A study by Mojave Networks, a technology security startup based in San Mateo, California, used its Threat Labs to test 11 million URLs that send and receive data in over 2,000 apps installed by its customers, with the study focusing on business users. These URLs were then categorized according to the kind of third-party library they belonged to: ad networks, social media APIs, or analytics APIs. The results showed that 78 percent of the apps downloaded connected to at least one of the three groups, which puts users at risk of unknown access to their personal information or, even worse, loss of personal or business data.
A Lack of Accountability
What's even more shocking is how these libraries are implemented. They are used by the developer, who receives the code from a third party. This code is primarily used to collect ad revenue, track user statistics, or integrate with social media. The report mentioned that there are thousands of these libraries available, and for the most part this third-party code does not collect PII. However, not all of it can be trusted. In most cases the developer implements the code with little or no review of what it contains, leaving you to blindly trust the developer's judgement and risk allowing these libraries to access your data without your knowledge.
To make matters worse, the user is bound by the library's particular policies just by downloading and installing the app without ever seeing the details of the policy. From a business standpoint, this can result in a lack of accountability and makes it difficult for IT administrators to decide which app poses a security risk.
On average, each app has about nine permissions. Five of those are considered to be very dangerous since they can provide access to information that would otherwise be kept private. For example, Airpush, one of the top ad libraries in the study, collects the following data:
- Android ID
- Device make and model
- Mobile browser type and version
- IP address
- An Airpush-generated ID
- List of mobile apps installed on the phone.
- "Other technical data about your device."
- Precise geo-location including country and ZIP code.
- Device IDs including the International Mobile Equipment Identity (IMEI) number, device serial number, and the Media Access Control (MAC) address.
- Browser history and more.
If you install an app that uses Airpush, it can gain access to all this information without your knowledge. The worst part is that this broad access to private information is typical, and nothing new in the mobile app market.
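As an added illustration (not part of the original article or of the Mojave Networks study), the following Python script triages an Android manifest the way an IT administrator might when deciding whether an app, and every library embedded in it, can reach the data categories listed above. The mapping from permissions to those categories, the `com.airpush.` package prefix and the sample manifest are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the data categories the study
# attributes to Airpush; the mapping itself is an assumption for this example.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "device IDs (IMEI, serial number)",
    "android.permission.ACCESS_FINE_LOCATION": "precise geo-location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}
# ACCESS_WIFI_STATE is a 'normal' permission, granted silently, yet it exposes
# the MAC address on the study's list; worth flagging even though not 'dangerous'.
NOTABLE = {"android.permission.ACCESS_WIFI_STATE": "MAC address"}
# Component-name prefixes of embedded SDKs. Airpush is named in the study; the
# package prefix is an assumption used for illustration only.
THIRD_PARTY = {"com.airpush.": "Airpush (ad network)"}

# Constructed sample manifest, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application>
    <activity android:name="com.example.flashlight.MainActivity"/>
    <service android:name="com.airpush.android.PushService"/>
  </application>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Summarise what a manifest lets the app (and every SDK inside it) reach."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    # Every declared component runs in the app's own process, so an SDK's
    # service or receiver inherits the full permission set declared above.
    comps = [e.get(ANDROID_NS + "name") or ""
             for tag in ("activity", "service", "receiver") for e in root.iter(tag)]
    libs = sorted({lib for c in comps for pre, lib in THIRD_PARTY.items() if c.startswith(pre)})
    # Enumerating installed apps (also on the Airpush list) needed no permission
    # on Android of that era, so that capability is invisible in a manifest.
    return {
        "permission_count": len(perms),
        "dangerous": {p: DANGEROUS[p] for p in perms if p in DANGEROUS},
        "notable": {p: NOTABLE[p] for p in perms if p in NOTABLE},
        "third_party": libs,
    }
```

Run against a real APK by extracting and decoding AndroidManifest.xml first; the point of the report is which data categories an embedded ad or analytics SDK can reach, not merely how many permissions the app lists.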