Security vendor Bit9 has issued another stark warning about the security risks associated with Android devices.
The security specialist has classified more than 100,000 applications on Google Play as “questionable” or “suspicious” in a new report. The company said its findings underscore the sometimes overlooked risks posed by permission-hungry applications.
Bit9’s criteria for defining an application as “questionable” or “suspicious” included permissions requested by the application, categorisation of the application, user rating, number of downloads and the reputation of the application’s publisher.
In its examination of more than 400,000 Android apps, Bit9 found 72 percent use at least one high-risk permission. In addition, 42 percent of the apps access GPS location data, including wallpapers, games and utilities; 31 percent access phone calls or phone numbers; 26 percent access personal data, such as contacts and email; and 9 percent use permissions that can cost the user money.
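To make the permission-based screening described above concrete, here is an added example that is not Bit9's tooling and not code from the article: a small Python audit that reads the `uses-permission` entries from an Android manifest, groups the real Android permission names into the four risk areas the figures above are broken down by (location, phone, personal data, permissions that can cost money), and cross-checks them against the app's store category. The grouping, the per-category expectations and the three sample manifests are assumptions constructed for the example; Bit9's exact criteria are not published in the article.

```python
import xml.etree.ElementTree as ET

# Namespace Android manifests use for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission names, grouped into the four risk areas the Bit9
# figures are broken down by. The grouping is an assumption for this example;
# the article does not publish Bit9's own list.
RISK_GROUPS = {
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "phone": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.CALL_PHONE",
        "android.permission.READ_CALL_LOG",
        "android.permission.PROCESS_OUTGOING_CALLS",
    },
    "personal_data": {
        "android.permission.READ_CONTACTS",
        "android.permission.GET_ACCOUNTS",
        "android.permission.READ_CALENDAR",
        "android.permission.READ_SMS",
    },
    "costs_money": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
}

# Assumption: risk groups an app in a given store category has no plausible
# need for (the article singles out wallpapers and games reading location).
# A messaging app legitimately needs SMS permissions, so nothing is unexpected.
UNEXPECTED_FOR = {
    "wallpaper": {"location", "phone", "personal_data", "costs_money"},
    "game": {"location", "phone", "personal_data", "costs_money"},
    "utility": {"costs_money"},
    "messaging": set(),
}


def requested_permissions(root):
    """Return the set of android:name values on <uses-permission> elements."""
    return {n.get(NAME_ATTR) for n in root.iter("uses-permission") if n.get(NAME_ATTR)}


def assess(manifest_xml, category):
    """Classify one manifest: 'suspicious' if an unexpected permission can cost
    the user money, 'questionable' if any other unexpected high-risk permission
    is requested, otherwise 'ok'. Unknown categories flag nothing as unexpected."""
    root = ET.fromstring(manifest_xml.strip())
    perms = requested_permissions(root)
    high_risk = {g: sorted(perms & names) for g, names in RISK_GROUPS.items() if perms & names}
    unexpected = {g: p for g, p in high_risk.items() if g in UNEXPECTED_FOR.get(category, set())}
    if "costs_money" in unexpected:
        verdict = "suspicious"
    elif unexpected:
        verdict = "questionable"
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "verdict": verdict,
        "high_risk": high_risk,
        "unexpected": unexpected,
    }


# Constructed sample manifests for the example (not real apps).
WALLPAPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sunsetwallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Sunset Wallpaper"/>
</manifest>
"""

GAME_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

SMS_APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    for xml, cat in ((WALLPAPER_MANIFEST, "wallpaper"),
                     (GAME_MANIFEST, "game"),
                     (SMS_APP_MANIFEST, "messaging")):
        r = assess(xml, cat)
        print(r["package"], cat, "->", r["verdict"], r["unexpected"])
```

The point of the category cross-check is the one the report makes: the same permission is routine in one kind of app and a red flag in another, so a permission list on its own says little about risk. Against a real APK the manifest would first be decoded with a tool such as apktool or aapt, since the packaged AndroidManifest.xml is in Android's binary XML format, not plain text.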
Most users do not pay close attention to the permissions applications are requesting, Harry Sverdlove, CTO of Bit9, told eWEEK. In addition, the problem is compounded by the fact that allowing permissions is an all-or-nothing proposition if a user wants a particular app, he said.
“Most consumers are willing to click ‘Allow’ for mobile apps in situations they probably would never have allowed on a Windows computer,” he said. “This is because people do not yet consider their smartphones as vulnerable or as sensitive as they do their desktops and laptops, even though smartphones are essentially just smaller computers, and debatably store even more personal information than the average laptop.”
“Another problem is that there are dozens of different permissions on an Android device,” he added. “The disclosure dialogue box cannot list or properly explain them all. Even if it could, some are simply too esoteric or technical for an ordinary consumer to understand. If the warning described the possible risks, not just the permission requested, that might help, but then you would be talking about a dialogue box as large as a licence agreement. How many people actually read licence agreements in full?”
Even if an app has not been compromised by hackers, permissions still matter, Sverdlove said. For one, there will always be cases where a malicious app is not recognised or has not yet been exploited, so knowing what that app is capable of doing is important in understanding risk. Secondly, user privacy can be compromised by developers building with functionality in mind rather than security, he said.
“If they are transmitting or storing your personal data in an insecure manner, some other app or malicious actor might be able to steal it,” he said. “So again, knowing what an app can access is important in deciding how much trust you should have in the app or the publisher before using that app.”
In a survey of 139 IT security decision makers included in the report, Bit9 found that although 78 percent feel phone makers do not focus enough on security, a similar proportion (71 percent) allow employees to bring their own smartphones to the workplace. In addition, though 68 percent rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work, only 24 percent of companies employ any sort of application control or monitoring to know what applications are running on employees’ mobile devices, and only 37 percent have deployed any form of malware protection on employee-owned devices.
“We have entered a world where employees will bring their own devices to work, and organisations have started to capitulate,” said Sverdlove. “But it does not have to be one way. An organisation can and should set guidelines and standards for BYOD to reduce their risk and protect their intellectual property.”
He urged organisations to assess themselves in terms of risk and consider requiring a monitoring or application reputation service on all personal devices before giving them access to the corporate network or sensitive data.
“Organisations should [also] consider requiring employees to agree to certain terms of use before using their personal devices,” he added. “For example, giving the company the right to remotely wipe the device if it is lost or compromised (or remotely wipe portions of it). This can be a tricky area and I’m not a legal expert, but the point is that if a company is going to give up some primary control over their data, they should be able to ask for some insurance in return.”
With 78 per cent of security professionals feeling unsafe using devices at work, it is clear someone needs to take ownership of the application security issue.
At present, there is a misconception that Google regulates and is responsible for the security of the applications built on its platform. The reality, however, is that it’s entirely down to the developer and their decision to build security into the development. Essentially, blaming Google for all of the unsecured apps on its platform is no different to blaming Microsoft for every poorly-written desktop application!
If a major bank develops a mobile app that stores unencrypted user information in device memory, that bank has written a bad app. The security of that app has nothing to do with the target viewer (laptop, smartphone, browser). Rather, it has to do with poor gathering and planning of requirements.
Mobile apps are no different from any other kind of app and rigorous security standards must be applied. The easiest way to achieve this is to use an enterprise mobility platform that has security built into its core and handles the security for you. Take a look at this blog on security: http://www.verivo.com/mobility-watch/why-app-security-is-a-non-issue-in-todays-byod-era/