holding both corporate and personal data, this is a problem for individuals and their employers.

What can consumers do to protect themselves and their employers from these risks? Pay better attention to the permissions requested by the mobile apps they download. Don't just automatically check ‘Yes’ to every permission request from an app.

Be wary if, for example, a wallpaper app asks to use your GPS data. Mobile consumers don't have to become paranoid that every app is a potential threat, but we need to be aware of that possibility and act thoughtfully and responsibly.

Comments (2)

  • 1
    David J Dunmore wrote on 28th Jan 2013

    As a 3rd year BSc. student in Computer Security & Forensics, I'm well aware of these risks (which is why I have NO Ad-supported Apps on my Android devices). My Dissertation is investigating the extent of security awareness among Android users, and ways to increase security awareness and practices among Android users.

    If I was the relevant decision maker in a company, I definitely would not permit BYOD unless the devices were free of Ad-supported Apps, AND had Company-Approved security software installed (Remote Wipe and location reporting as a minimum.)


  • 2
    Matt Phillipson wrote on 13th May 2013

    There is an alternative to your suggestion David. My company has a separate guest wifi network which employees and visitors can use to access the internet, download apps, whatever they like really. This is much easier to implement, monitor and control than trying to manage security on each guest device individually and does not put our company or its data at risk.
