Just days after the last mobile security report that emphasized Android malware is up 580 percent, here’s another one that should make you more worried than you need to be. The 14-page report from security firm Bit9 is titled “Pausing Google Play: More Than 100,000 Android Apps May Pose Security Risks” (PDF) and has the following key finding: “72 percent of all Android apps (more than 290,000) access at least one high-risk permission.” The rest of the report focuses on why companies should be wary of staff bringing their devices to work and makes statements such as “10 apps on the average employee’s personal device could have some level of suspicious activity.”

Is this more FUD? Yes indeed; let’s break down the data. Bit9 evaluated more than 400,000 apps on Google Play and found that:

  • 72 percent of all Android apps (more than 290,000) access at least one high-risk permission.
  • 21 percent (more than 86,000) access five or more.
  • 2 percent (more than 8,000) access 10 or more permissions flagged as potentially dangerous.

Wait a minute, those numbers seem smaller than they should be. Last we heard, Google Play has over 700,000 apps, so 72 percent is definitely not 290,000, and so on. It turns out Bit9 only evaluated 400,000 apps.

Unless you go ahead and evaluate all the apps, your results are going to end up a bit skewed. While Bit9 did go over more than half of the apps, available, it’s unfortunate that it didn’t simply go all the way and do them all. That would have required more work, but it would have given more accurate results.

There was a way to do less work, however, but still get more accurate results. Many apps are never downloaded, or are downloaded but not installed. How many of those 8,000 apps above do you think actually get downloaded, installed, and used? Most Android users just stick to the popular apps. As such, if Bit9 had evaluated a set number of the top apps (say 100,000), its findings would have been much more useful.

Don’t get me wrong: there are tons of Android apps out there, even on the Google Play store, which ask for more permissions than they need, for one reason or another. It’s important for all users to only install apps which do what they claim to. All I’m saying is that the number of questionable Android apps is not being portrayed accurately here.

Bit9 had this say about its results:

We determined the risk level by relating the degree of privacy intrusion or the capability of the permission (e.g., ability to wipe devices or change systems settings). Risk levels, however, do not attribute malicious activity to the identified apps, but allude to the capability of the app to do damage if compromised. Many apps also ask for permissions that are not essential to their advertised functions. Another concern is the significant level of variant apps in relation to popular “known” titles. For example, of the 115 apps that contain the words “Angry” and “Birds” in the title, only four are from
Rovio Mobile (the official publisher of the Angry Birds app). Among them, “Angry Birds Live Wallpaper” requests twice as many permissions as the original Angry Birds game app, including fine-grained GPS location tracking.

Right, it’s important to distinguish that we aren’t talking about malware here, just apps requiring permissions they probably don’t need. Always look at what permissions an app is asking you before installing it.

Image credit: Ricardo Becerra