Newly revealed documents shared by former NSA contractor Edward Snowden have shown that so-called ‘leaky’ smartphone apps are being targeted by both the NSA and GCHQ as sources of personal information on their users.
Anything from poplar game Angry Birds to apps used for sexual recreation have, according to Snowden, been exploited by special tools NSA and GCHQ have developed to mine their data.
According to Snowden, the spy agencies are intercepting information that is routinely being passed from such apps – including age, gender, location and even sexual preferences – and across the internet along relatively insecure data channels.
Location data in particular is useful to government agencies, as it means they are then able to track down targets and begin using cable or wire taps, or international mobile phone networks, to hone in on individuals.
A slide from an NSA presentation describes the scenario of a “Golden Nugget!” – a user uploading a photo “to a social media site taken with a mobile device”.
“What can we get?” asks the slide.
It turns out the NSA believes it could obtain an email selector, buddy lists from the phone and “a host of other social working data as well as location”.
Gender, zip code, marital staus, sexual orientation, education level, number of children and whether or not an individual is a “swinger” are other cited categories of information that the NSA said it could easily collect from vulnerable apps, provided users agree to allow the individual app to access this information – or freely provide it manually to the app – as many existing apps require.
While Facebook and Twitter do remove this EXIF [exchangeable image file format] information from uploads, it is believed that this data could still be removed, given the correct techniques, at some point during the upload process.
Michael Sutton, VP of security research at cloud-based information security firm Zscaler, believes companies who run app stores could do more to prevent apps “leaking” so easily, and being picked up by such surveillance methods.
“While app store gatekeepers such as Apple, Google and Amazon focus on ensuring that malicious apps aren’t included in their app stores, they tend to do a very poor job at filtering out those apps that expose users to privacy risks.
“This is in part driven by the very economy of the app store ecosystem.
The bulk of apps are free, but developers need to turn a profit somehow. That’s generally done by embedding advertising and sharing metrics with advertisers about user behaviour, better enabling advertisers to deliver targeted apps.”Sutton said that, while Apple has begun cracking down on “more egregious” data leakage issues such as location data and contact information being released to apps from users, both iOS and Google’s Android platform still permit “a significant amount of data” to be shared.
“It is common for apps to embed advertiser SDKs which share device data such as the hardware and software versions being used, along with identifiers that can be used to track the device such as the device’s Unique Identifier (UDID) or Media Access Control (MAC) address,” he said.