Free mobile apps a threat to privacy, study finds

Free mobile apps pose a serious threat to privacy because of their ability to capture large amounts of user information

Free mobile apps pose a serious threat to privacy because of their ability to capture large amounts of user information, a study has revealed.

Free mobile applications are 401% more likely to track user location and 314% more likely to access user address books than paid-for apps, according to research from Juniper Networks.

Many apps analysed had permission to access the internet, which could provide a means for exposed data to be transmitted from the device.

Analysis of 1.7 million apps on the Android market by Juniper’s Mobile Threat Center also found that many apps solicit personal information or perform functions not required for the apps to work.

For example, the study found that 94% of free gambling apps that have permission to make outbound calls do not describe why the app would justifiably use this capability.

Similarly, 83.88% of free gambling apps have permission to use the camera and 84.51% have permission to send SMS messages.

There is an overall lack of transparency as to who is collecting information and how it is used, said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

Top findings

  • 24.14% of free apps have permission to track location, compared with 6.01% of paid apps
  • 6.72% of free apps have permission to access to your address book, compared with 2.14% of paid apps
  • 2.64% of free apps have permission to silently send text messages, compared with 1.45% of paid apps
  • 6.39% of free apps have permission to initiate background calls, compared with 1.88% of paid apps
  • 5.53% of free apps have permission to access the device camera, compared with 2.11% of paid apps

The study found that other permissions being requested from applications include the ability to initiate outgoing calls, send SMS messages and use a device camera without the user's knowledge.

“An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device,” said Hoffman.

Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, he said.

Silently sending SMS messages can also be a means to create a covert channel for siphoning sensitive information from a device.

“Further, the potential for stealth SMS messages or calls can have monetary repercussions by communicating with services that will subsequently charge a fee, such as sending premium SMS messages,” said Hoffman.

Research firm Gartner predicts that the number of mobile applications downloaded this year will double to 45 billion.

In the light of this prediction, Hoffman said more needs to be done to inform people about the information being captured, particularly as an increasing number of people use personal devices in the workplace to access business-critical information.

The problem, he said, is that the companies, consumers and government employees who install these apps often do not understand with whom they are sharing personal information.

“Even though a list of permissions is presented when installing an app, most people do not understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust,” said Hoffman.

While the European parliament is working to update its data privacy legislation to better reflect today’s connected world, it could be a couple of years for these changes to come into play, leaving businesses and consumers highly vulnerable in the meantime, he said.

Read more about security within mobile apps

  • Android devices vulnerable to security breaches
  • Attackers besiege Google Android OS, Trend Micro reveals
  • Google Android smartphones hijacked by spam botnet
  • Google changes Android policy to tackle malicious apps
  • Android mobile attack: Hacked websites target Android users

Based on the research, Juniper Networks is calling on mobile app industry to:

Correlate permissions to actual app functionality. 

Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call does not provide the necessary context of why this functionality is necessary for a specific app. Developers should provide a means to  communicate how permissions align with how the app works.

Better differentiate between permissions.

There is a big difference between a Spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application. The manner in which permissions are currently presented does not provide a means for users to differentiate between the two. More needs to be done to provide developers with differentiated permissions and to perform the very different actions.

Accept some exposure with free apps.

It seems there is no such thing as a free lunch in mobile. If people choose to use free applications, they will likely need to provide information in exchange. Often, the value provided by the app is well worth the information given up by a user; however, many do not realise that this tracking is happening and may not be making informed choices. Communicating why information is needed in a concise and easy-to-understand manner could help people become more comfortable with sharing.

A smaller amount of actionable data is beneficial.

Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions. More educated users means they are more comfortable installing apps and less likely to uninstall once they see the number of permissions being requested without explanation.


Image: iStockphoto/Thinkstock

Read more on Endpoint security