Following the news that the NSA and GCHQ have been using Smartphone apps, such as Angry Birds, to collect users’ information we have the following comments from Zscaler & Kaspersky Lab:
Michael Sutton, VP of security research at Zscaler:
“While app store gatekeepers such as Apple, Google and Amazon focus on ensuring that malicious apps aren’t included in their app stores, they tend to do a very poor job at filtering out those apps that expose users to privacy risks. This is in part driven by the very economy of the app store eco-system. The bulk of apps are free, but develops need to turn a profit somehow. That’s generally done by embedding advertising and sharing metrics with advertisers about user behaviour, better enabling advertisers to deliver targeted apps. While some may be fine with sharing data in order to receive ads targeted to their interests, others see it as a privacy concern and as we’ve recently seen, spy agencies, such as the NSA are taking advantage of the data shared by mobile applications. While Apple in particular has started cracking down on more egregious data leakage issues such as collecting geolocation data or contact information in violation of their developer guidelines and has added features to limit advertiser tracking, both iOS and Android still permit apps to share a significant amount of data about users and their devices. It is common for apps to embed advertiser SDKs which share device data such as the hardware and software versions being used, along with identifiers that can be used to track the device such as the device’s Unique Identifier (UDID) or Media Access Control (MAC) address. Personally Identifiable Information (PII) may also be shared with third parties if end users consent, although users often don’t realize what they’re consenting to. Users interested in knowing what data a given iOS/Android app may collect can leverage the free ZAP online tool provided by Zscaler.”
Vicente Diaz, Senior Malware Analyst at Kaspersky Lab:
It is not a surprise to hear that the NSA gathers information from Angry Birds. The information provided by these apps has already proven lucrative to both advertisers and developers so it stands to reason that it is also valuable to intelligence agencies. Many games allow users to play with contacts and friends and therefore bind those individuals to a network of people, just like social networks.
The latest version of Angry Birds asks the user for information on their location, mobile number and various other personal details – all this apparently for advertisement purposes. However, this can provide third parties with more information that you want to share, such as exactly where you are at any particular moment. It doesn’t seem so untoward when talking about one application, but this is just one example. Think about all the information you are providing to all the apps in your mobile device and what they are saying about you, your location, the people you talk to, and what you say to them. This shows how apparently innocent features can be used for a very different purpose when gathered with an ulterior motive.
At this point there are no technical details available but I understand that Angry Birds does not allow the user to opt out of sharing data, whether or not it is legitimately done for advertising purposes, and the user has no way to play Angry Birds without the program sending this data. However, we don´t know how many apps are being monitored by intelligence services, so we shouldn’t blame Angry Birds for monitoring their users.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.