Bring your own danger with Google Play: Survey

• More than 400,000 apps within the Google Play marketplace may pose security risks to organizations
• 26% of apps access private information such as email and contacts, with only 2% of apps being from highly trusted publishers

MORE than 100,000 Android apps may pose security risks to organizations and attempts to secure bring your own device (BYOD) environments, according to a new study by endpoint security solutions provider Bit9.
 
In a blog post detailing the report called Pausing Google Play, Harry Sverdlove (pic), chief technology officer for Bit9 stressed that the company was not saying that 100,000 apps on online app marketplace Google Play are “malicious.”
 
“In fact, very few apps are actually evil, and Google does a pretty good job of catching and removing them from Google Play. But these ‘red’ apps do perform questionable tasks and have access to private information, which represent a risk to enterprises,” he said.
 
Out of the more than 400,000 apps evaluated, Bit9 found that 72% of all Android apps (more than
290,000) access at least one high-risk permission; 21% (more than 86,000) access five or more; and 2% (more than 8,000) access 10 or more permissions flagged as potentially dangerous
 
Google defines a high-risk or dangerous permission as a “permission that would give a requesting application access to private user data or control over the device that can negatively impact the user.”
 
According to Bit9, another concern is the significant level of variant apps in relation to popular “known” titles. For example, of the 115 apps that contain the words “Angry” and “Birds” in the title, only four are from Rovio Mobile, the official publisher of the Angry Birds app.
 
Among them, “Angry Birds Live Wallpaper” requests twice as many permissions as the original Angry Birds game app, including fine-grained GPS location tracking.
 
According to Sverdlove, when a smartphone is used for business, the line between personal data and corporate intellectual property gets blurry.
 
“A social media app that an employee might have for personal friends might now have access to email addresses and information about company executives or customers. In fact, most free apps that embed advertising, to support their development, do not understand or control what information those third-party advertisers may collect as the advertising component automatically inherits the permissions of the app itself,” he said.
 
The risk for IT security departments then, said Sverdlove, is not just in losing primary control over data stored on or transmitted from a smartphone.
 
“Mobile data, such as contacts and emails, can be easily used to launch more sophisticated spear-phishing or other targeted attacks directly against traditional desktop and laptop systems,” he added.
 
The report also found that (click on image on right to enlarge):

• 71% of respondents say that their organization allows employee-owned devices to connect to their company's network
• 84% of respondents feel iOS is significantly more secure than Android.
• 96% of respondents that allow employee-owned device access, allow employees to access company email using their personal device.
• 26% of apps access private information such as email and contacts, with only 2% of apps being from highly trusted publishers.

“So to put the research in context, we are not saying the sky is falling. We are not saying 25 percent of all apps are malicious. What we are saying is a large percentage of mobile apps are accessing more information on their devices than people realize, and when those devices are holding both corporate and personal data, this is a problem for individuals and their employers,” said Sverdlove.

Some of the recommendations made by Bit9 following to results of the study include employee education, preventing the use of apps from third-party markets and use of rooted or jailbroken devices. In addition the company also recommended establishing typical security such as screen locking, PINs, encryption and remote wipe.
 
The survey was conducted in Aug and Sept of this year with 139 IT security decision makers responsible for the mobile security posture of more than 400,000 employees from a range of industry verticals. The survey focused on employee use of personal devices in the workplace, and the organizations’ mobile policy or lack thereof.
 
To read the full report, click here.