How should we rate the risk posed by mobile app data slurping on our employees' BYOD devices? Do apps like Angry Birds and the like give away anything we need to worry about?
Mobile app data slurping (an app capturing users' data without their explicit knowledge) has become a widespread concern for enterprises following the revelations by NSA whistleblower Edward Snowden. The scale of the collection has certainly come as a shock to most, and enterprises need to review the permissions granted to the apps their employees use.
The Angry Birds family of apps has been singled out in the press because of its popularity, but many other apps also "require" an excessive list of permissions that let them read and transmit personal and profile data. Some free apps justify this by saying they need the data to serve targeted ads. The following permissions are commonly requested, and every one of them has an impact on users' privacy and security:
- Approximate location
- Full network access
- Receive data from Internet
- View Wi-Fi and network connections
- Read phone status and identity
- Modify or delete contents of USB storage
- Take pictures and videos
- Find accounts on user's device
- Read contacts
- Test access to protected storage
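One way to carry out that review on a BYOD Android device, as an added example that is not part of the original answer: the script below parses the permission sections of `adb shell dumpsys package <package>` output, maps the permission constants to the Play Store labels used in the list above, and flags the combinations (a data source plus network access) that actually let data leave the device. The dumpsys excerpt embedded in it is constructed to resemble real output, and the package name com.example.birdgame is made up.

```python
"""Audit the permissions an installed Android app holds, from `dumpsys package` output.

Added example for this answer, not code from the article. The dumpsys excerpt
below is constructed to resemble real `adb shell dumpsys package <pkg>` output;
the package name com.example.birdgame is made up.
"""
import re
import sys

# Android permission constants mapped to the Play Store labels used in the list above.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "Approximate location",
    "android.permission.INTERNET": "Full network access",
    "com.google.android.c2dm.permission.RECEIVE": "Receive data from Internet",
    "android.permission.ACCESS_WIFI_STATE": "View Wi-Fi connections",
    "android.permission.ACCESS_NETWORK_STATE": "View network connections",
    "android.permission.READ_PHONE_STATE": "Read phone status and identity",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify or delete contents of USB storage",
    "android.permission.CAMERA": "Take pictures and videos",
    "android.permission.GET_ACCOUNTS": "Find accounts on the device",
    "android.permission.READ_CONTACTS": "Read contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "Test access to protected storage",
}

# A data source plus network access is what actually lets the data leave the device.
EXFIL_PAIRS = [
    ({"android.permission.INTERNET", "android.permission.READ_CONTACTS"}, "contacts can be uploaded"),
    ({"android.permission.INTERNET", "android.permission.ACCESS_COARSE_LOCATION"}, "location can be uploaded"),
    ({"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"}, "device identity can be uploaded"),
    ({"android.permission.INTERNET", "android.permission.GET_ACCOUNTS"}, "account names can be uploaded"),
]

SECTION_RE = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
PERM_RE = re.compile(r"^\s*([A-Za-z][\w.]*\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")


def parse_permissions(dumpsys_text):
    """Return {permission: True/False/None} from the permission sections of dumpsys output.
    True/False come from 'granted=' lines; None means only listed as requested."""
    perms = {}
    section_indent = None  # indentation of the section header we are inside, if any
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if SECTION_RE.match(line):
            section_indent = indent
            continue
        if section_indent is None:
            continue
        if line.strip() and indent <= section_indent:
            section_indent = None  # dedented: the section has ended
            continue
        m = PERM_RE.match(line)
        if m:
            name, granted = m.group(1), m.group(2)
            if granted is not None:
                perms[name] = granted == "true"
            elif name not in perms:
                perms[name] = None
    return perms


def audit(dumpsys_text):
    """Report sensitive permissions the app holds and the exfiltration paths they open."""
    perms = parse_permissions(dumpsys_text)
    held = {p for p, g in perms.items() if g is not False}  # granted, or requested and not yet denied
    state_label = {True: "granted", False: "denied", None: "requested"}
    sensitive = [
        f"{SENSITIVE_PERMISSIONS[p]} ({p}, {state_label[perms[p]]})"
        for p in sorted(held) if p in SENSITIVE_PERMISSIONS
    ]
    risks = [reason for needed, reason in EXFIL_PAIRS if needed <= held]
    denied = sorted(p for p, g in perms.items() if g is False)
    return {"sensitive": sensitive, "exfiltration_risks": risks, "denied": denied}


# Constructed sample resembling `adb shell dumpsys package com.example.birdgame` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.birdgame] (1a2b3c4):
    userId=10123
    versionName=4.1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.ACCESS_WIFI_STATE
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.GET_ACCOUNTS
      android.permission.READ_CONTACTS
      com.google.android.c2dm.permission.RECEIVE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      com.google.android.c2dm.permission.RECEIVE: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
        android.permission.GET_ACCOUNTS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # Usage: adb shell dumpsys package com.example.birdgame | python3 perm_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    report = audit(text)
    for item in report["sensitive"]:
        print("sensitive:", item)
    for item in report["exfiltration_risks"]:
        print("risk:", item)
```

Run against the sample, the script lists eight sensitive permissions and three exfiltration paths; the contacts path is absent because the user denied READ_CONTACTS at runtime, which is exactly the kind of decision the advice above asks employees to make.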
Security teams should tell employees that any information they enter in an app profile will, in most instances, be sent to the app vendor, and it is no longer far-fetched to assume that such data may also be collected by the NSA or the U.K.'s Government Communications Headquarters (GCHQ). App vendors don't have to be in partnership with the NSA or GCHQ for device data to be captured, because these agencies collect information as it travels across the Internet. The leaked documents don't suggest that the NSA and GCHQ are subverting mobile apps, only that they are collecting the data the apps send back to their developers.
One report noted that updating Android on a device can leak around 500 slurpable records describing how the device was used by its owner. Many vendors are certainly retrieving far more data than they need, and often don't bother to encrypt it in transit. Mobile users should therefore keep their profile information to an absolute minimum. Details such as gender and marital status are unnecessary for most apps to function correctly, but combined they can be used to build a picture of almost every key detail of a user's life.
For most enterprises, mobile app data slurping is unlikely to have an immediate impact on day-to-day business, but certain industries do need to be vigilant. Take a firm providing physical security services. An employee's location can be exposed any time he or she takes a photo with a smartphone if automatic geotagging is enabled, because the coordinates are embedded in the image's EXIF metadata and travel with the file wherever it is uploaded or shared. In theory, this could make it easier for an adversary to find the person or asset that employee is supposed to be protecting. Any app that handles sensitive data should certainly be risk assessed, because many do not implement encryption correctly: a researcher at security assessment company IOActive found that, of 40 iOS banking apps tested, 40% did not validate SSL certificates and therefore could not stop a man-in-the-middle attack.
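The certificate-validation failure IOActive found is a client configuration mistake, and the same mistake is easy to make in any TLS client library. The block below is an added example, not code from the article or from any of the apps tested: it shows the vulnerable and the hardened configuration side by side in Python's standard ssl module, plus a check that tells them apart, which is a useful first pass when reviewing client code that handles sensitive data. The `cafile` parameter is an assumed path to a private CA bundle and is optional.

```python
"""Vulnerable vs. hardened TLS client configuration, with an audit check.

Added example for this answer, not code from the article or from the apps IOActive
tested. `cafile` is an assumed, optional path to a private CA bundle for pinning.
"""
import socket
import ssl


def vulnerable_context():
    """The failure IOActive reported, in Python terms: any certificate for any name is
    accepted, so a proxy on the path can present its own certificate and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Validate the chain against trusted roots (or a pinned private CA if `cafile` is
    given, an assumed path) and the hostname against the certificate; require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the findings for a client SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not validated (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def handshake_succeeds(ctx, host, port=443, timeout=5.0):
    """True if a TLS handshake completes under this context. Pointed at an intercepting
    proxy that presents its own certificate, the hardened context returns False and the
    vulnerable one True, which is the test IOActive's finding amounts to. Needs network."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```

To test a real app rather than its source, route the device through an intercepting proxy (Burp or mitmproxy) without installing the proxy's CA certificate on the device: an app that validates certificates will refuse to connect, while one in IOActive's 40% will carry on sending its traffic through the proxy in the clear.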
To combat mobile app data slurping, encourage users to turn off geolocation whenever it is practical and to enable Wi-Fi only when it is needed. A device with Wi-Fi enabled constantly probes for networks to join, broadcasting its MAC address, a unique identifier that can be used to track its location (newer mobile operating systems randomize the address used in these probes, which reduces but does not remove the risk). Finally, users should log out of each app when they are finished with it and pay close attention to the permissions an app requests. Look for an alternative if the permissions seem excessive: a weather app, for example, doesn't need access to your contacts.
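Turning geolocation off is the right default, but photos already taken may still carry coordinates, so a security team will want to check files before they are shared and strip the tags if present. As an added example that is not part of the original answer, the block below reads the EXIF GPS tags straight out of a JPEG's APP1 segment with nothing beyond the standard library, and removes the APP1 segment to strip them. The sample JPEG it builds is constructed for the test and contains no image data; the coordinates in it are arbitrary.

```python
"""Detect and strip EXIF GPS coordinates in a JPEG using only the standard library.

Added example for this answer, not code from the article. build_sample_jpeg() makes a
constructed test file (APP1/Exif segment only, no image data) for the given coordinates.
"""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def _iter_segments(jpeg):
    """Yield (marker, payload) for each metadata segment up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: image data follows, no more metadata
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, raw_value_bytes)} for the IFD at `offset` in the TIFF blob."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:   # value stored inline in the entry
            raw = tiff[e + 8:e + 8 + size]
        else:           # entry holds an offset to the value
            val_off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[val_off:val_off + size]
        entries[tag] = (typ, count, raw)
    return entries


def _dms_to_degrees(raw, endian):
    """Three RATIONALs (degrees, minutes, seconds) to decimal degrees."""
    d, dd, m, md, s, sd = struct.unpack(endian + "IIIIII", raw)
    return d / dd + (m / md) / 60 + (s / sd) / 3600


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries EXIF GPS tags, else None."""
    for marker, payload in _iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = _read_ifd(tiff, endian, struct.unpack(endian + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, endian, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0])
        if 0x0002 not in gps or 0x0004 not in gps:  # GPSLatitude / GPSLongitude
            return None
        lat = _dms_to_degrees(gps[0x0002][2], endian)
        lon = _dms_to_degrees(gps[0x0004][2], endian)
        if gps.get(0x0001, (0, 0, b"N"))[2][:1] == b"S":  # GPSLatitudeRef
            lat = -lat
        if gps.get(0x0003, (0, 0, b"E"))[2][:1] == b"W":  # GPSLongitudeRef
            lon = -lon
        return (lat, lon)
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 (Exif) segment removed; image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            return bytes(out + jpeg[pos:])
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out)


def build_sample_jpeg(lat, lon):
    """Constructed test input: SOI + one Exif APP1 segment with GPS tags + EOI (big-endian TIFF)."""
    def dms(v):
        v = abs(v); d = int(v); m = int((v - d) * 60)
        return struct.pack(">IIIIII", d, 1, m, 1, round((v - d - m / 60) * 3600 * 10000), 10000)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                                    # header, IFD0 at 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)                                                    # GPS IFD at 26
    tiff += struct.pack(">HHI", 0x0001, 2, 2) + (b"S" if lat < 0 else b"N") + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)
    tiff += struct.pack(">HHI", 0x0003, 2, 2) + (b"W" if lon < 0 else b"E") + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", 0x0004, 5, 3, 104) + struct.pack(">I", 0)       # data at 80 and 104
    app1 = b"Exif\x00\x00" + tiff + dms(lat) + dms(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Real cameras also write a maker-note and an Exif sub-IFD, so stripping the whole APP1 segment is the reliable way to remove the location rather than zeroing individual tags; on a real photo, strip_exif() leaves the compressed image data intact.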
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)