Free mobile applications apparently leak personal data, which is collected by the National Security Agency (NSA) and its UK counterpart GCHQ, according to the Guardian.
Reports claim that both the NSA and GCHQ have developed capabilities to take advantage of “leaky” smartphone apps. According to information released by whistleblower Edward Snowden, this is reportedly a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities.
Although what is leaked depends on what profile information a user has supplied, Snowden’s documents suggest that the NSA would be able to collect almost every key detail of a user’s life, including home country, current location (through geolocation), age, gender, zip code, marital status, income, ethnicity, sexual orientation, education level and number of children. Also, some app platforms allow identifying information such as exact handset model, the unique ID of the handset, software version and similar details to be transmitted.
Research from Zscaler found that free applications often require personal information to be surrendered, as they may allow a user to be monitored and sensitive information to potentially be viewed and compromised.
Zscaler director of security research Michael Sutton said that a free app “wants to deliver meaningful advertisements, so the app will grab whatever it can to track that device, not the person”. He also said that despite privacy concerns, some people will not care.
Commenting on the leaky apps revelations, Sutton said that while app store gatekeepers such as Apple, Google and Amazon focus on ensuring that malicious apps aren’t included in their app stores, they tend to do a very poor job at filtering out those apps that expose users to privacy risks.
“This is in part driven by the very economy of the app store eco-system. The bulk of apps are free, but developers need to turn a profit somehow. That’s generally done by embedding advertising and sharing metrics with advertisers about user behaviour, better enabling advertisers to deliver targeted apps,” he said.
“While some may be fine with sharing data in order to receive ads targeted to their interests, others see it as a privacy concern and as we’ve recently seen, spy agencies, such as the NSA, are taking advantage of the data shared by mobile applications.”
Among the “leaky” apps named is Angry Birds, whose maker Rovio denied any knowledge of any NSA or GCHQ programs looking to extract data from its apps’ users, or any involvement with the agencies.
The NSA said its phone interception techniques are only used against valid targets, and are subject to stringent legal safeguards. It declined to respond to a series of queries on how routinely capabilities against apps were deployed, or on the specific minimisation procedures used to prevent US citizens’ information being stored through such measures. GCHQ declined to comment on any of its specific programs, but stressed all of its activities were proportional and complied with UK law.
Kevin Morgan, chief technology officer of Arxan Technologies, said that the news did not come as much of a surprise, as in 2013 consumers downloaded over 83 billion applications worldwide. “What this demonstrates is that many application developers and owners are simply not putting enough protections in place to secure their apps, which leaves users’ data vulnerable to compromise by anyone with the technical know how to get it,” Morgan said.
Vicente Diaz, senior malware analyst at Kaspersky Lab, said: “The information provided by these apps has already proven lucrative to both advertisers and developers, so it stands to reason that it is also valuable to intelligence agencies. Many games allow users to play with contacts and friends and therefore bind those individuals to a network of people, just like social networks.
The latest version of Angry Birds asks the user for information on their location, mobile number and various other personal details – all this apparently for advertisement purposes. However, this can provide third parties with more information than you want to share, such as exactly where you are at any particular moment.
“It doesn’t seem so untoward when talking about one application, but this is just one example. Think about all the information you are providing to all the apps in your mobile device and what they are saying about you, your location, the people you talk to, and what you say to them. This shows how apparently innocent features can be used for a very different purpose when gathered with an ulterior motive.”