Mobile Applications Leak Device, Location Data

A study finds risky apps leave mobile devices open to SMS denial-of-service attack and remote SIM card rooting.

Both Android and iOS apps leak data, leaving users vulnerable to data theft, denial-of-service attacks, and remote SIM card rooting.

In a report released Thursday, “Are mobile apps a leaky tap in the enterprise?”, researchers at Zscaler assert that Android and iOS users are equally vulnerable to a wide range of mobile security threats tied to mobile apps.

According to the report, enterprises are challenged both by a growing number of BYOD devices entering the workplace and by users downloading risky apps from third-party sources. In its study of 45 million transactions over a three-month period, Zscaler identified privacy leakage as the most serious problem, with too many apps sending metadata, location and personally identifiable information to the developer’s server or an ad server. The report calls on companies to enforce stricter mobile device management programs to protect users and network assets.

IT administrators, Zscaler said, “should be applying strict MDM policies and educating employees about app security in an effort to stave off any kind of data loss or security breach.” Deepen Desai, director of security research at Zscaler, said administrators need to take control of the type of apps that are allowed to be installed on devices and they need to monitor app traffic over the corporate network and enforce policies.

When it came to monitoring 20 million Android app transactions over one quarter, the study said that 0.3 percent resulted in some level of private data becoming available to a third party. Zscaler said 58 percent of those Android transaction leaks were tied to exposure of a phone’s International Mobile Equipment Identity (IMEI) number, Media Access Control (MAC) address or International Mobile Subscriber Identity (IMSI) number.

“Such data can be leveraged for tracking the device and creating targeted attacks,” according to Zscaler. User data, in these cases, was shared with servers or ad-servers in clear text.

Another large share of Android transaction leaks (39.3 percent) is tied to the user’s location, including exact latitude and longitude coordinates, Zscaler said. Less common is leakage of an Android user’s personally identifiable information, which can give a third party access to the user’s mobile number and email address.

Zscaler said that when it comes to iOS apps, iPhones and iPads are not immune to security risks either. In fact, by a hair, iOS apps reveal more private data than their Android counterparts. However, the type of data iOS gives up is not as severe.

Based on a sample size of 26 million iOS transactions over three months, 0.5 percent resulted in privacy-related information being shared.

Most of that data, 72.3 percent, is iOS device metadata, according to Zscaler. Another 27 percent of the leaked iOS data was location data. About 0.2 percent of data leaked on iOS devices is personally identifiable information. Of all the iOS transactions in which privacy-related information is being sent, five percent resulted from malicious infections.
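The three leakage buckets the report uses for both platforms (device identifiers such as IMEI, IMSI, MAC and UDID; location coordinates; personally identifiable information such as email addresses and phone numbers) are the kind of thing an administrator monitoring app traffic on the corporate proxy can check for directly. The Python script below is an added example and is not code from the Zscaler report or from this article: it parses constructed proxy log lines, sorts each transaction's query parameters into the report's three buckets, flags transactions sent over plain HTTP as cleartext, and produces a per-platform tally in the shape of the report's breakdown. The log line format, hostnames, app identifiers, sample values and the matching heuristics (Luhn check for IMEI, 14 to 15 bare digits for IMSI, 40 hex characters for a classic iOS UDID, key names for coordinates) are all assumptions made for the example.

```python
"""Classify constructed proxy log lines by the report's privacy-leak buckets.

Added example, not Zscaler's detection logic. Log format, hosts, app ids and
heuristics are assumptions; the sample log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# The report's three leakage categories.
DEVICE, LOCATION, PII = "device_metadata", "location", "pii"

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")          # classic 40-hex iOS UDID
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d{10,13}$")
LOCATION_KEYS = ("lat", "lon", "lng", "latitude", "longitude", "geo")

# Assumed log format: <timestamp> <platform> <app id> <method> <url>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<platform>android|ios) (?P<app>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which the IMEI uses for its 15th (check) digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(key: str, value: str):
    """Return (category, kind) for one query parameter, or None if it looks benign."""
    k = key.lower()
    if value.isdigit() and len(value) == 15 and luhn_ok(value):
        return DEVICE, "imei"
    if value.isdigit() and 14 <= len(value) <= 15:
        return DEVICE, "imsi"               # IMSI has no check digit; heuristic only
    if MAC_RE.match(value):
        return DEVICE, "mac"
    if UDID_RE.match(value):
        return DEVICE, "udid"
    if any(tag in k for tag in LOCATION_KEYS):
        try:
            float(value)
            return LOCATION, "coordinate"
        except ValueError:
            pass
    if EMAIL_RE.match(value):
        return PII, "email"
    if PHONE_RE.match(value) and (value.startswith("+") or "phone" in k or "msisdn" in k):
        return PII, "phone"
    return None


def inspect_line(line: str):
    """Parse one log line and report which buckets its query string leaks into."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    findings = [classify_value(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    findings = [f for f in findings if f]
    return {
        "platform": m["platform"],
        "app": m["app"],
        "host": url.hostname,
        "cleartext": url.scheme == "http",  # identifiers sent without TLS
        "categories": sorted({c for c, _ in findings}),
        "kinds": sorted(kind for _, kind in findings),
    }


def summarize(lines):
    """Per-platform counts: transactions seen, how many leak, and per-bucket totals."""
    stats = {}
    for line in lines:
        r = inspect_line(line)
        if r is None:
            continue
        s = stats.setdefault(r["platform"], Counter())
        s["transactions"] += 1
        if r["categories"]:
            s["leaking"] += 1
            if r["cleartext"]:
                s["cleartext_leaks"] += 1
        for c in r["categories"]:
            s[c] += 1
    return stats


# Constructed sample log; hostnames use the reserved .invalid TLD.
SAMPLE_LOG = """\
2016-03-03T10:00:01Z android com.example.flashlight GET http://ads.example.invalid/v1/track?imei=490154203237518&mac=02:00:5e:10:00:01
2016-03-03T10:00:02Z android com.example.weather GET https://api.example.invalid/w?lat=37.7749&lon=-122.4194
2016-03-03T10:00:03Z android com.example.game POST https://cdn.example.invalid/assets/level3.bin
2016-03-03T10:00:04Z ios com.example.deals GET http://t.example.invalid/p?udid=0123456789abcdef0123456789abcdef01234567&email=user@example.invalid&phone=%2B14155550100
2016-03-03T10:00:05Z ios com.example.reader GET https://sync.example.invalid/s?session=abc123
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line))
    print(summarize(SAMPLE_LOG))
```

The script only looks at URL query strings, so identifiers carried in POST bodies, custom headers or cookies would need the proxy to log those fields as well, and the IMSI rule will also fire on any other 14 or 15 digit number. Treating every http:// transaction that carries an identifier as a cleartext leak is the useful signal here: it is exactly the "shared in clear text" case the report describes, and it is the one a proxy policy can block outright.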

The big takeaway is that leaking data, no matter the mobile OS, can be leveraged for more sophisticated attacks. Personal information coupled with location data can easily be leveraged in a well-crafted phishing attack, Zscaler asserts.

“Because hardware identifiers like MAC, GSM IMEI, IMSI, and UDID are globally unique and do not change over the lifetime of a device, the collection of such IDs allows for both tracking and physical device association. These identifiers can be exploited by a range of attacks,” Zscaler wrote in its report.

Attacks can include a GSM air interface attack where a hacker armed with a target’s IMEI can perform a remote SMS denial-of-service attack or remote SIM card rooting, Zscaler researchers said.

“The exact location of any person is highly valuable in this global era, where lots of spying and spoofing are done; such information can lead to mass compromise and/or targeted attacks. Phone numbers and email addresses are the quickest way to reach any individual, and can be leveraged for spamming and phishing attacks,” Zscaler wrote.

Citing a study by IBM and the Ponemon Institute, Zscaler said 40 percent of enterprises do not scan apps they develop in-house for security vulnerabilities. Fifty percent of those in-house developers do not allocate any money to security vulnerability testing.
