Are apps in the Android and Apple markets really secure?

Graham Cluley
Graham Cluley
@[email protected]

Google Play, iOS App StoreOne of the interesting presentations given at the Virus Bulletin conference in Berlin last week was entitled “Google and Apple markets: Are their applications really secure?”

The paper, written by Bitdefender security researchers Vlad Bordianu, Razvan Benchea, and Dragos Gavrilut, looked at risks associated with apps in the Google Play and iOS App Store, and described how an examination of over 800,000 apps found a worrying number with security issues.

Common problems included that some apps transferred sensitive information (such as usernames and passwords) over unsecured connections, uploaded address books and phone numbers, or activated GPS tracking.

How does this happen? Well, according to the Bitdefender researchers, it can be result of having app developers who are inexperienced with security issues.

Sign up to our free newsletter.
Security news, advice, and tips.

The security researchers looked at a total of 630,000 Android apps. 3.71% of them made a point of grabbing the user’s email address, and 8.38% created icons on the device’s home screen.

0.44% of Google Play apps were found to use an unencrypted connection for authentication/registration – opening the possibility of hackers stealing email addresses and passwords en route by capturing network traffic.

An example of an Android app which behaves like this is TalkBox Voice Messenger, which has millions of users.

[TalkBox Voice Messenger] sends the username and password in plain text during the registration and login phase. It also sends some less critical data, including the Android version, UDID and device name.

Sensitive information sent insecurely by an Android app

In addition, the researchers examined 240,000 iOS apps – with 0.51% found to use unencrypted connections for authentication and registration.

Examples of iOS apps which exhibited the security issue included “Runtastic GPS Running, Walking & Fitness Tracker”, “Free Books – Wattpad eBook Reader” and “SKY.FM Internet Radio”. The Bitdefender researchers say that some of these apps have since been fixed.

But it’s not just poorly-coded apps that are to blame. Third-party advertising libraries are also responsible for sensitive data being leaked out through smartphone apps.

FlashlightBordianu, Benchea, and Gavrilut highlighted the example of “Brightest Flashlight Free”, a free Android app in the official Google Play store.

The app requires you to grant it permission to access your location.

Why does a flashlight app require your location?

Because the third party in-app advertising library embedded inside it, plans to display different advertisements depending on where you are in the world.

In their testing, the researchers discovered that the app displayed a fake anti-virus warning (in their case, it appeared in Romanian).

In short, you’re not getting a free flashlight app for your Android. You’re getting a program that delivers malicious ads and can lead to a real pain in your pocket.

Beach Buggy BlitzAnd it’s not just “Brightest Flashlight Free”.

BitDefender also took a close look at “repackaged” apps.

These repackaged apps claim to be a popular, legitimate app (such as a game) but are really designed to steal private information and make money through adverts.

Over 5000 repackaged Android apps were found in the Google Play store, including bogus versions of “Beach Buggy Blitz” and “Riptide GP 2”.

Clearly there are a lot of apps which are not taking proper care of users’ privacy, and putting innocent people at risk, and the researchers’ conclusion doesn’t make for comfortable reading:

Smartphones are becoming more popular as the number of available applications grows while their prices fall. This also creates a new environment for malware, or from which private data can be stolen. Many applications are written quickly, without proper testing and with no consideration for security. This leads to high privacy risks, such as sending sensitive data in unencrypted format. In order to spread their applications widely and earn some money, many developers include advertising SDKs in their applications – which may cost users a lot more than they bargained for.

Be careful out there.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.