Apps like Facebook are collecting all the information they can from your phone, but at least they are clear about it: the app requires the user to grant it permission to access parts of the phone. Not every app is so forthcoming, and that is becoming a problem for CIOs.
The mobile security firm Lookout has found that 5 percent of advertisement-supported apps in the Google Play store contain code from ad networks whose practices are so aggressive that they look like malware. Lookout’s official blog states:
Our research shows that select ad providers access personal information (including email, phone number and name) without clearly notifying the user. Many of these ad providers also use aggressive mobile ad delivery techniques that can confuse users, like changing bookmark settings or delivering ads outside the context of an individual app. Out of the vast pool of apps we analyzed, we found 5% use an aggressive ad network. That might seem like a small percent of apps, but those apps account for more than 80 million downloads, affecting millions of people.
There are nearly half a million apps in the Android market, many of them free. Most "free" app developers monetize their work through advertisements served by several ad networks, including Google’s AdSense. The majority of free apps in the Google Play Store are not designed to spy on users, and their developers are only looking for a legitimate way to get their effort compensated. But some of those networks serve ads that aggressively mine information from our phones, and some install additional software on the device to continue tracking even when the app is not active.
"Aggressive ad networks are much more prevalent than malicious applications. It is the most prevalent mobile privacy issue that exists," Kevin Mahaffey, Lookout's technology chief and co-founder, told Reuters in an interview.
At the very least, a casual user could find these tactics annoying. At the worst, they can create a serious security problem for enterprises. With BYOD commonplace, CIOs have little control over the types of apps that are going onto devices in corporate use. If an enterprise user decides to try a new game, and the app’s advertising network installs malicious code on the phone, confidential information such as access codes, corporate data, and private contacts could start falling into the wrong hands.
One way around the problem is training your users to avoid suspicious-looking apps. For instance, I refuse to use an app that wants to check my phone calls, contacts, or any other information not necessary for the app to work. That additional information is not for them, but for the ad network. For example, the popular flight-search app Kayak can see and modify my calendar; gather information about my phone, including provider and phone number; send emails without my knowledge; and read/write my SD card. But the only thing I can do with the app is look for flights, hotels, and rental cars. The popular game Angry Birds has similar permissions.
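The permission-versus-purpose check described above can be turned into a simple vetting rule. The following is an added example, not code from the article or from Lookout: the permission names are real Android manifest permissions, but the "travel search" baseline, the sensitive-permission list, and the mapping of the Kayak description onto specific permissions are assumptions, and the declared list is constructed sample data, not taken from any APK.

```python
# Added example: flag permissions an app declares that its stated purpose does
# not plausibly need. Baseline and sensitive sets are assumptions for this demo.
from typing import Dict, FrozenSet, List

# Assumed baseline: what a travel-search app needs to search flights and hotels.
PURPOSE_BASELINE: Dict[str, FrozenSet[str]] = {
    "travel_search": frozenset({
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_COARSE_LOCATION",
    }),
}

# Permissions that expose identity or personal data. Declared outside the
# baseline, they are the signal the article describes: data for the ad network.
SENSITIVE: FrozenSet[str] = frozenset({
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
})


def audit_permissions(purpose: str, declared: List[str]) -> Dict[str, List[str]]:
    """Split declared permissions into expected, excess, and sensitive excess."""
    baseline = PURPOSE_BASELINE[purpose]
    excess = sorted(p for p in declared if p not in baseline)
    return {
        "expected": sorted(p for p in declared if p in baseline),
        "excess": excess,
        "sensitive_excess": [p for p in excess if p in SENSITIVE],
    }


def verdict(purpose: str, declared: List[str]) -> str:
    """Policy decision: any sensitive permission beyond the baseline blocks approval."""
    return "block" if audit_permissions(purpose, declared)["sensitive_excess"] else "allow"


# Constructed sample modelled on the article's description of the flight-search
# app (calendar, phone state, accounts for mail, SD card); not a real manifest.
KAYAK_LIKE = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
]

if __name__ == "__main__":
    print(audit_permissions("travel_search", KAYAK_LIKE))
    print(verdict("travel_search", KAYAK_LIKE))  # block
```

In practice the declared list would come from the app's manifest (for example via an MDM inventory), and the baselines would be maintained per approved app category.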
Another solution for users is to choose the ad-free paid version of popular apps. In fact, E2 published an article urging CIOs to buy cheap, popular apps for their users. Of course, the "free to try before you buy" structure of most apps means employees might be tempted to download the free version before paying for the full one, and by then the damage is done.
As mentioned many times on Enterprise Efficiency, companies with corporate users need to ensure the security of their mobile devices by allowing only certified apps to be used. This is easier said than done, considering that enterprises don’t provide the phones and rarely have access to them. If you’re going to be secure, you need to change the habits of your employees.