72 percent of Android apps pose a potential security risk, says study

According to a recent study, 72 percent of all Android applications in the Google Play Store request access to at least one extraneous permission that they don’t inherently need to function properly. This number may seem alarming, but let’s break down some of the research firm’s so-called “results.”

According to the published findings:

  • 72 percent of all Android apps (more than 290,000) access at least one high-risk permission.
  • 21 percent (more than 86,000) access five or more.
  • 2 percent (more than 8,000) access 10 or more permissions flagged as potentially dangerous.

As you can see, Bit9 labels 290,000 apps as “high risk,” which it says equates to 72 percent of all apps available on the Play Store. But wait: Google just announced that the Play Store now houses over 700,000 total applications. So, it appears as though the company’s findings were based on a sample of 400,000 apps. A statement from Bit9 reveals the method by which risky apps were determined:

“We determined the risk level by relating the degree of privacy intrusion or the capability of the permission (e.g., ability to wipe devices or change systems settings). Risk levels, however, do not attribute malicious activity to the identified apps, but allude to the capability of the app to do damage if compromised. Many apps also ask for permissions that are not essential to their advertised functions.

Another concern is the significant level of variant apps in relation to popular “known” titles. For example, of the 115 apps that contain the words “Angry” and “Birds” in the title, only four are from Rovio Mobile (the official publisher of the Angry Birds app). Among them, “Angry Birds Live Wallpaper” requests twice as many permissions as the original Angry Birds game app, including fine-grained GPS location tracking.”

It’s important to note that these applications are not considered malware. Instead, they simply require more permissions than they actually need to perform their desired function. And while this may be a decent determinant in evaluating the potential security risks of applications on the Play Store, without testing all available apps, the results will undoubtedly be inaccurate and skewed.

It’s unfortunate that Bit9 didn’t just finish evaluating the other 300,000 apps, though that would obviously be an expensive and tedious task. Nonetheless, these reported figures are astonishing. So remember, whenever installing an application, whether it be on the Play Store or not, be sure that you read the full list of required permissions. This will help cut down on the possibility of installing a malicious or risky application.

For more help with security for your Android device, be sure to check out our Android Security Hub.

Via: TNW
Source: Bit9

» See more articles by Colton Kaiser


  • rjace

    Apple probably funding these studies, cause most of the developers develop for both platforms

    • Thomas T.

      I agree. These numbers are ridiculous. I’m sure apps from the App Store require the same type of permissions, they just don’t tell you what they are before you download them.

      It’s some bullshit.

  • Nicky

    what a load of kaka

  • lostsync

    It really is a good idea to at least give the requested permissions a cursory glance before installing it. Even if you think you’re downloading from a trusted dev, it’s never a bad idea to double check.

    I always really appreciate it when the devs give a breakdown of the permissions used and why they are requested in the app description.

  • Conan

    Bit9 are a retail company that sell threat protection. Reporting this as a “study” is an embarrassment.

  • Ben

    Those permissions are in many times needed for an app to function properly.
    Apple for example DOESN’T even list the permissions their app has.
    But if you are worried about permissions you can always root your phone and use Privacy Guard. =)

  • Aadam Gibson

    Cheers and thanks for posting something superior reading. This post gave truly quality information. I am once again feeling happy and proud to say that this is my favorite web site.

    • http://www.facebook.com/mikewestak Mike West

      You do know that a huge number of those apps are written for iOS too right? It’s just that Google is upfront about the permissions, unlike Apple. Go Google it or Bing it, whatever.

  • http://twitter.com/PascalBrokmeier Pascal Brokmeier

    Good thing the average power user knows how to protect himself.

    No kidding, I know what to do (permissions denied, privacy guard, droidwall etc.) but most of my ppl (family and friends) have no clue about it nor what to do about it. But it doesn’t really matter anymore anyways. My full contact information is in about 200 phones if not more and if just one of them has facebook, whatsapp or any other such app on their phone my stuff is circulating in the web without me having a chance to control it.
    So even if you are careful with your info, that one girl from last weekend’s party is still spreading your phone number around the web ;)

  • tnpapadakos

    name me one instance where someone has had their info compromised because of an app…I’m with Nicky…total BS

  • http://www.facebook.com/mikewestak Mike West

    What’s being failed to be mentioned is that even a lot of Apple apps have these same permissions. The difference is that Google lets you know upfront. Also I literally read an article on Appy Geeky this morning that stated that a lot of these “studies” are mostly written as scare tactics by MALWARE companies wanting you to buy their crap. They never disclose how they get this info. Unless you’re downloading apps that say “Sexy wet hot Asians in your pocket” you should be fine.

  • http://www.facebook.com/people/Dave-Ellis/100002067963819 Dave Ellis

    74 percent sounds like one of those stats from the department of made stats, in other words, a wild ass guess. Valid or not, it does bear closer scrutiny if the statement has even a small percentage of truth to it. Technology isn’t foolproof and nothing is really safe from being hacked, this has been proven to us time and time again, especially by Microsoft.