Study shows 8% of Android apps leak private data on purpose

A May study estimated 99% of Androids at risk, but that was from a flaw, not snooping apps.

It may become fashionable once again to carry a cell phone somewhere other than your pocket once news gets out of a study showing that 8 percent of the Android apps leak.

Of 10,000 Android apps surveyed, 800 leak private information about the user to either the programmer or a third-party server not authorized by the user to get the information, according to Neil Daswani, CTO of Dasient which analyzed the Android apps, who will present the full report at Black Hat in Las Vegas Aug. 4.

That level of leakage is only possible because the Android market is not rigorously controlled in the same way Apple controls the iOS applications market. Apple's control filters out much of the malware and adware Google has to keep pulling from its Apps Market, but also limits the kinds of function and content iOS users have available.

If the number of apps taking private data without permission is only 8 percent, it's a huge improvement from May, when a study from a German security firm estimated 99 percent of Android apps leaked users' identification data.

That leakage was due to a flaw in which the authentication token required for an application to continue interacting with a web site were being sent in clear text, where they could easily be intercepted by identity thieves.

Because most of those tokens identified the user but weren't tied to a particular phone, tokens that were intercepted could be used by fraudsters easily from any device they chose.

The Dasient study looked at the purposeful behavior of individual Android apps, however, not at flaws in the OS itself.

It did not release much information on what kind of data the apps are leaking, however. Daswani will reveal those details at Black Hat.

In September, 2010, however, researchers at Duke, Penn State and Intel found a large number of Android apps were sending data from the phones' GPS systems to either their developers or third parties, usually without the knowledge or permission of the owner.

Other information being poached could include what competitive apps are running on a phone, a user's phone number and address, the owner's list of other contacts with all their contact information, or simply the type of searches, requests and other uses the phone owner makes of a particular app.

Android apps ask for permission to use a range of phone resources, including the right to update themselves and access GPS or WiFi data, which they often need simply to function.

Dasient did find that 11 applications were sending SMS messages out to other smartphones – spamming other users without the Android owner's knowledge and potentially costing the owner money in per-text charges.

Users can refuse those permissions, but might lose the reason they downloaded the app in the first place. An app designed to find every coffee shop with free WiFi within a mile of your location isn't effective if it can't look at your GPS data to find out where you are, for example.

The study also examined behavior of particular pieces of malware, confirming that the most popular source of infection is the drive-by – in which malware is inserted using its open connection to the cell-phone network.

The most dangerous infections still require some action by the user – most typically a fake ad, fake request that looks like a real Android system request or other mechanism that will get the user to click "Yes" to give a bit of malware full access to the machine.

If the data leaks and progressive development of smarter malware continues, smartphones really will catch up to the full functional ability of desktop or laptop machines, an expectation projected for years by futurists who focused on the growing power of smartphones but usually ignoring the growing capabilities of the hackers intending to take advantage of them.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon