Juniper Networks, a leading international research company, has issued a warning against downloading and using some free gambling apps, because they pose serious security risks by collecting sensitive user information (such as address book entries) and accessing mobile device functions (camera, SMS, phone conversations, etc.) not deemed necessary for the apps’ normal operation.
During a study running between March 2011 and September 2012, the company’s Mobile Threat Center (MTC) analysed more than 1.7 million apps available on the Google Play store and found that many free casino gambling and racing game apps were major offenders. However, the figure also includes apps that were either blocked by or withdrawn from Google Play during the research period, as well as improved newer versions of some apps.
Apps for the Android platform in particular were accessing mobile device functions for unknown purposes that were not directly related to the respective apps’ functionality. During the study, MTC downloaded and installed apps and then checked to what extent their feature descriptions matched the data access requests for which users have to give their permission.
“Some [apps] can discreetly initiate outgoing calls, which can be used to eavesdrop on ambient conversations within hearing distance of the mobile device; some were allowed to send text messages and create a covert channel to siphon sensitive information from the device; some can use the [mobile] device’s camera to potentially obtain photos and videos of the surrounding area,” the study report noted.
While racing game apps were by far the biggest offenders, many free card and casino game apps also blatantly access a number of mobile device features without justification – and potentially unlawfully. According to the study report, 94% of them accessed phone calls, 83% accessed the camera, and 85% could send out SMS.
However, the study also commented on some legitimate reasons why such features are accessed. For example, some casino apps accessed the mobile device’s camera so users could insert a personal photo into the interface or their profile, or they accessed the SMS function so users could engage in chats with other users via the app.
The MTC report also noted that during the research period an “abnormally high” number of apps were removed or withdrawn from the marketplace, suggesting that marketers or developers of potentially harmful apps got wind of the study and took countermeasures in order to not expose their products to closer scrutiny.
While it is generally accepted that users of free apps need to give some access permissions in exchange for free usage and to enable the respective apps’ functioning, the MTC report called on developers to better explain why access to certain mobile device functions or data is needed and inform users exactly how these access permissions are used.
However, some of the blame was also put on the users themselves, who often grant permissions carelessly without checking whether they are actually necessary. “If people choose to use free applications, they will likely need to provide information in exchange. Many do not realise that this tracking is happening and they may not be making informed choices [when they give access permission],” Dan Hoffman, Chief Mobile Security Executive at Juniper Networks, wrote in the MTC report, adding that consumers needed to take more care over what they download and install on their mobile devices.