
Smartphone apps expose personal data

29 January, 2014
Using smartphone apps could be providing national intelligence services with personal information through poor software security

An article has been published on ProPublica stating that intelligence services are probing common smartphone apps for data leakages and that the NSA has actively accessed such data. Many apps collect personal information in order to operate, including names, telephone numbers and ages as well as geo-location coordinates.

The information is used by the apps themselves for advertising but, with many having poor security engineered into them, it could also be accessed by others for whatever purposes they want, including national intelligence services.

This revelation comes as no surprise to Kaspersky Lab's senior malware analyst, Vicente Diaz, who explained, "Some apps don't allow users to opt out of sharing data, whether or not it is legitimately done for advertising purposes, and the user has no way to use the apps without the program sending this data".

Having no way of opting out of providing this information, users are left with a stark choice of either using the app and sharing the data or disposing of the app and doing without. As some of these apps are games aimed at the younger community, there is more of a chance that they'll take the risk and use the app anyway.

The responsibility should therefore be with the app developers to ensure they're providing enough security to protect personal information. App developer Apadmi is sure that in most cases, the amount of personal information gathered by apps is unnecessary. The company's CEO, Garry Partington, advises companies that want apps developed to only access the information that's needed for the operation of the app. He went on to say, "It needs to be made very clear to the user what information is being collected and how this will be used so that users can make informed choices."

Giving the users the ability to make informed choices is becoming more of an imperative since apps are already a mainstream lifestyle commodity with one being available for pretty much anything. If the app developers don't do something more to protect the user's information, there is little else to provide that protection, certainly not the platform operators. Apple and Google go some way towards ensuring there are no malicious apps available in their offerings, but this only extends to overtly malicious applications. Recognising that many free apps need to have some way of making revenue, the advertising model isn't deemed malicious, so the collection and distribution of personal information currently has no policing within the app stores.

Apple is beginning to make some progress but is it enough? Zscaler's Michael Sutton told us, "While Apple in particular has started cracking down on more egregious data leakage issues such as collecting geolocation data or contact information in violation of their developer guidelines and has added features to limit advertiser tracking, both iOS and Android still permit apps to share a significant amount of data about users and their devices".

Informed choices or built-in protection?

With the app market being filled with games, useful widgets and high-quality tools for professionals, it's important for developers to understand that the range of users is wide and that the ability of those users to make informed choices also varies widely. It isn't enough to display a warning clause during installation saying "Your information may be shared with third parties - click to continue", as this doesn't constitute an "informed" choice. Users expect to be protected and don't expect to agree to relinquish their data privacy rights in order to be able to use an app.

To provide the ability to make more informed choices, some third-party tools are available, such as Zscaler's ZAP, which shows users what data is collected by apps running on the iOS or Android platforms. Making use of such tools is something users can do to fulfil their own responsibilities for protecting their data rather than relying on app developers to do it for them.

According to Webroot's security intelligence director, Grayson Milbourne, "There needs to be a certain level of consumer responsibility as people tend to be very trusting of apps they know and have used for some time. To protect themselves, consumers must think about the data they're giving away. If they're playing a game and it asks to access their microphone or geo-location - question why the app would need that. If it makes no sense, don't agree. Certain data - location, photos and so on - can only be taken if consumers agree."

There is also the continuing perception of smartphones as being more "phone" than "smart" despite the very high levels of functionality and the ability for complex integrations of applications. Both the operating system and functions that are native to the phone itself and the applications running on it produce a cocktail of information that can be very useful if it falls into the wrong hands. Apps that make use of this high level of integration are of particular worry to end-user privacy, according to Catalin Cosoi of Bitdefender.

Catalin told us, "Applications that require permissions related to social networks or access to the device’s sensors (for example the camera, accelerometer, microphone or GPS) are highly likely to collect and report these inputs. We advise users to not install any such applications unless they feel comfortable with this information landing in a third party’s hand".

So how widespread is the problem? Well, according to research undertaken by Arxan into the top 100 paid Android and iOS applications as well as the top free apps on both operating systems, there is widespread and unfettered hacking of mobile applications on both iOS and Android. 100% of the top paid Android applications and 73% of free apps had been subjected to some form of hacking, with 56% of paid iOS applications also having been compromised.

This level of app leakiness places the ball firmly in the court of the developers to start designing security into the software from the outset. Arxan's Kevin Morgan believes that such developers simply aren't putting enough effort into security. He said, "Users need to be aware that applications are often designed with functionality in mind and not security and therefore need to be wary of the information they provide to an app. App developers and owners need to be incorporating security into the app from the outset with the aim of ensuring that protecting data held within the app remains one of the top priorities throughout development."

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.
