The threats from free smartphone apps

What exactly do those app permissions imply?


As more small companies embrace the smartphone as a way to keep in touch with the office, it is all too tempting to save money by kitting out a phone with free apps. But there is a hidden cost.

Running business software on a smartphone for next to nothing is attractive, but while the developers won't make money from you directly, they can make money from selling your personal details.

We can expect apps to collect some data: a crash report that helps the developer fix problems, performance data or location data for a navigation app. But some applications collect large tranches of data, ranging from the highly personal to little snippets that can be pieced together to identify the person using the smartphone.

Research carried out by security firm Bit9 last November found that more than 100,000 Android applications on Google's Play app store were "suspicious" or "questionable" because of what they did without the user knowing. Such activity includes location tracking, contact list access, and reading through email messages - activities that go beyond the stated purpose of the app.

Information access

But what information can they glean, and how? A social media app might be installed to keep in touch with friends, but once it has been granted access to the phone's contacts it can also read the email addresses of, and other details about, company executives stored there.

An app that displays adverts could expose internal IP addresses or the keywords used for business browsing. In most cases the developers of ad-supported free apps are not aware of, or able to control, what information the third-party advertising networks collect, because the advertising library is embedded in the app and runs with the app's own permissions.

According to David Emm, Senior Security Researcher at Kaspersky Lab, it is difficult to know just what an app has been granted permission to do.

"Understanding app permissions can be a daunting process, even for security professionals. It's not always clear what the permissions allow the app to do, what data it will collect and, importantly, what it will do with that data," says Emm.
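One concrete way to answer "what do those permissions imply?" is to compare the permissions an Android app declares in its manifest against what its stated purpose plausibly needs. The following script is an added example, not code from the article or from any of the firms quoted in it: the manifest for the hypothetical "Photo Filters" app, the permission concern categories and the per-purpose allow-lists are all constructed for illustration. The permission names themselves are real Android permission identifiers.

```python
"""Audit the permissions an Android app declares against its stated purpose.

Added example for this article, not part of the original text. Parses an
AndroidManifest.xml and reports the sensitive permissions that go beyond
what an app of the given purpose plausibly needs.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the concerns the article raises (location tracking,
# contact access, reading messages). The category labels are this example's
# own grouping, not an Android classification.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.READ_SMS": "reading messages",
    "android.permission.RECEIVE_SMS": "reading messages",
    "android.permission.GET_ACCOUNTS": "account enumeration",
    "android.permission.READ_CALL_LOG": "call history access",
    "android.permission.RECORD_AUDIO": "microphone access",
}

# Hypothetical allow-lists: what an app of each purpose legitimately needs.
# A real policy would be agreed per app; these are illustrative only.
EXPECTED = {
    "photo": {
        "android.permission.CAMERA",
        "android.permission.INTERNET",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "navigation": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed manifest for a hypothetical free photo-filter app that also
# bundles an advertising SDK. The SDK has no manifest entries of its own:
# it runs inside the app's process and inherits every permission below.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilters">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Photo Filters">
        <meta-data android:name="com.example.ads.APP_ID" android:value="demo"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> in document order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    ]


def audit(manifest_xml: str, purpose: str) -> dict[str, str]:
    """Map each sensitive permission not justified by `purpose` to its concern.

    `purpose` must be a key of EXPECTED; unknown purposes raise KeyError so a
    misconfigured policy fails loudly rather than passing everything.
    """
    allowed = EXPECTED[purpose]
    return {
        perm: SENSITIVE[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE and perm not in allowed
    }


if __name__ == "__main__":
    for perm, concern in audit(SAMPLE_MANIFEST, "photo").items():
        print(f"{perm}: {concern}")
```

Running the script against the constructed manifest flags the location, contacts and accounts permissions for a photo app; the same manifest audited as a "navigation" app would flag only contacts and accounts, which is the article's point that a permission is questionable relative to the app's stated purpose, not in isolation.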

Data collected by apps, when in the wrong hands, could easily be used to carry out sophisticated spear-phishing attacks.

Harry Sverdlove, Bit9's Chief Technology Officer, says of these apps that they "perform questionable tasks and have access to private information, which represent a risk to enterprises."

He adds that a large percentage of mobile apps are accessing more information on their devices than people realise, and "when those devices are holding both corporate and personal data, this is a problem for individuals and their employers".

Protection measures

So what can a small business do to protect information on mobile devices? Emm says that organisations need to implement anti-malware protection on smartphones, to defend against the growing number of threats.

"They also need to develop a wider security strategy that incorporates every aspect of how staff conduct business – including, but not limited to, mobile devices," says Emm. "This includes weighing up the risks and benefits from adopting a 'bring your own device' approach and developing a policy for staff on how to reduce the risks from mobile devices."

This should include not rooting the device, avoiding public Wi-Fi networks for confidential transactions, not relying solely on a simple PIN and only installing apps from trusted sources.

"Employees need to understand that they are handling business data and that they share responsibility for ensuring its security," Emm adds.

Mark James, Technical Team Leader at internet security firm ESET UK, says organisations should limit the type of apps installed on a device.

"It sounds simple, but games or apps can and will often send a variety of data off to other countries or areas, which don't have the same legal data protection that the EU has," James says.

"A mandatory message is presented to users with an option to view what the apps will send, but often no option is presented to choose what is or is not allowed to be sent. Users either want the app or not, and sadly most people choose 'want' over security."

McAfee's EMEA Chief Technology Officer, Raj Samani, says that in addition to controlling which applications can or cannot be installed on the device, it is important to detect any attempts to circumvent the security of the device.

"This refers to the ability to identify any modified devices, such as 'jailbroken' phones," he says. "All of these features, as well as other key mobile security controls, should all then be able to be easily managed."