The Appicaptor service provides regular scans of iOS, Android, Windows Phone and BlackBerry apps to warn when they include such functions. Businesses can subscribe to a report about the security of up to 100 apps for €1,500 ($2,100) per month, including the purchase cost of up to €5 per app. For €5,000 per month the service will report weekly on how up to 500 apps comply with a security policy defined by the customer, Heider said.
At the Fraunhofer Institute for Applied and Integrated Security another team has developed App-Ray, a security scanner for Android apps that can be used by businesses policing their bring-your-own-device security policy, or by developers curious about what unexpected or unwanted functions the third-party modules they use may have brought with them.
"We find stuff that is not problematic per se, but may be a problem in a company environment," said Dennis Titze, one of the researchers involved. For example, an app that can record audio may not in itself be bad -- WhatsApp can record 10-second clips to send as messages, for instance -- but combined with the ability to access the calendar and activate the microphone when the phone's owner is attending a meeting, it may become a security risk, he said.
App-Ray also detects threats inherent in what the app doesn't do, rather than what it does, such as insecure SSL certificate checking: "We look at an app's byte code to see if it implements its own trust manager, [rather than the standard APIs] and whether it looks like this does something. Many apps have a certificate check function that doesn't have any code in it, it just returns."
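The empty certificate check Titze describes can be illustrated with a small scanner. This is an added example, not App-Ray's code or anything from the article: it assumes the app has already been disassembled to baksmali-style text, and the class names, sample input and the function name `empty_trust_checks` are constructed for illustration.

```python
import re

# Constructed baksmali-style disassembly of two hypothetical classes.
SAMPLE = {
    "TrustAll.smali": """\
.class public Lcom/example/TrustAll;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 0
    return-void
.end method
""",
    "DelegatingTrust.smali": """\
.class public Lcom/example/DelegatingTrust;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 1
    iget-object v0, p0, Lcom/example/DelegatingTrust;->platform:Ljavax/net/ssl/X509TrustManager;
    invoke-interface {v0, p1, p2}, Ljavax/net/ssl/X509TrustManager;->checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    return-void
.end method
""",
}

METHOD_RE = re.compile(
    r"^\.method [^\n]*\bcheckServerTrusted\([^\n]*\)V\n(.*?)^\.end method",
    re.S | re.M)

def empty_trust_checks(files):
    """Return files whose X509TrustManager.checkServerTrusted only returns."""
    flagged = []
    for path, text in files.items():
        if ".implements Ljavax/net/ssl/X509TrustManager;" not in text:
            continue
        for body in METHOD_RE.findall(text):
            # Keep instructions only: drop blanks, directives (.locals) and comments.
            ops = [s for s in map(str.strip, body.splitlines())
                   if s and not s.startswith((".", "#"))]
            if ops == ["return-void"]:
                flagged.append(path)
    return flagged

if __name__ == "__main__":
    print(empty_trust_checks(SAMPLE))
```

The check only catches the literal "just returns" body; a method that runs a real check but swallows the resulting exception needs control-flow analysis and is not flagged here.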
App-Ray is ready for commercial use, and the lab is looking at two pricing models, Titze said. An on-premises version, available as a virtual machine image, would cost somewhere between €10,000 and €100,000 a year, allowing businesses to test as many apps as they wish with no one else aware of which applications they are concerned about. This could be an advantage for a developer, for instance, looking for security risks in new versions of its apps before uploading them to an online market. A hosted version would cost between €100 and €1000 a month, he said.
Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service.