Every week it seems like there is a new story about a popular mobile application having privacy issues that put its users at risk. With millions of mobile apps receiving billions of downloads, it is important that users are aware of the risks they face when downloading and using apps. This infographic uses real world cases to outline the threat to user privacy posed by mobile apps.
There is no doubt you’ve heard about privacy issues related to Facebook, Google, and other major websites. But have you considered the privacy issues that could be occurring right on your mobile device?
About 25 billion Google Play and iOS apps were downloaded in 2011
At the end of 2011, the millionth mobile app hit the market.
With the popularity of mobile apps increasing, what privacy concerns should users be aware of? There are 4 levels of potential risk:
- Application Layer - Apps with vulnerabilities and malicious code have access to your data and devices sensors.
- Hardware Layer - Attackers use memory corruption defects in firmware to gain administrative access to your device.
- Network Layer - Information can be intercepted over the air. Mobile WiFi has all the same problems that laptops have on WiFi.
- Operating System Layer - iPhone and Android jailbreaks exploit defects in your phone’s operating system.
Application-Related Risks
- Some mobile apps upload users’ contact lists and store them without permission
- In mid-April, researchers discovered that a fake version of the instagram app for android installed malware on users’ devices after being downloaded from third-party sites
- Fake applications are a common method used by attackers to spread malware. Only download apps from trusted app stores.
- Also in February, the mobile social network Path was discovered to be uploading whole address books to servers without the app users knowing.
- A developer noticed this was occurring. In response, Path said they deleted all of the data they had stored but continued to collect anonymized/hashed data per users’ permission.
Ad Libraries Accessing Your Data
- Smartphone users should be aware of the risks some mobile ads pose.
- In a study of 100,000 apps in the Google Play market, more than half had ad libraries. Of these apps 297 had aggressive libraries that could run code from remote servers.
- In-App ad libraries can retrieve ads remotely and come ad libraries have the same permissions that users grant the app during installation.
- Some ad libraries can access:
- A users location
- Phone numbers
- Lists of all apps on the phone
- Call logs
Public Response?
- Privacy concerns have led to legal action.
- In March of this year a class action lawsuit was filed on behalf of 13 plaintiffs, naming 18 companies, some well known, as allegedly negligent (including Facebook, Instagram, LinkedIn, Foursquare, and Yelp!)
- The complaint involves the plaintiffs’ concerns that some apps are allegedly taking information from users in a “surreptitious” manner.
- This information and data could be used for commercial reasons.
- No cases to date have proven that data is being used for reasons aside from the normal usage of the app.
- In another move toward privacy, the Federal Trade Commission (FTC) has proposed extending the Children’s Online Privacy Protection Act to mobile apps that allow kids to:
- Receive targeted ads
- Participate in social networking
- Play network-connected games
Find your own balance of privacy vs. functionality and delete apps that do not allow you to change privacy or sharing settings.
Veracode Security Solutions
Vulnerability Assessment Tools
Web Vulnerability Scanner
Apple iOS Security
Mobile Phone Security
Facebook Security Issues
SDLC Phases
SQL Injection Attack
Android Application Security
