Those free apps can cost you big

A new report by Juniper confirms your worst suspicions: Many free Android apps steal your location data, make calls, or access your camera without permission.

Everyone knows there’s no such thing as “free” on the InnerWebs. Everything costs something – if not money, then your personal information.

OK, fine. Tell me something I don’t know. Right?

The problem: When you spend a buck or two on an app, you know exactly what it costs. When a free app asks to track your location or comb through your contacts, however, the real cost is almost entirely hidden from view. You don’t know how that data will get “spent,” how many times it will be sold, who will have access to it, and what could happen to you as a result. All of that is invisible.

If that doesn’t concern you, well, it should.

Today’s example of Apps Behaving Badly comes from a report by Juniper Networks’ Mobile Threat Center, which looked at 1.7 million apps available on the Google Play market over the last year or so. The key finding: Free apps are far more likely to use and abuse your personal information than paid apps. To wit:

Free apps are 401 percent more likely to track location and 314 percent more likely to access user address books than their paid counterparts.

In other words, one out of four free apps tracks your location. (Only one out of 16 paid apps does this.) About seven percent comb through your address book (three times as many as paid apps); roughly the same percent of apps can initiate phone calls or access your phone’s camera without getting the A-OK from you.

The usual explanation for this rampant data gathering is that the apps need your location to deliver the services they offer, or need to access your address book to make connections with other people who use the same app, or they need this stuff to deliver targeted ads to you. And that may all be true in many cases. But Juniper found that most apps that track location, for example, aren’t part of any ad network. So what do they need this information for? Excellent question. Nobody knows.

It gets worse. The Google Play (aka Android) market is well known for having lax standards at best when it comes to screening apps. Though Google began automatically scanning all uploads for malicious code last January, malware-laden apps were still widely available on the Google Play market six months later.

According to Juniper, the worst offenders are faux gambling apps and racing games. Nearly all cards/casino/racing apps have the ability to make calls or send texts on your behalf, which can rack up steep charges for premium calls; most can also access your camera independently.

Some of these apps had legit reasons for this capability – like enabling you to capture an image to use as a background. Still, as Juniper’s Dan Hoffman notes:

An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present… Silently sending SMS messages can also be a means to create a covert channel for siphoning sensitive information from a device. Further, the potential for stealth SMS messages or calls can have monetary repercussions by communicating with services that will subsequently charge a fee, such as calling a 1-900 in the U.S. or sending premium SMS messages. 

Even if the apps do none of that, the potential for them to track your location and/or data mine your address book is reason enough to avoid them. And while Apple fanboys may take some devious joy in this report, they’re not immune. Malicious apps have found their way past the bouncers at even the highly guarded iTunes Store, and more will follow.

According to a survey of 1100 mobile app users conducted at SodaHead, some 77 percent were strongly in favor of an app rating system, similar to the ones used for games and movies. Me, I’d like to see a privacy rating system for Android and iOS apps, similar to the PrivacyScore and App Advisor services for Facebook and Web sites.

Until then, my advice is don’t be stupid. Don’t download that stupid game (it’s really not worth it, trust me). Don’t give stupid permissions to apps that don’t really need them. Don’t be a stupid cheapskate. That buck or two you spend on an app today may prove much cheaper in the long run.
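One way to act on the permissions advice above, as an added example (not from Juniper's report or the original article): a short Python audit that reads an app's AndroidManifest.xml and flags requests for the capabilities discussed here. It assumes the manifest has already been decoded from the APK's binary form to text XML; the sample manifest, the package name and the per-category allowances in `EXPECTED` are constructed assumptions, while the permission names are Android's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission names mapped to the capabilities the article discusses.
RISKY = {
    "android.permission.ACCESS_FINE_LOCATION": "tracks location",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks location",
    "android.permission.READ_CONTACTS": "reads address book",
    "android.permission.CALL_PHONE": "initiates phone calls",
    "android.permission.SEND_SMS": "sends SMS messages",
    "android.permission.CAMERA": "accesses camera",
}

# Assumption: capabilities each (hypothetical) app category plausibly needs.
EXPECTED = {
    "card_game": set(),
    "navigation": {"tracks location"},
    "messaging": {"reads address book", "sends SMS messages"},
}

# Constructed sample: decoded manifest of a made-up free card game.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freecards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Free Cards"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = [el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)]
    return [n for n in names if n]

def audit(manifest_xml, category):
    """List (permission, capability) pairs the app category does not justify."""
    allowed = EXPECTED.get(category, set())
    hits = {(p, RISKY[p]) for p in requested_permissions(manifest_xml)
            if p in RISKY and RISKY[p] not in allowed}
    return sorted(hits)

if __name__ == "__main__":
    for perm, capability in audit(SAMPLE_MANIFEST, "card_game"):
        print(f"REVIEW: {perm} ({capability})")
```

A flagged permission is a prompt to ask why the app needs it, not proof of abuse; as the article notes, some apps have legitimate reasons for these capabilities.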

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites.
