SMobile Systems, a company that sells Android security for $29.99 per year, has released a report that indicates one of every five of Android applications access your private data. Of course, discovering that you have unwittingly allowed a stranger to peek into our private life is enough to make a person turn their back entirely on a given platform’s mobile apps that have access to, say, financial information. However, having access to data does not indicate the distribution or misuse of it.
SMobile Systems utilizes an automated analysis system that logs the permission requests of applications. The data is then interpreted to assess security risks:
“Since is possible to identify whether an application may be malicious by the permissions it requests, a large scale analysis of the Android Market was conducted to gain further insight into its applications.” [emphasis added]
After analyzing over 48,000 apps in the Android Market via this largely automated process, SMobile Systems determined, among other things, that:
*383 applications were able to read or use authentication credentials from other apps
*29 applications request identical permissions as software considered malware by SMobile Systems
*8 applications request permissions that, if allowed, would facilitate the capability of bricking a device.
The report also indicates that a number of apps can make phone calls or send SMS messages that could incur substantial charges for the phone owner, though the purpose for such capabilities and the criteria for maliciousness are not established in the report; only applications’ technical abilities.
As frightening as the test results are, remember that the report belongs to, and was funded by, a security firm with software to sell. While I do not doubt the soundness of their data collection methods or that security threats are present in the Android Market, SMobile Systems’ interpretation of the data and the wording of their presentation of that data could easily be called into question. Please read the report for yourself here.