Mobile apps siphon off reams of data through excessive permissions

Each mobile app includes an average of nine permissions that you agree to in order to download the app to your phone--permissions that grant access to your name, phone number, email address, phone call history, contact list and other personal data, according to a study by Mojave Threat Labs.

The average mobile device has about 200 apps downloaded, which means the average user agrees to 1,800 permissions that grant access to a treasure trove of personal and corporate data.

App developers collect the data for mobile advertising libraries, which are used to track ad revenues and user statistics, as well as integrate with social media and analytics application programming interfaces (APIs), explains Ryan Smith, lead threat engineer at Mojave Networks, in a Help Net Security article.

Mobile ad libraries are "large packages of code written by a third party, which the developer includes in their mobile app to help them add standard functionality," Smith adds. There are thousands of mobile ad libraries available to mobile app developers, such as AdMob, Airpush, Flurry and Millennial Media. Airpush, for example, collects geolocation data, browser history, zip code, device ID and a list of mobile apps installed on the device.

Giving app developers and libraries access to this information is "like entrusting your house keys to your teenager for the weekend, only to have them immediately make copies for their friends, unbeknownst to you," writes Smith.

Enterprises as well as individuals are at risk from these mobile ad libraries, Smith warns. Based on a study of more than 11 million URLs its customers have connected to through apps, Mojave Threat Labs finds that business users connect to at least as many of these libraries as consumer users.

More than three-quarters of apps downloaded by business users connect to either a mobile ad network, social media API or analytics API, all of which could pose risks to sensitive corporate data.

"It is critically important that users and IT administrators understand what data is being collected from their devices, where it is being sent, and how it is being used. Given that the majority of the sensitive data being collected occurs within these third party libraries such as ad networks, social media APIs, and analytics tools, it is therefore important to fully understand each of the libraries included in your mobile apps," concludes Smith.
