The riskiest mobile app categories in February were communication and social media, according to the “Marble Security Mobile App Threat Report March 2014.”
Based on an analysis of more than 200,000 Android apps in 34 categories, Marble Security found that the least risky apps were games, app widgets and wallpaper. Experts measured threats according to privacy, data leakage, account takeover, device takeover and malware.
The scores were weighted based on the permissions that an app requests as well as the APIs it can call and the code execution. The study also analyzed whether sensitive data was actually sent from a device. If an app scored two standard deviations above the mean, then it was deemed risky. Categories of apps were ranked by the percentage of risky apps they included.
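The scoring method described above, sketched as an added example that is not code or data from the Marble Security report: apps get a weighted score, anything above the mean plus two standard deviations is flagged, and categories are ranked by their share of flagged apps. The weights, the app names and ratings, and the choice of a population standard deviation computed over all apps are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed weights: the report names these threat dimensions but does not
# publish how it weights them.
WEIGHTS = {"privacy": 1, "data_leakage": 2, "account_takeover": 2,
           "device_takeover": 3, "malware": 3}
DIMS = tuple(WEIGHTS)

# Constructed sample data: (app, category, ratings in DIMS order, 0-10).
APPS = [
    ("chat_a", "communication", (9, 9, 8, 6, 5)),
    ("chat_b", "communication", (3, 2, 1, 1, 0)),
    ("chat_c", "communication", (2, 2, 1, 0, 0)),
    ("soc_a", "social", (8, 8, 8, 6, 5)),
    ("soc_b", "social", (2, 1, 1, 0, 0)),
    ("soc_c", "social", (3, 2, 2, 1, 0)),
    ("soc_d", "social", (2, 2, 1, 1, 0)),
    ("game_a", "games", (1, 1, 0, 0, 0)),
    ("game_b", "games", (2, 1, 0, 0, 0)),
    ("game_c", "games", (1, 0, 0, 0, 0)),
    ("game_d", "games", (2, 2, 1, 0, 0)),
    ("wall_a", "wallpaper", (1, 0, 0, 0, 0)),
    ("wall_b", "wallpaper", (0, 0, 0, 0, 0)),
]

def weighted_score(ratings):
    """Weighted sum of the per-dimension ratings."""
    return sum(WEIGHTS[d] * r for d, r in zip(DIMS, ratings))

def classify(apps, k=2.0):
    """Return (threshold, names of apps scoring above mean + k * stddev)."""
    scores = {name: weighted_score(r) for name, _, r in apps}
    values = list(scores.values())
    threshold = mean(values) + k * pstdev(values)
    return threshold, {n for n, s in scores.items() if s > threshold}

def rank_categories(apps, risky):
    """Rank categories by percentage of risky apps, highest first."""
    totals, flagged = defaultdict(int), defaultdict(int)
    for name, category, _ in apps:
        totals[category] += 1
        flagged[category] += name in risky
    pct = {c: 100.0 * flagged[c] / totals[c] for c in totals}
    return sorted(pct.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    threshold, risky = classify(APPS)
    print(f"threshold={threshold:.2f} risky={sorted(risky)}")
    for category, share in rank_categories(APPS, risky):
        print(f"{category:15s} {share:5.1f}% risky")
```

Because the cutoff is relative to the population, it flags outliers rather than apps that exceed an absolute risk level: if most apps in the sample over-request permissions, the mean and standard deviation rise and the bar for "risky" rises with them.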
The company pointed out that communication apps are riskier than previously thought because they can put corporate databases at risk if used by employees on devices that have not been analyzed. The apps mine contact databases, which can be particularly dangerous if the databases get information and updates from the corporate Active Directory. In that case, the apps can mine data and send it out to third parties via the internet. The same holds true for information on phone call logs and SMS.
Marble Security Founder and CTO Dave Jevans told SCMagazine.com in email correspondence that WiFi networks pose a major threat.
“People connect to up to 10 networks per month, and those networks do not have security controls that companies can audit,” Jevans said.
Given the steady stream of reports concerning leaky game apps, the most surprising statistic of the report is that the games category was ranked the least risky.
“This was a surprise to us too. The reality is that most games are focused on getting the user to click on ads or buy virtual goods or pay for the app,” said Jevans. “Games are also very difficult to develop, so we do not see many malicious apps that pretend to be a game. It’s much easier to create a simple app that steals data from your phone and pretends to be a video app or banking helper app.”
Jevans said that app developers need to be ever vigilant in boosting security. They should “focus on authentication, encryption and key management,” he explained. He advocates for the encryption of all app data.
“Network encryption needs to use mutual authentication with true certificate chain validation,” he said. “And developers need to think about key management, key storage and authentication to those keys.”
To better protect themselves and their companies against risky apps, Jevans recommended that users only download apps from the major app stores, not enter usernames or passwords into websites sent over email or text message, and “just like on your home and work computer, get a mobile security product that can detect and prevent attacks against your data, personal data and history.”