Smartphone users should probably be a lot more concerned about vulnerabilities and risks to their personal data posed by applications and games, based on newly released research conducted by enterprise security solutions company Positive Technologies. That’s because not only did the study find that most attacks and data theft don’t require physical access to a smartphone. The biggest vulnerabilities are actually posed by apps that are benign.
For Android, approximately 43-percent of applications are subject to “critical” vulnerabilities. The numbers aren’t much better for Apple fans at around 35-percent and the researchers note that the overall level of security risk represented by the figures is “roughly the same.”
Of all of the apps examined, data being stored insecurely is the most common vulnerability — in as many as 76-percent of mobile apps across both operating systems. That includes applications that are storing a wealth of private and personal data such as passwords or financial information but also applies to those that are used for communications between users.
Making matters worse, 89-percent of the app vulnerabilities discovered by Positive Technologies can readily be exploited by malware. That means that any of the deliberately malicious apps that often appear for smartphones could potentially access the unsecured data in question, put out there by those apps that aren’t intentionally bad.
How does this even happen?
The risk to users according to Positive Technologies primarily stem from a multitude of smaller vulnerabilities on both the server and “client” side. A significant portion of those originates from security mechanisms, at a rate of around 74-percent for Android, and server-side components, at a rate of around 42-percent.
It isn’t unusual for the risks in question to rely on users being inattentive, researchers say.
One of the most concerning aspects of the study centers around the fact that although rooting or jailbreaking a smartphone increases risk significantly, it isn’t required. Apps can readily request permissions to access a user’s device well above the scope that might be required, even if they don’t intend to misuse those permissions. That leaves pathways for malicious applications to access data.
Granting permissions to malicious apps also enables those to send data back to would-be attackers.
From those vulnerabilities, others emerge. Specifically, Positive Technologies notes that users don’t validate or verify the emails and other communications they receive as well as might be required. Since data that’s typically fairly easy to access via the vulnerabilities makes it easier for attackers to inject their own communications, complete with official-looking headers, that represents a relatively wide attack vector.
So what’s Google doing about it?
Most of the problems seem to occur at the developer level and the researchers point out that the problem starts at the design phase, before the app is built. Once built and the vulnerabilities are recognized, it’s often too late from a developer perspective since a substantial amount of code comprising the app would need to be rewritten.
As noted above, the primary issue seems to be how permissions are used and how data is stored. On the Android side of the equation, Google has already begun implementing policies that will result in apps being reviewed and removed if they use require or request access to some permissions beyond what they actually need to function.
For example, in January, the company announced a new policy that would start to revoke access to the Google Play Store for apps that access call logs and SMS permissions without requiring them with very few exceptions.
That won’t necessarily prevent issues from occurring since user vigilance about what permissions they grant and what they download plays a key role in the problem. But those types of crackdowns and removals will undoubtedly continue moving forward as the search giant looks to move toward a more secure and user-friendly ecosystem. That should ultimately create a safer if not a completely safe ecosystem.