Google Android might have enjoyed massive growth over the past few years—research firm IDC recently estimated that the mobile operating system accounted for 75 percent of the 181.1 million smartphones shipped in the third quarter of 2012—but that popularity comes with a significant price: a new report from security firm Bit9 suggests that 25 percent of the apps in Google Play, Android’s apps marketplace, are either “suspicious” or “questionable.”
Bit9 analyzed more than 400,000 apps (out of the store’s reported tally of 600,000), judging the aforementioned 25 percent suspicious or questionable “based on the permissions requested, categorization of the app, user rating, number of downloads, and the reputation of the publisher,” according to the summary accompanying the report.
That means a much-downloaded app from a company like Microsoft or Google that does not access high-risk permissions is considered “green/trusted,” while an app from an unknown publisher that can access personal information, and which has been downloaded relatively few times, counts as “potentially unsafe.” Other apps fall somewhere in the range between those two extreme examples.
Bit9 then “leveraged this data in relation to a targeted survey of IT security decision makers.” The results could give executives reason to worry: while 71 percent of respondents indicated “their business allows employees to access company networks using their personal devices, only 24 percent of the respondents’ companies “have some level of app monitoring or control in place.” The survey involved 139 IT security decision makers with collective oversight of more than 400,000 employees.
That’s worrisome on a number of levels. If an employee’s using their personal Android smartphone for work, and a quarter of the dozens of apps installed on said device are suspicious in some way, that potentially exposes an organization’s data to all sorts of bad actors.
“In our survey, 96 percent of employers, who permit personal devices to access their networks, allow employees to connect to company email and contacts,” the summary added. “So as more companies allow their employees to access their organizational data from personal devices, employers must recognize the treats to their intellectual property posed by unmonitored devices.”
Bit9 recommends a combination of employee education, preventing use of rooted/jailbroken devices in a work context, and the establishment of security measures such as screen locking and PINs as best practices for protecting data. It also advocates preventing the use of apps from third-party markets on devices with access to organizational data: “In general, users should stay away from public app markets that lack trustworthiness.”
Image: Stuart Miles/Shutterstock.com