Study: 100K Android apps may pose BYOD security risk

Convenience, not security, appears to be driving the growing trend toward BYOD policies.

IT security specialist Bit9 has released new research showing that more than 100,000 Android applications in the Google Play store (25 percent) pose a security risk to mobile device users and the enterprise networks to which they connect. The research project examined the security permissions of more than 400,000 Android applications.

Bit9 says it focused on Google Play applications because more smartphones today run Android than any other operating system. Criteria for defining an application as “questionable” or “suspicious” included the permissions requested by the application, categorization of the application, user rating, number of downloads, and the reputation of the application’s publisher. In its examination of the more than 400,000 Android apps, Bit9 found that 72 percent use at least one high-risk permission.

In addition, the report found that: 42 percent of applications access GPS location data, and these include wallpapers, games and utilities; 31 percent access phone calls or phone numbers; 26 percent access personal data, such as contacts and email; 9 percent use permissions that can cost the user money.

See also:White paper targets enterprise BYOD challenges

“A significant percentage of Google Play apps have access to potentially sensitive and confidential information,” comments Harry Sverdlove, chief technology officer for Bit9. “When a seemingly basic app such as a wallpaper requests access to GPS data, this raises a red flag. Likewise, more than a quarter of the apps can access email and contacts unbeknown to the phone user, which is of great concern when these devices are used in the workplace.”

In addition to the above research, Bit9 also conducted a survey of IT security decision makers who collectively influence mobile device usage policy for more than 400,000 employees. Almost three quarters of those surveyed said their organization allows employees to bring-your-own-device (BYOD) to work and access company email, calendar and scheduling -- a potentially risky decision, given the significant percentage of applications Bit9 found with access permissions to these programs.

According to Bit9, of the IT security decision makers surveyed: 78 percent feel phone makers do not focus enough on security -- but 71 percent allow employees to bring their own smartphones to the workplace; 68 percent rank security as their most important concern when deciding whether to allow employees to bring their personal devices to work -- but only 24 percent of companies employ any sort of application control or monitoring to know what applications are running on employees' mobile devices.

More coverage:
Wi-Fi sensor eases BYOD challenges

Only 37 percent of respondents said they have deployed any form of malware protection on employee-owned devices. Additionally, 84 percent of respondents believe iOS is more secure than Android. Bit9 says the results of the research project "spotlight an interesting -- and disturbing -- policy contradiction: While the majority of organizations allow employees to bring their personal devices to work and connect to the company network, the organizations have little visibility into the privacy and security risks the mobile applications on the devices pose to the companies' networks."

In sum, convenience, not security, appears to be driving the growing trend to allow BYOD policies. Bit9 says its survey "highlights a clear call to action for companies to realize that when employees access company data from a smart device, their intellectual property is being put at risk."

View the full Bit9 research report, as well as a video and infographic on the survey results.


More in IP Security & AV