Zimperium's Mobile Security Blog

Don’t Kick Yourself Later for Not Knowing the Privacy and Security Risks of Your Mobile Apps Now

New reports are published every week about privacy and security problems affecting everyday consumers via mobile apps. FaceApp, the mobile app for iOS and Android, uses neural network technology to automatically generate highly realistic transformations of faces in photographs. The app can transform a face to make it smile, look younger, look older, or change gender. The inherent privacy risks of this app – which has been available for two years – only became an issue when a viral tweet revealed that the app was developed by a Russian company.

The reality is, our mobile devices are full of seemingly innocuous apps. However, most of us have no idea how much information those apps are really collecting. We have no idea what kind of security risks we incur.

Recently, TechCrunch reported Spanish soccer’s premier league, LaLiga, netted itself an approximate $280,000 fine for privacy violations of Europe’s General Data Protection Regulation (GDPR), related to its official app. 

Per the story, “Users of the LaLiga app were outraged to discover the smartphone software does rather more than show minute-by-minute commentary of football matches — but can use the microphone and GPS of fans’ phones to record their surroundings in a bid to identify bars which are unofficially streaming games instead of coughing up for broadcasting rights. 

“Unwitting fans who hadn’t read the tea leaves of opaque app permissions took to social media to vent their anger at finding they’d been co-opted into an unofficial LaLiga piracy police force as the app repurposed their smartphone sensors to rat out their favorite local bars.”

Last month, we blogged about our findings on banking apps and found that not all banking apps are created equal. We then examined the LaLiga app with the same technology we used to examine the iOS and Android banking apps from the top 45 US banks and mobile payment providers. Our findings are on one hand startling, but on the other not so unexpected.

Based on the TechCrunch story we already knew – and confirmed through our findings – that the microphone and GPS of LaLiga app users’ phones could be used to record their surroundings. In addition, we found:  

  • The app has several different analytics libraries installed to measure customer engagement and app performance, but it also includes what appears to be a backdoor to capture metrics on communication, such as telephone call details and WiFi network discovery.
  • Power, CPU, memory and process usage are also collected.
  • All of this data is mapped to the device fingerprint along with the UUID and additional device information, giving LaLiga powerful tracking abilities over the device, and thus the user, beyond just their use of the LaLiga application.
  • The functionality to map WiFi signal strength is used to triangulate the user’s position. This method is often used as a secondary approach to capture the user’s location when the location service is disabled on the device.
  • The management of the data collection is controlled via a configuration file on the internet fetched over HTTP, not HTTPS.

The app has the ability to track a user’s location without the location feature being enabled on the device. It sends that data over unencrypted channels, potentially exposing user data to capture by a third party.
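As an added example (not code from the Zimperium post or its z3A product), here is a small Python triage script that checks an Android manifest for the risk patterns described above: microphone plus GPS, WiFi scanning usable as a location proxy, phone-state access, and cleartext HTTP explicitly permitted. The sample manifest and the rule labels are constructed for illustration; they are not the LaLiga app's real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration; not the LaLiga app's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fanapp">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="FanApp" android:usesCleartextTraffic="true"/>
</manifest>
"""

# Each rule pairs a finding with the set of permissions that together trigger it.
PERMISSION_RULES = [
    ("microphone plus GPS: can record surroundings and tie the recording to a place",
     {"android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION"}),
    ("WiFi scanning: can approximate location from nearby networks even with GPS off",
     {"android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE"}),
    ("phone state: can read call and device identifiers usable for fingerprinting",
     {"android.permission.READ_PHONE_STATE"}),
]

def declared_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def cleartext_allowed(manifest_xml):
    """True when <application> explicitly opts in to plain-HTTP traffic. A missing
    attribute counts as not permitted here; the real default depends on targetSdkVersion."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"

def triage(manifest_xml):
    """List the risk findings for a manifest, in rule order, with cleartext last."""
    perms = declared_permissions(manifest_xml)
    findings = [label for label, needed in PERMISSION_RULES if needed <= perms]
    if cleartext_allowed(manifest_xml):
        findings.append("cleartext traffic permitted: config and telemetry may travel over plain HTTP")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("RISK:", finding)
```

Flipping usesCleartextTraffic to "false" removes the cleartext finding while the permission-based findings remain, which is the distinction between a deliberate data-collection feature and a transport misconfiguration.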

Beyond knowingly implementing features that may violate security or privacy ethics, there are also accidental violations that are contributing to the rise in risk from apps. We don’t know whether LaLiga was aware of the lack of encryption. We do know it shows sloppy practices. 

Developers not adhering to coding best practices is all too common. In an effort to meet deadlines, developers often take shortcuts. They frequently include extra code to enable features that may have unintended consequences for privacy and security. 

We also know consumer apps like LaLiga’s app can be found on mobile devices used by executives, salespeople and entrepreneurs. Now that mobile devices are the de facto platform for productivity in business, we see risky apps pop up on almost every smartphone – creating severe privacy and security risks for the individual and that business.

How Risky is a Risky App?

How do we know all this information? Our Zimperium reporting mechanism is called z3A – an application reputation scanning service continually evaluating risks posed by mobile apps. z3A provides deep intelligence about app behavior, including content (the app code itself), intent (the app’s behavior), and context (the domains, certificates, shared code, network communications, and other data). 

For a business, z3A is an invaluable resource. It is the only product that can automatically give businesses true visibility into the risks their employees’ apps expose their companies to – each employee and every one of the apps they bring with them to work.

Our customers are enterprise organizations and government agencies from all over the world. They have hundreds of thousands of employees using millions of apps (yes, Candy Crush and FaceApp count).

z3A allows organizations to better understand the risk that mobile apps in their environment pose. In conjunction with additional enterprise capabilities in the larger Zimperium platform, z3A can reduce that risk.

Not every risky app is cause for concern. Deep insight into app behavior can help separate the good from the bad. We provide privacy and security ratings by explaining what the building blocks of an app are and what the app can do. This enables enterprises to create tailored security policies to limit or remove risky apps from managed devices.

Security policies can monitor for specific applications that are out of compliance and direct mobile device management (MDM) tools to take action as defined by the organization. This keeps you protected from the apps that are bad while ensuring innocent apps can still be used for regular business.