Using apps and mobile websites is normal for smartphone users, but applications you trust could be leaking your personal information — and it can be surprisingly easy for a hacker to find it.
“There are so many very popular, recognizable brands out there producing apps and websites that are leaking personally identifiable information,” said Michael Covington, a vice president of product for mobile security company Wandera.
The global app business is now worth over $140 billion a year, according to the App Association. Every hour, more than 10 million apps are downloaded, according to analytics service company App Annie.
More than 200 apps were found to be exposing sensitive consumer information, with close to 60 percent of the leaks coming from news, sports and shopping apps. The study was released in December by Wandera.
“I as an information security professional was not aware that this many brands were not protecting that information,” said Covington.
Another nearly 30 percent of leaks came from travel, entertainment, lifestyle and technology applications and mobile websites. Adult content was one of the most insecure categories. Eighty percent of the top 50 adult services apps and mobile websites leak personal information.
“Maybe it’s leaking your username, your password and your credit card information just by you hitting a single button … anything that they may have put into that tool is vulnerable,” Covington said.
The most commonly exposed data is usernames and passwords, but sometimes credit card or Social Security numbers are leaked too.
“If you think about the combination of a username and a password, that’s all that you need as an attacker to get access to everything else that might be in an account,” Covington said.
Apps and mobile websites sometimes collect information from smartphones and tablets, such as the user’s location.
The risk is even bigger for business apps. Wandera found that a meeting room software provider’s website and mobile app was leaking usernames and passwords. While that may seem innocuous, once cybercriminals accessed the service, they were able to reserve rooms and get security access to the building.
Why do the leaks occur? Often because of flaws in the code, such as not using secure communication. Also, there is pressure on developers to get apps out quickly.
“As they really rush to get their app out into the marketplace, in the process they lose sight of some of the more fundamentally important things like security and privacy,” Covington said.
Another issue is that cybercriminals are increasingly setting up fake Wi-Fi hot spots. Hackers pretend to be a trusted network and then can watch anything you do while connected.
“There is no attack required on a mobile device when it is freely giving away information in an unprotected way,” said Covington.
“I’ve seen some of the parties usually react by having a new app or a new website out within 24 hours.
And in other cases, they don’t even pick up the phone,” Covington said.
Here is how to protect yourself when using app and mobile websites.
Covington suggests you think about the type of information being requested. “A company that’s providing a free news feed shouldn’t be asking for credit card information, dates of birth and Social Security number.”
Also, read reviews for apps and make sure other people have already used it.
“Don’t subject yourself to being patient zero on a new app that just landed in the app store. Wait and see how much traction it gets. See how many other people download it,” Covington said.