26% Android Apps Pose Security Risks

A new research report shows that more than 100,000 Android applications in the Google Play store pose a security risk to mobile device users and the enterprise networks to which they connect. In the most comprehensive research project of its kind, my company examined the security permissions of more than 400,000 Android applications. We focused on Google Play applications because more smartphones today run Android than any other operating system.

Criteria for defining an application as “questionable” or “suspicious” included the permissions requested by the application, categorisation of the application, user rating, number of downloads, and the reputation of the application’s publisher. In its examination of the more than 400,000 Android apps, we found that 72 per cent use at least one high-risk permission. In addition, we found that:

  • 42 per cent of applications access GPS location data, and these include wallpapers, games and utilities
  • 31 per cent access phone calls or phone numbers
  • 26 per cent access personal data, such as contacts and email
  • 9 per cent use permissions that can cost the user money.

A significant percentage of Google Play apps have access to potentially sensitive and confidential information. When a seemingly basic app such as a wallpaper requests access to GPS data, this raises a red flag. Likewise, more than a quarter of the apps can access email and contacts unbeknown to the phone user, which is of great concern when these devices are used in the workplace.

In addition to this comprehensive research, we conducted a survey of IT security decision makers who collectively influence mobile device usage policy for more than 400,000 employees. Almost three quarters of those surveyed said their organisation allows employees to bring your own device (BYOD) to work and access company email, calendar and scheduling—a risky decision given the significant percentage of applications we found with access permissions to these programs. Of the IT security decision makers surveyed:

  • 78 per cent feel phone makers do not focus enough on security
  • But 71 per cent allow employees to bring their own smartphones to the workplace
  • 68 per cent rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work
  • But only 24 per cent of companies employ any sort of application control or monitoring to know what applications are running on employees’ mobile devices
  • Only 37 per cent have deployed any form of malware protection on employee-owned devices
  • 84 per cent of respondents believe iOS is more secure than Android.

These results spotlight an interesting—and disturbing—policy contradiction. While the majority of organisations allow employees to bring their personal devices to work and connect to the company network, the organisations have little visibility into the privacy and security risks the mobile applications on the devices pose to the companies’ networks.

Convenience, and not security, drives the growing trend to allow BYOD policies. The survey highlights a clear call to action for companies to realise that when employees access company data from a smart device, their intellectual property is being put at risk.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Harry Sverdlove, Bit9's Chief Technology Officer, draws from nearly two decades of application design and analysis with industry-leading IT enterprises, adding a new layer of technical expertise and strategic vision to Bit9's portfolio of endpoint security solutions. Most recently, Harry served as Principal Research Scientist for McAfee, where he supervised the overall architecture of crawlers, spam detectors and link analysers. Harry joined McAfee through its 2006 acquisition of SiteAdvisor, where he worked as Chief Scientist to develop systems for testing, detecting and analysing any Windows-based application. Prior to joining SiteAdvisor, Harry ran his own consulting company specialising in Windows automation and spam detection. Before that he was Director of Engineering at Compuware Corporation (formerly NuMega Technologies). Prior to NuMega, Harry was Principal Architect for Rational Software, where he designed the core automation engine behind Rational Robot. Harry has a bachelor's degree in electrical engineering from MIT.