
83% Of The Leading Mobile Apps Put Your Sensitive Personal Information At Risk

On July 30, Appthority released a report about the risks of mobile apps. The report included a study of the 400 leading apps across the Apple iOS and Google Android platforms. The study included the 100 leading free apps and the 100 leading paid apps from each platform.

Since there are more than a million apps in the Apple App Store and in Google Play, there is stiff competition among app developers. As a result, many app developers increase their revenues by selling mobile users' information to both advertising networks and analytic/tracking companies. Developers of both free and paid apps do this.

Key findings from the study:

"Overall, 83% of the most popular apps are associated with security risks and privacy issues.

iOS apps exhibited more risky behaviors than Android apps overall. 91% of iOS apps exhibit at least one risky behavior, as compared to 80% of Android apps.

95% of the top free apps and 78% of the top paid apps exhibited at least one risky behavior.

78% of the most popular free Android apps identify the user’s ID (UDID).

Even though Apple prohibits its developers from accessing the UDID, 6% of the tested iOS apps still do.

72% of the top free apps track for the user’s location, compared to 41% of paid apps.

Although paid apps already generate revenue when downloaded, 59% of paid iOS and 24% of paid Android apps still support in-app purchasing. Furthermore, 39% of paid iOS and 16% of paid Android apps still share data"

The UDID is a bonanza for companies, marketers, analytics/tracking companies, advertising networks, and any entity interested in tracking consumers. When matched with your 10-digit phone number and App Store account, the UDID is a powerful identification (and tracking) tool that allows all data, usage, and information on a mobile device to be compiled and tied to a person: phone calls, email messages, photos, video, text messages, GPS position, phone book, web browser history, apps downloaded, music, movies, and more. That compilation is more extensive since many consumers now use multiple email addresses (e.g., work and personal) on a single mobile device.

While both types of apps expose you to risky behavior, the researchers found that free apps are riskier than paid apps:

"The biggest disparity between free and paid apps is location tracking. While 73% of free apps track for location, less than half of paid apps (41%) do the same. Free apps are also more likely than paid apps to use single sign-on (67%), share data with ad networks and analytics (51%), offer in-app purchasing (50%), identify the user or UDID (44%), access the address book or contact list (42%), and access the calendar (15%). Paid apps, on the other hand, aren’t as safe as one might think..."

So, using only paid apps is not a security solution for consumers. The researchers also found that Apple iOS apps exhibited more risky behavior than Android apps:

"... 91% of iOS apps exhibit at least one risky behavior, as compared to 80% of Android apps. Of the 200 iOS apps Appthority tested (100 free, 100 paid), 62% tracked for location, 56% used single sign-on, 59% offered in-app purchasing, 43% shared data with ad networks or analytics companies, 39% accessed the address book or contact list, and 20% accessed the calendar..."

So, assuming that Apple iOS apps are safe is not a good security solution for consumers. Many apps track your GPS location needlessly. That is, the app doesn't need your geo-location to operate, but it collects it anyway so the developer can sell more data to advertising networks and analytics/tracking companies. And the apps won't always tell you they are doing this:

"In some cases, developers are paid based on the amount of data they collect and share about users. Have you ever noticed an app that’s constantly running in the background (that really has no need to)? It’s possible that it’s tracking your location and sharing it with outside parties for advertising purposes. App developers will often ask for these types of permissions upfront, but unfortunately that’s not always the case; or, the language they use is intentionally deceptive."

Plus, these apps that constantly collect and report your geo-location will consume more of your valuable data plan minutes, since many telecommunications providers have eliminated the unlimited data plan option.

Some of the companies that built the leading Apple iOS apps:

"Disney dominated the market share of popular iOS apps (10 apps), followed by Electronic Arts (5), Apple (4), George CL (4) and Rovio Entertainment (makers of Angry Birds) (4). There were 79 different developers in the top 100 paid iOS apps... From the top 100 free iOS apps, there were 81 different developers... "

Some of the companies that built the leading Android apps:

"... Electronic Arts led the pack (5 apps), followed by Disney (4), Gameloft (4), Google (4) and Chainfire (3). There were 88 different developers in the top 100 paid Android apps... With the top 100 free Android apps, there were 85 different developers..."

Most of these apps are games, followed by social networking apps, music apps, and utilities:

"... gaming apps exhibited more risky behaviors across all categories, with the exception of accessing the address book or contact list. More than twice as many gaming apps (68%) supported in-app purchasing, as compared to non-gaming apps. Also, interestingly enough, gaming apps and non-gaming apps showed the same level for location tracking (57%)... 56% used single sign-on, 51% shared data with analytics or ad networks, 43% identified the user (UDID), 27% accessed the address book or contact list, and 13% accessed the calendar..."

The complete report lists the apps studied by type (e.g., free, paid), by platform (e.g., Apple iOS, Android), and by name.

Since many consumers use their mobile devices for both work and personal activity, some IT departments might be tempted to block or ban gaming apps as a data security policy. The researchers advise against this, because not all gaming apps are risky, and not all apps in other categories (e.g., social networking, music, utilities) are safe. Plus, most employees will resent and resist being told what apps they cannot download onto their personal devices.

While the Apple iOS platform seems safer than the Google Android platform, the Apple iOS apps are riskier. So, brand loyalty isn't necessarily a good data security strategy.

In my view, using mobile apps today is like the wild west frontier of the 1800s. Anything goes. Past studies have documented the lack of privacy policies with too many mobile apps. In some instances, class-action lawsuits have been a remedy to abuses for consumers. Some states' attorneys general have cracked down on apps that abuse consumers' sensitive personal data.

Download the complete App Reputation Report by Appthority.

