Apple apps are more risky than Android when it comes to location tracking, sharing data with third parties and weak authentication.
According to analysis by Appthority of 400 paid and free apps offered for both iOS and Android, 95 per cent of the top 200 free apps on iOS and Android exhibit at least one risky behaviour. While 80 per cent of paid-for apps demonstrate risky behaviour, Appthority said that iOS apps are riskier overall than Android apps – 91 per cent contain risky behaviour as opposed to 83 percent on Android.
Appthority found that 95 per cent of the top 200 free apps on iOS and Android exhibit at least one risky behaviour, and commonly these are location tracking weak authentication, sharing data with ad networks, accessing the contact list, or identifying the user or UDID.
While Android apps tend to collect more information about the user and the user’s mobile activities than their iOS counterparts, Michael Sutton, director of security research at Zscaler, said that both iOS and Android permit apps to collect a significant amount or personal data including device and personal information, as this is a necessary component of an ecosystem that heavily relies on free apps.
“While Apple has taken steps to curb apps that directly track device identifiers such as the UDID, developers are simply adapting and collecting other identifiers, such as MAC addresses,” he said.
“In short, both Apple and Google permit the collection of device/personal data and do so by design. An important difference exists in how the end user is informed of and consents to the collection. With iOS apps, the user consents as functionality is required as opposed to Android which requires up front acceptance of all needed functionality when an app is first installed. A downside to the Android approach is that end-users tend not to take the time to understand what they’re consenting to and blindly accept whatever is requested in order to get the app installed.”
Research by RiskIQ found that the number of malicious apps has increased by 388 per cent between 2011 and 2013, while the number of malicious apps removed annually by Google has dropped from 60 per cent to 23 per cent in that period.
Elias Manousos CEO of RiskIQ, said: “Malicious apps are an effective way to infect users since they often exploit the trust victims have in well known brands and companies they do business with like banks, insurance companies, healthcare providers and merchants.
“Our unique visibility directly into App Stores allows us to shine a light on this problem and prevent attackers from impersonating brands to exploit their customers.”
Sutton said that the greater concern, outside of aggressive app permissions which request device/personal data, is the number of apps which are poorly coded and are vulnerable. “It is frighteningly common to find apps that expose users to security issues such as leaking passwords in clear text or are vulnerable to basic web security vulnerabilities such as cross-site scripting (XSS),” he said.
“While Apple and Google acting as app store gatekeepers do a reasonable job of filtering out malicious apps, they need to improve their efforts when it comes to filtering out vulnerable applications.”