Forget Epsilon, Fear the Angry Bird

By Andrew Storms

No doubt you read about the huge email security breach Epsilon announced earlier this month. You may have received letters from companies that use Epsilon services about the possible loss of your email information. A lot of people are justifiably concerned that spear phishing and other nefarious attacks will be launched against millions of people as a result of that breach.

As bad as that Epsilon breach was, I think most people have far more serious privacy concerns on their smartphones. In fact, many consumers are actually paying to have their privacy assaulted.

The Wall Street Journal recently tested 101 popular mobile applications on iPhone and Android devices to understand what kind of data each app collects and shares. It found that 56 of the 101 apps transmitted the phone's unique device ID to outside companies without the user's awareness or consent, 47 transmitted the phone's location in some way, and a number of them gather and share information that has nothing to do with what the application actually does.

I like Angry Birds. It’s simple and addicting. I had no idea that it was accessing my iPad’s Address Book and, according to the WSJ, sharing my contacts with third parties.

According to Rovio, Angry Birds is the top-selling iPhone application in 67 countries, and in August 2010 VentureBeat reported that Rovio had sold 6.5 million copies. If iOS device sales and Angry Birds downloads keep up their current growth, Rovio has built, and is rapidly adding to, a huge cache of contact data.

What does this mean to you? For one thing, Rovio is gathering your location data and everything in your address book and saving it. It might be selling or trading that data with third parties. The list of other things that can be done with this information without your permission is mind-boggling.

Imagine getting an email from your friend Matt:

Hey Paul-

I’m sending you this email from my iPad while I’m here at Starbucks on Washington St. They have a great new promotion that lets me send a friend a free cup of coffee while I’m here using their free Wi-Fi. All you have to do is click on the link below to print out a personalized coupon.

<<“nefarious spear phishing URL here”>>

Wouldn’t that email be convincing? Free coffee from a friend who is using the free Wi-Fi at the Starbucks down the street sounds great, right? What you don’t know is that as soon as you click the link you are taken to a malicious website that tries every malware trick in the book.

There’s more bad news. Angry Birds isn’t the only application that reaches into all corners of your private information without letting you know. For your own safety, take a few minutes and read the WSJ study. This is particularly important if you are using an iOS device in an enterprise environment where the contacts on your phone could be considered confidential company property.

Smart consumers are only part of the solution to this problem. Apple needs to step up its consumer privacy policies as well. Apple wants to have it both ways: on one hand, it claims that the closed iTunes system and its review process, along with the ability to remove apps from phones remotely, keep consumers safe; on the other hand, it takes no responsibility for what happens to consumer data after an app is downloaded.

At the minimum, Apple needs to require app publishers to tell consumers in plain language what kind of data every application accesses and what happens to that data. This information should be available to consumers before they purchase an application.

If Apple continues to let app publishers do whatever they want with consumer data, it could find itself on the receiving end of some very difficult questions about privacy.

Andrew Storms is the director of security operations at nCircle.


Discussion

  • Dennis Forbes on

    Angry Birds on Android, as a counterpoint, has and demands no rights. It can't get your location (either coarse or fine). It can't read your phone number or identifier. It can't look at your contacts, messages, or emails.

    It is limited to essentially playing a game.

    That's the value of a granular rights-based permission system.
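A worked illustration of the permission audit the comment above describes, and of the plain-language disclosure the article asks Apple for, as an added example (Python written for this page, not code from the article, Rovio, Apple or the commenters): on Android every permission an app can use must be declared in its AndroidManifest.xml, so the manifest can be read up front to tell a user whether a game is able to reach contacts, location or the device identifier. Both manifests in the script are constructed for illustration and are not Rovio's; the table of sensitive permissions is the author's choice, covering the data categories the WSJ study and the comment mention.

```python
"""Audit an Android manifest for permissions that expose personal data.

Added example, not from the Threatpost article or its commenters. The
two manifests below are constructed for illustration and are not the
real manifests of Angry Birds or any other app.
"""
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that reach personal data, mapped to a plain-language
# description of what they expose (author's selection, not exhaustive).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone number / device ID",
    "android.permission.READ_SMS": "text messages",
    "android.permission.GET_ACCOUNTS": "account names (e.g. email)",
}

# Constructed manifest for a game that asks for nothing personal:
# network for ads/scores and vibration, and that is all.
GAME_ONLY = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed manifest for a game that also reaches into the address
# book, precise location and the device identifier.
OVERREACHING = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names an app declares, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def personal_data_exposed(manifest_xml):
    """Return (permission, data category) pairs for every declared
    permission that can reach personal data; empty for a clean app."""
    return [(p, SENSITIVE[p]) for p in declared_permissions(manifest_xml)
            if p in SENSITIVE]


def disclosure(manifest_xml):
    """The plain-language notice the article asks for, derived from
    what the app declares rather than from what its publisher says."""
    exposed = personal_data_exposed(manifest_xml)
    if not exposed:
        return "This app declares no access to your personal data."
    categories = ", ".join(category for _, category in exposed)
    return "This app can access: " + categories + "."


if __name__ == "__main__":
    for label, manifest in (("game-only", GAME_ONLY), ("overreaching", OVERREACHING)):
        print(label + ": " + disclosure(manifest))
```

The caveat a practitioner would want: a manifest tells you what an app is allowed to touch, not what it actually transmits, so a network capture of the kind the WSJ did is still needed to know where the data goes. At the time of this article an Android user's only choice was to accept every declared permission at install or not install, and iOS of the same era had no equivalent list a user could inspect, which is exactly the gap the article is pointing at.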

  • pgl on

    "It's simple and addicting". ITYM "addictive". HTH. HAND.
