As Facebook changes Messenger, 'risky' app behavior on the rise

A new report says that the risks associated with mobile apps are continuing to rise, particularly for free apps on the iOS and Android platforms.

A man walks past banners advertising smartphones by Samsung and Apple at a mobile phone shop in Seoul, South Korea, Nov. 22, 2013.

Han Sang-kyun/Yonhap/AP/File

August 11, 2014

How secure is the data on your smart phone?

That's the question posed by a new report from Appthority, a mobile app risk management company based in San Francisco. Taking the top 100 free apps and the top 100 paid apps from both iOS and Android, the report analyzed "risky behaviors" that include apps sharing users' information with advertisers, allowing for in-app purchases, and tracking users' location.

According to the report, these risky behaviors are on the rise. In one telling example, Facebook has been forcing users to switch to its Messenger app instead of sending messages from within the Facebook mobile app. This practice has caused concern among users, particularly among Android owners, because in order to install the app, Facebook requests access to a variety of features on users' Android devices, such as contacts, calendar, and location settings.

By way of explanation, Facebook says it needs access to this type of information to enhance the user experience. "We use these permissions to run features in the app," reads a Facebook post detailing the reasons the Messenger app requires information stored on a smart phone. 

For its part, the Appthority report shows that more iOS paid apps pose risks than Android paid apps. Ninety-three percent of all top iOS apps demonstrated risky behavior, as opposed to 89 percent of Android apps. But 99 percent of free apps on both platforms demonstrate some sort of risky behavior, the report states. 

A key cause for concern stems from the trend in people downloading apps onto personal devices that they also use for work. As people's personal and corporate data intermingle, outside parties such as advertisers can access information users have stored on their devices, according to the report. And that could include an entire address book of business contacts or meeting minutes stored in your calendar. 

"Work data now lives on the device next to personal data," says Domingo Guerra, Appthority president and co-founder. He says that having important business data transmitted to third parties not only increases the amount of spam an office receives – from advertisers targeting people’s corporate contacts – but also increases the likelihood of corporate secrets being leaked.

"Advertising networks and the app developers themselves, they're not specifically targeting corporate data," he says. "But they're targeting app data and user data, which might include corporate data." 

Still, users tend not to be as vigilant in protecting their mobile data as they would with, say, their computers, according to Mr. Guerra. With computers, he says users have learned over time to begin guarding against potential viruses and hacks, evidenced by the recent discovery of a Russian group that has allegedly amassed more than a billion usernames and passwords.

Nevertheless, there's an "inherent trust" in smart phones. 

"We carry the device with us 24/7," he says. "It's always on, we have our family pictures, our social information, our corporate information, our games, our banking information, on our device. But then we don't really seem to care about what apps we're installing." 

He further noted the risks associated with in-app purchases, which have become an important line of revenue for developers looking to monetize their apps. Because users often opt to download free apps, developers feel compelled to make money in other ways. This typically takes the form of sharing users' data with advertisers. But it also comes from creating avenues for users to spend money within the app itself, be it downloading app upgrades, or adding "premium content" to the app. Fifty-eight percent of the top free Android apps and 55 percent of the top free iOS apps allow for in-app purchases, according to the report. 

Recent months have seen a string of complaints targeted at these types of purchases, notably from unknowing parents whose children have purchased items in apps that were ostensibly "free." Last month, the US government filed a lawsuit against online mega retailer Amazon for taking in millions of dollars through in-app purchases. This primarily came from children racking up purchases on games downloaded from the Amazon App Store that their parents later found on their bills. Similarly, the European Commission, responding to large numbers of consumer complaints, is pushing to make developers omit the word "free" from any app that allows for in-app purchases.

But Guerra says that individual consumers also have the ability to influence how apps are built and when they get access to sensitive information stored on phones. He says it begins with stepping back and questioning why an app is asking you to hand over information.

"My advice would be to step back and ask, 'why does a flashlight app need access to my address book or my calendar?' " he says. As consumers, "we have the opportunity to change how the apps are going to be built in the future by raising our standards of what we accept into our devices."