Companies that do not test their mobile apps for security or privacy vulnerabilities may be drip-feeding private data to malicious third parties.
A report by security-as-a-service platform provider Zscaler said that privacy-related traffic from mobile apps could open the door to data loss and security breaches. In a blog post, Zscaler said that approximately 4% of the 45 million mobile device transactions per quarter that the company tracks through its cloud inadvertently release unique or customer-based data, such as device metadata, location and personally identifiable information (PII).
Leaked data can be used by third parties to target device owners and build attacks against them through mobile apps, Zscaler said. The report only considered privacy data that passed through Zscaler’s cloud, but the pattern could be replicated across a much wider area.
“In almost every enterprise, mobile and cloud represent a large and growing proportion of overall traffic,” said Zscaler’s senior security researcher Viral Ghandi. “While they offer many advantages in productivity, they also bring about new challenges for organizations trying to simplify their infrastructures while maintaining critical security controls.”
The cumulative data leak rate of 4% over both major operating systems is, in the grand scheme of things, fairly low.
Targeted attacks on mobile devices have increased in recent years, mainly because the ubiquitous computer in the pocket is never far away. People conduct hundreds of millions of transactions every day across the world and it would be naïve to assume that every mobile app was as secure as Fort Knox.
Look at the bigger picture: there are billions of mobile devices in the world, all of which have apps installed that customers assume will protect their data … and not resemble a leaky faucet.
Mobile Apps Need To Be Secure
Privacy leakage varies depending on the operating system.
The vast majority of leaked customer information is metadata—58% on Android devices, 72.3% on iOS devices. Metadata covers a device’s unique ID and information about the network it uses and the software it runs. This data can be leveraged to track a device and to build an attack against it.
Location-related data makes up 39.3% of leaks on Android and 27.5% on iOS. PII leakage through a mobile app can include a person’s phone number or email addresses. The amount of PII data that is leaked is extremely small—3% on Android, 0.2% on iOS—but that leak can still leave a device open to a malicious infection.
On a global level, Android device owners in the United States are most at risk from these leaks. A full 55% of leaks occur in the U.S., followed by the United Kingdom (16%) and China (12%). On the iOS side, China records a huge amount of mobile app data leakage—70%. Only South Africa comes anywhere close to that level with 20% of iOS privacy-related traffic.
Bear in mind that because hardware identifiers are globally unique and remain the same throughout a device’s lifetime, the trickle of leaked metadata can be exploited at any time. The same goes for both location and PII-related data. For example, phone numbers and email addresses are the easiest way to target an individual, especially when it comes to spam and phishing attacks.
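As an added illustration (not part of the report or the article), the following script triages a constructed sample of outbound mobile-app requests, as a proxy might log them, into the three leak categories the report names: device metadata, location and PII. The log format, parameter names and sample values are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound app requests in a hypothetical proxy format
# "<app> <method> <url>"; none of these values come from Zscaler's data.
SAMPLE_LOG = """\
com.example.weather GET https://api.example.com/v1/forecast?lat=47.6062&lon=-122.3321&android_id=9774d56d682e549c
com.example.shop POST https://track.example.net/event?imei=356938035643809&os=Android&ver=6.0.1
com.example.chat GET https://cdn.example.org/avatar?user=alice%40example.com
com.example.news GET https://news.example.com/top?page=2
com.example.game POST https://ads.example.com/pixel?idfa=6D92078A-8246-4BA4-AE5B-76104861E7DC&phone=%2B14155551234
"""

# Query-parameter names (assumed) that carry each leak category the report describes.
METADATA_KEYS = {"android_id", "imei", "idfa", "idfv", "device_id", "mac", "os", "ver"}
LOCATION_KEYS = {"lat", "lon", "lng", "latitude", "longitude", "geo"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?\d{10,15}$")

def classify_request(url):
    """Return the set of leak categories found in one URL's query string."""
    found = set()
    for key, value in parse_qsl(urlsplit(url).query):
        k = key.lower()
        if k in METADATA_KEYS:
            # Device identifiers such as a 15-digit IMEI would otherwise
            # look like phone numbers, so they are classified only as metadata.
            found.add("metadata")
            continue
        if k in LOCATION_KEYS:
            found.add("location")
        if EMAIL_RE.match(value) or PHONE_RE.match(value):
            found.add("pii")
    return found

def leak_summary(log_text):
    """Count requests and the leak categories seen across a proxy log."""
    counts = Counter()
    total = 0
    for line in log_text.splitlines():
        app, method, url = line.split(" ", 2)
        total += 1
        cats = classify_request(url)
        if cats:
            counts["leaking"] += 1  # request leaked at least one category
        for c in cats:
            counts[c] += 1
    return {"total": total, **counts}
```

Running `leak_summary(SAMPLE_LOG)` on the constructed log reports 4 of 5 requests leaking something, which is the per-category breakdown the report expresses as percentages.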
People Need To Trust Their Apps
It is worth remembering that a company that offers security-as-a-service produced this report, but it highlights an important consideration for business decision-makers. The issue is not that mobile apps should have data protection features but that companies don’t take the potential for leaked data into account. And that is directly linked to the duty-of-care that companies owe to their customers.
The report cited a 2015 study of 400 organizations by IBM and The Ponemon Institute that said approximately 40% of companies do not test their mobile apps for security vulnerabilities. Of the ones that do test, only 15% test them frequently. A full 50% of those companies allocated no money for security vulnerability testing. The caveat is that these figures may have improved in the last year.
“Observing the leakage from these apps—and the developers’ minimal security investments—means that organizations must take steps to protect their users and the broader network infrastructure and data assets,” said Ghandi. “They should be applying strict MDM policies and educating employees about app security in an effort to stave off any kind of data loss or security breach.”