In the economy of mobile apps, you are less a consumer of software than consumed by it. That's according to security firm Zscaler that has analysed the surprisingly intrusive permissions demanded by many popular Google App store apps before they will allow a download to start.
After looking at 75,000 popular apps from Android central (based on detections through its cloud mobile filtering), the firm discovered that 68 percent required the user to agree to the ability to send SMS messages, one of the main mechanisms apps use to charge users.
Of these, 28 percent were also able to gain access to SMS, a risk because it could be abused to spy on mobile authentication of the sort used by online banks and other services such as Gmail, PayPal and Twitter.
In Zscaler’s view, the most risky permissions coveted by legitimate apps cover SMS, GPS and phone call access, the ability to read personal information on accounts and the device being used, and access to the address book.
The firm rightly points out that even experienced users will give permission for apps to access these kinds of data because not doing so often means that the app can’t be downloaded. This calls into question the whole permission-based model used not only by Google’s Android but all mobile platforms.
Plotting other permissions, Zscaler also found that 36 percent accessed a user’s location, 46 percent its phone state (IMEI and SIM card information), 10 percent the address book with 4 percent even checking the calendar.
There are legitimate reasons why an app would want to study some or all of these with the most intrusive being Google’s own apps. But many other apps ask for intrusive permissions as part of a business model built on offering a free app inside of which is embedded an ad network whose intention is to gather as much information as they can the better to target their wares.
Address book permissions are often part of a model in which an app is promoted en masse via a user’s address book contacts. Sometimes this happens with the user’s consent but not always – complaints about address book hijacking have become legion on some Android messaging apps, so much so that this promoted Google to change its terms and conditions for developers earlier this year.
“While Android was once the open and transparent rebel to Apple’s rigid and restrictive iPhone, it has of late taken on more the image of a questionable rogue,” said Zscaler, perhaps a slightly harsh judgment.
The web of permissions has spurred the growth in a security apps that analyse them on behalf of the user. For the time being this looks like the only rational way to keep on top of the issue.
On top of this are vulnerabilities in Android itself such as the flaw discovered by German outfit Curasec last week that would allow an app running on any version prior to 4.4.4 to make unauthorised phone calls.