Majority of apps put mobile users at risk

There are a few old rules with mobile apps: free apps are much riskier than paid, and iOS apps are more secure than Android. But a new study of the most popular apps on these platforms has some surprising results – ones that IT could find worrisome for mobile users.

A study put out this week by Appthority looked at the top 200 paid apps for Android and iOS and the top 200 free apps on those operating systems.

By analyzing the permissions these apps require of users, they found some serious security concerns. Overall:

  • 95% of the top 200 free iOS and Android apps exhibited at least one risky behavior, and
  • 80% of the top 200 paid iOS and Android apps exhibited at least one risky behavior.

Perhaps the first surprise of the report: 91% of iOS apps had risky behaviors, while Android apps had risky behaviors 83% of the time. This suggests the old thinking on applications – Apple is safer than Android – could be a false assumption.

What’s a ‘risky behavior’?

While the report has some broad definitions for what is or isn’t risky, the top concerns it cited are likely permissions that IT would prefer users didn’t grant before downloading.

The top 5 risky behaviors found in apps were:

  1. An ability to track location of users (found in 70% of free apps, 44% of paid apps across both platforms)
  2. Single sign-on via social media (69% of free, 47% of paid)
  3. The ability to identify a user by name or their UDID, or unique device identifier (56% of free, 41% of paid)
  4. In-app purchasing (53% of free, 26% of paid), and
  5. Sharing user information with ad networks (53% of free apps, 26% of paid).

Just outside the top 5 was the ability to access a user’s address book. Almost a third of free apps (31%) required this permission along with 22% of paid apps.

Moving target

Unfortunately, staying safe from apps on company devices might not be as easy as banning only risky apps. There was almost 50% turnover in the most popular apps from last summer to when this report was released.

One of the most dangerous types of apps, however, was games and arcades. If you’re looking to keep mobile devices secure, banning these could be a good first step.

For BYOD or user-owned devices, other steps to consider:

  • Put permissions in plain English. Many users might think of the box that opens with a list of required permissions when they try to download an app as just a pop-up or confirmation screen. Tell them what these messages are actually asking for – and why it may or may not be a good idea to grant it.
    It’s easier said than done, but always stress to users to examine these permissions carefully and realize when something seems off – for instance, a game requesting to be able to send SMS messages.
  • Look into private app stores. Rather than blacklisting apps, whitelisting them might be an easier way to go. By allowing only approved apps through a company app store, you may be able to provide the most useful resources without as much risk.
  • Evaluate mobile device management choices. MDM has advanced a lot in recent years. Make sure the system you have is still meeting your needs.

