
Smartphone Apps Pose Rising Privacy Threat Even amid Public Outcry over NSA Spying

An alarming proportion of Android applications can find and open private photos on smartphones, track users’ locations, divulge e-mail addresses over the internet and leak address books and phone logs, according to an analysis of 836,021 Play Store Android applications by antivirus software provider Bitdefender.

The findings further raise privacy concerns in the light of revelations by former US intelligence contractor Edward Snowden that the US NSA and the UK’s Government Communications Headquarters planned to extract data from users’ smartphones via applications including the popular Angry Birds game.

Most smartphone or tablet owners have at least one app – and probably several – that could be used to siphon sensitive information from their phones.

Some 35.37 percent of the apps that Bitdefender analyzed today can track a user’s location, and almost 3 percent can access the location even when the app is running in the background without the user’s knowledge. Some 6.66 percent of these apps can also send the device location over the Internet.

Up to 3 percent of the applications can divulge e-mail addresses over the Internet, the data show. Some 1,749 upload the address over an encrypted connection, while 1,661 do it over an unencrypted connection that can be easily intercepted.

Unauthorized permissions may also provide access to the device’s location, address books, buddy lists, telephone logs and geographic data from photos uploaded to the mobile versions of Facebook, Flickr, LinkedIn and Twitter.

Facebook and Twitter clear photos of metadata before publication but a third party could duplicate the info as it travels across the carrier’s mobile network and store it for further processing. This can also happen when third-party ad providers take data from the phone to use for targeted advertisements. In this case, the ad network only serves as a vector.

The Bitdefender analysis also revealed that 5.5 percent of the applications can locate and open photos on a phone and almost 10 percent include permissions to read the contact lists. Many have a legitimate need for this data but others are clearly intrusive.

In a mobile environment, applications integrate with each other and apps can access information specific to other applications. For instance, a game could access and use information stored in the address book or read profile data from social connectors such as Facebook or Google+.

Depending on the permissions granted upon installation, an application might process the accessed information and send it to the developer or a third party. This information is mainly collected by third parties such as ad networks that use it to push targeted advertisements.

Smartphones more closely resemble a computer than they do the phones of old. They store immense amounts of highly personal data about one’s identity, schedule, friends, activities and work.

Smartphone users should pay close attention to the permissions apps request and never allow installation unless convinced the app needs those permissions. Permissions related to social networks and the device’s sensors, such as the camera, microphone and GPS, are highly likely to collect and report inputs. We advise users not to install such applications unless they feel comfortable with this information landing in a third party’s hands.

Handy mobile apps such as Clueful can display permissions required by each app and help with privacy decisions. Ultimately, though, a smartphone is not a good store of highly sensitive data.
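The permission review recommended above can also be done by hand on an app's manifest. The following is an added example, not Bitdefender's methodology or Clueful's code: it reads a decoded (text) AndroidManifest.xml, maps requested permissions to the data categories this article lists, and reports whether the app can also reach the network. The category mapping, the function name `audit_manifest` and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permission -> data category from the article (the mapping is this example's own choice).
SENSITIVE = {
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "ACCESS_BACKGROUND_LOCATION": "background location",
    P + "READ_CONTACTS": "address book",
    P + "GET_ACCOUNTS": "account/e-mail addresses",
    P + "READ_CALL_LOG": "phone logs",
    P + "READ_EXTERNAL_STORAGE": "photos/shared storage",
    P + "CAMERA": "camera",
    P + "RECORD_AUDIO": "microphone",
}

def audit_manifest(manifest_xml):
    """Return (sensitive_categories, can_upload) for a decoded manifest string."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> elements carry the permission in the android:name attribute.
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    categories = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    # INTERNET is required for the app itself to open network sockets.
    can_upload = (P + "INTERNET") in requested
    return categories, can_upload

# Constructed sample: manifest of a hypothetical flashlight app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    cats, can_upload = audit_manifest(SAMPLE)
    print("Sensitive data reachable:", ", ".join(cats) or "none")
    print("Can send it over the network:", can_upload)
```

A flashlight needs the camera (for the LED) but has no evident use for location or contacts, which is the kind of mismatch the advice above asks users to look for.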

About the author

Loredana BOTEZATU

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

1 Comment

  • Why on Earth would you be trying to foment fear and suspicion instead of giving useful, practical advice on how to remain safe? This kind of baseless scaremongering has only one purpose and that’s for BitDefender to market their products. If you don’t work for BitDefender, what’s YOUR angle?

    OF COURSE apps can access data they need to work. A mapping app would be pretty useless without your current location for instance.

    The way to remain safe is not to install apps when they demand a permission they don’t need – for instance a photo-editing app which needs permission to make telephone calls!

    Shoddy, scaremongering journalism which has no useful purpose to the intended readership.