How to Protect Yourself from 'Risky' Mobile Apps

A new report from Appthority found that 95 percent of the top free Android and iOS apps pose some risk to users, compared to 80 percent of the top paid apps. Mobile apps reviewer James A. Martin shares tips on how to protect yourself and your data from "risky" apps.

Free apps in the iTunes and Google Play stores are overwhelmingly riskier to your privacy and security than paid apps, according to new research, which suggests the old adage is still true: When you don’t pay for a product, chances are you are the product.

It probably wouldn’t surprise CIOs, but I suspect many consumers download free apps without a second thought. Appthority’s latest "App Reputation Report" (available as a free PDF download) gives good reason to exercise caution. Here are some notable findings from the report:

  • Of the top 200 free iOS and Android apps, 95 percent "exhibited at least one risky behavior." Risky behaviors, as defined by Appthority, include location tracking; accessing the user’s address book; use of SSO, or single sign-on (such as using your Facebook credentials to log into a non-Facebook app); UDID, or the practice of identifying the user; in-app purchasing; and sharing information with ad networks and analytics companies.
  • By comparison, 80 percent of the top 200 paid iOS and Android apps exhibited one or more risky behaviors. While that’s better than the free apps, 80 percent is still a high percentage.
  • Among free apps, location tracking was the most prevalent risky behavior, with 70 percent of free apps tracking the user’s whereabouts. Only 44 percent of paid apps used location tracking.
  • Free apps are more likely than paid apps to use single sign-on, share data with ad networks and analytics, and perform other potentially risky behaviors.
  • In general, iOS apps "exhibited a greater percentage of risky behaviors" than did Android apps. Statistically, 91 percent of iOS apps showed at least one risky behavior compared to 83 percent of Android apps.
  • However, Android apps access user identity (71 percent of the top 200) more than iOS apps. Even though Apple prohibits iOS developers from accessing UDIDs, 26 percent of the top iOS apps manage to do it anyhow. That’s an increase of 20 percentage points from Appthority’s summer 2013 report.

So what can you do to protect yourself and your data?

  • Be selective about the apps you download, especially free ones. Gaming apps are slightly riskier than non-game apps, the study found.
  • When in doubt, don’t sign into an app using your Facebook, Google or other social network credentials.
  • Don’t assume Apple’s "walled garden" is safer than Android’s open-source environment. With 26 percent of the most popular iOS apps using UDIDs to identify and track users despite Apple’s policy against it, “this makes one wonder what else Apple might be missing during their app review process,” the report says.
  • And as with any research study, take the findings with a grain of salt. For example, some behaviors deemed risky in the report, such as in-app purchasing, aren’t inherently risky and aren’t automatically a cause for alarm.
  • Keep location tracking on only for those apps you know need it, such as GPS apps.
  • Take additional security precautions. Two tools worth considering:
      • Clueful is a free Web-based "app" that shows how your Android and iOS apps "use, and possibly abuse, your personal information and treat your privacy."
      • Avast Software’s Mobile Security & Antivirus is a highly rated Android security app that includes a Privacy Report & App Manager feature that helps you understand what your apps are up to. The app is free, but some other features require a paid subscription ($2/month or $15/year).
