Enterprise mobility specialist Appthority looked at 400 apps: the top 100 free and paid apps for both iOS and Android. It applied static, dynamic and behavioral analysis on each app, looking for specific behaviors. The results are both to be expected and surprising: expected in that free apps are riskier than paid apps; surprising in that iOS apps are riskier than Android, and that as many as 83% exhibit at least one risky behavior.
This, warns the report, has implications for both the consumer and businesses that allow BYOD in the workplace. "When employees own the device," it notes, "companies can’t necessarily dictate which apps employees may or should be allowed to download. Even more challenging is the task for organizations to identify which mobile apps put corporate data at risk versus which apps are benign."
A point in question is monitoring the unique device identifier (UDID). "Access to UDIDs is a concern," says Appthority, "because developers could correlate user behavior across multiple apps (even if they have different user names and passwords) and then match them to a unique user." Seventy-eight percent of the most popular free Android apps identify the user's UDID. The surprise, however, is that 6% of iOS apps do similar, even though Apple has specifically prohibited it.
Identifying the UDID is the only area in which Android apps are riskier than iOS apps. Overall, 91% of iOS apps exhibit at least one risky behavior, while 80% of Android apps do similar. A primary motivation for these behaviors is increased monetization of the app; and for this reason it is not surprising that free apps do so more than paid apps.
Two popular methods for increasing revenue is to share user data with marketing companies, and the inclusion of in-app purchasing. For the former, app developers are sometimes paid by the amount of data they collect and share. "Have you ever noticed an app that’s constantly running in the background (that really has no need to)? It’s possible that it’s tracking your location and sharing it with outside parties for advertising purposes."
While developers often ask for such permissions, "unfortunately that’s not always the case; or, the language they use is intentionally deceptive." Free apps are more likely to gather personal data than paid apps: 72% of the top free apps track for the user's location, compared to 41% of paid apps. But it's not limited to free apps: 39% of paid iOS and 16% of paid Android apps still share data with ad networks.
The second method for monetizing the app is in-app purchasing. Surprisingly, perhaps, more paid iOS apps (59%) support in-app purchasing than free iOS apps (58%), even though they already have a revenue stream through the purchase price. This is reversed in Android, where 24% of paid apps offer in-app purchasing, against 42% of free apps. The risk here is more for the consumer where children engage in in-app purchasing that parents don't discover until faced with the bill.
The only way to avoid these problems is to spend more time on app risk management in order "to prevent security and corporate privacy risks, from the location tracking of executives to leaked corporate data," warns Appthority.