Or so a Guardian article claims – while mobile ads get the blame
According to a report in the UK’s Guardian newspaper, here, the USA’s National Security Agency and its UK counterpart – GCHQ, have been developing capabilities to take advantage of what it described as “leaky” smartphone apps. In the frame was the popular Angry Birds game. Guess who is taking the blame for smartphone personal information leaking out? That’s right, the mobile advertising industry which provides SDKs to app developers. That way they can at least make some money out of their ‘free’ software. Below, Kroll Ontrack and Zscaler comment on the revelations.
Some of the claims made in the Guardian article should be taken with a pinch of salt, of course.
How can GCHQ guess your sexual orientation from how you play Angry Birds, for example?
Michael Sutton, a vp for security research with Zscaler commented,”Whilst app store gatekeepers such as Apple, Google and Amazon focus on ensuring that malicious apps aren’t included in their app stores, they tend to do a very poor job at filtering out those apps that expose users to privacy risks.”
This is down to the very economy of the app store ecosystem. The vast majority of apps are free. So developerss need to turn a profit somehow.
That’s generally done by embedding advertising SDKs or by sharing metrics with advertisers about user behaviour.
This is, of course, desirable because it enables advertisers to deliver targeted ads to app users.
Sutton continues, “Whilst some may be fine with sharing data in order to receive ads targeted to their interests, others see it as a privacy concern.”
He added, “Apple in particular has started cracking down on more egregious data leakage issues such as collecting geolocation data or contact information in violation of their developer guidelines.”
“It has also added features to limit advertiser tracking – but both iOS and Android still permit apps to share a significant amount of data about users and their devices.”
Tony Dearsley, computer forensics manager at Kroll Ontrack UK, observes, “Advertising is typically targeted at the user by virtue of their online activities and profile gathered by the app supplier.”
He continued, “There is risk inherent with many such ‘free’ apps and when you install them they ask/demand access to many areas such as contact list, network, internet and a plethora of other running services on the device.”
“Most people answer “Yes” to the prompts, not realising the level of information to which they have given access.”
“Act with caution when installing Apps and granting permissions. Ask yourself would I give the information this app is asking for to a stranger in the street,” Dearsley added.
Technically speaking it is common for app developers to embed advertiser SDKs which share device data such as the hardware and software versions being used.
That’s along with identifiers that can be used to track the device such as the device’s Unique Identifier (UDID) or Media Access Control (MAC) address.
Personally Identifiable Information (PII) may also be shared with third parties if end users consent, although most users often don’t realize what they’re consenting to.
Now it just so happens that Zscaler reckons it offers a couple of resources which will help worried smartphone users.
Firstly it offers an online service which lists known iOS/Android apps an attempts to rate the kind of information that a specific app may collect.
We suggest you access this free ZAP online tool from Zscaler via a desktop here.
The alternative is to download Zscaler’s SafeBrowser. We can’t figure out how to authorise it to test it but just search on Zscaler and you should be able to find it.