Spy agencies are slurping personal data from leaky mobile apps
The US’ National Security Agency (NSA) and its UK counterpart, GCHQ, have been honing their data-slurping technologies to suck up whatever they can get from leaky smartphones, the Guardian reported on Tuesday.
Beyond device details, data shared over the internet by iOS and Android apps can include personal information such as age, gender, and location, while some apps share even more sensitive user information, such as sexual preference or whether a given user might be a swinger.
The Guardian, relying on top-secret documents handed over by whistleblower Edward Snowden, says that the spy guys are developing capabilities to milk this private information from apps as innocuous as the insanely popular Angry Birds game.
The agencies also apparently think of Google Maps as a gold mine. The Guardian reports that one project involved intercepting Google Maps queries from smartphones to collect large volumes of location data.
The newspaper quotes a 2008 document’s gleeful assessment of the Google Maps work, in which it noted that:
[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system.
The documents suggest that, depending on how much information a user has provided in his or her profile on a given app, the agency could collect “almost every key detail of a user’s life”, the Guardian reports: home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and number of children.
Given how popular Angry Birds is, and given that the secret documents use it as a case study, some articles have hung Angry Birds in their headlinery – that’s like finery, but with headlines instead of undies.
But Angry Birds shouldn’t be singled out as being in any way subverted or corrupted by the NSA or GCHQ.
Angry Birds is, after all, just one of thousands of mobile apps, none of which has been indicted as complicit with, or data-raked by, the NSA or GCHQ – rather, the spying agencies are, as news reports say, simply tapping data as it flies across the network.
Rovio, the maker of Angry Birds, told the Guardian that it wasn’t aware of any NSA or GCHQ programs looking to extract data from its apps users.
The newspaper quotes Saara Bergström, Rovio’s VP of marketing and communications:
Rovio doesn’t have any previous knowledge of this matter, and have not been aware of such activity in third-party advertising networks. Nor do we have any involvement with the organisations you mentioned [NSA and GCHQ].
Much of the profile data in question isn’t being nefariously pickpocketed from app users, at any rate.
As Naked Security pointed out on Monday in honor of Data Privacy Day, many of us are willingly giving our personal data away.
It’s easy to see why: it’s a heck of a lot more fun to have apps spill your beans, since in exchange we get linked to communities or get shiny doo-dads. All we have to do is fill out profiles with stuff they actually don’t, really, need – birthdates, marital status, etc.
We can take back a big chunk of our privacy simply by refusing to hand over data, whether it’s given in a profile or beamed out when we have WiFi and/or geolocation turned on.
Cinching our data waistbands can be done with three simple steps, outlined by Naked Security in the Privacy Plan Diet.
If you can live without “Find My iPad” or other such geolocation-dependent goodies, you can keep a lot of your data out of the hands of spies, marketers or other data busybodies.
But beyond information knowingly handed over in profiles, phone apps have a nasty habit of sharing more data than users may realize.
Sometimes the holes come from software bugs, but then again, sometimes data leakage is an unintended consequence of users’ own, deliberate actions, such as:
- Twitter users having geolocation turned on, using the word “home” in their tweets and, Presto! thereby potentially handing a nosy little application their home address.
- Soldiers snapping photos that smartphones then automatically geotag, giving the enemy their coordinates.
- Fugitives’ locations – John McAfee comes to mind – babbled by a photo’s location metadata, precise latitude, longitude, time and all.
Beyond bugs and deliberate leakage from probably-inattentive users is yet another category: apps that silently gulp data in the background while they’re doing innocent-seeming things in the foreground, such as being a flashlight or a mobile app for kids.
There are issues with mobile privacy, and then too there’s security.
Specifically, phones have lagged behind websites in their use of encryption, such as, for example, the notable lack of security in banking apps.
Why cast a hairy eyeball at privacy as it plays out in Angry Birds profile data when you’ve got iOS banking apps to worry about?
Given recent research from Ariel Sanchez, a researcher at security assessment company IOActive, there’s very little security indeed to be had there.
Sanchez found that out of 40 iOS banking apps used by 60 banks in about 20 countries, 70% of the apps offered no support at all for two-factor authentication (2FA), and 40% of the apps weren’t validating SSL certificates – in other words, they weren’t able to notice bogus SSL certificates when accessing supposedly secure HTTPS traffic and couldn’t, therefore, stop a theoretical man-in-the-middle attack.
What does this have to do with Angry Birds et al.?
If the connection between the phones and the servers such apps were talking to had been well-encrypted, then it’s likely that the data they exchanged would have been unintelligible to anyone trying to read it on-the-wire.
Should Angry Birds, or ads on Angry Birds, or the other apps in question, or the ads on those apps, have been using HTTPS or some form of encryption?
Yes. But the lack of such security measures isn’t, unfortunately, remarkable, as research including Sanchez’s work on iOS banking apps makes clear.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wiVSYLAdfLw/