Reports have emerged that "leaky" smartphone apps are transmitting users' private information across the internet to government spy agencies including the US National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ).
According to 'top secret documents' from a cache copied by former NSA contractor Edward Snowden – leaked to The New York Times, The Guardian and ProPublica – personal data including the age, sex and location of app users is being harvested from popular mobile games such as Angry Birds, and being used to track suspected terrorists.
One slide from a May 2010 NSA presentation, titled “Golden Nugget!”, set out the agency’s “perfect scenario”, described as a “target uploading photo to a social media site taken with a mobile device.” The presentation explained that in such a case, the agency could get a “possible image”, email and “a host of other social working data”.
It will perhaps come as no surprise that the NSA and GCHQ are harvesting data from smartphone apps. It has long been know that they use similar techniques to intercept mobile internet traffic and text message data. However, the documents reveal that the agencies are increasingly convinced of the importance of mobile applications data.
The joint spying programme "effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system" one 2008 document from the British intelligence agency is quoted as saying. Other applications mentioned by the documents include the photo-sharing site Flickr, movie-based social network Flixster and applications that connect to Facebook.
Thomas Labarthe, managing director for Europe at mobile security firm Lookout, explained that most apps do not use encryption when transmitting information, or only encrypt specific details such as financial transactions.
"If an app is not using encryption, it is basically handing over the data to anyone who's listening. This includes everything ranging from geo-location through to what’s being entered into forms, depending on the app," he said.
Another reason smartphone apps may be more 'leaky' than other platforms is because of how little control the user has over them. Adrian Culley, technical consultant at Damballa, formerly of Scotland Yard's Computer Crime Unit, said that once an app has been granted access to personal information, the user has little or no control over where their information then goes.
Paco Hope, principal consultant at software security consultancy Cigital, said that, whereas on a desktop you can browse the file system and snoop on programs looking for bad behaviour, none of this is possible on a smartphone platform. If the app developer makes a choice you do not like, you are pretty much stuck with the app behaving as written.
"The agencies watch everything that passes in the clear through major choke points on the Internet. When you register for a game and provide demographic information (e.g., birth date, gender, email), that is often transmitted in the clear from, say, your home WiFi to the game maker's servers," he said. "Agencies can see that data as it goes by. Combined with data from other sources, they build up a more detailed picture of you."
It is therefore the responsibility of app developers to protect the privacy of their customers, by increasing the level of encryption used, and devise better ways of making them aware of what information applications are capable of capturing or sending.
"When users install an application they will usually be presented with a warning or access message – however most people don’t read these before accepting and using the app," said Michael Darlington, technical director at global cloud security company Trend Micro.
Consumers also need to be cautious about what personal data they share with apps, and use the app settings to turn off access to data where possible," according to Grayson Milbourne, security intelligence director for Internet security company Webroot
"Consumers must think about the data they’re giving away. If they’re playing a game and it asks to access their microphone or geo-location – question why the app would need that. If it makes no sense, don’t agree," said Milbourne.
"Certain data – location, photos and so on – can only be taken if consumers agree. If apps store that information without permission then that is a whole other issue and one that will only ever end in court.”
If the app makes agreeing to such permissions a condition of installation, the user should think twice about installing the app at all, according to Culley.
"Very simply, to protect your privacy, when an app asks for access to any personal information, just say no. If in doubt about the provenance or commercial purpose of an app, don't install it," he said.