1.7M mobile apps analyzed: Users tracked and put at risk, and it's unjustified

Summary: Network security company Juniper Networks investigated 1.7 million mobile apps. It concluded that free apps cost us our privacy, expose us unnecessarily, and most app permissions are unjustified.

Juniper Networks’ Mobile Threat Center (MTC) analyzed over 1.7 million apps on the Google Play market from March 2011 to September 2012.

Juniper found that most app users are being tracked, surveilled and put at risk for exposure, and this activity is disturbingly unjustified by the majority of app makers.

Juniper wrote, "We found a significant number of applications contain permissions and capabilities that could expose sensitive data or access device functionality that they might not need."

Free apps, in particular, Juniper said, "are 401 percent more likely to track location and 314 percent more likely to access user address books than their paid counterparts."

Most smartphone owners download lots of applications, and the number of downloads is expected to reach upward of 45 billion in 2012 (21 billion going to Apple apps).

It's widely believed that free apps take and collect more data - such as tracking user location - than users are comfortable with.

Many users aware of this may feel that boundary-pushing data collection is an acceptable trade-off for apps that, because free, must compensate their revenue through advertising (conventional wisdom is that free apps need detailed user information for targeted advertising partnerships).

It has been revealed that most apps tracking location and accessing private user permissions - upward of 90% of free apps - do not use the data for ad partnerships.

Upon examining the results of researching permissions use of 1.7 million mobile apps, Juniper Networks is now openly wondering just exactly what that user information is being collected for.

The state of user privacy across the app ecosystem, exposed

Juniper cautions that users are presented with a list of permissions they must agree to when downloading apps - but few people understand what they're agreeing to.

Most don't know how much control over their phone (or how much private information) they're giving to the companies behind the apps, or how easy it is for the private info these companies collect to be exposed.

Juniper focused on the facts that both free and pay for play apps:

    • Track your location
    • Access your address book
    • Silently send text messages
    • Can clandestinely initiate calls in the background
    • Some (like Facebook) require permission to access your camera, and have permission to record you

Juniper explains,

Possibly more concerning are the other permissions being requested from applications like the ability to clandestinely initiate outgoing calls, send SMS messages and use a device camera.

An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device.

Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, as was recently presented with the proof-of-concept Spyware PlaceRaider.

MYTH: Free apps need your info for advertisers, which is how apps can be free

Most people think that apps track users' location to better serve ads and thereby "pay" for free apps.

It's part of the conventional wisdom behind statements such as "you're the product."

Juniper found that the percentage of apps with the top 5 ad networks was much less than the total number of apps tracking location - meaning that most apps tracking your location are not serving ads.

The researchers found that each of these ad networks is present in only between 0.32 (AdWhirl) and 4.10 percent of the over half a million apps that run tracking (ostensibly for ad targeting). Well-known ad network AdMob is featured on only 0.75 percent of apps that track and collect user location data.

Juniper categorically stated,

This leads us to believe there are several apps collecting information for reasons less apparent than advertising.

The permissions required by apps are not justified

Popular game categories such as gambling (cards/casino) and racing caused the most concern for Juniper's researchers.

For instance, 94% of both gaming and racing apps that force users to give the apps permission to make outbound calls don't say why the apps require this capability.

Meanwhile, nearly 84% of the apps force permission to use your phone's camera function but don't describe why or provide any justification whatsoever for such non-trivial access.

Keep in mind that Juniper endeavored to make a distinction between an app's legitimate use of permission, and determine when the permissions were being taken from users without justification.

Juniper's researchers examined cases where data was being collected and permissions taken when the immediate use of the data and permissions was not readily obvious. Juniper also contacted devs to fully understand if there was justification and, if so, what that justification was.

What this meant was that researchers dug a little deeper so they could stand behind their statements of justified and not-justified forced permissions.

In an instance with one gambling app they examined, the researchers couldn't find the justification for the app to access the users' camera - until the developer explained the premium version of the app, which used the camera to allow users to make custom icons.
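The kind of check this section describes, as an added example (not Juniper's tooling): it reads a decoded AndroidManifest.xml, maps the requested permissions to the capabilities listed earlier in the article, and flags those the store description never mentions. The keyword heuristic, the function names and the sample manifest and description are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission -> (capability named in the article, description keywords).
# The keyword lists are an assumption of this example, not Juniper's criteria.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": ("track location", ("location", "gps", "nearby")),
    "android.permission.ACCESS_COARSE_LOCATION": ("track location", ("location", "gps", "nearby")),
    "android.permission.READ_CONTACTS": ("access address book", ("contact", "address book")),
    "android.permission.SEND_SMS": ("send text messages", ("sms", "text message")),
    "android.permission.CALL_PHONE": ("initiate calls", ("call", "dial")),
    "android.permission.CAMERA": ("use camera", ("camera", "photo")),
}

def requested_capabilities(manifest_xml):
    """Map each risky capability to the manifest permissions that grant it."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for el in root.iter("uses-permission"):
        name = (el.get(ANDROID_NS + "name") or "").strip()
        if name in RISKY:
            found.setdefault(RISKY[name][0], set()).add(name)
    return {cap: sorted(perms) for cap, perms in found.items()}

def unexplained(manifest_xml, description):
    """Capabilities requested in the manifest but never mentioned in the listing text."""
    text = description.lower()
    missing = []
    for cap, perms in requested_capabilities(manifest_xml).items():
        keywords = RISKY[perms[0]][1]
        if not any(k in text for k in keywords):
            missing.append(cap)
    return sorted(missing)

# Constructed sample: a decoded manifest and store description for a card game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""
SAMPLE_DESCRIPTION = "Play poker offline. The premium version uses the camera to make custom icons."

if __name__ == "__main__":
    for cap in unexplained(SAMPLE_MANIFEST, SAMPLE_DESCRIPTION):
        print("requested but not explained:", cap)
```

A keyword match only shows that the listing mentions a capability, so a flagged or cleared result is a prompt for manual review, not a verdict on justification.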

Installation equals consent - but for what?

Juniper's report revealed no small amount of alarm and concern on the researchers' part - especially about the pervasiveness of mobile tracking - as well as some unexpected insights.

According to Juniper Networks, most free smartphone apps cost users their individual privacy and control over personal, sensitive and private information about everything from where they live and where they go (location tracking), to who they talk to (address book access), what they say (listening to calls), and potential impersonation or interception of transmitted communications (making clandestine SMS or calls as the user).

The problems emerging from apps accessing - and potentially exposing - personal information about you not required to run the app could be solved by apps doing a better job of disclosing specifically why they need permissions to use address books, track user location and access phone functions that could put the user at risk of impersonation, surveillance or exposure.

Juniper concluded,

Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions.

More educated users means they are more comfortable installing apps and less likely to uninstall once they see the number of permissions being requested without explanation.

One thing is true: free apps definitely 'cost' us more than we know, and app users have no control over the data and permissions being claimed on their devices by app companies.

In my opinion, the naive hope for best practices in the app ecosystem for consumer safety is a childish fantasy.

It's time for concrete action to protect our privacy.

Salient Juniper Networks footnote:

"The research contained in this report was conducted on the Google Play market. Apple does not disclose related information about its apps, and questions regarding the Apple App Store and related privacy statistics should be directed towards Apple."

Talkback

12 comments
  • Oh here we go

    The big bad developers are watching you! Yes, some have stolen address book data, but that was across all platforms.
    slickjim
  • And this is why I stay away from free apps.

    And I don't develop them but prefer the paid side of apps.
    Bruizer
    • And yet 90% of all installed apps are free

      It appears that you do not reflect the average demographic, and since the vast majority of people will not pay for an app... the bulk of app store volume will continue to be in the free sector because.... that's what the public (not the app vendors) demand.
      spark555
    • don't know

      And this is why I have a permission blocker that does not give permissions even when asked at installation, but I need to give them before first time use and I can choose what it actually can get and block others.

      This is the bad thing in free market when there is no one regulating what is being done.

      What comes to Google Play, I would say that Google Open Handset Alliance needs to change how Android shows ads (it isn't Google that serves all the ads) by the way that the ad traffic needs to go through trusted source where every ad is checked and you can not ask internet connection and location connection per app but they use Android's own ad function instead of their own.

      I am not worried about the owner's own information here, but the hundreds in their address books. And every app that asks permission for that and isn't needed, should be drawn away from all digital world (not just on Android but there are same problems in Windows market place and Apple app store with their apps)
      Fri13
  • This is likely across all OS issue

    I suspect this is prevalent on Android, iOS, Win and Rim.
    rhonin
    • How you know?

      You choose the "open" Android. Open in the sense of open door, open house etc.

      Android by itself is a spyware piece, that reports back to Google. Apparently, Google do not mind if others use your (now public) information as well.

      Not all mobile OS are created equal and while it is entirely possible that all of Apple, Microsoft and RIM collect data from your device (not obvious), it's clear that they do not let other app developers free ride.
      danbi
      • you're placing a lot of blind trust in the non-Googles

        At least according to Juniper:

        "Apple does not disclose related information about its apps"

        It's curious that you would be so paranoid towards Google and yet be willing to give MS, RIM, and Apple a free pass based on nothing but faith.
        frylock
  • LBE Privacy Guard

    If there's ever been a reason to root your phone, it's this app. Don't want that free app accessing your location? It can be blocked. Fine, it needs the GPS for legit reasons...block its access to the internet! As far as the app is concerned, you chronically don't have a data connection, but it'll still show the red dot where you are. Don't want it sending texts? Denied. Don't want it accessing your camera? Denied. Want Facebook to be able to access your location ONLY when you want to check-in? Prompt each time.

    Does it void your warranty to root? Usually, though there are ways around this. But I won't use a device I can't root explicitly for this reason. Beyond the ability to use ROM Toolbox Pro to prevent apps from automatically starting when I don't want them to, beyond the ability to make Nandroid backups which is effectively Norton Ghost for my phone, beyond the ability to customize my boot screen and browse 100% of my file system...the ability to block the access to personal data from the apps I download is the single most compelling reason to root.

    Joey
    voyager529
    • This capability should be part of the OS!

      In principle, I really like the idea behind the LBE Privacy Guard app as you describe it, unfortunately, looking at the recent user review comments, it sounds like it isn't being kept up to date and is unusable on Jelly Bean in many cases.

      What I'd like to know, is WHY isn't that capability built into Android itself?
      Matte303
  • Maybe I've been lucky?

    I have over 100 apps installed on my phone (including the pre-installed apps), and not one is asking for more permissions than is required to provide the service specified. Several are paid apps, but most are free. Of course, many of the free ads ask for Internet access so that they can serve ads, and a few ask for location access so that they can serve localised ads.

    I have occasionally come across apps that ask for more permissions than are required. In those cases where I have emailed the developers, if I didn't get a satisfactory answer, I simply don't install the app.

    One question: Where does the figure of 1.7 million come from? My understanding is that there are about half a million apps on Play Store. Did they sample each app 3 times?

    Even taking into account the roughly half a million apps on Apple App Store (which was not researched), that still does not come close to 1.7 million.
    Julie9009
  • It's not just personal info at stake... corporate data too

    Violet, great piece! I agree with you regarding the problems emerging from apps accessing and potentially exposing personal information about individuals. Another component to keep in mind is the crucial need for companies to have a concrete Mobile App Risk Management plan set in stone.

    As BYOD adoption is increasing (and quickly turning into BYO Apps), free apps employees have on their mobile devices pose a major security threat to companies. As the apps collect an overwhelming amount of personal data, they also have the ability to absorb sensitive corporate data. When a user shares his/her address book or calendar for example, he/she is also sharing all of the corporate data contained in those directories. With the number of risky, free, unprotected apps increasing, companies can no longer depend on employees to secure their own devices.

    People often don’t realize how easily cybercriminals can access their private and corporate information through mobile apps. Educating employees on mobile security risks and incorporating a Mobile App Risk Management plan allows companies AND individuals to identify, manage, and possibly eliminate the risks associated with their mobile app devices proactively.
    sundaywar
  • Just because I'm paranoid does not mean that they are not out to get me.

    Just because I'm paranoid does not mean that they are not out to get me.

    Does anybody out there not know of someone put through hell by easily stolen information?

    I must be one of the few who reads terms of agreement, has anybody else ever read facebook terms? When more permissions are asked for than required then dishonest intentions have to be assumed...

    The crooked minds are at least as smart as the honest programmers.
    dumb blonde