25 percent of Google Play apps pose security risks
Bit9 has released a report summarizing our analysis of more than 400,000 Android apps available from Google Play. We chose Android because it is the most widely used smartphone OS in the United States, and Google Play is the default marketplace for downloading Android apps (we’ll look at iOS and other app stores in future research). The report also includes the results of a survey we conducted of IT decision makers who are responsible for the mobile device usage policy of more than 400,000 employees.
We looked at the permissions, categories, publishers, ratings and popularity to rate the overall trustworthiness of each mobile app. While perhaps not surprising, the results should be a wakeup call to IT professionals about the challenges of today’s BYOD (bring your own device to work) culture. Unlike traditional desktop and server software, the risks in mobile devices come not just from malicious programs; they also involve privacy and control of confidential or sensitive data. The majority of Android apps (72 percent) use at least one permission that gives the app access to private data or control over the smartphone’s functionality. But it’s not just what permissions an app requests that matter, it’s whether those permissions make sense for the nature of the application.
For example, it is less suspicious for a social media app to have access to email contacts than it is for a wallpaper app to do the same. We took into account information about the publisher, the number of high-risk permissions requested, and the category of the application, and grouped our results into three buckets: green (trustworthy), yellow (low trust, but not malicious) and red (no trust and suspicious). We found that 25 percent, or more than 100,000 apps, fell into the red category.
We’re not saying that 100,000 apps on Google Play are “malicious.” In fact, very few apps are actually evil, and Google does a pretty good job of catching and removing them from Google Play. But these “red” apps do perform questionable tasks and have access to private information, which represent a risk to enterprises.
Why do companies deploy security technologies? To stop bad guys from getting into their network and stealing intellectual property. When a company owns (or controls) all of the computers that manage its data, it can react to changing threats because the company can control what runs on those systems. Imagine if a company allowed employees to bring their own personal laptops and desktops into work and use them for business, with few, if any, restrictions on what other programs those personal systems might be running. It would be a security nightmare. Conceptually, this is not too different from having a BYOD smartphone policy, as 71 percent of the companies we surveyed do. Mobile devices are used to access corporate email, documents, contacts and more. And who knows what else they’re running? Less than a quarter of the IT decision makers we surveyed have visibility into what else is on these mobile miniature computers.
When a smartphone is used for business, the line between personal data and corporate IP gets blurry. Personal and business contacts intertwine and email accounts merge. A social media app that an employee might have for personal friends might now have access to email addresses and information about company executives or customers. A game app with advertising banners might now have access to the internal Internet addresses or at least the keywords used for business browsing activity. In fact, most free apps that embed advertising, to support their development, do not understand or control what information those third-party advertisers may collect (the advertising component automatically inherits the permissions of the app itself). The risk for IT security departments is not just in losing primary control over data stored on (or transmitted from) a smartphone. Mobile data, such as contacts and emails, can be easily used to launch more sophisticated spear-phishing or other targeted attacks directly against traditional desktop and laptop systems.
So to put the research in context, we are not saying the sky is falling. We are not saying 25 percent of all apps are malicious. What we are saying is a large percentage of mobile apps are accessing more information on their devices than people realize, and when those devices are holding both corporate and personal data, this is a problem for individuals and their employers.