Android freeware risk to data security

Massive Juniper Networks study suggests opportunity in mobile app security

A study of 1.7 million Android applications has confirmed that freeware is much more likely to conceal data security and privacy threats in a range of forms – suggesting an opportunity for the channel in promoting paid-for software or particular threat protection.

The study by Juniper Networks' mobile threat centre found that 24.14 per cent of the freeware examined tracked the user location, compared with 6.01 per cent for commercial apps.

Some 6.72 per cent accessed users' address books, compared with 2.14 per cent of the commercial alternatives. All the applications assessed were found on the Google Play market between March 2011 and September 2012.

Dan Hoffman, chief mobile security evangelist at Juniper Networks, said in a statement that the study also found that many free applications solicit personal information or perform functions not necessary for the apps to work, and as such there is an overall lack of transparency as to who is collecting information and how it is used.

"At the same time the companies, consumers and government employees who install these apps often do not understand with whom and how they are sharing personal information.

"Even though a list of permissions is presented when installing an app, most people do not understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust," Hoffman said.

Further, some 2.64 per cent of free apps had permission to send text messages without informing the sender, whereas 1.45 per cent of paid apps did. Another 6.39 per cent of free apps had permission to clandestinely initiate calls in the background, while only 1.88 per cent of paid apps did, and 5.53 per cent of free apps had permission to access the device camera, whereas only 2.11 per cent of paid apps could do this, according to Hoffman.

"We found a significant number of applications contain permissions and capabilities that could expose sensitive data or access device functionality that it might not need. We also determined that these apps had permission to access the internet, which could provide a means for exposed data to be transmitted from the device," he added.

"Free applications were much more likely to access personal information than paid applications."

Data collection goes beyond advertising

Hoffman went on to say it was commonly assumed that free apps collect information in order to serve ads from third-party ad networks. However, the vendor had also examined 683,238 app manifests and found that many more apps tracked location than were listed with the top five advertising networks: AdMob, AirPush, Millennial Media, AdWhirl and Leadbolt.

"This leads us to believe there are several apps collecting information for reasons less apparent than advertising," concluded Hoffman.

The category of most concern was racing games, although cards and casino games were also of special concern.
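As an added illustration (not code from Juniper or from the study), the sketch below shows the kind of manifest check the findings above imply: it flags the capabilities the study counted, notes whether the app can also reach the internet, and marks location access that no declared ad SDK accounts for. It assumes the manifest has already been decoded to text XML and that an ad SDK shows up as a declared component; the sample manifest and the `com.example.adsdk.` prefix are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the capabilities the study counted.
SENSITIVE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "address book": {"android.permission.READ_CONTACTS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "place calls": {"android.permission.CALL_PHONE"},
    "camera": {"android.permission.CAMERA"},
}
INTERNET = "android.permission.INTERNET"

# Constructed sample: decoded text form of an AndroidManifest.xml.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.racer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name="com.example.racer.MainActivity"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text, ad_sdk_prefixes=()):
    """Summarise sensitive capabilities requested by one decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components = [e.get(ANDROID_NS + "name") or ""
                  for tag in ("activity", "service", "receiver", "provider")
                  for e in root.iter(tag)]
    capabilities = sorted(c for c, perms in SENSITIVE.items() if perms & requested)
    # Assumption: an ad SDK is recognised by the package prefix of a component.
    has_ad_sdk = any(n.startswith(p) for n in components for p in ad_sdk_prefixes)
    return {
        "capabilities": capabilities,
        "can_transmit": INTERNET in requested,  # a path for data to leave the device
        "ad_sdk_declared": has_ad_sdk,
        # Location access that advertising does not obviously explain.
        "location_without_ad_sdk": "location" in capabilities and not has_ad_sdk,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST, ("com.example.adsdk.",)))
```
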