Many Android, iOS Apps Ask for ‘Risky’ Permissions, Push Aggressive Ads: Symantec
While Apple and Google regularly upgrade their respective app store listings to limit malicious apps to some extent, Symantec has highlighted that there are tons of apps that put user privacy at risk. The company through a new research found that there are many apps available on Google Play and Apple App Store that request for permissions or excessive access to user’s personal information. Through a couple of blog posts, Symantec has detailed how personal information is gathered through different apps, and how various fraudulent apps on Google Play contain aggressive advertisement.
Symantec, the company behind Norton antivirus, downloaded top 100 free apps from Google Play Store and Apple App Store to analyse how much personal information was the user sharing with the apps, and which smartphone features the apps accessed. It was found that email addresses were the most common piece of personally identifiable information shared with apps. As many as 48 percent of the iOS apps and 44 percent of the Android apps analysed were reportedly sharing email addresses. After email addresses, it was the username that usually users enter on social networking sites or on an app. It was shared with 33 percent of iOS apps and 30 percent of Android apps, out of the total 100 apps analysed. Phone numbers were the also spotted being shared with 12 percent of iOS apps and nine percent of Android apps. Besides, it was the user’s address that was shared with four percent of iOS apps and five percent of Android apps.
Importantly, the available stats don’t fully account for the entire personal information being shared with apps. Symantec notes that several apps integrate with social media to obtain user data directly from the connected social media account.
It was found that while many apps ask for permissions to access various features on your device, some of them could be used to provide access to data or resources that involve private information of the user or could potentially affect the user data stored on the device or the operation of other devices. Symantec has termed these permissions as “risky permissions”.
“Camera access was the most requested common risky permission, with 46 percent of Android apps and 25 percent of iOS apps seeking it. That was closely followed by location tracking, which was sought by 45 percent of Android apps and 25 percent of iOS apps. Twenty-five percent of Android apps requested permission to record audio, while 9 percent of iOS apps did. Finally, 15 percent of Android apps sought permission to read SMS messages and 10 percent sought access to phone call logs. Neither of these permissions is available in iOS,” Symantec said in the blog post.
Symantec has additionally found that some apps request for extensive permissions. One such app the company pointed out is the Android horoscope app Zodiac Signs 101 – 12 Zodiac Signs & Astrology that has been downloaded more than a million times. It asks for permissions such as precise user location, access to user’s contacts, send and receive SMS messages, receive MMS messages, directly call phone numbers, reroute outgoing calls, access to phone call logs, and access to camera among others. The second such app that the Symantec team analysed was the Android flashlight app Brightest Flashlight LED – Super Bright Torch that has 10 million installs.
“Ultimately, it may be up to the user to ask if these additional features are essential to the function of the app and if it’s worth granting permissions for features that only provide marginal benefits,” the team wrote.
“Of the Android apps that require risky permissions, 40 percent have links to third-party apps. Either normal app functionality is interrupted with advertisements or there were links to third-party apps for normal functionality (for example purchase links to seller sites). Meanwhile, 16 percent of the iOS apps that require risky permissions have links to third-party apps,” Symantec said.
Google and Facebook have also separately provided the distinct ways to see what apps are using your personal data. You can review and edit what third-party apps have access to your Google account by visiting the Permissions section from the My Account section. Similarly, Facebook has provided the Apps & Websites section in the Settings menu to help you discover and edit the permissions used by each third-party apps.
In addition to apps with risky and extension permissions, Symantec has found that as many as 68 fraudulent apps on Google Play built by five different developers contain aggressive advertisements. It is alleged that there are huge discrepancies between the app content and their description as well as title. “After users install the apps, they are subjected to a series of guided screens, with advertisements popping up at every single Next button pressed. However, despite the detailed descriptions for the apps, they provide none of the described functionalities,” the company said in a separate blog post.
Notably, the installation count of the fraudulent apps spotted by Symantec ranges from 50 to 50,000. These apps promise to unlock SIM cards or transform your device into a wireless mouse. Also, some apps were found to be named after popular games and movies, such as Far Cry and 13 Reasons Why to persuade users to install them. Instead of showing any legitimate content, the apps include only an image that looks similar to their Google Play listing and aggressive advertisement pop-ups.
While Google recently promised to have removed more than 700,000 “bad” apps and 100,000 developers from the Play store, Symantec notes that some of the fraudulent apps were published on the Android app store between January and May this year.
Symantec recommends users to keep their devices up-to-date with the latest software and don’t download apps from any unfamiliar sites. Users are also advised to make frequent backups of their important data and install apps only from trusted sources.