Free gambling apps top security risk list

MAHESH SHARMA
Last updated 05:00 04/11/2012

Free casino and racing game apps pose the biggest security risk to smartphone users, according to a new report.

The Android apps, downloaded via the Google Play store, have been revealed as the biggest offenders when it comes to accessing device functions such as camera and address book for unknown purposes.

The finding is of concern not only to individual users, but also companies struggling to manage the security of a growing fleet of bring-your-own mobile devices.

Juniper Networks's Mobile Threat Centre found that hundreds of thousands of apps could expose sensitive data or access unnecessary device functionality, after it analysed over 1.7 million apps on the Google Play store between March 2011 and September 2012. 

Apps traditionally collect user information to serve relevant content from third-party ad networks, but the research found there was a very low percentage of ads being distributed via the top five ad networks. It concluded the apps were collecting the information for other purposes.

Last month, another study found Android apps were leaking personal information.

For the latest study, the MTC installed the apps and checked that the description of their features warranted the permissions being requested. It also looked at how many ads were served by the apps. The figure of 1.7 million includes apps withdrawn or blocked from the Google Play store during the research, and newer versions of some apps.

The report detailed concerning app "behaviours": some can discreetly initiate outgoing calls, which can be used to eavesdrop on ambient conversations within hearing distance of the mobile device; some were allowed to send text messages and create a "covert channel to siphon sensitive information from the device"; some can use the device's camera to potentially obtain photos and videos of the surrounding area.

The gaming and racing apps blatantly overstepped the permissions that would have been more than adequate for normal use.
Free card and casino game apps, which simply imitate popular casino games for fun, accessed a number of features without justification: 94 per cent accessed phone calls, 83 per cent accessed the camera, 85 per cent could send SMS.

Racing games was the most concerning category, according to the report, which noted that during the research period there was an "abnormally high" number of apps removed from the marketplace.
"This category contained the highest number of applications that the MTC would consider to be newly discovered malware."

Ninety-nine per cent of paid, and 92 per cent of free, racing game apps could send SMS; half of free downloaded apps could use the camera; 94 per cent of free games could make outgoing phone calls.
There are some legitimate reasons to access these features. In some cases, casino apps accessed the camera so users could insert a personal background picture into the interface. Some financial apps also allowed users to call financial institutions.

Overall, compared to their paid counterparts, free downloads were four times more likely to track location - a quarter of all free apps were allowed to track user location - and they were three times more likely to access user address books.

The report's author, Dan Hoffman, chief mobile security evangelist at Juniper Networks, said developers should better explain why an app needed to access certain features. Apps should only ask for permissions if absolutely necessary to function, and they should inform users of exactly how their data and device are used.

"It seems there is no such thing as a free lunch in mobile," he wrote.

"If people choose to use free applications, they will likely need to provide information in exchange. Many do not realise that this tracking is happening and may not be making informed choices."

The report said Apple does not disclose information about its apps.

Pure Hacking chief technology officer Ty Miller said hackers could control the apps to attack users, even if the apps weren't developed for malicious purposes.

Miller said that, generally, mobile developers didn't code with the same level of maturity as their enterprise counterparts, who were more security-conscious. They often requested as many permissions as possible to ensure their app works.

Google, developers and users are all responsible, he said.

"Developers could be assisted by understanding applications' security basics; and once again having good enforcement, such as maybe random audits by Google; and consumers, should make sure that in the case of Android, they should think twice about giving apps some permissions," Miller said.

"Look for apps with good reviews, apps that have been around for a while and featured by various stores."

-IT Pro
