Risky behaviors abound in mobile apps

A study of the top 200 Android apps and the top 200 iOS apps shows that free apps are very risky, but even paid apps will sell you out.

Everyone understands that mobile apps are fraught with risks and unknown behaviors, even if it's hard to know or appreciate them when you install the app. Appthority's new Winter 2014 App Reputation Report provides a useful overview of the types and frequency of risky behaviors among today's top apps.

Appthority provides an app reputation service for enterprises that allows IT to set policies for particular groups of users to accept different forms and levels of risk in mobile apps. Appthority collects apps from app stores and analyzes them for their behaviors, such as location tracking, and scores them for customers. This data was used to create the report.

This report looked at the top 200 apps in each of Google's and Apple's stores. Since Appthority's previous report a year ago, almost 50 percent of the top 100 iOS apps have changed. This churn makes manual management of whitelists and blacklists impractical, and illustrates the need for a service such as Appthority's that automates the process.

Both free and paid apps engage in risky behaviors, but free apps do so to a far greater degree. 70 percent of free apps and 44 percent of paid apps perform location tracking, often with no need for the app to do so.

Some of the other behaviors studied in the report are use of single sign-on (SSO), accessing the user's UDID (Unique Device IDentifier, a 40-character code unique to your device), in-app purchasing, and sharing data with advertising networks or analytics companies. SSO is considered risky because loss of the SSO credential (typically a social network login) could compromise every site the user logs in to with it. Furthermore, any permissions granted to an app accessed through SSO are also available to the SSO provider. For instance, if you log in to an app using your Facebook credentials and grant that app access to your contact list, Facebook gets access to it as well.

Accessing the UDID used to be standard practice, but with iOS 6 Apple told developers to stop doing so and provided reasonable alternatives that weren't quite as invasive. Use of the UDID dropped for a while, but it's back up to high levels on iOS, and is much higher on Android. In-app purchases often end up on an employee's cell phone bill.

Some other highlights of the report:

  • 56 percent of the top 200 Android and iOS apps identify the UDID. 100 percent of free Android gaming apps identify the UDID.
  • 31 percent of free apps and 22 percent of paid apps access the user's contact list or address book.
  • 58 percent of the top free Android apps share data with ad networks, compared to 24 percent of paid apps.
  • Games are not always more risky than non-games. Overall, they have very similar characteristics.
  • Candy Crush is the top free app and also the top grossing app from in-app purchasing.

Appthority also announced two new features. It already offered a policy generator that lets companies define their own risk profiles; it is now adding the ability to define different policies for different groups within the company. IT can also now schedule remediation of an app to occur automatically. For example, for a minor issue the policy may be to prompt the user periodically to make the change; if they haven't done so after two weeks, the system can make it automatically.