Juniper Networks’ Mobile Threat Center (MTC) analyzed over 1.7 million apps on the Google Play market from March 2011 to September 2012.
Juniper found that most app users are being tracked, surveilled and put at risk for exposure, and this activity is disturbingly unjustified by the majority of app makers.
Juniper wrote, "We found a significant number of applications contain permissions and capabilities that could expose sensitive data or access device functionality that they might not need."
Free apps, in particular, Juniper said, "are 401 percent more likely to track location and 314 percent more likely to access user address books than their paid counterparts."
Most smartphone owners download lots of applications, and the number of downloads is expected to reach upward of 45 billion in 2012 (21 billion going to Apple apps).
It's widely believed that free apps take and collect more data - such as tracking user location - than users are comfortable with.
Many users who are aware of this may feel that boundary-pushing data collection is an acceptable trade-off for apps that, because they are free, must make up their revenue through advertising (conventional wisdom is that free apps need detailed user information for targeted advertising partnerships).
It has been revealed that most apps tracking location and accessing private user permissions - upward of 90% of free apps - do not use the data for ad partnerships.
Upon examining the results of researching permissions use of 1.7 million mobile apps, Juniper Networks is now openly wondering just exactly what that user information is being collected for.
The state of user privacy across the app ecosystem, exposed
Juniper cautions that users are presented with a list of permissions they must agree to when downloading apps - but few people understand what they're agreeing to.
Most don't know how much control over their phone (or how much private information) they're giving to the companies behind the apps, or how easy it is for the private info these companies collect to be exposed.
Juniper focused on the fact that both free and paid apps:
- Track your location
- Access your address book
- Silently send text messages
- Can clandestinely initiate calls in the background
- Some (like Facebook) require permission to access your camera, and have permission to record you
Possibly more concerning are the other permissions being requested by applications, like the ability to clandestinely initiate outgoing calls, send SMS messages and use a device camera.
An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device.
Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, as was recently demonstrated with the proof-of-concept spyware PlaceRaider.
MYTH: Free apps need your info for advertisers, which is how apps can be free
Most people think that apps track users' location to better serve ads and thereby "pay" for free apps.
It's part of the conventional wisdom behind statements such as "you're the product."
Juniper found that the percentage of apps with the top 5 ad networks was much less than the total number of apps tracking location - meaning that most apps tracking your location are not serving ads.
The researchers found that only between 0.32 (AdWhirl) and 4.10 percent of over half a million apps that run tracking (ostensibly for ad targeting). Well-known ad network AdMob is only featured on 0.75 percent of apps that track and collect user location data.
Juniper categorically stated,
"This leads us to believe there are several apps collecting information for reasons less apparent than advertising."
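The comparison behind that conclusion (location permission requested, no ad network present) can be reproduced for a single app from its decoded AndroidManifest.xml. The following is an added example, not Juniper's tooling or methodology; the sample manifest is constructed, and the ad SDK prefix list is an assumption covering only AdMob component names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions behind the capabilities the report lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.ACCESS_COARSE_LOCATION": "track location",
    "android.permission.READ_CONTACTS": "access address book",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.CAMERA": "use camera",
}

# Assumption: component-name prefixes taken as evidence of a bundled ad SDK
# (legacy and current AdMob). A real audit would carry a longer list.
AD_SDK_PREFIXES = ("com.google.ads.", "com.google.android.gms.ads.")
COMPONENT_TAGS = {"activity", "service", "receiver", "provider"}

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.racing">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Report sensitive capabilities and whether a known ad SDK is declared."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    capabilities = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    components = [e.get(ANDROID_NS + "name", "")
                  for e in root.iter() if e.tag in COMPONENT_TAGS]
    has_ad_sdk = any(c.startswith(AD_SDK_PREFIXES) for c in components)
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "has_ad_sdk": has_ad_sdk,
        # The case the report highlights: location access with no ad network.
        "location_without_ads": "track location" in capabilities and not has_ad_sdk,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A missing ad SDK component is a heuristic, not proof: an SDK that declares no manifest component would go undetected, so a flagged app is a candidate for closer review.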
The permissions required by apps are not justified
Popular game categories such as gambling (cards/casino) and racing caused the most concern for Juniper's researchers.
For instance, 94% of both gaming and racing apps that force users to give the apps permission to make outbound calls don't say why the apps require this capability.
Meanwhile, nearly 84% of the apps force permission to use your phone's camera function but don't describe why or provide any justification whatsoever for such non-trivial access.
Keep in mind that Juniper endeavored to distinguish an app's legitimate use of a permission from cases where permissions were being taken from users without justification.
Juniper's researchers examined cases where data was being collected and permissions taken when the immediate use of the data and permissions was not readily obvious. Juniper also contacted devs to fully understand if there was justification and, if so, what that justification was.
What this meant was that researchers dug a little deeper so they could stand behind their statements of justified and not-justified forced permissions.
In an instance with one gambling app they examined, the researchers couldn't find the justification for the app to access the users' camera - until the developer explained the premium version of the app, which used the camera to allow users to make custom icons.
Installation equals consent - but for what?
Juniper's report revealed no small amount of alarm and concern on the researchers' part - especially about the pervasiveness of mobile tracking - as well as some unexpected insights.
According to Juniper Networks, most free smartphone apps cost users their individual privacy and control over personal, sensitive and private information about everything from where they live and where they go (location tracking), to who they talk to (address book access), what they say (listening to calls), and potential impersonation or interception of transmitted communications (making clandestine SMS or calls as the user).
The problems emerging from apps accessing - and potentially exposing - personal information about you not required to run the app could be solved by apps doing a better job of disclosing specifically why they need permissions to use address books, track user location and access phone functions that could put the user at risk of impersonation, surveillance or exposure.
Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions.
Better-educated users are more comfortable installing apps and less likely to uninstall once they see the number of permissions being requested without explanation.
One thing is true: free apps definitely 'cost' us more than we know, and app users have no control over the data and permissions being claimed on their devices by app companies.
In my opinion, the naive hope for best practices in the app ecosystem for consumer safety is a childish fantasy.
It's time for concrete action to protect our privacy.
Salient Juniper Networks footnote:
"The research contained in this report was conducted on the Google Play market. Apple does not disclose related information about its apps, and questions regarding the Apple App Store and related privacy statistics should be directed towards Apple."