A significant number of apps are sharing data with third parties without notifying their users, according to a new report which attempts to quantify the scale of the problem.
Researchers from Harvard, MIT and Carnegie-Mellon found that these apps were sharing personal information and search terms, leaving the user in the dark about what information is shared with whom.
Around 110 free apps for Android and iOS were examined to see what personal, behavioural, and location data they share with third parties. The report said that 73 percent of the Android apps shared personal information such as email addresses with third parties, and 47 percent of the iOS apps shared geo-coordinates and other location data with third parties.
The report also found that 93 percent of Android apps tested connected to a mysterious domain, safemovedm.com. However, the researchers said that this was likely due to a background process of the Android phone.
The research was carried out by Harvard research analyst Jinyan Zang, alongside researchers from MIT and Carnegie-Mellon. Details of the research were published at the open-access Technology Science forum.
The researchers said that many mobile apps share “potentially sensitive user data with third parties, and that they do not need visible permission requests to access the data”.
The researchers found that on average, Android apps send potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.
“For location data, including geo-coordinates, more iOS apps (47 percent) than Android apps (33 percent) share that data with a third party. In terms of potentially sensitive behavioural data, we found that three out of the 30 Medical and Health & Fitness category apps in the sample share medically-related search terms and user inputs with a third party,” the report said.
It said the third-party domains that receive sensitive data from the most apps are Google.com (36 percent of apps), Googleapis.com (18 percent), Apple.com (17 percent), and Facebook.com (14 percent).
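The figures above (third-party domains per app, the share of apps on each platform leaking a given data category, and the reach of individual receiving domains) are the kind of measurements a mobile security or privacy team can reproduce from its own observed app traffic. The following is an added example, not code from the report or its authors: it runs an audit of this shape over a small constructed set of traffic records. The record layout, the `SENSITIVE_KEYS` mapping, the example hostnames and the toy `registrable()` helper are all assumptions made for illustration; a production version would classify hosts with a public-suffix list and pull records from an MDM or network proxy.

```python
"""Audit constructed app-traffic records for third-party sharing of sensitive data."""
from collections import Counter, defaultdict
from statistics import mean

# Assumed mapping from request field name to a sensitivity category.
SENSITIVE_KEYS = {"email": "personal", "phone": "personal",
                  "lat": "location", "lon": "location",
                  "search": "behavioural"}

# Constructed sample records, not data from the report: one per outbound
# request, with the app's own (first-party) domain and the field names sent.
RECORDS = [
    {"app": "notes", "platform": "android", "first_party": "notes.example",
     "host": "api.notes.example", "fields": ["email"]},
    {"app": "notes", "platform": "android", "first_party": "notes.example",
     "host": "ads.adnet.example", "fields": ["email", "device_id"]},
    {"app": "notes", "platform": "android", "first_party": "notes.example",
     "host": "cdn.static.example", "fields": []},
    {"app": "fit", "platform": "ios", "first_party": "fit.example",
     "host": "metrics.track.example", "fields": ["lat", "lon"]},
    {"app": "fit", "platform": "ios", "first_party": "fit.example",
     "host": "ads.adnet.example", "fields": ["search"]},
    {"app": "weather", "platform": "ios", "first_party": "weather.example",
     "host": "api.weather.example", "fields": ["lat", "lon"]},
]


def registrable(host):
    """Toy eTLD+1: keep the last two labels. Real code should use a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(record):
    """A request is third-party when its host's registrable domain differs from the app's own."""
    return registrable(record["host"]) != registrable(record["first_party"])


def sensitive_categories(fields):
    """Map the field names in a request to the sensitivity categories they fall under."""
    return {SENSITIVE_KEYS[f] for f in fields if f in SENSITIVE_KEYS}


def audit(records):
    """Return (domains, cats): per app, the third-party domains that received
    sensitive data and the categories of sensitive data the app shared."""
    domains = defaultdict(set)
    cats = defaultdict(set)
    for r in records:
        c = sensitive_categories(r["fields"])
        if c and is_third_party(r):
            domains[r["app"]].add(registrable(r["host"]))
            cats[r["app"]] |= c
    return dict(domains), dict(cats)


def avg_third_party_domains(records, platform):
    """Average number of third-party domains receiving sensitive data per app on a
    platform; apps that share nothing count as zero."""
    apps = {r["app"] for r in records if r["platform"] == platform}
    domains, _ = audit(records)
    return mean(len(domains.get(a, ())) for a in apps) if apps else 0.0


def domain_reach(records):
    """Percentage of all audited apps from which each third-party domain receives sensitive data."""
    domains, _ = audit(records)
    total = len({r["app"] for r in records})
    counts = Counter(d for ds in domains.values() for d in ds)
    return {d: round(100 * n / total) for d, n in counts.items()}


def category_share(records, platform, category):
    """Percentage of a platform's apps that share the given category with a third party."""
    apps = {r["app"] for r in records if r["platform"] == platform}
    _, cats = audit(records)
    hits = sum(1 for a in apps if category in cats.get(a, set()))
    return round(100 * hits / len(apps)) if apps else 0


if __name__ == "__main__":
    d, c = audit(RECORDS)
    for app in sorted(d):
        print(f"{app}: {sorted(c[app])} -> {sorted(d[app])}")
    print("android avg third-party domains:", avg_third_party_domains(RECORDS, "android"))
    print("iOS apps sharing location:", category_share(RECORDS, "ios", "location"), "%")
    print("domain reach:", domain_reach(RECORDS))
```

The key design point is that sharing is judged on two conditions together: the destination must be outside the app's own registrable domain, and the request must carry a field that maps to a sensitivity category. A CDN fetch with no sensitive fields, or a first-party API call carrying the user's email, is not counted, which matches the distinction the report draws between an app's own back end and third parties.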
“Future mobile operating systems and app stores should consider designs that more prominently describe to users potentially sensitive user data sharing by apps,” added the researchers.
Ryan Kalember, SVP, cyber-security strategy at Proofpoint, told SCMagazineUK.com that these apps pose a large threat given all the sensitive data on the mobile devices in the typical organisation – from emails to contact records to key chains to even the users' physical locations.
“Worse, this threat is not well understood by the typical organisation, as it requires both knowing which apps are installed on employee mobile devices and an understanding of the behaviour of those apps,” he said.
He added that users do not frequently check the permissions that their apps have been granted, and the apps often exfiltrate sensitive personal and corporate data with the full "permission" of the end user and without that user even being aware that it has occurred.
“Worse yet, app stores will not flag these apps as problematic, as they often have generic privacy policies or even disclose that they are accessing and siphoning off that information,” said Kalember.
He added that any of this information could easily end up in the hands of criminals.
“Malicious apps are another tool in the arsenals of cyber-criminals and other sophisticated attackers. As the XcodeGhost attack demonstrated, apps can compromise user credentials to very popular apps, which are highly desirable due to their capacity for monetisation,” he said.
He said that there are a number of mobile threat defence tools which proactively scan apps in App Stores around the world, giving organisations situational awareness for the mobile app-borne risks they face. “These tools often work alongside enterprise mobility management (EMM) or mobile device management (MDM) tools to lock the users' device from accessing corporate data and services until the offending apps are removed.”
Kalember urged users to be aware of the permissions that their apps have, and “never trust that an app is only accessing the minimum amount of data required to perform its stated function”.
Eldar Tuvey, CEO and co-founder at Wandera, told SC that leaking apps and man-in-the-middle attacks are the largest threats in mobile security today.
“The proliferation of apps, the fragmentation of app stores and the volume of updates which are effectively completely new apps in terms of code, mean there is an avalanche of potential vulnerabilities which the app stores cannot monitor well enough,” he said.
“Companies and individuals should really be relying on a third party to act as a safety net for leaking apps – detecting them in real time and blocking the data leaks of PII (personally identifiable information) and other valuable corporate data.”
Peter Gaul, EMEA mobile security specialist at FireEye, told SC that there are many varied mechanisms out there which are used by apps, or parts of apps, to receive, gather and send data outside of the mobile device.
“Apart from deliberately malicious building blocks in apps, reusable adware libraries are often used for this purpose,” he said. “We have discovered and investigated many ad libraries where undesirable behaviour is present.”
He added that some not only receive content to place in ads displayed on the device but also gather data and send it outside of the device.
“This data has included phone numbers, network information, lists of apps installed and running, calendar and contact (address book) information,” he added.
“Users install these apps with the ad libraries present and do not check any permissions they are granting to the app and hence the built in libraries. Whilst to an individual having the address book sent outside of the device may pose threats, many devices contain corporate information such as global address lists for a company.”
RiskIQ's vice president EMEA Ben Harknett told SC Magazine that when downloading any apps, users should make sure they're from trusted stores, such as Google Play or the Apple App Store.
“Be sure to scrutinise the information about the app before downloading - does the developer name look valid, is the app rated and if so is the rating good, how many people have downloaded the app, etc.”