The US’ National Security Agency (NSA) and its UK counterpart, GCHQ, have been honing their data-slurping technologies to suck up whatever they can get from leaky smartphones, the Guardian reported on Tuesday.
Beyond device details, data shared over the internet by iOS and Android apps can include personal information such as age, gender, and location, while some apps share even more sensitive user information, such as sexual preference or whether a given user might be a swinger.
The Guardian, relying on top-secret documents handed over by whistleblower Edward Snowden, says that the spy guys are developing capabilities to milk this private information from apps as innocuous as the insanely popular Angry Birds game.
Reporting in partnership with the New York Times and Pro Publica, they revealed that the NSA and GCHQ have “extensive tools” ready to throw against iPhone, Android and other phone platforms.
The agencies also apparently think of Google Maps as a gold mine. The Guardian reports that one project involved intercepting Google Maps queries from smartphones to collect large volumes of location data.
The newspaper quotes a 2008 document’s gleeful assessment of the Google Maps work, in which it noted that:
[i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system.
The documents suggest that, depending on how much information a user has provided in his or her profile on a given app, the agency could collect “almost every key detail of a user’s life”, the Guardian reports: home country, current location (through geolocation), age, gender, zip code, marital status – options included “single”, “married”, “divorced”, “swinger” and more – income, ethnicity, sexual orientation, education level, and number of children.
Given how popular Angry Birds is, and given that the secret documents use it as a case study, some articles have hung Angry Birds in their headlinery – that’s like finery, but with headlines instead of undies.
But Angry Birds shouldn’t be singled out as being in any way subverted or corrupted by the NSA or GCHQ.
Angry Birds is, after all, just one of thousands of mobile apps, none of which has been indicted as complicit with, or data-raked by, the NSA or GCHQ – rather, the spying agencies are, as news reports say, simply tapping data as it flies across the network.
Rovio, the maker of Angry Birds, told the Guardian that it wasn’t aware of any NSA or GCHQ programs looking to extract data from its apps users.
The newspaper quotes Saara Bergström, Rovio’s VP of marketing and communications:
Rovio doesn't have any previous knowledge of this matter, and have not been aware of such activity in third-party advertising networks. Nor do we have any involvement with the organisations you mentioned [NSA and GCHQ].
The NSA’s data sniffing is far from news, of course – the names PRISM and XKeyscore should ring some bells in that department.
Much of the profile data in question isn’t being nefariously pickpocketed from app users, at any rate.
As Naked Security pointed out on Monday in honor of Data Privacy Day, many of us are willingly giving our personal data away.
It’s easy to see why: it’s a heck of a lot more fun to have apps spill your beans, since in exchange we get linked to communities or get shiny doo-dads. All we have to do is fill out profiles with stuff they don’t really need – birthdates, marital status, etc.
We can take back a big chunk of our privacy simply by refusing to hand over data, whether it’s given in a profile or beamed out when we have WiFi and/or geolocation turned on.
Cinching our data waistbands can be done with three simple steps, outlined by Naked Security in the Privacy Plan Diet.
If you can live without “Find My iPad” or other such geolocation-dependent goodies, you can keep a lot of your data out of the hands of spies, marketers or other data busybodies.
But beyond information knowingly handed over in profiles, phone apps have a nasty habit of sharing more data than users may realize.
Sometimes the holes come from software bugs, but then again, sometimes data leakage is an unintended consequence of users’ own, deliberate actions, such as:
- Twitter users having geolocation turned on and using the word “home” in their tweets – Presto! – thereby potentially handing a nosy little application their home address.
- Soldiers snapping photos that smartphones then automatically geotag, giving the enemy their coordinates.
- Fugitives’ locations – John McAfee comes to mind – babbled by a photo’s location metadata, precise latitude, longitude, time and all.
Beyond bugs and deliberate leakage from probably-inattentive users is yet another category: apps that silently gulp data in the background while they’re doing innocent-seeming things in the foreground, such as being a flashlight or a mobile app for kids.
There are issues with mobile privacy, and then too there’s security.
Specifically, phones have lagged behind websites in their use of encryption, a notable example being the lack of security in banking apps.
Why cast a hairy eyeball at privacy as it plays out in Angry Birds profile data when you’ve got iOS banking apps to worry about?
Given recent research from Ariel Sanchez, a researcher at security assessment company IOActive, there’s very little security indeed to be had there.
Sanchez found that out of 40 iOS banking apps used by 60 banks in about 20 countries, 70% of the apps offered no support at all for two-factor authentication (2FA), and 40% of the apps weren’t validating SSL certificates – in other words, they couldn’t tell a bogus SSL certificate from a genuine one when talking over supposedly secure HTTPS, and therefore couldn’t stop a theoretical man-in-the-middle attack.
What does this have to do with Angry Birds et al.?
If the connection between the phones and the servers such apps were talking to had been well-encrypted, then it’s likely that the data they exchanged would have been unintelligible to anyone trying to read it on-the-wire.
Should Angry Birds, or ads on Angry Birds, or the other apps in question, or the ads on those apps, have been using HTTPS or some form of encryption?
Yes. But the lack of such security measures isn’t, unfortunately, remarkable, as research including Sanchez’s work on iOS banking apps makes clear.
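To make the certificate-validation failure in Sanchez’s findings concrete, here is an added example (not code from the article, Rovio or IOActive) in Python, using only the standard library: the weak client configuration that accepts any certificate, the corrected one, and a small audit function of the kind a reviewer might run over an app’s TLS setup. The function names are assumptions for illustration.

```python
import ssl


def make_insecure_context() -> ssl.SSLContext:
    """The pattern behind the '40% don't validate SSL certificates' finding:
    the client still speaks HTTPS, but never checks who it is talking to,
    so a certificate minted by a man-in-the-middle is accepted like any other."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is not validated at all
    return ctx


def make_secure_context() -> ssl.SSLContext:
    """Corrected client: chain validated against the system trust store,
    hostname matched against the certificate, legacy protocol versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of weaknesses found in a client SSLContext (empty if none).
    Each finding corresponds to one way an interposed party could read the traffic."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions permitted (minimum_version too low)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", make_insecure_context()),
                      ("secure", make_secure_context())):
        print(name, audit_context(ctx) or "no findings")
```

The audit catches the misconfiguration statically; in a real assessment the same defect shows up dynamically when the app keeps working behind a proxy presenting a certificate the device has no reason to trust.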
Image of smartphone apps and banking app courtesy of Shutterstock.
8 comments on “Spy agencies are slurping personal data from leaky mobile apps”
So this is such an old story from Mr Snowden and other news articles about smartphone apps, and I am finding that Sophos is continuing to stir the pot of self-gratification for entertainment and to keep such old news flowing when there is no other real news of importance to report. I find it rather repugnant, since I normally use Naked Security as a major source for threat identification, but of late they have fallen on their sword with nothing better to do than to regurgitate news over and over. Getting rather tired of it!
You would think that everyone would know by now that every spy agency slurps data from everything – VoIP, desktop, mobile, server, WiFi, grandma’s photo album, etc.
But websites need money from advertising, and so they keep reusing the same articles (just change the app and the name of the article) over and over again as click bait.
Yes, this is old news for those of us who have been following Naked Security and/or other security blogs for a long time, or used our own logic to come to this conclusion before we read about it. However, there may be new readers of Naked Security that have not searched the archive and read every article posted in the past. Perhaps they may find this article helpful.
Using your logic, there’s no need to tell children to look both ways before crossing the street, because somebody told their own child once in the past already.
I would agree with your point if it hadn’t been for all Snowden-related information being reported by every news site, newspaper, news channel, etc. A person would have had to be disconnected from all media for a very long time not to have heard about any of this.
To use your example – it would be like everyone at a busy crosswalk randomly yelling over and over again at the child to look both ways before crossing the street.
No, it wouldn’t be like that at all. To write such an absurd example trying to make a logical point is ridiculous.
I’m still scratching my head from your final sentence. Somehow I just can’t apply it in any useful way. I tried “Why did the chicken cross before crossing the road?” but it doesn’t work in that joke either.
Awww, come on! I spent quite some time fleshing out the reasons why this Angry Birds hysteria is inflated. I think what I wrote goes a heck of a ways beyond “rehashing.”
OK… here’s my take on this… why does “Angry Birds Star Wars II” (Free) require so many permissions, and why would anyone allow that? I just went to Google Play and checked this… if anyone allows this level of access to ANYTHING then you should have your phone privileges taken away. Nobody is stealing; you’ve given your permission for them to take it.
This app has access to these permissions:
- approximate location (network-based)
- full network access
- receive data from Internet
- view Wi-Fi connections
- view network connections
- read phone status and identity
- modify or delete the contents of your USB storage
- take pictures and videos
- find accounts on the device
- test access to protected storage
- prevent device from sleeping
If my bf is in the United States and I am in London, can he spy on my phone using the spy app if only he has installed it and not on mine… and is there a way to do that to tap phone calls without installing it on their phone?