Top Paid and Free Mobile Apps: Think They're Secure? Really?

Application risk management vendor Appthority has been a constant trusted source for us in detailing where many mobile app security issues are to be found. The company has a knack for digging in behind the obvious and for pulling out what are more often than not the “not so obvious” issues that many of us – including those among us who are supposed to know better – often fall prey to. Well, the company has now delivered on its “Summer 2013 App Reputation Report,” which brings us up to date on where things stand, and it isn’t all that pretty a picture the report paints.

Why do we trust Appthority? The answer to that question is to be found in the methodology the company employs – a cloud-based and automated App Risk Management service that employs static, dynamic and behavioral analysis to discover the true behavior of apps and to measure total risk within minutes. Over time, the company has built the world's largest database of analyzed public and private apps from a global network of sources. Appthority has analyzed over one and a half million apps for its Global 2000 and government customers. We trust the data.


The new report examines how the BYOD movement has led to the mixing of personal and corporate data on employee-owned devices (yes, that is obvious) and how the apps we use every day can put that data at risk (ah, the not so obvious). The report also shares some very interesting information on how some app developers collect data on users as a money-making technique.

Domingo Guerra, co-founder and president at Appthority, notes, "In analyzing both paid and free apps in our report, we've identified several new security trends within the global app ecosystem. For example, we measured how paid apps – like free apps – are now supporting in-app purchasing and sharing data with ad networks as a method of generating revenue. The problem is they do this even if it means putting user and corporate data at risk. We also discovered several popular iOS apps that access the unique device identifier associated with every device, even though Apple strictly prohibits this activity. These identifiers can easily be linked back not only to private user information but to activity as well as users navigate across apps."

Below we’ve pulled the key findings from the App Reputation Report.

  • To begin with, 83 percent of the most popular apps are associated with security risks and privacy issues.
  • It turns out, surprisingly we think, that iOS apps exhibit more risky behaviors than Android apps: 91 percent of iOS apps exhibit at least one risky behavior, as compared to “only” 80 percent of Android apps.
  • 95 percent of the top free apps and 77.5 percent of the top paid apps exhibited at least one risky behavior.
  • 78 percent (!) of the most popular free Android apps identify the user's unique ID.
  • Even though Apple prohibits its developers from accessing unique device identifiers (and this is a reason that one should more or less trust iOS), Appthority finds that a non-trivial 5.5 percent of Apple-tested iOS apps still do so and manage to get through to the App Store.
  • 72 percent of the top free apps track user locations. For paid apps this is less onerous, with only 41 percent of paid apps doing so (we aren’t suggesting 41 percent is a comforting number, however).
  • Although paid apps obviously already generate revenue when downloaded, 59 percent of paid iOS and 24 percent of paid Android apps still support in-app purchasing. This isn’t as bad as one might think – we believe developers should be able to find ways to maximize revenue in this manner, but there is still a huge need for enterprises in particular to be concerned about it.
  • Finally, 39 percent of paid iOS and 16 percent of paid Android apps share data with ad networks. It isn’t clear to us whether these apps require user opt-in and permission to allow this, but for the enterprise it requires complete disengagement.

That’s more than enough to keep security and privacy hawks on their toes, especially within the enterprise. We continue to find that enterprises are far too lax in policing these issues, and in many cases they simply don’t know what they should be policing. Appthority’s findings at least help us to better understand where the vulnerabilities are.

The full report and a very interesting infographic with additional details are available directly from Appthority.




Edited by Alisen Downey

TechZone360 Senior Editor
