Mobile Apps: The Hidden Risks To Your Privacy

While many mobile users are becoming a lot savvier in protecting their devices from mobile malware, there is another, relatively unknown (or perhaps ignored) risk to your privacy you face every time you hit that “Install” button.

While most apps on both the Google Play and Apple App store might not contain malicious code seeking to suck your bank account dry, they do engage in risky behaviours that all mobile device owners should be aware of as they potentially compromise your privacy and security.

Appthority’s new Winter 2014 App Reputation Report provides an insight into what type of risky behaviours the top 100 free and top 100 paid apps in both the Google Play store and the Apple app store engage in.

Appthority provides an app reputation service that collects apps from app stores and analyses them for their behaviours such as location tracking and then scores the app for their customers. The findings of this report were based on this data.

Report Findings

What Kind Of Risky Behaviours Are We Talking About?

Before diving into the findings, Appthority defined risky behaviours in this report as certain permissions that affect user security and privacy.

Appthority analysed each app for particular behaviours in a test environment. These behaviours included:

  • Location tracking
  • Single Sign-On (SSO) support for social networking
  • In-app purchasing
  • Sharing data with ad networks or analytics companies
  • Accessing the address book or contact list
  • Accessing the calendar
  • Accessing UDID

Why Are These Behaviours Risky?

For most app developers, revenue generated from the price to download the app is not enough, particularly for those apps that offer a free download, which means developers must seek out additional ways to generate revenue. Unlike developers of paid apps, who receive part of the initial download cost, developers of free apps are completely dependent on other revenue streams such as sharing app user data with advertising networks and analytics companies or in-app purchases.

These behaviours, while generating revenue for developers, can compromise user privacy and security without the user’s knowledge.

While the privacy issues surrounding location tracking, access to the address book, contacts list and calendar, and data shared with ad networks or analytics companies are quite obvious, you may be wondering what risks there are with apps using SSO support or accessing the UDID.

SSO is considered risky because loss of the credential (typically a social network account) could compromise all the sites to which the user logs in with the SSO. In addition to this, the SSO site (e.g. Facebook) also gains access to the permissions that you grant to the app, such as accessing your contact list.

The UDID, or Unique Device Identifier, is a unique alphanumeric string attached to your device. It holds information as to what apps you have installed on your phone, which ad networks use to obtain a general idea of the user from a marketing perspective so they can target ads more effectively. It might also be used by developers to track usage of their apps.

Up until iOS 5, a user’s UDID was freely available to developers and was sent to several databases for ad networks to use when the user opened and used the app. From iOS 6, Apple banned the use of UDIDs in any apps submitted to the App Store, rejecting any apps that access the UDID. While it was effective for a while, according to Appthority’s report, the use of UDIDs has risen again on the iOS platform.

Risky Behaviours In Paid Apps vs Free Apps

When looking at paid apps vs free apps, we have come to expect a higher level of security from paid apps. However, this report has shown that both free and paid apps engage in risky behaviour.

While the percentage of free apps engaging in risky behaviours (95%) was higher than paid apps (80%), this indicates that users should still be cautious when using apps regardless of whether they are paid or free.

In terms of the type of risky behaviours exhibited by paid and free apps, the biggest difference between the two categories was in location tracking. 70% of free apps used location tracking, while only 44% of paid apps tracked location, most of which had no need for this.

Is iOS Safer than Android?

There have always been questions raised as to how secure the Android platform is. However, when it comes to apps exhibiting risky behaviour, iOS apps exhibited a greater percentage (91%) of risky behaviours than Android apps did (83%).

However, when you look at the number of apps that exhibit specific behaviours on each platform, there’s not too much difference between Apple and Android. For example, the number of iOS and Android applications that used location tracking was pretty much on par, with 56% of iOS apps exhibiting this behaviour, compared to 58% for Android applications.

What’s important to note here is that although more iOS apps collect user data than Android apps, the Android apps that do collect data capture more information than their iOS counterparts.

Are Gaming Apps The Riskiest Category?

Apps that fall under the Games category have traditionally been viewed as one of the riskiest mobile app categories. This is usually the biggest app category, with gaming apps comprising 37% of free apps and 30% of paid apps in the Apple app store, and 45% of free apps and 30% of paid apps in the Google Play store.

While the results of this report did support this view, there wasn’t that great of a gap between gaming apps and non-gaming apps. Where gaming apps did stand out, however, was in the percentage of apps that used in-app purchasing and shared data with analytics companies or ad networks. Around 60% of gaming apps used in-app purchasing compared to 34% of non-gaming apps, and 52% shared data with analytics companies or ad networks compared to 30% of non-gaming apps.

While in-app purchases are not necessarily a threat to privacy or security, in an enterprise setting where devices are provided to staff, the purchase will show up on the employee’s phone bill.

Perhaps one of the most concerning statistics about Android gaming applications is that 100% of the free gaming apps tested for the report identified the UDID.

Keeping Your Data Safe

Now that you are armed with the knowledge of how apps can compromise your privacy and security, you’ll probably want to know how to keep your data safe. The key here is to be cautious every time you download an app, even if the app is for iOS and in the top 100 paid apps category.

Check out our 3 simple tips on keeping your data safe:

  • Based on the results of the study, it pays to be selective when choosing apps to download. Be cautious when it comes to free apps and gaming apps, which have been found to be slightly riskier than paid apps in non-gaming categories.
  • Avoid using your Facebook, Google or other social network credentials to sign into an app as much as possible.
  • Make sure you read what permissions the app requires before you download. If an app requires location tracking for instance, ask yourself whether the app would really need this kind of permission. If the answer is no, better to avoid the app.
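
The permission check in the last tip can be automated for Android apps. The sketch below is an added example, not code from Appthority or this article: it reads an AndroidManifest.xml that has already been decoded to plain XML and reports requested permissions that fall into the report's behaviour categories and are not expected for that kind of app. The permission-to-behaviour mapping, the function name and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from Android permission names to the behaviours listed
# in the article (not taken from the Appthority report itself).
BEHAVIOURS = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "address book / contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_PHONE_STATE": "device identifier",
    "com.android.vending.BILLING": "in-app purchasing",
}


def audit_manifest(manifest_xml, expected=()):
    """Return {behaviour: [permissions]} for every requested permission
    whose behaviour is not in `expected` (what the app plausibly needs)."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    # Both element names declare permissions; the second applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            behaviour = BEHAVIOURS.get(name)
            if behaviour and behaviour not in expected:
                findings.setdefault(behaviour, []).append(name)
    return findings


# Constructed sample: manifest of a hypothetical torch (flashlight) app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>
""".strip()

if __name__ == "__main__":
    # In-app purchasing is accepted here; everything else is questioned.
    report = audit_manifest(SAMPLE_MANIFEST, expected={"in-app purchasing"})
    for behaviour, perms in sorted(report.items()):
        print(f"{behaviour}: {', '.join(perms)}")
```

Anything the function returns is a prompt for the question in the tip above: does this app really need that permission?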

What steps do you take to ensure your privacy and security remains uncompromised?