Top Paid and Free Mobile Apps: Think They're Secure? Really?

By Tony Rizzo July 30, 2013

Application risk management vendor Appthority has been a constant trusted source for us in detailing where many mobile app security issues are to be found. The company has a knack for digging in behind the obvious and for pulling out what are more often than not the “not so obvious” issues that many of us – including those among us who are supposed to know better – often fall prey to. Well, the company has now delivered on its “Summer 2013 App Reputation Report,” which brings us up to date on where things stand, and it isn’t all that pretty a picture the report paints.

Why do we trust Appthority? The answer to that question is to be found in the methodology the company employs – a cloud-based and automated App Risk Management service that employs static, dynamic and behavioral analysis to discover the true behavior of apps and to measure total risk within minutes. Over time, the company has built the world's largest database of analyzed public and private apps from a global network of sources. Appthority has analyzed over one and a half million apps for its Global 2000 and government customers. We trust the data.

Image via Shutterstock

The new report examines how the BYOD movement has led to the mixing of personal and corporate data on employee-owned devices (yes, that is obvious) and how the apps we use every day can put that data at risk (ah, the not so obvious). The report also shares some very interesting information on how some app developers collect data on users as a money-making technique.

Domingo Guerra, co-founder and president at Appthority, notes, "In analyzing both paid and free apps in our report, we've identified several new security trends within the global app ecosystem. For example, we measured how paid apps – like free apps – are now supporting in-app purchasing and sharing data with ad networks as a method of generating revenue. The problem is they do this even if it means putting user and corporate data at risk. We also discovered several popular iOS apps that access the unique device identifier associated with every device, even though Apple strictly prohibits this activity.  These identifiers can easily be linked back not only to private user information but to activity as well as users navigate across apps."

Below we’ve pulled the key findings from the App Reputation Report.

  • To begin with, 83 percent of the most popular apps are associated with security risks and privacy issues.
  • It turns out, surprisingly we think, that iOS apps exhibit more risky behaviors than Android apps: 91 percent of iOS apps exhibit at least one risky behavior, as compared to “only” 80 percent of Android apps.
  • 95 percent of the top free apps and 77.5 percent of the top paid apps exhibited at least one risky behavior.
  • 78 percent (!) of the most popular free Android apps identify the user's unique ID.
  • Even though Apple prohibits its developers from accessing unique device identifiers (and this is a reason that one should more or less trust iOS), Appthority finds that a non-trivial 5.5 percent of Apple-tested iOS apps still manage to get through to the App Store.
  • 72 percent of the top free apps track user locations. For paid apps this is less onerous, with only 41 percent of paid apps doing so (we aren’t suggesting 41 percent is a comforting number however).
  • Although paid apps obviously already generate revenue when downloaded, 59 percent of paid iOS and 24 percent of paid Android apps still support in-app purchasing. This isn’t as bad as one might think – we believe developers should be able to find ways to maximize revenue in this manner, but there is still a huge need for enterprises in particular to be concerned about it.
  • Finally, 39 percent of paid iOS and 16 percent of paid Android apps share data with ad networks. It isn’t clear to us if these apps require user opt-in and permission to allow this but for the enterprise it requires complete disengagement.

That’s more than enough to keep security and privacy hawks on their toes, especially within the enterprise. We continue to find that enterprises are far too lax in policing these issues, and in many cases they simply don’t know what they should be policing. Appthority’s findings at least help us to better understand where the vulnerabilities are.

The full report and a very interesting infographic with additional details are available directly from Appthority.

Edited by Alisen Downey

TechZone360 Senior Editor

Related Articles

Bloomberg BETA: Models Are Key to Machine Intelligence

By: Paula Bernier    4/19/2018

James Cham, partner at seed fund Bloomberg BETA, was at Cisco Collaboration Summit today talking about the importance of models to the future of machi…

Read More

Get Smart About Influencer Attribution in a Blockchain World

By: Maurice Nagle    4/16/2018

The retail value chain is in for a blockchain-enabled overhaul, with smarter relationships, delivering enhanced transparency across an environment of …

Read More

Facebook Flip-Flopping on GDPR

By: Maurice Nagle    4/12/2018

With GDPR on the horizon, Zuckerberg in Congress testifying and Facebook users questioning loyalty, change is coming. What that change will look like,…

Read More

The Next Phase of Flash Storage and the Mid-Sized Business

By: Joanna Fanuko    4/11/2018

Organizations amass profuse amounts of data these days, ranging from website traffic metrics to online customer surveys. Collectively, AI, IoT and eve…

Read More

Satellite Imaging - Petabytes of Developer, Business Opportunities

By: Doug Mohney    4/11/2018

Hollywood has programmed society into believing satellite imaging as a magic, all-seeing tool, but the real trick is in analysis. Numerous firms are f…

Read More