To paraphrase a phrase, there is no such thing as a free app.
Yes, there are hundreds of thousands out there that won't cost you a cent to download. But they still extract a price. The price, at a minimum, is information — about you. As more than one expert has said, "You are the payment." And that payment is not risk-free.
[Is mobile anti-virus even necessary?]
The large majority of mobile apps, even those vetted through Apple's App Store or Google's Play Store, are (with apologies to Rogers and Hammerstein) "getting to know you, getting to know all about you," in exchange for helping you tune your instrument, see your way in the dark, find a new restaurant and any number of other services.
Except the goal of that knowledge is commercial, not romantic. The developers of those apps are selling information about you to analysts and marketers — information that, knowingly or not, you are volunteering to give them.
That, in the view of many mobile users, is not necessarily risky if all it means is getting some targeted ads for things that already interest them. And there are apps available that are even designed to protect your privacy – among them Telegram, Wickr and Confide for text messages and Snapchat for photos – that delete what you sent in seconds or minutes.
But users may not be aware of how much more interested purveyors of malware are in them than they were even a couple of years ago.
The Mobile Security Threat Report from Sophos, released at this week's Mobile World Congress, reports that while the first mobile malware appeared 10 years ago, it has exploded in the past two years, responding to mobile subscriptions now totaling about 7 billion and app downloads of about 110 billion just from Apple's App Store and Google's Play Store.
The company, which has tracked Android malware samples since 2004, reported that they remained relatively negligible until 2012, and since then have grown to more than 650,000.
And even with apps free of malware, users may not know how deep the collection goes, and how their information (about friends and business associates, their identity and their financial transactions) can fall into the wrong hands.
[6 tips for smartphone privacy and security]
Domingo Guerra, cofounder and president of mobile app risk management vendor Appthority, contends that this is a greater risk than malware right now. While he agrees that malware is "growing exponentially," he said it remains, "a sliver of the app ecosystem. Having analyzed over 2.3 million apps for our customers, we have found that less than 0.4% of apps have malware, while 79% had other kinds of enterprise risk.
In its Winter 2014 App Reputation Report, Appthority analyzed 400 apps – the top 100 free and top 100 paid for each of the two most most popular mobile platforms, iOS and Android ndash; and reported multiple "risky" behaviors, most involving the privacy of users.
[7 enterprise mobile security best practices]
Of the free apps analyzed from both platforms, 70% allow location tracking, 56% identify the user's ID (UDID), 31% access users' contact list or address book, 69% use single sign-on, 53% share data with ad networks and analytics and 51% offer in-app purchasing.
That last item – in-app purchasing – can be especially risky, and expensive. Guerra said a growing trend is for apps to, "leverage in-app purchasing to monetize. For example, Candy Crush Saga, one of the most popular free apps, is also one of the top-grossing apps."
Guerra said Apple recently settled a case with the Federal Trade Commission about in-app purchases specifically for children's apps. "Parents thought they were authorizing one in-app-purchase transaction, but instead authorized any transaction during a 30-minute window," he said.
"This resulted in many 'unauthorized' charges, as kids used in-app-purchases to buy additional content, features, virtual goods etc. And in-app-purchases can be as high as $99 per transaction."
That does not mean paid apps are not invasive. "While 95% of free apps exhibited at least one risky behavior, so did 80% of the top paid apps," Appthority reported. "Developers of paid and free apps are seeking new methods of generating revenue and unfortunately, it comes at the cost of the user's privacy."
Security vendor McAfee reported similar findings recently. In a recent post on the McAfee Blog, Lianne Caetano wrote that company researchers, "found that privacy-invading apps are more common than ever before, and beyond violating your digital space, some even contain malware and other suspicious characteristics."
According to the report, 82% of the apps read the UDID; 64% know the wireless carrier; 59% track the last known location; 55% continuously track location; 26% read the apps used; 26% know the SIM card number; and 36% know the user's account information.
[iOS vs. Android: Which is more secure?]
While some tracking is inevitable, given that users expect certain apps to guide them to specific locations, "the real question is: What are these apps doing with all of the information that they collect? ... some of these apps may be oversharing that information with third parties or using it to inform more nefarious groups," Caetano wrote.
And some of the promises made about privacy may not be rigorously enforced. Among Apple's latest rules for developers is that they should not request a UDID as a method of user tracking.
[Security risk in Starbucks app a 'wakeup call' for consumers]
"However, 26% of top iOS apps still make requests for UDID, and on any device that is running an older OS than iOS7, the apps are still able to get the UDID directly from the device," said Guerra.
Beyond the privacy risks, Guerra said many apps, "are communicating without encryption, so intercepting this data in motion is also easy." A hacker doesn't need to hack a device to get this data; they could simply sniff the network.
In spite of such multiple warnings about both privacy invasion and malware from mobile apps, there is so far no perceptible consumer backlash about the risks of mobile apps. That may be in large measure because, as Scott Matsumoto, principal consultant at Cigital, puts it, "there is no backlash because people don't know it's happening."
But Matsumoto also said data collection on users is not a black-and-white issue. Some free apps, like those from a bank, collect information so they know users' typical habits and can tell more easily if someone is trying to impersonate them.
Dan Dearing, vice president of marketing at MobileSpaces, agreed. "The problem is complicated," he said. "You might want apps to see your contacts, to make your life easier, but not upload them to their server. But then the policy choices that a user needs to make get too complicated."
There are things consumers and enterprises do to improve their privacy. Among the most basic are to buy apps only from reliable sources that have been vetted by companies like Google and Apple, and to take the time to limit the amount of tracking an app can do, through privacy and/or preference settings.
"Apps are generally collecting more information than they need," Guerra said. "Why does a flashlight app need my location, calendar, and address book? The issue this creates is that these databases are not always built securely and can become targets for criminals or governments — recall NSA's comments about using Angry Birds data to track user data."
Strong passwords and strong encryption also help, especially with handheld devices that can be lost or stolen.
Bogdan "Bob" Botezatu, senior e-threat analyst at Bitdefender, said encryption is crucial, since, "mobile phones and tablets spend the bulk of their time on unsecure, untrusted networks."
[Mobile users at risk from lack of HTTPS use by mobile ad libraries, security researchers say]
Botezatu also said users should, "limit themselves to installing the applications they need, most of which come from trustworthy publishers. The smaller the number of applications installed, the smaller the attack surface."
But among experts, there is not much optimism for the future, at least in the short term. "This is a problem that is still in front of us," said Matsumoto.