Google's Android OS has received its fair share of flack over the past couple of years for its security issues, but sometimes, it's not the company or its OS at fault: It's the third-party developers. Proof of that can be seen from the results of a recent study conducted by the same firm, Codenomicon, that discovered the major "Heartbleed" OpenSSL vulnerability that came to a head this past April.
After evaluating the top 50 apps on Google's Play Store, it was discovered that many do not play by the rules that most users would set. For example, one in ten of these apps send the device's IMEI or location data to a third-party, while one in ten connected to more than two ad networks. Close to half of the 50 apps checked sends the user ID to third-party advertising networks. A bit absurd, isn't it?
Android's OS security can only go so far...
A major problem with these apps is that a lot of them reuse code libraries which contain blocks of code that can exploit user information. As a developer, reusing code is common, because there's no reason to reinvent the wheel. But because that's being done, vulnerabilities are being looked over - vulnerabilities which could be easily discovered via sandboxing, the researchers note.
What's more concerning is that some developers might implement this code on purpose, because it can benefit them greatly because of the information that's procured - and then probably sold to ad networks. Worrying also are those people or companies who commission others to create an app for them. These folks have no easy way to verify that the app they paid to be created doesn't suffer these kinds of flaws.
As big of a problem as this all is, the solution is simple - as long as the developer is honest. As mentioned above, sandboxing is the best way to verify that an app is only doing what it's supposed to do. As for Google, it could test out each app on its own, but it's virtually impossible given the number of apps - and their individual updates - that hit the app store. More and more, it seems like anti-malware and other security apps are not so useless on mobile platforms after all.