Savvy CISOs remind staff toting Android devices that the safest place to download apps is from the Google Play Store — unless the enterprise has an app store of its own.
But a report released this week by the Pew Research Center highlights that Google’s efforts to toughen app security don’t mean software in the Play Store is without problems.
The study of over 1 million apps there last year found apps asked for 235 distinct types of permissions on installation, some of them with serious security implications. These include the ability to connect to the Internet, add or change calendar events and send email without the owners’ knowledge, add or remove accounts, change network connectivity and download files without notification.
– over 163,000 apps could get the list of accounts on the device;
– over 4,700 could change passwords;
– over 84,00 could place phone calls;
– almost 35,000 could modify the contact list.
“The number of permissions — 235 — is a lot,” report co-author Kenneth Olmstead said in an interview. “You really have to be aware of what’s in the permission agreement” before downloading an app. “You really have to read these things.”
Separately, mobile app security vendor Bluebox Security said it has research showing most consumers are somewhat to very confident that the apps they use are safe from hackers, but the majority of developers believe most mobile apps are moderately vulnerable — with 24 per cent of developers surveyed agreeing these apps are highly vulnerable.
Almost half of the 300 developers surveyed agreed they have rushed an app to market and 53 per cent said they have taken shortcuts or put temporary solutions in place in order to get their app out on deadline.
Over 95 per cent of developers said they build their apps with third-party frameworks that may or may not be safe.
Some of the permissions in the apps Pew studied may be benign relative to the app’s purpose, but if the device is infected, malware could leverage those same permissions to cause havoc.
Admittedly, the apps analyzed are a year old and could have been updated since with better permissions. Also, Google recently released Android 6.0, which has better permissions control — although few devices at the moment run that version.
“Ultimately —despite user concerns about the information being requested by the apps they use — the amount of personal information users are putting at risk depends almost entirely on the individual app, the permissions it requests and the context in which those permissions are being used,” say the Pew authors.
Unless the enterprise has its own app store with approved software, or has a policy that staff only use devices that separate corporate and personal data, one can only conclude from the report that CISOs have to remind Android users to check each app’s Google Play page before downloading it to see what services it will access. After installation, users can check the permissions of each app by going to Android’s settings menu and selecting either application manager or apps, depending on the device. If the app has no need to access a service, it should be deleted.
Devices running Android 6.0, however, allow users to toggle individual permissions on and off on an app-by-app basis. Permissions are also displayed at the moment an app requires them.
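The post-installation check described above is tedious to do by hand across a fleet of devices, so the script below does the same triage from the text that `adb shell dumpsys package <pkg>` prints. This is an added example and not part of the article or the Pew report; the dumpsys text it parses is a constructed sample in the shape of Android 6.0-style output (real devices vary slightly between versions), and the list of permissions it flags is simply the set the article names, using their real AOSP `android.permission.*` constant names. On a pre-6.0 device there is no "runtime permissions" block, because every requested permission is granted at install time; the script reports those as granted at install rather than guessing.

```python
"""Triage an Android app's permissions from `adb shell dumpsys package <pkg>` output.

Added example, not code from the article or the Pew report.  SAMPLE_DUMPSYS is a
constructed sample; on a real device you would feed the actual dumpsys text to
parse_dumpsys() and pass the result to triage().
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Permissions the article singles out, mapped to the risk they carry.
# Names are the real AOSP Manifest.permission constants.
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.GET_ACCOUNTS": "read the list of accounts on the device",
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
    "android.permission.CALL_PHONE": "place phone calls without the dialer UI",
    "android.permission.WRITE_CONTACTS": "modify the contact list",
    "android.permission.WRITE_CALENDAR": "add or change calendar events",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# Constructed sample in the shape of `dumpsys package` on Android 6.0+.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (7b1c2d3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.GET_ACCOUNTS
      android.permission.CALL_PHONE
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.GET_ACCOUNTS: granted=true
        android.permission.CALL_PHONE: granted=false
        android.permission.CAMERA: granted=true
"""


def parse_dumpsys(text: str) -> Dict[str, object]:
    """Extract package name, requested permissions and per-permission grant state."""
    match = re.search(r"Package \[([^\]]+)\]", text)
    package = match.group(1) if match else "<unknown>"

    # "requested permissions:" is followed by one bare permission name per line;
    # the block ends at the first line that is not a bare dotted identifier.
    requested: List[str] = []
    in_requested = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            if re.fullmatch(r"[\w.]+", stripped):
                requested.append(stripped)
            else:
                in_requested = False

    # Both the install-time and runtime blocks use "<name>: granted=<bool>".
    granted: Dict[str, bool] = {
        name: state == "true"
        for name, state in re.findall(r"([\w.]+): granted=(true|false)", text)
    }
    return {"package": package, "requested": requested, "granted": granted}


def triage(parsed: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Return (permission, risk, status) for every risky permission the app requests."""
    findings: List[Tuple[str, str, str]] = []
    granted: Dict[str, bool] = parsed["granted"]  # type: ignore[assignment]
    for perm in parsed["requested"]:  # type: ignore[union-attr]
        if perm not in RISKY_PERMISSIONS:
            continue
        state: Optional[bool] = granted.get(perm)
        if state is None:
            # No grant line at all: pre-6.0 device, everything requested is granted at install.
            status = "granted at install"
        else:
            status = "granted" if state else "denied"
        findings.append((perm, RISKY_PERMISSIONS[perm], status))
    return findings


def report(text: str) -> str:
    """Human-readable summary suitable for a fleet audit log."""
    parsed = parse_dumpsys(text)
    lines = [f"{parsed['package']}: {len(parsed['requested'])} permissions requested"]
    for perm, risk, status in triage(parsed):
        lines.append(f"  [{status}] {perm} -> can {risk}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read real dumpsys output from stdin if piped in, else use the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    print(report(source))
```

In the sample the flashlight app requests both GET_ACCOUNTS and CALL_PHONE, neither of which a flashlight needs; the report shows that the user has already denied CALL_PHONE under 6.0's per-permission toggles but left GET_ACCOUNTS granted, which is exactly the kind of mismatch between an app's purpose and its permissions that the article says warrants deleting the app.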
Finally, for CISOs who think banning Android is the solution, a study by two security vendors issued last week suggests iOS apps have at least as many vulnerabilities. Forty per cent of vulnerabilities found in iOS apps were critical or high severity, compared to 36 per cent of the Android vulnerabilities, said the study by Checkmarx and AppSec Labs.