Most apps track your location, even when they don’t need to, and many collect ‘alarming’ amounts of data
More than half of mobile applications collect “alarming quantities” of users’ personal data, although many don’t even need to, unnecessarily increasing data security threats, according to Hewlett Packard Enterprise (HPE) research.
The HPE Mobile Application Security Report 2016 relied on findings from an exercise involving the HPE Security Fortify on Demand system, which scanned more than 36,000 iOS and Android mobile apps.
As mobile applications become more prevalent in the work environment, it’s essential that organisations understand the security vulnerabilities of mobile applications and implement mobile security best practices and policies required to protect today’s digital enterprise, said HPE.
“Modern mobile applications are collecting, transmitting and storing a wide range of data that often is not necessary to the application’s function, and can cause significant financial and reputational damage if a vulnerability is exploited,” said Jason Schmitt, vice president and general manager, HPE Security Fortify at Hewlett Packard Enterprise.
“With attackers’ growing interest in mobile, it’s critical that developers build security into applications from the onset, and organisations take a proactive approach to data security to better protect both personal and corporate data.”
According to the report, a majority of mobile applications track your location, but not all of them need to. More than 50 percent of the scanned applications accessed geolocation data. This can create “serious privacy implications in the event of an attack”, HPE said, as an attacker can gain access to the physical location of otherwise anonymous, unsuspecting users.
While it makes sense for a traffic application to track location, the study found that more than 70 percent of education applications on iOS did as well. “This is disturbing as education applications are often marketed towards children”, said HPE.
Games and weather applications are also collecting calendar data. HPE found that calendar data was accessed by more than 40 percent of the iOS games and more than 50 percent of the iOS weather apps scanned. Calendar data can be particularly sensitive, detailing not just when business meetings take place, but also the topics and invitees.
In addition, ad and analytics frameworks put your most sensitive data at risk, HPE said. Ad and analytics frameworks are commonplace in application development, with more than 60 percent of applications scanned using these frameworks. A framework that is misconfigured – or insecure to begin with – could be storing or transmitting a significant amount of highly specific and potentially sensitive data about users.
Also, logging methods can expose data to unauthorised third parties. During the early development of applications, logging can be critical to the process of correcting “buggy” code, but once an application is running on a user’s device, it becomes a significant disclosure vulnerability. Approximately 95 percent of the applications scanned included logging methods.
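As an added illustration of the logging point above (not code from the HPE report or from any app it scanned), a small Python heuristic that flags android.util.Log calls whose arguments mention location, calendar or credential-like identifiers, and notes whether the call is gated on BuildConfig.DEBUG; the identifier list and the sample source are constructed assumptions, and the check is lexical only.

```python
import re

# android.util.Log call sites (Log.v/d/i/w/e/wtf)
LOG_CALL = re.compile(r'\bLog\.(?:v|d|i|w|e|wtf)\s*\(')
# Identifiers that suggest personal or secret data in a log message.
# Assumption: this list is illustrative, not taken from the HPE report.
SENSITIVE = re.compile(
    r'(?i)\b(?:lat(?:itude)?|lon(?:gitude)?|location|calendar|token|'
    r'password|passwd|email|phone|contact|imei|ssn)\b')
# A call wrapped in `if (BuildConfig.DEBUG)` is compiled out of release builds
DEBUG_GATE = re.compile(r'BuildConfig\.DEBUG')


def find_log_leaks(source: str):
    """Return (line_no, guarded, line) for every Log.* call whose arguments
    mention a sensitive-looking identifier. guarded=True means the call sits
    behind a BuildConfig.DEBUG check on the same line. Lexical heuristic only:
    no data-flow, so review hits by hand."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = LOG_CALL.search(line)
        if not m:
            continue
        args = line[m.end():]
        if SENSITIVE.search(args):
            guarded = DEBUG_GATE.search(line[:m.start()]) is not None
            hits.append((no, guarded, line.strip()))
    return hits


# Constructed sample: a fragment resembling an Android activity, not real app code
SAMPLE = """\
Location loc = client.getLastLocation();
Log.d(TAG, "got fix lat=" + loc.getLatitude() + " lon=" + loc.getLongitude());
Log.i(TAG, "sync started");
String token = prefs.getString("auth_token", "");
Log.v(TAG, "using token " + token);
if (BuildConfig.DEBUG) Log.d(TAG, "calendar events: " + events.size());
"""

if __name__ == "__main__":
    for no, guarded, line in find_log_leaks(SAMPLE):
        tag = "debug-only" if guarded else "LEAKS IN RELEASE"
        print(f"line {no}: {tag}: {line}")
```

Lines that log location or tokens without a gate are the disclosure cases the report describes; the gated line is only mitigated, since a stripping rule in the release build is the more robust fix.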
HPE said that if an application wants access to information it should not need, or that you do not understand, do not use the application. Such access could expose everything from contact data to geolocation data that is not necessary for the application to function.
“Be wary of applications storing large amounts of data. Avoid using applications that appear to store a lot of data locally or access data that they shouldn’t,” HPE warned.