Free Android apps often secretly make calls, use the camera
Free: it isn't, in mobile and in lunches
Freebie mobile applications come with a higher privacy and security risk, according to an 18-month long study by Juniper Networks.
The networking giant ran an audit of 1.7 million applications on the Android market and discovered that free applications are five times more likely to track user location and a whopping 314 per cent more likely to access user address books than paid counterparts.
Around one in four (24.1 per cent) free apps require permission to track location, while only 6 per cent of paid apps request this ability. Around 6.7 per cent of freebie Android apps have permission to access user's address book, a figure that drops to just 2.1 per cent for paid apps.
It's commonly assumed that free apps collect information in order to serve ads from third-party ad networks. While this is true in some cases, Juniper found that the percentage of apps with the top five ad networks (9 per cent) is much less than the total number tracking location (24.1 per cent).
Around 4.1 per cent of apps feature ads from the AirPush network, with a total of nearly 5 per cent of freebie Android apps hooked into either the AdMob, Millennial Media, AdWhirl or the Leadbolt ad networks.
"This leads us to believe there are several apps collecting information for reasons less apparent than advertising," Juniper said.
The spy in your pocket
Many applications solicit personal information or perform functions not needed for the apps to work. The lack of transparency about who is collecting information and how it is used poses a long term threat for the development of the mobile applications marketplace.
Some apps request permission to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device, Juniper warns. Similarly, access to the device camera could enable a third party to obtain video and pictures, as illustrated by the recent proof-of-concept Spyware PlaceRaider 3D mapping app.
One in 40 (2.64 per cent) of free apps request permission to send text messages without notifying users (a figure than drops to just 1.45 per cent for paid apps). Meanwhile, 5.53 per cent of free apps have permission to access the device camera, a statistic that drops to just 2.11 per cent for paid apps. And 6.4 per cent of free apps have permission to clandestinely initiate background calls, a figure that drops to just 1.88 per cent for paid apps.
Gambling on privacy
Certain apps categories were particularly bad for privacy, most notably racing games, which are often thinly disguised malware. Card and casino games occupy another problematic category, with the 94 per cent bundling the ability to make outbound calls and 84.5 per cent including the ability to silently send SMS messages, for example.
After actually installing apps, and in some cases contacting developers, Juniper researchers discovered that permissions or data collection was justified, even though the reasons were not immediately obvious.
For example, cards and casino apps from a specific developer that had the ability to use a smartphone's camera. This was not explained by reading In the app descriptions and installing the application. However the developer was able to explain to Juniper that the premium version of the app allowed users to take a picture to use as a background for the game, a legitimate (if inadequately explained) use of the camera functionality.
Juniper researchers also discovered that 12.5 per cent of free finance apps had the ability to initiate a phone call without going through the dialer interface. Two thirds (63.2 per cent) didn’t provide a description of this capability within the app. However, after installing a number of these applications, it became clear that this capability was legitimately used by the app to contact local financial institutions.
Time for a revamp
The issue of mobile app privacy is not new. However Juniper's research is one of the most comprehensive looks at the state of privacy across the entire Android application ecosystem.
"The analysis of the Google Play market shows the pervasiveness of mobile tracking and where apps could do a better job of disclosing why they need information up front and highlight functionality as a genuine user benefit," Juniper's research team concludes.
Smartphone users who install apps often fail to understand that they end up sharing personal information in the process. Even though a list of permissions is commonly presented when installing an app, most people fail to make an informed decision because they don't bother to read the small print or because aspects of app functionality are not explained by developers.
Permissions requested by mobile applications should be correlated to the functionality on offer, Juniper recommends. "Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call doesn’t provide the necessary context of why this functionality is necessary for a specific app," the security researchers explain.
In addition there should be better differentiation between permissions. "There is a big difference between a spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application. The manner in which permissions are currently presented does not provide a means for users to differentiate between the two," according to Juniper's team.
Lastly, consumers should be realistic about accepting some private information exposure with free apps. "There is no such thing as a free lunch in mobile," the security researchers point out.
Juniper's methodology involved statistical analysis of application metadata, analysis of application manifests, review of application descriptions for Android apps as well as trying applications out to see how they actually behave. Its research was restricted to the Android market because Apple does not disclose related information about its apps. The study was carried out over 18 months between March 2011 and September 2012.
More details on the results of the study and its methodology can be found in a blog post by Juniper Networks here. ®