NSA and GCHQ collected personal information from mobile apps

Lewis Leong


Documents newly leaked by Edward Snowden reveal that the NSA and the British Government Communications Headquarters (GCHQ) have been collecting personal information from mobile apps such as Angry Birds and Flickr. The two intelligence agencies have been working together since 2007, trading information about how to collect data from various smartphone apps. The information collected included age, sex, “political alignment,” and even geotag information from photos uploaded through apps like Facebook, Flickr, LinkedIn, and Twitter.

Previously leaked documents by Snowden revealed the extent of mobile data collection by the NSA. Earlier generations of mobile phones were monitored for things like text messages and mobile network data, including mobile phone identifiers like IMEI numbers. The metadata was then tagged and stored in the NSA’s Xkeyscore/Marina database to be made searchable.

[Image: NSA mobile data tracking info]

As mobile phones became more powerful and complex, the NSA and GCHQ began collecting more information, including website histories, “buddy lists,” downloaded documents, user agents, email addresses, and even BlackBerry PINs. Documents from the GCHQ reveal the agency’s intense interest in collecting mobile phone data. “By 2015 up to 90% of internet traffic will be accessed on mobile devices. Over 200 3rd party Location Aware Applications on the iPhone alone,” states a document from the GCHQ.

[Image: GCHQ document]

Worryingly, it appears that mobile ad networks are responsible for the collection of personal data from popular apps like Angry Birds. Ad company Millennial Media worked with Angry Birds developer Rovio in 2011 to integrate ads into the game. The documents do not explain whether or not players offered up data about their ethnicity, marital status, and sexual orientation willingly or if the company accessed the information by other means.

At the Samsung Developers Conference in 2013, Appthority held a seminar highlighting the dangers of mobile security. While the talk focused on the enterprise market, many of the company’s discoveries affect all users, not just those with enterprise devices. From its study, Appthority found that 41% of iOS and 77% of Android apps tracked location.

Appthority found five major failures in mobile security:

  1. Third-party SDKs (including adware and analytics) cause security holes: One major risk is that some adware SDKs can perform tasks outside the original app permissions.
  2. Permissions bypass user consent: Apps can sidestep required permissions to complete the same behavior or add more permissions for unused functions.
  3. Apps include debug information from the developer: This can contain information that can be used for targeted attacks against companies to steal data.
  4. Improper handling of private app data: Some popular apps may encrypt data on their servers, but the data is sent through insecure channels.
  5. Apps don’t apply security to user data: A lack of SSL/encryption, storing passwords in plain text, and not using expiring OAuth tokens for login.

This shows that accessing user data is not as difficult as you would think. While many popular apps may look secure on the surface, their background functionality may be transmitting data openly for anyone to collect.

There are still many unanswered questions about the NSA and GCHQ’s mobile data collection, including which countries the data was collected from, how often data was collected, and how the security agencies were able to collect this data without app developers noticing. And with this much data being collected, how much of it is actually used in the fight against terrorism?

Chris Park contributed to this story.

Source: The New York Times
