Bit9 claims 100,000 Android apps are ‘over-permissioning’

By Editor Posted on November 2,12

Security vendor Bit9 has released an analysis of more than 400,000 Android apps and found that almost a quarter of them were ‘over-permissioning’ – that is, they requested access to one or more smartphone or tablet functions that they should not normally need.

In parallel with the analysis, the security vendor surveyed 139 IT security decision makers responsible for the mobile policy of more than 400,000 employees.

According to the report, 26 pc of apps in the Google Play Store can access personal data such as contacts and email, whilst 76 pc of businesses said they did not know which mobile apps access their networks.

Delving into the report reveals that 71 pc of organisations allow their employees to bring their own devices (BYOD) to work, yet only 24 pc deploy application monitoring – or controls to provide visibility into what applications employees are using on their mobile devices.

Bit9 says that the criteria for defining an application as ‘questionable’ or ‘suspicious’ included the permissions requested by the application, categorisation of the application, user rating, number of downloads, and the reputation of the application’s publisher.

In its examination of the more than 400,000 Android apps, Bit9 found that 72 pc use at least one high-risk permission, with 42 pc of applications accessing GPS location data, and these include wallpapers, games and utilities.

31 pc, meanwhile, access phone calls or phone numbers, whilst 26 pc access personal data, such as contacts and email, and 9 pc use permissions that can cost the user money.

Commenting on the report, Harry Sverdlove, Bit9’s CTO, said that a significant percentage of Google Play apps have access to potentially sensitive and confidential information.

“When a seemingly basic app such as a wallpaper requests access to GPS data, this raises a red flag. Likewise, more than a quarter of the apps can access email and contacts unbeknown to the phone user, which is of great concern when these devices are used in the workplace,” he explained.

Of the IT security decision makers surveyed in the report, 78 pc felt that phone makers do not focus enough on security, even though 71 pc of them allow employees to bring their own smartphones to the workplace.

68 pc, meanwhile, rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work, but only 24 pc of companies employ any sort of application control or monitoring to know what applications are running on employees’ mobile devices.

Bit9 also found that just 37 pc of organisations surveyed have deployed any form of malware protection on employee-owned devices.

These results, says the vendor, spotlight an interesting – and disturbing – policy contradiction: whilst the majority of organisations allow employees to bring their personal devices to work and connect to the company network, the organisations have little visibility into the privacy and security risks the mobile applications on the devices pose to the companies’ networks.

The problem stems from the fact that convenience, rather than security, is driving the growing trend to allow BYOD policies. The survey, says the report, highlights a clear call to action for companies to realise that when employees access company data from a smart device, their intellectual property is being put at risk.

 

So what can be done to counter this latest Android security issue?

Bit9 recommends that education is a central plank of any security strategy, since the Android model of capability-based security squarely places responsibility on device owners to know what apps they are running and whether they can access their employers’ sensitive data and system services.

As a result, the vendor argues that a major component of effective Android and mobile security revolves around the better education of end users in order to help them avoid common security pitfalls.

The company also says that another aspect of education is for each user to know the capabilities of their mobile devices and whether they will allow apps to be loaded from sources other than Google Play. In general, the firm says, users should stay away from public app markets that lack trustworthiness.

Rooting of devices is another problem area, says Bit9, as it provides unfettered access to all data on a device and allows risky apps to make changes to system resources.

This effectively gives malware a foothold to install other apps that could steal data and monitor its use across the device’s capabilities such as voice calls, SMS, camera and so on, whilst sending the data to a remote command-and-control server.

The final step in an organisation’s security strategy is to establish good levels of Android security, such as screen locking, PINs, encryption and remote wiping facilities. Encryption should also be applied to data-in-motion and data-at-rest – with Android 3.0 and above supporting native encryption facilities.

IS