Even Apple and Google can't protect users from inherent mobile app risks

To paraphrase a phrase, there is no such thing as a free app.

Yes, there are hundreds of thousands out there that won't cost you a cent to download. But they still extract a price. The price, at a minimum, is information about you. As more than one expert has said, "You are the payment." And that payment is not risk-free.

The large majority of mobile apps, even those vetted through Apple's App Store or Google's Play Store, are (with apologies to Rogers and Hammerstein) "getting to know you, getting to know all about you," in exchange for helping you tune your instrument, see your way in the dark, find a new restaurant and any number of other services.

Except the goal of that knowledge is commercial, not romantic. The developers of those apps are selling information about you to analysts and marketers, information that, knowingly or not, you are volunteering to give them.

That, in the view of many mobile users, is not necessarily risky if all it means is getting some targeted ads for things that already interest them. And there are apps available that are even designed to protect your privacy, among them Telegram, Wickr and Confide for text messages, and Snapchat for photos, which delete what you sent within seconds or minutes.

But users may not be aware of how much more interested purveyors of malware are in them than they were even a couple of years ago.

The Mobile Security Threat Report from Sophos, released at this week's Mobile World Congress, reports that while the first mobile malware appeared 10 years ago, it has exploded in the past two years, responding to mobile subscriptions now totaling about 7 billion and app downloads of about 110 billion just from Apple's App Store and Google's Play Store.

The company, which has tracked Android malware samples since 2004, reported that they remained relatively negligible until 2012, and since then have grown to more than 650,000.

And even with apps free of malware, users may not know how deep the collection goes, and how their information (about friends and business associates, their identity and their financial transactions) can fall into the wrong hands.

Domingo Guerra, cofounder and president of mobile app risk management vendor Appthority, contends that this is a greater risk than malware right now. While he agrees that malware is "growing exponentially," he said it remains "a sliver of the app ecosystem. Having analyzed over 2.3 million apps for our customers, we have found that less than 0.4% of apps have malware, while 79% had other kinds of enterprise risk."

In its Winter 2014 App Reputation Report, Appthority analyzed 400 apps (the top 100 free and top 100 paid for each of the two most popular mobile platforms, iOS and Android) and reported multiple "risky" behaviors, most involving the privacy of users.

Of the free apps analyzed from both platforms, 70% allow location tracking, 56% identify the user's ID (UDID), 31% access users' contact list or address book, 69% use single sign-on, 53% share data with ad networks and analytics and 51% offer in-app purchasing.

That last item, in-app purchasing, can be especially risky, and expensive. Guerra said a growing trend is for apps to "leverage in-app purchasing to monetize. For example, Candy Crush Saga, one of the most popular free apps, is also one of the top-grossing apps."

Guerra said Apple recently settled a case with the Federal Trade Commission about in-app purchases specifically for children's apps. "Parents thought they were authorizing one in-app-purchase transaction, but instead authorized any transaction during a 30-minute window," he said.

"This resulted in many 'unauthorized' charges, as kids used in-app-purchases to buy additional content, features, virtual goods etc. And in-app-purchases can be as high as $99 per transaction."

That does not mean paid apps are not invasive. "While 95% of free apps exhibited at least one risky behavior, so did 80% of the top paid apps," Appthority reported. "Developers of paid and free apps are seeking new methods of generating revenue and unfortunately, it comes at the cost of the user's privacy."

Security vendor McAfee reported similar findings recently. In a post on the McAfee Blog, Lianne Caetano wrote that company researchers "found that privacy-invading apps are more common than ever before, and beyond violating your digital space, some even contain malware and other suspicious characteristics."

According to the report, 82% of the apps read the UDID; 64% know the wireless carrier; 59% track the last known location; 55% continuously track location; 26% read the apps used; 26% know the SIM card number; and 36% know the user's account information.

While some tracking is inevitable, given that users expect certain apps to guide them to specific locations, "the real question is: What are these apps doing with all of the information that they collect? ... some of these apps may be oversharing that information with third parties or using it to inform more nefarious groups," Caetano wrote.

And some of the promises made about privacy may not be rigorously enforced. Among Apple's latest rules for developers is that they should not request a UDID as a method of user tracking.

"However, 26% of top iOS apps still make requests for UDID, and on any device that is running an older OS than iOS7, the apps are still able to get the UDID directly from the device," said Guerra.

Beyond the privacy risks, Guerra said many apps "are communicating without encryption, so intercepting this data in motion is also easy." An attacker doesn't need to compromise the device to get this data; sniffing the network traffic is enough.

In spite of such multiple warnings about both privacy invasion and malware from mobile apps, there is so far no perceptible consumer backlash about the risks of mobile apps. That may be in large measure because, as Scott Matsumoto, principal consultant at Cigital, puts it, "there is no backlash because people don't know it's happening."

But Matsumoto also said data collection on users is not a black-and-white issue. Some free apps, like those from a bank, collect information so they know users' typical habits and can tell more easily if someone is trying to impersonate them.

Dan Dearing, vice president of marketing at MobileSpaces, agreed. "The problem is complicated," he said. "You might want apps to see your contacts, to make your life easier, but not upload them to their server. But then the policy choices that a user needs to make get too complicated."

There are things consumers and enterprises can do to improve their privacy. Among the most basic are to buy apps only from reliable sources that have been vetted by companies like Google and Apple, and to take the time to limit the amount of tracking an app can do, through privacy and/or preference settings.

"Apps are generally collecting more information than they need," Guerra said. "Why does a flashlight app need my location, calendar, and address book? The issue this creates is that these databases are not always built securely and can become targets for criminals or governments; recall NSA's comments about using Angry Birds data to track user data."

Strong passwords and strong encryption also help, especially with handheld devices that can be lost or stolen.

Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender, said encryption is crucial, since "mobile phones and tablets spend the bulk of their time on unsecure, untrusted networks."

Botezatu also said users should "limit themselves to installing the applications they need, most of which come from trustworthy publishers. The smaller the number of applications installed, the smaller the attack surface."

But among experts, there is not much optimism for the future, at least in the short term. "This is a problem that is still in front of us," said Matsumoto.

Stories by Taylor Armerding