There are more than five million apps available on the largest app stores, and over half of these run on Android OS. Consequently, it is challenging for app store owners to guarantee these applications are completely free of malware, greyware or privacy risks. This creates an opportunity for attackers to create apps that can steal personal data and compromise businesses.
To protect customers’ data, security providers need detailed intelligence on the risks associated with Android apps.
Mobile application reputation is the key. It enables security vendors to understand the behavior of an app, and helps protect customers from harm. In this article we will look at how we build that data, and how you can use it.
Who benefits from mobile application reputation?
In a previous article, we explored the role of mobile app reputation in protecting users’ devices, data, finances, and privacy. Although mobile application reputation is an essential component of every consumer security suite (because of the widespread use of Android by consumers), it also provides valuable intelligence to enterprise security vendors. Anyone providing Endpoint Protection and Response (EDR), Unified Threat Defence (UTM), Mobile Device Management (MDM), Unified Endpoint Security or Management (UES/UEM) should consider using mobile app reputation.
Developing application reputation
To build a picture of an app’s reputation we use powerful anti-malware and behavioral analysis engines. These drill down into the APKs, libraries, frameworks, and links to external services that are used by an application. Our intent is to expose hidden behavior, malicious or otherwise.
Our advanced systems develop a detailed picture of an app’s behavior. This data is highly granular and is delivered in response to an API request. Using this, security vendors can make sophisticated decisions – to choose to block malicious apps, or limit an app’s use to mitigate users’ risks.
What is in reputation data?
Reputation data comprises several key elements: the meta-data associated with the app, the app’s behavior (malicious or merely irritating), the risks that it presents to user data, and the impact on the device. Let’s look at these in more detail.
Exploring the meta-data associated with the app and publisher enables us to establish a credibility score. It provides the data needed to understand the level of trust we can place in them. It asks:
- How many apps has the publisher previously published?
- Did those apps have any security or behavioral issues?
- How long have they been publishing apps?
- What is the prevalence of this app (how many people use it)?
When we consider behavior, we identify actions that compromise the user’s private information and look for malicious intent.
- Does it collect data on the user without informing the user?
- Is user data shared?
- Does it act without privilege?
- Are there connections to external services?
- Does it operate an unwanted ad framework?
Data risk analysis
When data is stored off-device, there will be a risk of data leakage. The data risk analysis looks at what information the app accesses and how.
- Does the app access personal data?
- Is call history or browser history accessed?
- Does it store data in a way (or a location) that could lead to data compromise or loss?
- Where is the data stored? Is data stored outside the user’s legal jurisdiction, even if the location is ‘safe’?
Mobile app reputation services may also consider the performance impact on the user. Some apps consume unwelcome amounts of memory, slowing or stopping the device. Others may use more power than necessary, limiting battery life. This data helps build an overall reputation of an app.
The value of granular mobile app reputation data
For each element described above, the result is a granular score. This score gives detailed insight into the app’s meta-data, its behavior, and the risk it presents for data loss or compromise. A consumer may just see that some apps are blocked from download, while others simply have a warning attached. The security provider, however, receives the detail they require to make these decisions.
For example, an app may be allowed if the user is in the US. But it may be blocked because of data privacy risks if the user is in Europe. Alternatively, an app may be accessible only to network subscribers over a specific age because of the ad framework it uses.
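The region- and age-dependent decisions described above, sketched as a policy function over a reputation record. This is an added example, not Avira's code or API schema; the field names, the 0-100 score scale and the thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample record. Field names and scale are hypothetical,
# not the response format of any vendor's reputation API.
SAMPLE_REPUTATION = {
    "package": "com.example.flashlight",
    "malware_score": 5,          # 0 = clean, 100 = confirmed malicious
    "privacy_risk": 70,          # likelihood of personal-data exposure
    "data_stored_in": "US",      # where off-device data is kept
    "ad_framework_min_age": 18,  # None when no age-restricted ad framework
}

MALWARE_BLOCK = 80     # assumed threshold: block outright
MALWARE_WARN = 40      # assumed threshold: attach a warning
EU_PRIVACY_LIMIT = 50  # assumed stricter privacy limit for EU users


@dataclass
class UserContext:
    region: str  # "US" or "EU" in this example
    age: int


def decide(rep, user):
    """Return (action, reason); action is 'allow', 'warn' or 'block'."""
    # Missing data must not fail open: an unknown app gets a warning.
    if not rep or "malware_score" not in rep:
        return "warn", "no reputation data for this app"
    if rep["malware_score"] >= MALWARE_BLOCK:
        return "block", "malicious behaviour"
    # Same app, different outcome: EU users get the stricter privacy rule
    # when data leaves their jurisdiction.
    if (user.region == "EU"
            and rep.get("privacy_risk", 0) >= EU_PRIVACY_LIMIT
            and rep.get("data_stored_in") != "EU"):
        return "block", "privacy risk: data stored outside user's jurisdiction"
    min_age = rep.get("ad_framework_min_age")
    if min_age is not None and user.age < min_age:
        return "block", "ad framework restricted to users aged %d+" % min_age
    if rep["malware_score"] >= MALWARE_WARN:
        return "warn", "suspicious behaviour"
    return "allow", "within policy"


if __name__ == "__main__":
    for ctx in (UserContext("US", 30), UserContext("EU", 30), UserContext("US", 15)):
        print(ctx, decide(SAMPLE_REPUTATION, ctx))
```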
How do we create reputation intelligence?
Avira’s Mobile Application Reputation Service leverages our extensive experience with Android heuristic engine detection systems, code emulation, behavioral analysis, and advanced machine learning models. We’ve been developing these technologies for more than five years. To date, the intelligence we have developed has helped power our Anti-malware SDK for Android and deliver top ratings in the AV-Test and AV-Comparatives tests. Now we’re making this essential reputation data available as part of our threat intelligence portfolio.
How it works
Our application reputation service analyzes millions of Android apps across multiple app stores and builds a detailed picture of each app. Our partners access it through a simple REST API. The API request might include a hash (SHA-256) of the app, or the package name, and specifics of the required information. In response, the Mobile Application Reputation Service delivers a security rating, a view of privacy risks, and will, in a later version, report on the impact on device performance.
In addition to our powerful heuristic engines, we make extensive use of deep inspection, detonation and emulation technologies to explore the behavior of an app, revealing:
- Ad frameworks within the app
- Toolkits employed
- Permissions and capabilities of the app
- Connection to external components identifying hidden behavior
- A complete insight into the code structure to expose active and inactive elements
We recently launched our new Mobile Application Reputation Service.