Roughly one out of five Android mobile apps asks to access private or sensitive information belonging to the device’s owner, according to a study by SMobile Systems.
One out of 20 apps can place a call to any number without interacting with or getting permission from the device owner, the report also states.
Further, more than 2,000 of the Android apps analyzed can send premium SMS messages to unknown numbers without interacting with, or getting permission from, the owner of the device, the report’s authors wrote.
Holey-er Than Thou
SMobile analyzed metadata from almost 49,000 Android Market apps — roughly 68 percent of all the apps available for download from the online store.
In addition to the flaws listed above, SMobile found that 383 apps could read or use the authentication credentials from another service or application; 29 apps requested the same permissions as known spyware apps; and another eight explicitly requested a specific permission that lets the device brick itself — make certain functions inoperable so that it’s about as usable as a brick.
“You can pretty much file this under things that are inevitable in this world — once you make something open or it gets popular, people are going to try to put malware on it,” Ramon Llamas, a senior research analyst at IDC, told LinuxInsider. “That’s just human nature.”
The Dirty Details
More than 34,600 apps analyzed tried to get permission to open network sockets by tapping the “Internet” service, SMobile found.
Another 12,000 apps analyzed requested permission to tap data from the “Access_Coarse_Location” service. This lets an app access the user’s cellphone ID or WiFi location.
About 7,500 apps the report’s researchers analyzed tried to tap data from the “Access_Fine_Location” service. This lets the app access GPS and other finely grained location data.
Other permissions that apps requested en masse include “Read_Contacts,” “Call_Phone” and “Read_Calendar.”
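To make the metadata the report analyzed concrete, here is an added example (not code from the article or from SMobile) that parses the uses-permission entries of an AndroidManifest.xml and buckets them the way the report characterises them. The android.permission.* identifiers are the standard names for the services the article lists; using SEND_SMS for the premium-SMS capability, and the sample flashlight manifest, are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permissions the article names, as their android.permission.* identifiers,
# grouped the way the report characterises them. SEND_SMS is our assumption for
# the "premium SMS" capability; the article does not name that permission.
SENSITIVE_DATA = {
    "android.permission.INTERNET": "opens network sockets",
    "android.permission.ACCESS_COARSE_LOCATION": "cell ID / WiFi location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS and other fine-grained location",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.READ_CALENDAR": "reads the calendar",
}
NO_USER_INTERACTION = {
    "android.permission.CALL_PHONE": "can place a call without user interaction",
    "android.permission.SEND_SMS": "can send SMS without user interaction",
}

def declared_permissions(manifest_xml: str) -> list:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def review_manifest(manifest_xml: str) -> dict:
    """Bucket the declared permissions into the report's two risk categories."""
    perms = declared_permissions(manifest_xml)
    return {
        "sensitive_data": {p: SENSITIVE_DATA[p] for p in perms if p in SENSITIVE_DATA},
        "no_user_interaction": {p: NO_USER_INTERACTION[p] for p in perms
                                if p in NO_USER_INTERACTION},
        "other": [p for p in perms if p not in SENSITIVE_DATA and p not in NO_USER_INTERACTION],
    }

def unexpected_permissions(manifest_xml: str, expected_for_purpose: set) -> list:
    """Permissions declared beyond what the app's stated purpose needs: the
    'inconsistent with its purpose' check a user can apply before installing."""
    return [p for p in declared_permissions(manifest_xml) if p not in expected_for_purpose]

# Constructed sample manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    print(review_manifest(SAMPLE_MANIFEST),
          unexpected_permissions(SAMPLE_MANIFEST, {"android.permission.CAMERA"}))
```

For the flashlight sample, only CAMERA is consistent with the app's purpose; the other three land in the report's risk buckets and would be worth declining at install time.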
The supposed security flaws are partly due to the Android Market’s open process for vetting and accepting apps, SMobile said.
“The Android Market relies on the community to identify and flag applications that either malfunction or are malicious in nature,” the report states. “This would imply that there will always be a window where a number of consumers would need to use, test and determine if an application is malicious before it could be removed from the market,” the report adds.
“At least with Apple, they’re reviewing the apps before putting them on the market, whereas with Android apps, you post them and Google doesn’t go through the process of reviewing them from top to bottom,” James McGregor, chief technology analyst at In-Stat, told LinuxInsider. “It’s really that there’s no one looking in any detail at the security level of these Android apps.”
Being New Means Having to Say You’re Sorry
The reported security flaws are also partly due to the newness of the mobile app market itself, In-Stat’s McGregor said.
“We’re still in the early stages where we don’t really know what security holes exist in a lot of mobile applications,” McGregor explained.
The widespread allure of app creation is yet another factor, McGregor pointed out.
“There’s an army of professional and amateur software engineers out there designing these apps, so there’s a huge potential for security flaws,” McGregor said.
The diversity of the hardware running the Android operating system is yet another possible reason for the large number of security holes in Android apps that SMobile claims to have found, McGregor remarked.
“Just because the mobile apps are created for a common software platform doesn’t mean they work the same on different hardware platforms,” he said.
“Mobile will eventually face the same onslaught of attacks that PCs and browsers do,” McGregor predicted. “They haven’t been the target of hackers in the past because they lacked critical mass.”
ECT News Network editor’s note – June 24, 2010: After the original publication of this article, Google spokesperson Jay Nancarrow provided ECT News Network with the following statement: “This report falsely suggests that Android users don’t have control over which apps access their data. Not only must each Android app get users’ permission to access sensitive information, but developers must also go through billing background checks to confirm their real identities, and we will disable any apps that are found to be malicious.”
Wow…just…WOW. I don’t even know where to begin. Maybe I should start with the fact that the vast majority of Android Market apps need the permissions they request in order to carry out their primary functions. The fact that an app accesses an API service is NOT a security flaw – and the disclosure of this in the app’s metadata (read: manifest, an intentional disclosure) isn’t nefarious; to the contrary, it is this metadata that shows users exactly what permissions they’re granting when installing an app on their phones. I know that I’ve decided against installing a handful of apps because they requested services that were inconsistent with their purpose, thanks to this feature – it’s a benefit, not an indictment of the entire Android market and platform.
A "security study" done by a company that sells security "solutions" should be subjected to a lot more scrutiny than Mr. Adhikari has provided. In this case, all "SMobile" has done is look through publicly-available metadata, drum up a scary-sounding report using lots of loaded terms and chicken-little language, and toss it over the wall to an apparently-willing blogosphere just waiting for any opportunity to parrot doom-and-gloom "news". These types of conversations aren’t doing anything constructive; they’re just slinging FUD around, something that LinuxInsider should be a lot more careful about doing.