Free gambling apps top Juniper’s security risk list

Friday November 2,  2012 : TOP RESEARCH FIRM WARNS AGAINST SOME GAMBLING APPS
 
Free gambling apps top Juniper's security risk list
 
With apps all the rage at present, a leading international research company, Juniper Networks Mobile Threat Centre, has warned mobile users to be careful with some free gambling apps, which it says top its security list.
 
Reporting on the findings Friday, the Australian newspaper The Age said that free casino gambling and racing game apps head the security risk list for smartphone users.
 
Those on the Android platform downloaded from the Google Play store are allegedly the biggest offenders, accessing device functions such as camera and address book for unknown purposes.
 
Juniper's Mobile Threat Centre found that hundreds of thousands of apps could expose sensitive data or access unnecessary device functionality, after it analysed over 1.7 million apps on the Google Play store between March 2011 and September 2012.
 
Apps traditionally collect user information to serve relevant content from third-party ad networks, but the research found there was a very low percentage of ads’ being distributed via the top five ad networks. It concluded the apps were collecting the information for other purposes.
 
In the latest study, the MTC installed the apps and checked that the description of their features warranted the permissions being requested. It also looked at how many ads were served by the apps. The figure of 1.7 million includes apps withdrawn or blocked from the Google Play store during the research, and newer versions of some apps.
 
"The report detailed concerning app "behaviours," The Age notes. "Some can discreetly initiate outgoing calls, which can be used to eavesdrop on ambient conversations within hearing distance of the mobile device; some were allowed to send text messages and create a ‘covert channel to siphon sensitive information from the device'; some can use the device's camera to potentially obtain photos and videos of the surrounding area."
 
Juniper observes that some gaming and racing apps blatantly overstepped permissions that were more than adequate for normal use.
 
Free card and casino games apps, which simply imitate popular casino games for fun, accessed a number of features without justification: 94 percent accessed phone calls, 83 percent accessed the camera, 85 percent could send SMS.
 
Racing games was the most concerning category, according to the Juniper report, which noted that during the research period there was an "abnormally high" number of apps removed from the marketplace.
 
"This category contained the highest number of applications that the MTC would consider to be newly discovered malware," Juniper observed, adding that 99 percent of paid, and 92 percent of free, racing game apps could send SMS; half of free downloaded apps could use the camera; 94 percent of free games could make outgoing phone calls.
 
To be fair, the study comments that there are some legitimate reasons to access such features. In some cases, casino apps accessed the camera so users could insert a personal background picture into the interface. Some financial apps also allowed users to call financial institutions.
 
In general, Juniper discovered that, compared to their paid counterparts, free downloads were four times more likely to track location – a quarter of all free apps were allowed to track user location – and they were three times more likely to access user address books.
 
Dan Hoffman, chief mobile security exec at Juniper Networks, said developers should better explain why an app needed to access certain features.
 
Apps should only ask for permissions if absolutely necessary to function, and they should inform users of exactly how their data and device are used, he proposed.
 
"If people choose to use free applications, they will likely need to provide information in exchange. Many do not realise that this tracking is happening and may not be making informed choices," Hoffman wrote in the MTC report.
 
One anti-hacking expert recommended that developers should be encouraged to pay more attention to security coding, and that companies like Google could help by assisting developers to better understand basic applications' security, and tightening up on enforcement through random audits.
 
Consumers, he said, also needed to take more care over what they downloaded, and what permissions they gave.