As increasingly powerful smartphones and other mobile devices have infiltrated enterprise environments in recent years, security professionals have often feared a corresponding rise in mobile malware, similar to what was witnessed on the PC landscape more than a decade ago. But according to a recent report, those worries have largely been unrealized, with mobile app data collection posing a far greater risk to enterprises and users.
The report on mobile app reputation, released this month by app analysis vendor Appthority, detailed the widespread collection of data by the current top 100 free and top 100 paid apps on both the Android and iOS mobile platforms. Appthority collected the data for the report by running static, dynamic and behavioral app analysis against all 400 apps in a test environment.
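A first-pass version of the static side of that analysis, written as an added example for this article (it is not Appthority's tooling): it maps the permissions declared in an Android manifest onto the three data-collection categories the report counts and produces the same kind of percentage summary across a set of apps. The category-to-permission mapping and the sample manifests are assumptions constructed here; the permission names themselves are real Android permissions.

```python
# Added example: triage Android manifests by the report's three categories
# (device identifiers, location, address book). Mapping is an assumption.
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the report's categories to declared permissions.
CATEGORIES = {
    "device_id": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "address_book": {"android.permission.READ_CONTACTS"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}

def categorize(manifest_xml: str) -> set:
    """Which of the report's categories this manifest's permissions touch."""
    perms = declared_permissions(manifest_xml)
    return {cat for cat, needed in CATEGORIES.items() if perms & needed}

def summarize(manifests: list) -> dict:
    """Percentage of apps touching each category, rounded like the report."""
    counts = Counter()
    for m in manifests:
        counts.update(categorize(m))
    n = len(manifests)
    return {cat: round(100 * counts[cat] / n, 1) for cat in CATEGORIES}

def _manifest(*perms):
    # Constructed sample manifest with the given permissions declared.
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
            f"{uses}<application/></manifest>")

# Constructed sample set: one app reads the device ID and fine location,
# one reads contacts and coarse location, one only uses the network.
SAMPLE_MANIFESTS = [
    _manifest("android.permission.READ_PHONE_STATE",
              "android.permission.ACCESS_FINE_LOCATION"),
    _manifest("android.permission.READ_CONTACTS",
              "android.permission.ACCESS_COARSE_LOCATION"),
    _manifest("android.permission.INTERNET"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_MANIFESTS))
```

A declared permission shows what an app can read, not what it sends; confirming actual collection needs the dynamic and behavioral analysis the report also used.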
Among free Android apps, 88% of the top 100 apps available on the Google Play store collect unique device identifiers (UDIDs) or IMEIs, while 82% engage in some form of location tracking and 30% access users' address books. Though Apple often touts iOS as a more secure and privacy-oriented alternative to Android, the Appthority statistics aren't much more flattering for the platform. More than half of the top 100 free apps on the App Store engage in the same UDID and location tracking, and 26% also access users' address books.
Even when users paid for apps, the San Francisco-based firm found that data collection was still prevalent. Out of the top 100 paid Android apps, for instance, 65% still utilized UDID details, 49% collected location data and 14% accessed address books. On the iOS side, 28% used UDIDs, 24% collected location data and 8% accessed address books.
In comparison, out of the 400 apps analyzed, Appthority didn't find a single instance of mobile malware. Only 0.4% of all apps in enterprise settings contain malware, the company noted, as Apple maintains a strict, manual security review process for all apps entering the iOS App Store and Google employs a variety of tactics to screen Google Play apps for malware.
"Everyone knows about mobile malware," said Appthority President Domingo Guerra in an interview, "but not everyone knows about these other issues."
Data collection risks
Guerra said that mobile app data collection exposes enterprises and users to a number of risks that may not initially be apparent. For example, if a user syncs their corporate Outlook account with a personal smartphone, that device may now have access to an extensive address book that contains contact details for a variety of important figures in the business. If an app that collects that address book information is compromised, attackers could have the information necessary to spam the office phones of those contacts, gather dial-in details for sensitive corporate calls, read attachments in a calendar and more.
Most organizations outside the government aren't overly concerned about location tracking data, said Guerra, though if attackers can glean the location of key executives, they can potentially utilize that information to predict mergers or acquisitions based on visits to relevant businesses. Guerra also noted the famous incident when a U.S. soldier shared a picture on Twitter of himself arriving at a base in Iraq. The picture included location details via geotagging, he said, which led to insurgents launching a mortar attack on the exact location and destroying the helicopters on base.
The prevalence of mobile ad networks poses multiple risks, according to Guerra. Attackers themselves can pose as ad networks and glean user data directly, compromise an ad network's software development kit and infiltrate an app, or simply target the potentially vast data collection being stored by dozens of ad networks around the world.
"So, from a developer's perspective, the more data we host, the more of a target we can be, and that's definitely the case with advertising networks," said Guerra. "Now that's compounded by the fact that most apps that have an ad network have more than one, so even the developers themselves might not know where all this data is going to end up. From an attacker's perspective, it's not even about finding the most popular ad network -- it's finding the weakest ad network that's still going to have a lot of data."