It’s 2019, and digital scammers are going mobile. Do you know what your permissions allow?
An analysis of 30,000 iOS applications released Wednesday by Wandera shows that social networking, weather, and e-commerce apps request access to lots of valuable information about users. Sixty-two percent of the iOS apps examined sought permission to a user’s photo library, while 55 percent requested camera access and 51 percent wanted to know a mobile user’s location.
While app developers said they sought user permissions for a number of reasons — typically for functionality or for marketing purposes — Wandera’s research demonstrates the different risks mobile-device users can be up against, depending on what’s in their pocket. While hackers may exploit Androids to steal financial information or mine for cryptocurrency, iOS apps may abuse user trust for reasons that are less clear-cut.
The London-based company’s previous research found that most Android apps asked for permission to connect to technical functions, such as full network access, a view of which other devices have been connected or controls over sleeping or controlling vibration.
Apps for iOS, by contrast, more often seek permission to use more sensitive functions, such as activating the microphone or taking photos. That kind of high-level access should compel users to question whether they really need an app and, if so, whether granting that access presents any risks, said Michael Covington, vice president of product at Wandera.
Granting an app permission does not create a security vulnerability. But researchers in the past have found examples of developers abusing their privileges.
“It’s less about the threats, and more about if you’re comfortable working with the app developer on the other side,” he said. “On the Android side, there’s more of a malware threat. With Apple … there are different types of permission you can request as long as it doesn’t intrude on user privacy.”
“On Android its easier to identify malicious applications and to clearly differentiate [between them],” Covington said.
The risk of blind trust in Apple’s App Store has been on display before, such as when researchers discovered that 14 video game apps for iOS were communicating with a server known to host the Golduck malware.
Numerous investigations, including one by the New York Times last year, found that both iOS and Android apps share data in ways their users often are not aware.
“You don’t know the business relationships these app developers have with other companies,” Covington said. “A lot of the time it’s the data that’s being collected and shared on a channel we don’t have visibility into. That’s why you’ve got to review what these app developers are doing.”