Apps are often free… but don’t fool yourself. Many, if not most, free apps are getting something in exchange — your personal information. And this means they access your location, your friends, your contact information, your passwords, your phone calls and your device’s camera. As many as half of top mobile apps collect or share user location data without users’ affirmative consent. Health apps, which track a user’s sleep, weight, and exercise, among other things, are increasingly popular. Some can initiate phone calls, send SMS messages and turn on your camera without your knowing it. The transfer of this type of personal data to third parties potentially opens app users to insurance or employment problems as well as targeted advertising that references personal health struggles. They have the ability to become a secret monitor of all of your digital activities. And most consumers have no idea how much they are giving away and how this information is being used.

The explosion of smartphones and their apps has improved lives in many ways: greater convenience, more information, and far less boredom, to name a few. But the dangers of apps are beginning to get more attention. Apps access massive amounts of personal data, but they lag far behind other technologies when it comes to protection of privacy and data security.  The FTC and others estimate that less than a third of apps make a privacy policy available within the app itself.   Moreover, the types of information apps collect can be particularly sensitive.   In addition to all of the information mentioned above, many apps ask users to log in through or permit access to their social media sites, which then opens all of the information on those sites to the app developer as well.   The examples of these dangers have been well documented in the last few years:

Free mobile apps pose a serious threat to privacy because of their ability to capture large amounts of user information, a 2012 Juniper Networks study revealed. It examined 1.7 million apps in Google Play and found that free applications are five times more likely to track user location and a whopping 314 percent more likely to access user address books than paid counterparts. Similarly, the Wall St. Journal found that a significant number of applications contain capabilities that could expose sensitive information to 3rd parties. For example, neither Apple nor Google requires apps to ask permission to access some forms of the device ID, or to send it to outsiders. It examined 101 popular Android (and iPhone) apps and found that 56 — that’s half — of the apps tested transmitted the phone’s unique device ID to other companies without users’ awareness or consent. 47 apps — again, almost a half — transmitted the phone’s location to other companies. Twitter, Yelp, and Foursquare are but a few of the app developers who had admitted that they transmitted users’ contact information whenever people selected features with labels such as “find friends.” But such information was often stored in unencrypted format, again creating an information security risk.

Mobile apps are also notoriously vulnerable to hackers. Recent studies suggest that as many as 80%-90% of these apps do not have basic information security features that would defend against common attacks. In addition, apps have become a popular avenue for hackers to introduce malware into a device or network. This is particularly true with the Android platform, but the problem exists for iOS apps as well. Recently, cybersleuths reported finding an app that targeted jailbroken iOS and Android mobile phones used by the pro-democracy protesters in Hong Kong. It was capable of stealing text messages, photos, call logs, passwords and other data from Apple mobile devices, and they believe that it was produced by the Chinese government to spy on the protesters. If true, this is a chilling revelation, as it demonstrates how mobile phones can be used against their owners, and it is a reminder about the ramifications of jailbreaking your phone.

Another problem lies in the fact that many online advertisers participate in this sneaky tracking in order to build up reading profiles of users for marketing purposes, whether users have opted in or not. Some apps have been created to block these types of ads—even though ad-blocking is incidental to their primary goal. But they don’t survive; Google has banned apps that interfere with Google’s business model. By removing this app from the Play Store, Google is putting its users at risk and sending the message that it cares more about its bottom line than its users’ security.

One reason that privacy and security concerns are more acute with apps is that it is relatively easy to enter the app business. App development requires a small budget as compared to most other technologies. The lower barrier to entry means that small companies are turning out new apps in huge numbers.  Many of those companies are relatively unsophisticated about privacy concerns, legal requirements, and the best privacy practices.

One area of particular concern is the use of apps by children. The Federal Trade Commission (FTC) has reported that the apps and app stores provide inadequate information to parents about what data is collected from their children, how it is being shared, or who will have access to it. The FTC found that “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data.” This was true even when the app shared sensitive data, such as location and phone numbers, with third parties. Educators, public officials, and advocates have raised similar concerns about the use of education-related apps. These concerns are centered on the use of student data for commercial purposes and the potential for long-term harm to children when companies collect, analyze, and store data obtained from these apps.

Excessive Permissions

Even though a list of permissions is presented when installing an app, most people do not understand what they are agreeing to, nor do they have the information needed to make educated decisions about which apps to trust. Or worse, they aren’t given a choice about how many permissions to grant. One enterprising blogger examined the top 20 free and the top 20 paid apps showing in the Android Market to see what permissions they used. He identified certain “dangerous” permissions which are commonly requested. They included:

– Manage Accounts – Allows apps to add to the built-in accounts list, where details such as Facebook, Google and Twitter logins are stored
– Account Authenticator – Allows an app to respond to account detail requests
– Send SMS – Allows apps to send SMS messages, without user prompting or going through the default SMS app
– GPS – Allows apps to access the GPS sensor, for accurate location detail
– Net Access – Allows bi-directional internet access, via whatever means the device uses to connect. This could be 3G, WiFi, or any other data connection (Bluetooth, USB connection, LTE)
– Read Contacts – Allows apps to access but not modify the user’s contact list
– Write Contacts – Allows apps to modify and add to the user’s contact list
– Direct Phone Calls – Allows apps to dial numbers without going through the default dialer app, or prompting the user
– Global System Settings – Allows apps to change core system settings
– Read Browser History and Bookmarks – Allows apps to read but not modify the browser history and bookmarks. This applies to both the default browser, and any browsers which share the history and bookmarks of it
– Write Browser History and Bookmarks – Allows apps to modify and add to the browser history and bookmarks.
– Sensitive Log Data – Allows apps to read potentially sensitive log data, which may contain phone numbers, email addresses and so on

A graphic example of the abuse of permissions is flashlight apps. A report by a security firm says that the top ten flashlight Android apps are malicious. The firm, SnoopWall, created both a flashlight and privacy app for Android users that is less pernicious than the other “free” apps. MyPermissions.com has also created a privacy app that may be worth your time investigating.

Safe App-ing

Our most urgent advice is: don’t download free apps that require lots of permissions. Be especially wary of permissions that appear to have no connection at all to the app’s functions. Additionally, remove apps that have no reasonable excuse for requesting certain permissions—also known as “over-privileged” apps. You can identify errant apps using software like Permissions Explorer, which can look at the apps on your device, filtered by permission. An alternative is to upload your apps to Stowaway, which analyzes whether or not the app requests too many freedoms with your data. However, Stowaway might present an issue to users not familiar with managing APK files, the Android executable file. Another useful piece of software, called “No Permissions,” illustrates what an over-privileged app looks like. To learn more about the importance of permissions, this is a useful discussion.
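
As an added illustration (not from the original article or from any of the tools it names), the Python example below reads a decoded, text-form AndroidManifest.xml, matches its requested permissions against the “dangerous” list above, and reports the ones the app’s stated function does not need. The mapping from the article’s labels to Android permission names, the sample flashlight manifest and the function names are assumptions made for this example, and the check is a plain baseline comparison, not Stowaway’s analysis.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android manifest permission name -> label used in the article's list.
RISKY = {
    "android.permission.MANAGE_ACCOUNTS": "Manage Accounts",
    "android.permission.AUTHENTICATE_ACCOUNTS": "Account Authenticator",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.INTERNET": "Net Access",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.WRITE_CONTACTS": "Write Contacts",
    "android.permission.CALL_PHONE": "Direct Phone Calls",
    "android.permission.WRITE_SETTINGS": "Global System Settings",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read Browser History and Bookmarks",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "Write Browser History and Bookmarks",
    "android.permission.READ_LOGS": "Sensitive Log Data",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def over_privileged(manifest_xml, needed):
    """List risky permissions the app requests beyond what its function needs."""
    extra = requested_permissions(manifest_xml) - set(needed)
    return sorted(RISKY[p] for p in extra if p in RISKY)

if __name__ == "__main__":
    # A flashlight needs the camera LED and nothing from the risky list.
    needed = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
    for label in over_privileged(SAMPLE_MANIFEST, needed):
        print("unjustified:", label)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.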