
Leaks reveal early NSA plans to extract data from popular mobile apps

Recent Snowden leaks have shed light on plans by the National Security Agency (NSA), and its British equivalent, to snatch up mobile data exposed by popular gaming and social media applications.

On Monday, The New York Times, The Guardian and ProPublica teamed up to disclose classified government documents from 2010.

According to the leaks, NSA and Britain's GCHQ worked together to determine how the intelligence agencies could intercept user information sent over mobile versions of Facebook, Twitter, LinkedIn and other social networking services.

In addition, it was revealed that the popular gaming app, Angry Birds, was also of interest to the spy networks, which planned to target “dozens of smartphone apps” by 2007, including Google Maps.

“Since then, the agencies have traded recipes for grabbing location and planning data when a target uses Google Maps, and for vacuuming up address books, buddy lists, telephone logs and the geographic data embedded in photographs when someone sends a post to the mobile versions of Facebook, Flickr, LinkedIn, Twitter and other Internet services,” the article revealed.

A 14-page document (PDF) from the NSA, called “Converged Analysis of Smartphone Devices,” along with documents from a GCHQ briefing on mobile surveillance (PDF), were published by the outlets.

On Tuesday, Scott Matsumoto, who manages the mobile security practice at Cigital as a principal consultant, told SCMagazine.com that the insight on NSA's spying tactics reaffirms app developers' growing responsibility to protect user data.

“Back in 2010, developers didn't really know they were supposed to protect themselves from the NSA as well,” Matsumoto said. “In 2014, any company that is building applications really needs to think about [data security]. It's going to get exposed, so we need to take care and make sure we are protecting customers' privacy.”

This month, San Francisco-based mobile security firm Lookout analyzed over 30,000 applications to determine what percentage of them are capable of reading users' sensitive content.

The firm found that around 38 percent of Android apps have the ability to read location data, and about 50 percent of apps on the mobile platform had the ability to access a phone's international mobile station equipment identity [IMEI], a unique identifier assigned to devices.

Furthermore, approximately 15 percent of Android apps analyzed in the data set were discovered to access users' phone numbers.

On Tuesday, Marc Rogers, principal security researcher at Lookout, told SCMagazine.com that, over the years, the mobile space has gone from encrypting virtually no data to encrypting sensitive data like banking details.

Despite these developments, the industry needs to “redefine what we call personal information,” Rogers said.

“Unfortunately, there's all this other metadata that [app developers] aren't encrypting because they assume it has no value,” – such as location data, or even personal information like your race or gender, Rogers explained. “All of these things allow them to build a picture of you.”
