Every week it seems like there is a new story about a popular mobile application having privacy issues that put its users at risk. With millions of mobile apps receiving billions of downloads, it is important that users are aware of the risks they face when downloading and using apps. This infographic uses real-world cases to outline the threat to user privacy posed by mobile apps.
There is no doubt you’ve heard about privacy issues related to Facebook, Google, and other major websites. But have you considered the privacy issues that could be occurring right on your mobile device?
About 25 billion Google Play and iOS apps were downloaded in 2011.
At the end of 2011, the millionth mobile app hit the market.
With the popularity of mobile apps increasing, what privacy concerns should users be aware of? There are 4 levels of potential risk:
Application Layer - Apps with vulnerabilities and malicious code have access to your data and your device's sensors.
Hardware Layer - Attackers use memory corruption defects in firmware to gain administrative access to your device.
Network Layer - Information can be intercepted over the air. Mobile WiFi has all the same problems that laptops have on WiFi.
Operating System Layer - iPhone and Android jailbreaks exploit defects in your phone’s operating system.
Some mobile apps upload users’ contact lists and store them without permission.
In mid-April, researchers discovered that a fake version of the Instagram app for Android installed malware on users’ devices after being downloaded from third-party sites.
Fake applications are a common method used by attackers to spread malware. Only download apps from trusted app stores.
Also in February, the mobile social network Path was discovered to be uploading whole address books to servers without the app users knowing.
A developer noticed this was occurring. In response, Path said they deleted all of the data they had stored but continued to collect anonymized/hashed data per users’ permission.
Ad Libraries Accessing Your Data
Smartphone users should be aware of the risks some mobile ads pose.
In a study of 100,000 apps in the Google Play market, more than half had ad libraries. Of these apps, 297 had aggressive libraries that could run code from remote servers.
In-app ad libraries can retrieve ads remotely, and some ad libraries have the same permissions that users grant the app during installation.
Some ad libraries can access:
A user's location
Lists of all apps on the phone
Privacy concerns have led to legal action.
In March of this year, a class action lawsuit was filed on behalf of 13 plaintiffs, naming 18 companies, some well known, as allegedly negligent (including Facebook, Instagram, LinkedIn, Foursquare, and Yelp!).
The complaint involves the plaintiffs’ concerns that some apps are allegedly taking information from users in a “surreptitious” manner.
This information and data could be used for commercial reasons.
No cases to date have proven that data is being used for reasons aside from the normal usage of the app.
In another move toward privacy, the Federal Trade Commission (FTC) has proposed extending the Children’s Online Privacy Protection Act to mobile apps that allow kids to:
Receive targeted ads
Participate in social networking
Play network-connected games
Find your own balance of privacy vs. functionality and delete apps that do not allow you to change privacy or sharing settings.
Nate joined Veracode as a marketing specialist in early 2012. He is one of Veracode’s first co-ops from Northeastern University, where he is majoring in entrepreneurship and new venture management while minoring in music. He has various responsibilities at Veracode, including blogging, SEO, and infographic design.