Free Android apps often secretly make calls, use the camera

Free: it isn't, in mobile and in lunches

Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks.

The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts.

Around one in four (24.1 per cent) free apps require permission to track location, while only 6 per cent of paid apps request this ability. Around 6.7 per cent of freebie Android apps have permission to access the user's address book, a figure that drops to just 2.1 per cent for paid apps.

It's commonly assumed that free apps collect information in order to serve ads from third-party ad networks. While this is true in some cases, Juniper found that the share of apps carrying the top five ad networks (9 per cent) is much smaller than the share tracking location (24.1 per cent).

Around 4.1 per cent of apps feature ads from the AirPush network, with a total of nearly 5 per cent of freebie Android apps hooked into either the AdMob, Millennial Media, AdWhirl or the Leadbolt ad networks.

"This leads us to believe there are several apps collecting information for reasons less apparent than advertising," Juniper said.

The spy in your pocket

Many applications solicit personal information or perform functions not needed for the apps to work. The lack of transparency about who is collecting information and how it is used poses a long term threat for the development of the mobile applications marketplace.

Some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device, Juniper warns. Similarly, access to the device camera could enable a third party to obtain video and pictures, as illustrated by the recent proof-of-concept Spyware PlaceRaider 3D mapping app.

One in 40 (2.64 per cent) free apps request permission to send text messages without notifying users (a figure that drops to just 1.45 per cent for paid apps). Meanwhile, 5.53 per cent of free apps have permission to access the device camera, a statistic that drops to just 2.11 per cent for paid apps. And 6.4 per cent of free apps have permission to clandestinely initiate background calls, a figure that drops to just 1.88 per cent for paid apps.

Gambling on privacy

Certain app categories were particularly bad for privacy, most notably racing games, which are often thinly disguised malware. Card and casino games occupy another problematic category, with 94 per cent bundling the ability to make outbound calls and 84.5 per cent including the ability to silently send SMS messages, for example.

After actually installing apps, and in some cases contacting developers, Juniper researchers discovered that permissions or data collection was justified, even though the reasons were not immediately obvious.

For example, card and casino apps from one developer had the ability to use a smartphone's camera. This was not explained in the app descriptions, nor did it become clear after installing the application. However, the developer was able to explain to Juniper that the premium version of the app let users take a picture to use as a background for the game, a legitimate (if inadequately explained) use of the camera functionality.

Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions.

Time for a revamp

The issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Android application ecosystem.

"The analysis of the Google Play market shows the pervasiveness of mobile tracking and where apps could do a better job of disclosing why they need information up front and highlight functionality as a genuine user benefit," Juniper's research team concludes.

Smartphone users who install apps often fail to understand that they end up sharing personal information in the process. Even though a list of permissions is commonly presented when installing an app, most people fail to make an informed decision because they don't bother to read the small print or because aspects of app functionality are not explained by developers.

Permissions requested by mobile applications should be correlated to the functionality on offer, Juniper recommends. "Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call doesn’t provide the necessary context of why this functionality is necessary for a specific app," the security researchers explain.

In addition there should be better differentiation between permissions. "There is a big difference between a spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application. The manner in which permissions are currently presented does not provide a means for users to differentiate between the two," according to Juniper's team.

Lastly, consumers should be realistic about accepting some private information exposure with free apps. "There is no such thing as a free lunch in mobile," the security researchers point out.

Juniper's methodology involved statistical analysis of application metadata, analysis of application manifests, review of application descriptions for Android apps as well as trying applications out to see how they actually behave. Its research was restricted to the Android market because Apple does not disclose related information about its apps. The study was carried out over 18 months between March 2011 and September 2012.
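The manifest-analysis step of that methodology, as an added illustration that is not code from Juniper or The Register: a small Python audit that reads the `<uses-permission>` entries of AndroidManifest.xml files and counts how many apps request each capability the article discusses (location, contacts, outgoing calls, SMS, camera). The permission strings are the real Android names; the class labels, the `make_manifest` helper and the three sample apps are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The android: XML namespace used for attributes in every AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability classes counted by the study, mapped to the real permission names.
SENSITIVE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "outgoing_call": {"android.permission.CALL_PHONE"},
    "send_sms": {"android.permission.SEND_SMS"},
    "camera": {"android.permission.CAMERA"},
}

def manifest_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def classify(manifest_xml):
    """Map a manifest to the sensitive classes it requests and the matching permissions."""
    perms = manifest_permissions(manifest_xml)
    return {cls: sorted(perms & names) for cls, names in SENSITIVE.items() if perms & names}

def audit(manifests):
    """Over a dict of app id -> manifest XML, return per-class (app count, percentage)."""
    counts = dict.fromkeys(SENSITIVE, 0)
    for xml_text in manifests.values():
        for cls in classify(xml_text):
            counts[cls] += 1
    total = len(manifests)
    return {cls: (n, round(100.0 * n / total, 1) if total else 0.0) for cls, n in counts.items()}

# Constructed sample manifests for three hypothetical apps (not real packages).
HDR = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
PERM = '<uses-permission android:name="android.permission.%s"/>'
def make_manifest(pkg, *perms):
    return HDR % pkg + "".join(PERM % p for p in perms) + "</manifest>"

SAMPLE_APPS = {
    "card_game": make_manifest("example.cards", "INTERNET", "CALL_PHONE", "SEND_SMS", "CAMERA"),
    "finance": make_manifest("example.bank", "INTERNET", "CALL_PHONE", "ACCESS_FINE_LOCATION"),
    "notes": make_manifest("example.notes", "INTERNET"),
}

if __name__ == "__main__":
    for app, xml_text in SAMPLE_APPS.items():
        print(app, classify(xml_text))
    print(audit(SAMPLE_APPS))
```

Run against a real corpus, the per-class percentages are the figures the article quotes; the next step the article describes, comparing each flagged class against the app's store description, is manual.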

More details on the results of the study and its methodology can be found in a blog post by Juniper Networks here. ®
