As mobile applications evolve from occasional accessories into ubiquitous utilities, security researchers are hoping to get a grip on privacy implications before it's too late. Analysts from Juniper Networks recently contributed to the cause, releasing their findings from an 18-month assessment of more than 1.7 million apps available on Google Play. The conclusions drawn by research coordinator Daniel Hoffman revealed significant disparities between paid and free apps and an overarching lack of transparency from publishers and developers.
No free lunch
As Hoffman noted, reports of popular apps surreptitiously gathering user data for questionable purposes have surfaced many times in recent months. But after looking out over the entire mobile app ecosystem, it appears the first distinction to be made is the increased privacy risk posed by freeware.
According to Juniper's research, free apps are 401 percent more likely to track device location than paid apps. In fact, nearly one in four free programs now have permission to collect geospatial data. Similarly, free apps were 314 percent more likely to access the contents of user address books. While this capability was only seen in approximately 7 percent of free apps, it's important to remember the study sample included 1.7 million programs.
Conventional wisdom may have predicted such results, as third-party advertising is a popular monetization strategy for developers of free applications. As the logic goes, no user data means no revenue.
"While this is true in some cases, Juniper examined 683,238 application manifests and found the percentage of apps with the top five ad networks is much less than the total number tracking location (24.14 percent)," Hoffman wrote. "This leads us to believe there are several apps collecting information for reasons less apparent than advertising."
Mobile device owners are starting to recognize that understanding application permissions regarding location tracking and address book harvesting is now a crucial data protection discipline. However, few are aware of the text messaging, call initiating and photo taking capabilities buried in a growing number of licensing agreements.
According to Juniper researchers, approximately 2 percent of all mobile apps have permission to "silently send text messages" from user devices. In addition, approximately 4 percent have similar power to place calls and access onboard cameras.
"An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device," Hoffman noted. "Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, as was recently presented with the proof-of-concept spyware PlaceRaider."
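As an added example (not Juniper's tooling and not code from the article), here is a small Python audit in the spirit of the manifest review described above: it extracts `uses-permission` entries from AndroidManifest.xml files, buckets them into the capabilities the article discusses (location, address book, SMS sending, call placement, camera), and compares a free corpus against a paid one. The manifests are constructed samples and the "percent more likely" formula is an assumed reading of the article's metric; the permission names are real Android constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets from the article, mapped to real Android permission names.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "send_sms": {"android.permission.SEND_SMS"},
    "place_call": {"android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
}

def manifest_permissions(xml_text):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def capabilities(xml_text):
    """Map one manifest onto the capability buckets it can exercise."""
    perms = manifest_permissions(xml_text)
    return {cap for cap, names in CAPABILITIES.items() if perms & names}

def capability_rates(manifests):
    """Fraction of manifests in a corpus that hold each capability."""
    caps = [capabilities(m) for m in manifests]
    return {cap: sum(cap in c for c in caps) / len(caps) for cap in CAPABILITIES}

def relative_likelihood(free_rate, paid_rate):
    """'X percent more likely' read as (free/paid - 1) * 100; an assumption.
    Returns None when the paid corpus never holds the capability."""
    if paid_rate == 0:
        return None
    return (free_rate / paid_rate - 1) * 100

def audit(free, paid):
    """Per capability: (free rate, paid rate, percent more likely in free apps)."""
    fr, pr = capability_rates(free), capability_rates(paid)
    return {c: (fr[c], pr[c], relative_likelihood(fr[c], pr[c])) for c in CAPABILITIES}

def _manifest(*perms):  # constructed sample manifest, not from any real app
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{body}</manifest>')

FREE = [_manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
                  "android.permission.SEND_SMS"),
        _manifest("android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS"),
        _manifest("android.permission.ACCESS_COARSE_LOCATION"),
        _manifest("android.permission.INTERNET")]
PAID = [_manifest("android.permission.ACCESS_FINE_LOCATION"), _manifest(),
        _manifest("android.permission.INTERNET"), _manifest("android.permission.CALL_PHONE")]
```

Running `audit(FREE, PAID)` on the constructed corpora reports location at 75 percent of free versus 25 percent of paid manifests, i.e. 200 percent more likely, and a `None` ratio for capabilities the paid corpus never declares.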
The existence of such capabilities is concerning enough, but the danger is only compounded by the fact that app developers are not being forthright when describing feature functionality. According to Juniper, 94 percent of free mobile card playing and casino games that have permission to make outbound calls do not explicitly describe or justify their use of such capabilities. More than 80 percent of free apps in this category do not delineate their SMS or camera access intentions either.
Even paid applications suffer from a similar lack of transparency. Among racing games, 99 percent of paid apps boasting text messaging permissions did not reveal what role – if any – they played in program operations. This is particularly concerning considering the app genre saw an "abnormally high number" of programs removed from Google Play over the course of the assessment period – suggesting a prevalence of cybercriminal ties.
End user education
Hoffman was quick to note that, upon further review, the majority of developers had legitimate operational reasons for gathering user permissions. However, inconsistent or nonexistent disclosure practices have given rise to serious data security doubts. As a result, Juniper recommended that app developers not only do a better job of aligning permissions with actual app functionality, but do so in a more transparent and informative manner.
Part of the problem seems to be a lack of differentiation among permissions. For example, a spyware app could use silent call capabilities to conduct mobile wiretapping, whereas a banking app could use the same feature to call a local branch to resolve a potential fraud alert. These may be extreme cases, but without a proper explanation from the developer, users won't be able to distinguish legitimate uses from malicious traps.
Developers would do well to heed this call for transparency, as authorities may soon intervene to trigger the change they hope to see in the market. This week, California Attorney General Kamala Harris sent a pointed letter to more than 100 top mobile app developers – including the likes of restaurant reservation specialist Open Table and both Delta and United Airlines.
Data Security News from SimplySecurity.com by Trend Micro