Amid growing concern that smartphones are being exploited to leak sensitive user data, research from the Massachusetts Institute of Technology (MIT), Harvard, and Carnegie Mellon has revealed that mobile apps are leaking users' information to third parties on a massive scale.
These third parties are none other than the advertisers who use users' personal information, such as behavioral data, search terms, and location data, to understand and predict their buying behavior.
Android most damaging, iOS close second
Researchers at MIT tested 110 popular, free apps – half of them Android and half iOS. On Android, these were the top five most popular apps from the Google Play Store in the categories of Business, Games, Health & Fitness, and Travel & Local. Similarly, for Apple's App Store they tested the top five from the categories Business, Games, Health & Fitness, and Navigation.
The results were nothing less than shocking. A staggering 73% of the tested Android apps were found to be leaking users' email addresses to third parties, while 47% of the App Store apps were found to be leaking geo-coordinates and other location data to third parties.
The research also stated that 51 out of 55 Android apps connect to a mysterious domain, safemovedm.com. Its purpose could not be verified, but the connection is likely due to a background process of the Android phone.
“It may be a background connection being made by the Android operating system; thus we excluded it from the tables and figures in order to avoid mis-attributing this connection to the apps we tested. The relative emptiness of the information flows sent to safemovedm.com indicates the possibility of communication via other ports outside of HTTP not captured by mitmproxy.”
Why an information leak could be lethal
Describing how information-leaking apps pose a great risk to users' sensitive data, the research listed the following as the most concerning:
- An app may share a unique [ID] related to a device such as a System ID, SIM card ID, IMEI, MEID, MAC address, UDID, etc. The ID can be used to track an individual.
- An app can request user permission to access device functions and potentially personal or sensitive data, with the most popular requests being access to network communications, storage, phone calls, location, hardware controls, system tools, contact lists, and photos & videos.
- Some apps practice over-privileging, where the app requests permissions to access more data and device functions than it needs for advertising and data collection.
- Any data collected by the app may be sent to a third party, such as an advertiser.
- A user may have a hard time understanding permission screens and other privacy tools in a device’s operating system.
Windows Phone, the third most used mobile platform after iOS and Android, has certainly been found to be the safest bet among its compatriots. Although MIT's research did not mention whether Windows Phone apps leak users' information, statistics from ReCon, a cross-platform system that reveals PII leaks by inspecting network traffic, show that only one Windows app sent PII to trackers over SSL (Secure Sockets Layer).
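As an added example (not code from the article, the MIT study, or ReCon), the following Python script applies the kind of traffic inspection the study and ReCon describe: it scans a few constructed HTTP request records for PII fields named in the article (email addresses, IMEI-style device IDs, latitude/longitude parameters) and reports only those sent to a host outside the app's own first-party domain. The app package names, domains and request values are all constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample requests: (app's first-party domain, request URL, POST body)
SAMPLE_REQUESTS = [
    ("example-fitness.test", "https://api.example-fitness.test/login?email=alice%40mail.test", ""),
    ("example-fitness.test", "https://ads.tracker-example.test/collect?lat=42.3601&lon=-71.0589", ""),
    ("example-game.test", "https://metrics.tracker-example.test/v1",
     "imei=490154203237518&user=alice%40mail.test"),
    ("example-game.test", "https://cdn.example-game.test/assets/logo.png", ""),
]

# Value patterns for PII types the article names; IMEI is a bare 15-digit number
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
}
# Parameter names that carry location data regardless of their value format
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude"}


def is_third_party(host, first_party):
    """A host is first-party if it equals the app's domain or is a subdomain of it."""
    return not (host == first_party or host.endswith("." + first_party))


def find_pii(url, body):
    """Return (host, set of PII types) found in the query string and form body."""
    parsed = urlparse(url)
    fields = parse_qs(parsed.query)
    fields.update(parse_qs(body))
    found = set()
    for key, values in fields.items():
        if key.lower() in LOCATION_KEYS:
            found.add("location")
        for value in values:
            for name, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    found.add(name)
    return parsed.hostname, found


def third_party_leaks(requests):
    """List (first_party, third_party_host, [pii types]) for every request leaking PII off-domain."""
    leaks = []
    for first_party, url, body in requests:
        host, pii = find_pii(url, body)
        if pii and is_third_party(host, first_party):
            leaks.append((first_party, host, sorted(pii)))
    return leaks
```

On the constructed sample, the first-party login request is ignored while the two tracker-bound requests are flagged, one for location and one for an email address plus IMEI.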