The mobile apps on your smartphone or tablet could be exposing your personal information and even your passwords, according to new research by Zscaler Inc., a cloud-based provider of Internet security for businesses. And that poses a risk not just for individual users but for their employers' computer networks.
ThreatLabZ, the San Jose, Calif.-based company's security research arm, analyzed more than 500 popular mobile apps and discovered that 60% of them leak information about the device and/or user. The research concluded that 10% of these apps expose user names and passwords; 25% expose personally identifiable information, such as names, email addresses and phone numbers; and 40% communicate with third parties, such as advertisers and analytics firms.
"People download apps from a centralized location, from Google, Apple or Amazon, and mistakenly believe that these are completely secure applications," says Michael Sutton, Washington, D.C.-based vice-president of security research at Zscaler and a developer of the Zscaler Application Profiler, or ZAP. "Our findings suggest otherwise."
Zscaler has released ZAP as a free online tool so users can better understand how the mobile apps they use access and share personal information. Users can search ZAP's database of pre-scanned apps to see which types of data a given app leaks and the app's overall security/privacy risk score out of 100. A higher score means a higher risk.
For example, the popular game Angry Birds has a risk score of 50. This app shares device metadata, such as the phone's unique device identifier, and transmits information to third parties. Over time, says Sutton, app developers and advertisers can collect information without users' knowledge or permission and build profiles of each person's usage pattern. Advertisers could use these profiles to offer targeted ad messages, while app developers could sell the profiles to advertisers.
Sutton says the research finding that most worries him is that so many apps leak user names and passwords. The risk is that users who access mobile apps on a public Wi-Fi network and reuse the same login and password in multiple places, including corporate email, could unknowingly expose their credentials to anyone monitoring the network. "That's why companies should care about the privacy implications of an application, even if it is used on a personal device and is a non-work-related app," says Sutton.
Zscaler is crowdsourcing further research on this topic by inviting users to scan the mobile apps on their smartphones to add to the database. The company has posted a video explaining how to scan your smartphone so mobile-app users, regardless of how tech-savvy they are, can understand how their information is shared.