What’s in your apps?? Lessons from the Los Angeles / Weather Channel app lawsuit.
The City of Los Angeles has sued to stop the operator of The Weather Channel’s mobile phone application from allegedly “covertly mining the private data of users and selling the information to third parties, including advertisers.”
“We’re acting to stop this alleged deceit,” Los Angeles City Attorney Mike Feuer said Friday in a statement. “We allege TWC (The Weather Channel) elevates corporate profits over users’ privacy, misleading them into allowing their movements to be tracked, 24/7.”
According to CNN, defendant TWC Product and Technology, a subsidiary of IBM, disputes the claims. “Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously,” IBM spokesman Saswato Das told CNN.
What’s in your apps?
Without commenting on the case itself, the dispute reinforces a key question in enterprise mobile security: what’s in your apps?? While Zimperium’s zIPS solution provides the best protection against active mobile attacks, one of the other products in our portfolio (z3A) gives even greater visibility into the risk of the applications installed on users’ devices.
Zimperium’s z3A (advanced app analysis) continually evaluates mobile app risk across company employees and their devices. z3A provides intelligent insight into the apps installed on your employees’ devices. You can see which apps are safe or risky, and set security policies to reduce that risk. For each app, z3A provides executive, technical, JSON and other reports.
z3A Privacy Example: iOS Weather Channel app
The lawsuit prompted us to look at the z3A reports of a recent Weather Channel iOS app. We were wondering what the app’s privacy risks were. We have included some screenshots of the actual z3A Technical Report to showcase some of the real world findings.
Overall, the app was determined to have many privacy risk elements, as shown in the report’s summary introduction:
“High Risk” Privacy Issues:
Some of the app’s highest privacy risks are shown below. It is interesting that the app can access EXIF metadata from stored photos and videos, which Apple prohibits, and includes pin-point location functionality that is only supposed to be used by actual navigation apps.
“Medium Risk” Privacy Issues:
While not quite as critical as the high privacy risk items just shown, the app had a significant number of medium security risks too. As you can see, there are quite a few issues around data leakage, advertising (including AdMob, not just ads within the app) and the sending of PII such as first name, last name and the device’s UUID (universally unique identifier). Depending on your organization’s risk tolerance, some of these may be critical enough to warrant creating custom policies, perhaps by specific user groups.
OWASP “Top 10 Mobile” Categories:
For another view, z3A also reports on how each app does against the OWASP Top 10 Mobile Categories. Overall, the app passed only 5 of the 10, earning it a “Fail”. Here are a few privacy categories that led to that failure:
- M2: Insecure Data Storage.
  - The app may be leaking data via the UIText auto-correction functionality.
  - The app has the ability to send email.
  - The app implements the MFMessageComposeViewController. This enables the app to send SMS messages programmatically. Unintentional data leakage, SMS spam and trojan behavior are risk considerations.
- M3: Insecure Communications.
  - The app is using a non-encrypted HTTP connection.
  - The app sends query parameters with private information such as the first name, last name, email address and UUID.
- M5: Insufficient Cryptography.
  - The app is configured to allow insecure and unverified connections to servers with lower TLS versions.
If you would like to learn more about z3A, or other Zimperium solutions, please contact us.