Leaky Mobile Apps Expose Personal Info for Millions

A full quarter of all mobile apps have at least one high-risk security flaw, while 35% of communications sent by mobile devices are unencrypted.

This is of concern given that the average mobile device connects to 160 unique servers each day, representing an inordinate amount of exposure.

According to the 2016 NowSecure Mobile Security Report, when it comes to the five most-popular app categories (business, finance, games, shopping and social), business apps are three times more likely to leak login credentials than the average app. Gaming apps, meanwhile, are one-and-a-half times more likely to include a high-risk vulnerability than the average app.

“Leaky apps are the No. 1 security problem facing mobile users today,” said Andrew Hoog, CEO and Founder of NowSecure. “They transmit and/or store private user information and have vulnerabilities that can result in the loss of private, sensitive user data.”

In an analysis of more than 400,000 apps available from the Google Play store, the report found that overall, 10.8% of all apps leak sensitive data over the network. Most prominently, half of those do so by sending data such as phone numbers, IMEI numbers, call logs, location coordinates and more to an ad network.

Personal data leaked by multiple apps can be used as reconnaissance for social engineering schemes. For example, if the user is targeted, credentials leaked by a productivity app might grant an attacker access to a cache of sensitive information. Or a hacker could gain access to a user name and GPS location, enabling them to correctly guess the answers to security questions on other accounts.

Hoog added, “We conducted this extensive research and reported our findings to make mobile users, as well as enterprise IT and security teams, aware of the danger of mobile devices and apps storing and transmitting sensitive and personal data insecurely.”

Consumers and employees should be concerned about the security of their mobile devices and apps, and can take a number of precautions to protect themselves. At the very least, it’s important to enable a passcode, PIN or pattern lock on the device, and log out of mobile apps when not in use. Users should also only download apps from the official Apple App Store and Google Play, update operating systems and apps when new versions are available, and avoid unsecured Wi-Fi.

Photo © Sergey Nivens
