About the author

Jessica Twentyman

Jessica Twentyman is an experienced journalist with a 16-year track record as both a writer and editor for some of the UK's major business and trade titles, including the Financial Times, Sunday Telegraph, Director, Computer Weekly and Personnel Today. Jessica has also worked on contract publishing projects for organisations as diverse as the Institute of Directors, Microsoft, 3i, BT, English Heritage and the Royal Bank of Scotland. Jessica is the editor of IP EXPO Online. Contact Jessica on jessicatwentyman@ipexpo.co.uk

Exposing your personal info? There’s an app for that, says Juniper

30 Oct 2012

Recent analysis of 1.7 million downloadable mobile apps shows that many are primed to access data and functions they really should not need.

A significant number of mobile apps, downloaded by users onto personal and corporate devices, could expose sensitive data or access device functions that they should not need, according to an 18-month analysis of 1.7 million apps on the Google Play market, conducted by researchers at Juniper Networks' Mobile Threat Center (MTC). They also found that many mobile apps gain permission to access the Internet - potentially giving them a way to transmit the data they've found on a device, without the user knowing.

"Users who install these apps often don't understand what personal information they're sharing or who they're sharing it with," explained Dan Hoffman, chief mobile security evangelist at Juniper Networks and head of its Mobile Threat Center, in an interview with IP EXPO Online. "Our goal was to do some serious analysis of the expectations users should have when they download an app to their device. We also wanted to create a baseline, so that we can return to this research a couple of times a year and see how the situation is changing."

The initial analysis, conducted between March 2011 and September 2012, found a significant difference between free apps and paid-for apps. For example, twenty-four percent (24.1 percent) of the free apps evaluated have permission to track location, compared to only 6 percent of paid-for apps, and while 6.7 percent of free apps have permission to access a user's address book, only 2.1 percent of paid apps have this permission.

Perhaps more worrying, however, is the ability of apps to send texts, initiate calls and access the device camera. Of the free apps analysed, 2.6 percent could send texts (compared to just 1.5 percent of paid apps), 6.4 percent could clandestinely initiate calls in the background (1.8 percent of paid apps), and 5.5 percent could access the camera (2.1 percent of paid apps).

Hoffman has more than 15 years' experience in mobile security, yet this was one of a couple of findings that surprised him. "The dramatic difference between free and paid-for apps was startling," he says. "Of course you'd expect free apps to be more risky than paid-for apps, but the fact that you're four times more likely to have your location tracked by a free app? That really surprised me."

Another unexpected finding, he says, is that while users may view apps that contain third-party ads with suspicion, these are often benign. "As a user, you might think that location tracking is a fair trade-off for an app, in return for using its function, and decide that's a risk you're prepared to take," he says. "In fact, we found that less than 10 percent of apps that track the user's location contain advertising modules. That very much leads us to believe that many apps collect information for reasons much less apparent than simply understanding consumer behaviour."

Either way, this epidemic of rogue apps collecting data and accessing functions should be a major concern not just for users, but also for their employers, particularly in an age of 'bring your own device' (BYOD) policies in the workplace. "If I have a mobile device, containing a downloaded app with the ability to make outside calls when I'm in a Juniper meeting, then my employer should be very worried about that. Likewise, if it can access the camera on my device and I'm carrying it around Juniper's headquarters, then again, that's deeply problematic for the company," says Hoffman.

"Having this knowledge and communicating it to companies so that they can put in place intelligent security policies and intelligent security controls was one of the main goals of this study," he adds.
