Bit9 Warns Of 100k Risky Android Apps

Security vendor Bit9 has issued another stark warning about the security risks associated with Android devices.

The security specialist has classified more than 100,000 applications on Google Play as “questionable” or “suspicious” in a new report. The company said its findings underscore the sometimes overlooked risks posed by permission-hungry applications.

Permission Risks

Bit9’s criteria for defining an application as “questionable” or “suspicious” included permissions requested by the application, categorisation of the application, user rating, number of downloads and the reputation of the application’s publisher.

In its examination of more than 400,000 Android apps, Bit9 found 72 percent use at least one high-risk permission. In addition, 42 percent of the apps access GPS location data, including wallpapers, games and utilities; 31 percent access phone calls or phone numbers; 26 percent access personal data, such as contacts and email; and 9 percent use permissions that can cost the user money.
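As an added illustration, not code from the article or from Bit9’s report, the script below sorts the permissions an Android manifest declares into the four buckets quoted above (location, phone, personal data, permissions that can cost money) and weighs them against the app’s store category, along the lines of the criteria Bit9 describes. The bucket membership, the per-category expectations and the verdict thresholds are assumptions of this example.

```python
# Triage the permissions an Android manifest declares into the Bit9 report's
# buckets (location, phone, personal data, costs money) and weigh them against
# the app's store category. Bucket membership, category expectations and the
# verdict labels are this example's own assumptions, not Bit9's method.
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names, grouped into the report's buckets (assumed).
RISK_BUCKETS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone": {"android.permission.READ_PHONE_STATE",
              "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "personal_data": {"android.permission.READ_CONTACTS",
                      "android.permission.GET_ACCOUNTS"},
    "costs_money": {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"},
}
# Buckets a store category plausibly needs (assumed; unknown categories need none).
EXPECTED_BY_CATEGORY = {
    "navigation": {"location"},
    "communication": {"phone", "personal_data", "costs_money"},
    "wallpaper": set(),
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml, category):
    """Return (verdict, {bucket: [permissions]}) for one app."""
    perms = declared_permissions(manifest_xml)
    hits = {b: sorted(perms & names) for b, names in RISK_BUCKETS.items()
            if perms & names}
    unexplained = set(hits) - EXPECTED_BY_CATEGORY.get(category, set())
    if unexplained:
        verdict = "suspicious"    # high-risk access the category does not explain
    elif hits:
        verdict = "questionable"  # high-risk access, but plausible for the category
    else:
        verdict = "low"
    return verdict, hits

# Constructed sample manifest: a wallpaper app asking for GPS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
```

Running `triage(SAMPLE_MANIFEST, "wallpaper")` flags the app as suspicious because neither location nor contacts access is explained by a wallpaper’s purpose.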

“Our research shows that 26 percent of apps in Google Play have access to personal information such as contacts and email, and in our survey, 96 percent of employers who permit personal devices to access their networks allow employees to connect to company email and contacts,” according to the company’s report. “So as more companies allow their employees to access their organisational data from personal devices, employers must recognize the threats to their intellectual property posed by unmonitored devices.”

Most users do not pay close attention to the permissions applications are requesting, Harry Sverdlove, CTO of Bit9, told eWEEK. In addition, the problem is compounded by the fact that allowing permissions is an all-or-nothing proposition if a user wants a particular app, he said.

“Most consumers are willing to click ‘Allow’ for mobile apps in situations they probably would never have allowed on a Windows computer,” he said. “This is because people do not yet consider their smartphones as vulnerable or as sensitive as they do their desktops and laptops, even though those smartphones are essentially just smaller computers, and debatably store even more personal information than the average laptop.”

“Another problem is that there are dozens of different permissions on an Android device,” he added. “The disclosure dialogue box cannot list or properly explain them all. Even if it could, some are simply too esoteric or technical for an ordinary consumer to understand. If the warning described the possible risks, not just the permission requested, that might help, but then you would be talking about a dialogue box as large as a licence agreement - how many people actually read licence agreements in full?”

Even if an app has not been compromised by hackers, permissions still matter, Sverdlove said. For one, there will always be cases where a malicious app is not recognised or has not yet been exploited, so knowing what that app is capable of doing is important in understanding risk. Secondly, user privacy can be compromised by developers building with functionality in mind rather than security, he said.

BYOD Worry?

“If they are transmitting or storing your personal data in an insecure manner, some other app or malicious actor might be able to steal it,” he said. “So again, knowing what an app can access is important in deciding how much trust you should have on the app or the publisher before using that app.”

In a survey of 139 IT security decision makers included in the report, Bit9 uncovered that although 78 percent feel phone makers do not focus enough on security, almost an identical number (71 percent) allow employees to bring their own smartphones to the workplace. In addition, though 68 percent rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work, only 24 percent of companies employ any sort of application control or monitoring to know what applications are running on employees’ mobile devices and only 37 percent have deployed any form of malware protection on employee-owned devices.

“We have entered a world where employees will bring their own devices to work, and organisations have started to capitulate,” said Sverdlove. “But it does not have to be one way. An organisation can and should set guidelines and standards for BYOD to reduce their risk and protect their intellectual property.”

He urged organisations to assess themselves in terms of risk and consider requiring a monitoring or application reputation service on all personal devices before giving them access to the corporate network or sensitive data.

“Organisations should [also] consider requiring employees to agree to certain terms of use before using their personal devices,” he added. “For example, giving the company the right to remotely wipe the device if it is lost or compromised (or remotely wipe portions of it). This can be a tricky area and I’m not a legal expert, but the point is that if a company is going to give up some primary control over their data, they should be able to ask for some insurance in return.”


Brian Prince, eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.


  • With 78 per cent of security professionals feeling unsafe using devices at work, it is clear someone needs to take ownership of the application security issue.

    At present, there is a misconception that Google regulates and is responsible for the security of the applications built on its platform. The reality, however, is that it’s entirely down to the developer and their decision to build security into the development. Essentially, blaming Google for all of the unsecured apps on its platform is no different to blaming Microsoft for every poorly-written desktop application!

    If a major bank develops a mobile app that stores unencrypted user information in device memory, that bank has written a bad app. The security of that app has nothing to do with the target viewer (laptop, smartphone, browser). Rather, it has to do with poor gathering and planning of requirements.

    Mobile apps are no different from any other kind of app and rigorous security standards must be applied. The easiest way to achieve this is to use an enterprise mobility platform that has security built into its core and handles the security for you. Take a look at this blog on security:
