Do You Know What Data Your Mobile App Discloses?

Living in Europe, I noticed the general interest of the media, politicians, and users about privacy and potential data leakage. This concern is surely not limited to Europeans — people from around the globe and governments are also interested on how to protect the sensitive data stored on mobile devices.

With this in mind, I recently checked a study on the Top 25 Free Apps used by German Android users. I researched and found out that 60% of these apps have the potential to put users’ data at risk.

I focused my research on popular apps in Germany because I am aware of how sensitive Germans are on their mobile data protection and privacy. The Federation of German Consumer Associations, in particular, monitors potential privacy issues in the country. The group has already taken actions against several corporations that threaten to violate German privacy laws and consumer rights.

I was curious to see which of the popular apps cited in the article request for information, and was also looking forward in using Trend Micro’s latest Android security product, Trend Micro Mobile Security for Android to check on these apps.

Upon checking, I found that among the top 5, only Facebook and Adobe Flash Player 11 were found to ask for less mobile data and consume less resource (e.g. battery life and memory consumption). I checked further and found out that the possible exposed data includes location (34%), International Mobile Equipment Identity (IMEI) (27%) and database like address book (21%). The apps that provide more information (or “chatty”) include the hit mobile game Angry Birds. The classic AngryBirds and AngryBirds Rio have access to data that include IMEI, International Mobile Subscriber Identity (IMSI), location, incoming data and databases.

Aside from gaming apps, it is interesting to note that apps such as Skype and Google+ consume the most battery life even when they are just open and idle.

The fact that mobile apps disclose information may not sit well with certain users. To some, giving access to IMEI and other data may constitute a data leakage. Others may consider this as harmless and part of installing a mobile app.

Unwanted mobile data disclosure, however, is a real threat that we are only too familiar with. Previously, we have found several instances of Trojanized versions of popular apps that send recorded and other mobile data to a command center without the user’s knowledge. In turn, the stolen information can be used in other cybercriminal schemes.

Trend Micro Mobile App Reputation

I was able to generate these data using Mobile App Reputation, which is featured on the recently released Trend Micro Mobile Security on Google Play. This new cloud service receives and analyses several functions of APK packages, which can negatively influence a device’s performance and data security. These functions may include, but not limited to the following: dangerous use of API calls, specific data leakage, battery consumption, unwanted permissions, and developer information. It also checks and builds up the reputation of the mobile app and its developer(s).

The rule of thumb is to be discerning of an app’s requested permissions and access to the device’s data. Read more about mobile apps and what kind of permissions these require. If it asks for permissions beyond its function, think twice before installing the app.

Coming Soon: The TrendLabs Security Intelligence Blog will be the new Malware Blog

Post from: TrendLabs | Malware Blog – by Trend Micro

Do You Know What Data Your Mobile App Discloses?