GFI Labs found that both apps can harvest credentials and user details. This follows a recent news story from Reuters that touched on the security concerns surrounding President Obama's app, where it said that the implications of having a stranger's name and address at one's fingertips has raised the hackles of privacy advocates.
Users of Romney's app ‘MyMitt' are given the option to connect with Facebook or either create an account, which would involve giving a users' name, email address, password, home address or a mobile phone number (this is optional). Logging in via Facebook would give the app permission to post on their behalf and to collect data available from their Facebook friends.
Randall Griffith, junior threat researcher at GFI Labs, said that the app also collects other information, such as device ID, carrier, phone number, GPS location, phone location and package info on other installed apps.
“According to the app, users may be included in the Romney for President's contact list upon signing up. Its terms of service also mention the possibility of MyMitt members' usernames location being used for contest or programs, but users can opt out,” Griffith said.
“There are two other permissions this app seeks that caught our attention, including access to the audio recording features of a mobile phone and its camera. The app doesn't appear to take advantage of those features now, so why does it need those permissions?”
Users of the ‘Obama for America' app are required to consent to an agreement that essentially allows the app to gather information, such as GPS and mobile phone location.
Griffith said: “This app has permissions to access the user's phone contact list (which includes names and numbers), call and message logs (only the phone numbers and not the actual voice or text communication), data on currently installed apps, and contents of the SD card. Furthermore, this app constantly collects user location information.
“Users of this app are capable of accessing information on registered voters near them via the app feature called Canvass Neighborhood. Information such as the registered voter's first name and last initial, age and home addresses can be viewed. The app then encourages users to go to the homes of these voters to campaign for Obama. It gives a quick pop-up about safety tips when canvassing, as well as information on what to say and how to say it.”
Griffith concluded by saying that this underlines the importance of knowing what apps are doing and what personal information users are divulging about themselves, and potentially their contacts and social network connections.
“Even reputable sources like the official presidential campaigns may encroach on what many of us consider a reasonable expectation of privacy and limitations on data collection. Read the fine print before installing any app,” he said.