Android apps too free and easy with access permissions

News by Doug Drinkwater

Android apps ask for far too many device and data permissions, with 68 percent of 75,000 apps scanned requiring the ability to generate text messages, according to new research.

The analysis - from security firm Zscaler - adds that 28 percent of the apps surveyed gained access to the text message content, which the company says may be a security risk, given the increasing use of text messages as an authentication medium for Internet services.

Perhaps the riskiest behaviour of the apps, the report concludes, is the widespread access to GPS data and even phone-call permissions, as well as to the contacts list on the device itself.

"From our analysis, outside of internet permissions, a significant number of apps request access to the phone's state permissions, which provide apps with the ability to harvest SIM card information and IMEI number information," says the analysis, adding that this is important as apps - and especially the advertising libraries they use - want to be able to track user behaviour across apps.

"By having access to unique identifiers, such as the IMEI, the same user (or at least the same device) can be identified when accessing various content or apps. This allows advertisers to better customise the advertisements that are delivered," the research notes.

"Some people are fine with this, but others consider it a breach of privacy. The second most common permissions sought by Android apps involve GPS and user location. GPS data can also be used by advertisers to better target ads; apps are also increasingly becoming location aware, with apps such as Uber leveraging geo-location information to deliver a given service," it concludes.
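The permission groups the report singles out (SMS sending and reading, phone state with its SIM and IMEI identifiers, location, contacts and phone calls) can be checked mechanically from an app's manifest. The script below is an added example, not Zscaler's tooling: it parses `<uses-permission>` entries from an AndroidManifest.xml, flags those falling into the report's risk groups, and computes the share of a set of apps that requests a given permission, the same kind of figure as the 68 and 28 percent quoted above. The grouping into categories is this example's own, the Android permission names are real, and the three sample manifests are constructed for illustration.

```python
"""Audit the permissions an Android app requests in its AndroidManifest.xml.

Added example (not Zscaler's tooling): flags the permission groups the
report singles out and computes what share of a set of apps requests a
given permission.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # namespaced android:name attribute

# Grouping is this example's own; the permission names are real Android ones.
RISK_CATEGORIES: Dict[str, Set[str]] = {
    "sms_send": {"android.permission.SEND_SMS"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},  # IMEI / SIM data
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "phone_calls": {"android.permission.CALL_PHONE"},
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return every permission named in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit_manifest(manifest_xml: str) -> Dict[str, Set[str]]:
    """Map each risk category to the requested permissions that fall in it.

    Categories with no matching permission are omitted, so an empty dict
    means the app requests nothing from the flagged groups.
    """
    perms = requested_permissions(manifest_xml)
    return {cat: perms & names for cat, names in RISK_CATEGORIES.items() if perms & names}


def share_requesting(manifests: Iterable[str], permission: str) -> float:
    """Percentage of manifests requesting `permission`, rounded to one decimal."""
    manifests = list(manifests)
    if not manifests:
        return 0.0
    hits = sum(permission in requested_permissions(m) for m in manifests)
    return round(100.0 * hits / len(manifests), 1)


def _manifest(package: str, *perms: str) -> str:
    """Build a minimal constructed manifest for the sample data below."""
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f"{uses}\n  <application/>\n</manifest>")


# Constructed sample: three hypothetical apps with differing permission sets.
SAMPLE_MANIFESTS = [
    _manifest("com.example.flashlight", "android.permission.INTERNET",
              "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
              "android.permission.ACCESS_FINE_LOCATION"),
    _manifest("com.example.notes", "android.permission.INTERNET",
              "android.permission.READ_SMS", "android.permission.SEND_SMS",
              "android.permission.READ_CONTACTS"),
    _manifest("com.example.calculator", "android.permission.INTERNET"),
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        print(audit_manifest(m))
    print("SEND_SMS share:", share_requesting(SAMPLE_MANIFESTS, "android.permission.SEND_SMS"))
```

Against a real corpus you would feed `audit_manifest` the manifest extracted from each APK (for example with `aapt dump xmltree` or apktool, which are assumed tools here, not shown), and a flashlight-style app landing in `sms_send` or `device_identifiers` is exactly the mismatch between function and permission the report describes.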

Commenting on the conclusions of the research, Sarb Sembhi, an analyst and director with STORM (Strategic Tactical Operational Risk Management) Guidance, said the reason for Android apps apparently wanting greater access to on-device data and functionality comes down to the business model of the platform concerned.

Whereas desktop applications have a high degree of granularity - and control - he says, mobile devices have far less granularity of what can and cannot be done.

On top of this, he adds, the Android business model differs from that of other platforms. Apple's mobile strategy, for example, is first to create the market for a given set of apps - such as health - and then attract software developers to the platform to work up the apps.

"Contrast this with the Android strategy, which is to take a wider approach of attracting all developers to the platform and then developing the market accordingly. This is why Apple's business model is more focused and why you are seeing distinct new categories of apps, with controls, being developed," he explained.

Professor John Walker, a visiting professor with the Nottingham Trent University's School of Science and Technology, said he wrote a paper about the app permission topic a few years back and concluded there is a severe risk with permissions granted to those apps that are subsequently uninstalled - but it remains unclear whether the app company was still accessing the smartphone data.

"The problem here is that people often agree to the T&Cs of the app without really reading and thinking them through – and they then hand over the rights to all sorts of data for convenience's sake. This creates a lot of unknowns, as you are effectively handing over access to a slice of your life, such as online bank accounts and a variety of contact data," he said, adding that this makes the smartphone a key target for cybercriminals as a result.

Steve Smith, managing director of security consultancy Pentura, agreed.

Businesses, he explained, are increasingly using mobile applications to enhance their operations but they need to consider the access they may be inadvertently offering to third parties by using such services.

"With applications often requiring a variety of access permissions, both businesses and employees need to be aware of what potentially sensitive data they are making accessible to people outside the organisation," he said.

"For instance, if an application that requires address book access is running on a corporate device, do you really want to give that app access to your corporate address book? This further highlights the importance of businesses reviewing and updating their data loss prevention strategies to all aspects of their IT operations to ensure best data protection practices," he added.
