Are your apps leaking your private details?

For many regular readers here, this is probably not overly surprising: some of your apps may do nasty things. Yes, yes, we’re all very shocked about this but all jokes aside, it’s a rather nasty problem that kids in particular are at risk of. There was a piece a few days back on Channel 4 in the UK about Apps, ads and what they get from your phone where a bunch of kids had their traffic intercepted by a security firm. The results were then shared with the participants where their shocked responses could then be observed by all.

I got asked for some comments on this by SBS TV here locally which went to air last night:

This brings me to the two points I make in the video:

  1. Get your apps from the official app stores. Take apps from nefarious sources outside of there (primarily Androids and jail-broken iOS devices) and you have no certainty of the integrity or intent of what you’re getting.
  2. Read the warnings your device gives you! Modern mobile operating systems are exceptionally good at “sandboxing” apps, that is, ensuring they run without access to other assets on the device unless you give them your express permission!

When we see kids’ photos being accessed via third party apps, it’s almost certainly because they’ve accepted a prompt just like this:

My Tom asking for access to the microphone

Now this is a simple decision – do you really like “My Tom” enough to allow it to listen to you whilst the app is running? Perhaps, but what if it asked for access to your photos? Or your contacts? You might have the common sense to reject that but kids, not so much. They see a prompt where the path forward is “OK” and just as the girl in the Channel 4 piece says, they don’t read the terms and conditions and instead just immediately jump in. Come to think of it, it’s not just kids that do that!

Apps accessing personal data such as the address book is serious business. A few years back there was an uproar around the Path app sending users’ entire address book back to their servers. Apple was decidedly unimpressed about the whole affair and as they say in that link:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

Several years on, things are certainly better but that one great security risk we’ve always had still remains – gullible humans!


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals