Thursday, May 26, 2022

Android apps ask for too many permissions, survey warns

Savvy CISOs remind staff toting Android devices that the safest place to download apps is from the Google Play Store — unless the enterprise has an app store of its own.

But a report released this week by the Pew Research Center highlights that Google’s efforts to toughen app security don’t mean software in the Play Store is without problems.

Image: Android phone permissions page

The study of over 1 million apps there last year found apps asked for 235 distinct types of permissions on installation, some of them with serious security implications. These include the ability to connect to the Internet, add or change calendar events and send email without the owners’ knowledge, add or remove accounts, change network connectivity and download files without notification.

For example:

– over 163,000 apps could get the list of accounts on the device;

– over 4,700 could change passwords;

– over 84,00 could place phone calls;

– almost 35,000 could modify the contact list.

“The number of permissions — 235 — is a lot,” report co-author Kenneth Olmstead said in an interview. “You really have to be aware of what’s in the permission agreement” before downloading an app.  “You really have to read these things.”

Separately, mobile app security vendor Bluebox Security said it has research showing most consumers are somewhat to very confident that the apps they use are safe from hackers, but the majority of developers believe most mobile apps are moderately vulnerable — with 24 per cent of developers surveyed agreeing these apps are highly vulnerable.

Almost half of the 300 developers surveyed agreed they have rushed an app to market and 53 per cent said they have taken shortcuts or put temporary solutions in place in order to get their app out on deadline.

Over 95 per cent of developers said they use third-party frameworks, which may or may not be safe, to build their apps.

Some of the permissions in the apps Pew studied may be benign relative to the app’s purpose, but if the device is infected with malware, the malware could leverage those same permissions to cause havoc.

Admittedly, the apps analyzed are a year old and could have been updated since with better permissions. Also, Google recently released Android 6.0, which has better permissions control — although few devices at the moment run that version.

“Ultimately —despite user concerns about the information being requested by the apps they use — the amount of personal information users are putting at risk depends almost entirely on the individual app, the permissions it requests and the context in which those permissions are being used,” say the Pew authors.

Unless the enterprise has its own app store with approved software or has a policy that staff only use devices that separate corporate and personal data, one can only conclude from the report that CISOs have to remind Android users to check each app’s Google Play page before download to see what services it will access. After installation, users can check the permissions of each app by opening Android’s settings menu and selecting either application manager or apps, depending on the device. If there is no need for the app to access a service, the app should be deleted.

Devices running Android 6.0, however, allow users to toggle individual permissions on and off on an app-by-app basis. Permissions are also displayed at the moment an app requires them.
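As an added example, not from the article or from Pew, the post-install check above can be scripted for a fleet of devices: the snippet below parses the text of `adb shell dumpsys package` and flags apps that have been granted the permissions the report singles out. The sample output and the `name: granted=true/false` line format it parses are constructed here and assumed to match a real device closely enough; adjust the regexes if your Android build prints them differently.

```python
import re
from collections import defaultdict

# Manifest permission names behind the capabilities the Pew report describes.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "read the list of accounts on the device",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.WRITE_CONTACTS": "modify the contact list",
    "android.permission.WRITE_CALENDAR": "add or change calendar events",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# Assumed line shapes from `dumpsys package`: a package header, then
# "<permission>: granted=<true|false>" lines under install/runtime sections.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed sample dumpsys text (two fictional apps), not captured from a device.
SAMPLE = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10101
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    userId=10102
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.WRITE_CONTACTS: granted=true, flags=[ USER_SET ]
"""

def granted_permissions(dumpsys_text):
    """Map package name -> set of permissions currently granted to it."""
    granted = defaultdict(set)
    pkg = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)       # new package section begins
            continue
        m = PERM_RE.match(line)
        if pkg and m and m.group(2) == "true":
            granted[pkg].add(m.group(1))
    return dict(granted)

def flag_sensitive(dumpsys_text):
    """Return {package: [(permission, what it allows), ...]} for sensitive grants."""
    report = {}
    for pkg, perms in granted_permissions(dumpsys_text).items():
        hits = sorted((p, SENSITIVE[p]) for p in perms & SENSITIVE.keys())
        if hits:
            report[pkg] = hits
    return report

if __name__ == "__main__":
    for pkg, hits in flag_sensitive(SAMPLE).items():
        print(pkg)
        for perm, meaning in hits:
            print(f"  {perm}: can {meaning}")
```

On a real device, pipe `adb shell dumpsys package` into `flag_sensitive` instead of `SAMPLE`; a denied runtime permission (granted=false) is correctly left out, as with CALL_PHONE in the sample.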

Finally, for CISOs who think banning Android is the solution, a study by two security vendors issued last week suggests iOS apps have at least as many vulnerabilities. Forty per cent of vulnerabilities found in iOS apps were critical or high severity, compared to 36 per cent of the Android vulnerabilities, said the study by Checkmarx and AppSec Labs.

Howard Solomon