Business Users Risk Data Loss Through 78% of Mobile Apps

  • 18 June 2014

Many mobile apps come with a slew of ads, the ability to connect to social media, or both. These may seem like harmless add-ons, placed in the app to earn money for the app's developer. However, these features may be able to access a user's personally identifiable information (PII). This access is dangerous not only because the add-ons can gather sensitive information once the user approves the app's permissions, but also because that information can be exposed without the user's knowledge.
A study by Mojave Networks, a technology security startup based in San Mateo, California, used its Threat Labs to test 11 million URLs that send and receive data in over 2000 apps installed by its customers, with the study focusing on business users. These URLs were then categorized by their connection to one of three kinds of library: ad networks, social media APIs, or analytics APIs. The results showed that 78 percent of apps downloaded connected to one of the three groups, which put users at risk of access to their personal information without their knowledge or, even worse, personal or business data loss.
 
A Lack of Accountability
What's even more shocking is how these libraries are implemented. They are used by the developer, who receives the code from a third party. This code is primarily used to help collect ad revenue, keep track of user statistics, or integrate with social media. The report mentioned that there are thousands of these libraries available, and for the most part this third-party code doesn't collect PII. However, not all of them can be trusted. In most cases the developer will implement the code with little or no review of what it contains, leaving you to blindly trust the developer's judgement and risk allowing these libraries to access your data without your knowledge.
To make matters worse, the user is bound by the library's particular policies just by downloading and installing the app, without ever seeing the details of those policies. From a business standpoint, this can result in a lack of accountability and makes it difficult for IT administrators to decide which apps pose a security risk.
On average, each app has about nine permissions. Five of those are considered to be very dangerous since they can provide access to information that would otherwise be kept private. For example, Airpush, one of the top ad libraries in the study, collects the following data:
 
  • Android ID
  • Device make and model
  • Mobile browser type and version
  • IP address
  • An Airpush-generated ID
  • List of mobile apps installed on the phone.
  • "Other technical data about your device."

If you give it permission to do so, Airpush can also collect:

  • Precise geo-location including country and ZIP code.
  • Device IDs including the International Mobile Equipment Identity (IMEI) number, device serial number, and the Media Access Control (MAC) address.
  • Browser history and more.

Users can opt out of some of the data collection such as the list of mobile apps installed and browser history.
If you install an app that uses Airpush, it can gain access to all this information without your knowledge. The worst part is that this broad access to private information is typical, and nothing new in the mobile app market.